Bug 697456 - Use-After-Free in pdf14_cleanup_parent_color_profiles()
Summary: Use-After-Free in pdf14_cleanup_parent_color_profiles()
Status: RESOLVED FIXED
Alias: None
Product: Ghostscript
Classification: Unclassified
Component: Color Management
Version: unspecified
Hardware: PC Linux
Importance: P1 normal
Assignee: Michael Vrhel
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-12-27 05:15 UTC by Kamil Frankowicz
Modified: 2016-12-29 14:44 UTC

See Also:
Customer:
Word Size: ---


Attachments
POC to trigger use-after-free (gs) (66 bytes, text/plain)
2016-12-27 05:15 UTC, Kamil Frankowicz

Description Kamil Frankowicz 2016-12-27 05:15:00 UTC
Created attachment 13263 [details]
POC to trigger use-after-free (gs)

After some fuzz testing I found a crashing test case.

Git Head: 73060a27e554f8e64ae2aba4a1b03822207346c7

Command: gs -dNOPAUSE -sDEVICE=bit -sOUTPUTFILE=/dev/null -dSAFER gs_uaf_pdf14_cleanup_parent_color_profiles -c quit

ASAN + Output:

GPL Ghostscript GIT PRERELEASE 9.21 (2016-09-14)
Copyright (C) 2016 Artifex Software, Inc.  All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
=================================================================
==27314==ERROR: AddressSanitizer: heap-use-after-free on address 0x62a00054d848 at pc 0x0000008d63ce bp 0x7ffef086f770 sp 0x7ffef086f768
READ of size 8 at 0x62a00054d848 thread T0
    #0 0x8d63cd in pdf14_cleanup_parent_color_profiles XYZ/ghostpdl/./base/gdevp14.c:2123:31
    #1 0x8d54ee in pdf14_device_finalize XYZ/ghostpdl/./base/gdevp14.c:8472:5
    #2 0x1b3c4b8 in restore_finalize XYZ/ghostpdl/./psi/isave.c:952:13
    #3 0x1b3c4b8 in alloc_restore_step_in XYZ/ghostpdl/./psi/isave.c:759
    #4 0x1b3e288 in alloc_restore_all XYZ/ghostpdl/./psi/isave.c:886:16
    #5 0x19d3d83 in gs_main_finit XYZ/ghostpdl/./psi/imain.c:997:16
    #6 0x5476b5 in main XYZ/ghostpdl/./psi/gs.c:139:9
    #7 0x7f99712e782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #8 0x47b9d8 in _start (/usr/local/bin/gs+0x47b9d8)

0x62a00054d848 is located 5704 bytes inside of 20048-byte region [0x62a00054c200,0x62a000551050)
freed by thread T0 here:
    #0 0x519e9b in __interceptor_free /home/development/llvm/3.9.0/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:47:3
    #1 0x146a4ff in gs_heap_free_object XYZ/ghostpdl/./base/gsmalloc.c:348:5

previously allocated by thread T0 here:
    #0 0x51a1ec in malloc /home/development/llvm/3.9.0/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64:3
    #1 0x1469abf in gs_heap_alloc_bytes XYZ/ghostpdl/./base/gsmalloc.c:183:34

SUMMARY: AddressSanitizer: heap-use-after-free XYZ/ghostpdl/./base/gdevp14.c:2123:31 in pdf14_cleanup_parent_color_profiles
==27314==ABORTING