Bug 697450 - Null pointer dereference in gx_device_finalize()
Summary: Null pointer dereference in gx_device_finalize()
Status: RESOLVED FIXED
Alias: None
Product: Ghostscript
Classification: Unclassified
Component: Fuzzing (show other bugs)
Version: master
Hardware: PC Linux
: P1 normal
Assignee: Ken Sharp
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-12-21 06:39 UTC by Kamil Frankowicz
Modified: 2019-07-22 07:08 UTC (History)
1 user (show)

See Also:
Customer:
Word Size: ---

Attachments
POC to trigger null pointer dereference (gs) (41 bytes, text/plain)
2016-12-21 06:39 UTC, Kamil Frankowicz 		Details
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Kamil Frankowicz 2016-12-21 06:39:48 UTC 
Created attachment 13259 [details]
POC to trigger null pointer dereference (gs)

After some fuzz testing I found a crashing test case.

Git Head: 73060a27e554f8e64ae2aba4a1b03822207346c7

Command: s -dNOPAUSE -sDEVICE=bit -sOUTPUTFILE=/dev/null -dSAFER gs_nullptr_gx_device_finalize -c quit

ASAN + Output:

GPL Ghostscript GIT PRERELEASE 9.21 (2016-09-14)
Copyright (C) 2016 Artifex Software, Inc.  All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
/* Copyright (C) 2012 Artifex Software Inc.  All rights reserved.
   Unauthorized use, copying, and/or distribution prohibited.
ASAN:DEADLYSIGNAL
=================================================================
==16905==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000001414e50 bp 0x000000000b10 sp 0x7ffc3225d290 T0)
==16905==The signal is caused by a READ memory access.
==16905==Hint: address points to the zero page.
    #0 0x1414e4f in gx_device_finalize XYZ/ghostpdl/./base/gsdevice.c:55:9
    #1 0x13cfd9a in i_free_object XYZ/ghostpdl/./base/gsalloc.c:1471:9
    #2 0x1420ddb in gs_makewordimagedevice XYZ/ghostpdl/./base/gsdevmem.c:232:9
    #3 0x1aff2f8 in zmakewordimagedevice XYZ/ghostpdl/./psi/zdevice.c:313:12
    #4 0x19fe547 in interp XYZ/ghostpdl/./psi/interp.c:1578:40
    #5 0x19fe547 in gs_call_interp XYZ/ghostpdl/./psi/interp.c:511
    #6 0x19fe547 in gs_interpret XYZ/ghostpdl/./psi/interp.c:468
    #7 0x19d1352 in gs_main_interpret XYZ/ghostpdl/./psi/imain.c:245:12
    #8 0x19d1352 in gs_main_run_string_end XYZ/ghostpdl/./psi/imain.c:663
    #9 0x19d1352 in gs_main_run_string_with_length XYZ/ghostpdl/./psi/imain.c:621
    #10 0x19dd2eb in run_string XYZ/ghostpdl/./psi/imainarg.c:977:16
    #11 0x19dd2eb in runarg XYZ/ghostpdl/./psi/imainarg.c:967
    #12 0x19dc748 in argproc XYZ/ghostpdl/./psi/imainarg.c:900:16
    #13 0x19d5283 in gs_main_init_with_args XYZ/ghostpdl/./psi/imainarg.c:238:24
    #14 0x5475d8 in main XYZ/ghostpdl/./psi/gs.c:96:16
    #15 0x7f14703eb82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #16 0x47b9d8 in _start (/usr/local/bin/gs+0x47b9d8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV XYZ/ghostpdl/./base/gsdevice.c:55:9 in gx_device_finalize
==16905==ABORTING
Comment 1 Ken Sharp 2016-12-21 08:55:58 UTC 
Commit daf85701dab05f17e924a48a81edc9195b4a04e8 should resolve this.