Bug 697450 - Null pointer dereference in gx_device_finalize()
Alias: None
Product: Ghostscript
Classification: Unclassified
Component: Fuzzing
Version: master
Hardware: PC Linux
: P1 normal
Assignee: Ken Sharp
Reported: 2016-12-21 06:39 UTC by Kamil Frankowicz
Modified: 2019-07-22 07:08 UTC

POC to trigger null pointer dereference (gs) (41 bytes, text/plain)
2016-12-21 06:39 UTC, Kamil Frankowicz

Description Kamil Frankowicz 2016-12-21 06:39:48 UTC
Created attachment 13259
POC to trigger null pointer dereference (gs)

After some fuzz testing I found a crashing test case.

Git Head: 73060a27e554f8e64ae2aba4a1b03822207346c7

Command: gs -dNOPAUSE -sDEVICE=bit -sOUTPUTFILE=/dev/null -dSAFER gs_nullptr_gx_device_finalize -c quit

ASAN + Output:

GPL Ghostscript GIT PRERELEASE 9.21 (2016-09-14)
Copyright (C) 2016 Artifex Software, Inc.  All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
/* Copyright (C) 2012 Artifex Software Inc.  All rights reserved.
   Unauthorized use, copying, and/or distribution prohibited.
==16905==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000001414e50 bp 0x000000000b10 sp 0x7ffc3225d290 T0)
==16905==The signal is caused by a READ memory access.
==16905==Hint: address points to the zero page.
    #0 0x1414e4f in gx_device_finalize XYZ/ghostpdl/./base/gsdevice.c:55:9
    #1 0x13cfd9a in i_free_object XYZ/ghostpdl/./base/gsalloc.c:1471:9
    #2 0x1420ddb in gs_makewordimagedevice XYZ/ghostpdl/./base/gsdevmem.c:232:9
    #3 0x1aff2f8 in zmakewordimagedevice XYZ/ghostpdl/./psi/zdevice.c:313:12
    #4 0x19fe547 in interp XYZ/ghostpdl/./psi/interp.c:1578:40
    #5 0x19fe547 in gs_call_interp XYZ/ghostpdl/./psi/interp.c:511
    #6 0x19fe547 in gs_interpret XYZ/ghostpdl/./psi/interp.c:468
    #7 0x19d1352 in gs_main_interpret XYZ/ghostpdl/./psi/imain.c:245:12
    #8 0x19d1352 in gs_main_run_string_end XYZ/ghostpdl/./psi/imain.c:663
    #9 0x19d1352 in gs_main_run_string_with_length XYZ/ghostpdl/./psi/imain.c:621
    #10 0x19dd2eb in run_string XYZ/ghostpdl/./psi/imainarg.c:977:16
    #11 0x19dd2eb in runarg XYZ/ghostpdl/./psi/imainarg.c:967
    #12 0x19dc748 in argproc XYZ/ghostpdl/./psi/imainarg.c:900:16
    #13 0x19d5283 in gs_main_init_with_args XYZ/ghostpdl/./psi/imainarg.c:238:24
    #14 0x5475d8 in main XYZ/ghostpdl/./psi/gs.c:96:16
    #15 0x7f14703eb82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #16 0x47b9d8 in _start (/usr/local/bin/gs+0x47b9d8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV XYZ/ghostpdl/./base/gsdevice.c:55:9 in gx_device_finalize
Comment 1 Ken Sharp 2016-12-21 08:55:58 UTC
Commit daf85701dab05f17e924a48a81edc9195b4a04e8 should resolve this.