Created attachment 13347
POC to trigger null pointer dereference (gs)

After some fuzz testing I found a crashing test case.

Git HEAD: 0dbfbb773e40d23de5052fc5641387dad5d79bae

To reproduce:

gs -dNOPAUSE -sDEVICE=bit -sOUTPUTFILE=/dev/null -dSAFER null_ptr_ref_stack_index -c quit

ASAN:

==7046==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000018a9438 bp 0x7ffe09812530 sp 0x7ffe098121e0 T0)
==7046==The signal is caused by a READ memory access.
==7046==Hint: address points to the zero page.
    #0 0x18a9437 in mem_get_bits_rectangle XYZ/ghostpdl/./base/gdevmem.c:632:69
    #1 0x1afa1cc in zgetbitsrect XYZ/ghostpdl/./psi/zdevice.c:184:12
    #2 0x19fa3b7 in interp XYZ/ghostpdl/./psi/interp.c:1578:40
    #3 0x19fa3b7 in gs_call_interp XYZ/ghostpdl/./psi/interp.c:511
    #4 0x19fa3b7 in gs_interpret XYZ/ghostpdl/./psi/interp.c:468
    #5 0x19cd1b2 in gs_main_interpret XYZ/ghostpdl/./psi/imain.c:245:12
    #6 0x19cd1b2 in gs_main_run_string_end XYZ/ghostpdl/./psi/imain.c:663
    #7 0x19cd1b2 in gs_main_run_string_with_length XYZ/ghostpdl/./psi/imain.c:621
    #8 0x19d914b in run_string XYZ/ghostpdl/./psi/imainarg.c:977:16
    #9 0x19d914b in runarg XYZ/ghostpdl/./psi/imainarg.c:967
    #10 0x19d85a8 in argproc XYZ/ghostpdl/./psi/imainarg.c:900:16
    #11 0x19d10e3 in gs_main_init_with_args XYZ/ghostpdl/./psi/imainarg.c:238:24
    #12 0x547488 in main XYZ/ghostpdl/./psi/gs.c:96:16
    #13 0x7f0936f4b82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #14 0x47b888 in _start (/usr/local/bin/gs+0x47b888)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV XYZ/ghostpdl/./base/gdevmem.c:632:69 in mem_get_bits_rectangle
==7046==ABORTING
Anyone looking into this one? I confirm the segfault and it crashes on all versions available in Debian (3.05, 3.06 and 3.20).
Bah, I meant 9.05, 9.06 and 9.20 (and not 3.x obviously).
I'm confused: the title says "Null pointer dereference in ref_stack_index()", but the asan crash log shows the fault in "mem_get_bits_rectangle"....
(In reply to Chris Liddell (chrisl) from comment #3)
> I'm confused: the title says "Null pointer dereference in
> ref_stack_index()", but the asan crash log shows the fault in
> "mem_get_bits_rectangle"....

For me, it's a GPF in ref_stack_index(), the call stack is utterly different from the stack given in comment #0
Yeah, the initial stack trace looks wrong. Even the reproducer file mentions ref_stack_index. Here is the stack trace that I get:

Program received signal SIGSEGV, Segmentation fault.
ref_stack_index (pstack=0x5555557c027a, idx=1436942025) at ./psi/istack.c:224
224     ./psi/istack.c: Aucun fichier ou dossier de ce type.
(gdb) bt
#0  ref_stack_index (pstack=0x5555557c027a, idx=1436942025) at ./psi/istack.c:224
#1  0x00007ffff706db79 in stack_param_enumerate (plist=0x555555db7e70, penum=0x7fffffffc780, key=0x7fffffffc790, type=0x7fffffffc770) at ./psi/iparam.c:400
#2  0x00007ffff706ed50 in ref_param_read_typed (plist=0x7fffffffd1d0, pkey=<optimized out>, pvalue=0x7fffffffc810) at ./psi/iparam.c:775
#3  0x00007ffff6fca9e3 in param_read_requested_typed (plist=plist@entry=0x7fffffffd1d0, pkey=pkey@entry=0x7ffff71401f5 "Margins", pvalue=pvalue@entry=0x7fffffffc810) at ./base/gsparam.c:264
#4  0x00007ffff6fcade8 in param_read_float_array (plist=plist@entry=0x7fffffffd1d0, pkey=pkey@entry=0x7ffff71401f5 "Margins", pvalue=pvalue@entry=0x7fffffffc920) at ./base/gsparam.c:333
#5  0x00007ffff6fb792a in gx_default_put_params (dev=dev@entry=0x5555558076d8, plist=plist@entry=0x7fffffffd1d0) at ./base/gsdparam.c:1500
#6  0x00007ffff6e45f87 in gdev_prn_put_params (pdev=pdev@entry=0x5555558076d8, plist=plist@entry=0x7fffffffd1d0) at ./base/gdevprn.c:897
#7  0x00007ffff6e857ac in bit_put_params (pdev=0x5555558076d8, plist=0x7fffffffd1d0) at ./devices/gdevbit.c:686
#8  0x00007ffff6fbb190 in gs_putdeviceparams (dev=dev@entry=0x5555558076d8, plist=plist@entry=0x7fffffffd1d0) at ./base/gsdparam.c:965
#9  0x00007ffff7099219 in zputdeviceparams (i_ctx_p=0x5555557c3c20) at ./psi/zdevice.c:421
#10 0x00007ffff706c2d2 in interp (pi_ctx_p=pi_ctx_p@entry=0x555555774680, pref=<optimized out>, perror_object=perror_object@entry=0x7fffffffdb70) at ./psi/interp.c:1574
#11 0x00007ffff706cd45 in gs_call_interp (perror_object=0x7fffffffdb70, pexit_code=0x7fffffffdb6c, user_errors=1, pref=0x7fffffffda00, pi_ctx_p=0x555555774680) at ./psi/interp.c:511
#12 gs_interpret (pi_ctx_p=0x555555774680, pref=pref@entry=0x7fffffffdb30, user_errors=1, pexit_code=0x7fffffffdb6c, perror_object=<optimized out>) at ./psi/interp.c:468
#13 0x00007ffff7061215 in gs_main_interpret (perror_object=<optimized out>, pexit_code=<optimized out>, user_errors=<optimized out>, pref=0x7fffffffdb30, minst=<optimized out>) at ./psi/imain.c:245
#14 gs_main_run_string_end (minst=<optimized out>, user_errors=<optimized out>, pexit_code=<optimized out>, perror_object=<optimized out>) at ./psi/imain.c:663
#15 0x00007ffff7062ca9 in run_string (minst=minst@entry=0x5555557745e0, str=str@entry=0x55555586fbc0 "<4356452d323031372d353935315f6e756c6c5f7074725f7265665f737461636b5f696e646578>.runfile", options=options@entry=3) at ./psi/imainarg.c:977
#16 0x00007ffff7062e2a in runarg (minst=0x5555557745e0, pre=0x7ffff713e5c5 "", arg=<optimized out>, post=0x7ffff715bfd4 ".runfile", options=3) at ./psi/imainarg.c:967
#17 0x00007ffff7064518 in gs_main_init_with_args (minst=0x5555557745e0, argc=8, argv=0x7fffffffe768) at ./psi/imainarg.c:238
#18 0x0000555555554acb in main (argc=8, argv=0x7fffffffe768) at ./psi/dxmainc.c:86
Sorry, the confusion over the title and the stack trace in the description meant I thought it was someone else's area, and they thought it was mine - hence we both ignored it..... Fixed in: http://git.ghostscript.com/?p=user/chrisl/ghostpdl.git;a=commitdiff;h=bfa6b2ec
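The mix-up in this thread (a title naming ref_stack_index() next to an ASAN trace whose top frame is mem_get_bits_rectangle) is the kind of thing a small triage check catches before a report is filed or handed off. The helper below is an added example, not code from this bug or from Ghostscript: it parses both trace formats seen above (ASAN and gdb bt, including gdb's wrapped frame lines), reports the faulting frame, and checks whether every function the title names actually appears in the trace. The regexes are this editor's; the two embedded reports are trimmed excerpts of the traces in comments #0 and #5.

```python
import re

# Frame lines as AddressSanitizer prints them: "#0 0xADDR in func path:line[:col]".
ASAN_FRAME = re.compile(r"^#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(\S+)\s+(\S+?):(\d+)(?::\d+)?$")
# Frame lines as gdb's "bt" prints them: "#0  [0xADDR in ]func (args) at path:line".
GDB_FRAME = re.compile(r"^#(\d+)\s+(?:0x[0-9a-fA-F]+\s+in\s+)?(\w+)\s+\(.*\)\s+at\s+(\S+):(\d+)$")

def _join_wrapped(lines):
    """gdb wraps long frames; glue each continuation line onto the frame above it."""
    out = []
    for ln in lines:
        if re.match(r"#\d+\s", ln.strip()) or not out:
            out.append(ln.strip())
        else:
            out[-1] += " " + ln.strip()
    return out

def parse_frames(report):
    """Return [(frame_no, function, path, line)] for every symbolised frame found."""
    frames = []
    for ln in _join_wrapped(report.splitlines()):
        m = ASAN_FRAME.match(ln) or GDB_FRAME.match(ln)
        if m:
            frames.append((int(m.group(1)), m.group(2), m.group(3), int(m.group(4))))
    return frames

def triage(title, report):
    """Faulting frame of a trace, plus whether the functions the title names appear in it."""
    frames = parse_frames(report)
    if not frames:
        return None
    _, func, path, line = min(frames)          # lowest frame number is the faulting frame
    seen = {f[1] for f in frames}
    claimed = re.findall(r"(\w+)\(\)", title)  # e.g. "ref_stack_index()" in the title
    return {"top": func, "where": f"{path}:{line}",
            "title_matches": bool(claimed) and all(c in seen for c in claimed)}

# Trimmed excerpts of this bug's two traces (comment #0 ASAN output, comment #5 gdb output).
ASAN_REPORT = """==7046==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000
    #0 0x18a9437 in mem_get_bits_rectangle XYZ/ghostpdl/./base/gdevmem.c:632:69
    #1 0x1afa1cc in zgetbitsrect XYZ/ghostpdl/./psi/zdevice.c:184:12
"""
GDB_REPORT = """#0  ref_stack_index (pstack=0x5555557c027a, idx=1436942025) at ./psi/istack.c:224
#1  0x00007ffff706db79 in stack_param_enumerate (plist=0x555555db7e70, penum=0x7fffffffc780,
    key=0x7fffffffc790, type=0x7fffffffc770) at ./psi/iparam.c:400
"""
TITLE = "Null pointer dereference in ref_stack_index()"
if __name__ == "__main__":
    for name, report in (("asan", ASAN_REPORT), ("gdb", GDB_REPORT)):
        print(name, triage(TITLE, report))   # asan: title does not match the trace
```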