Created attachment 13476 [details]
POC to trigger null pointer dereference (gs)

After some fuzz testing I found a crashing test case.

Git HEAD: 917b4e28c37d5e9ac3a605658f51b29a2357ab28

Command:
gs -dNOPAUSE -sDEVICE=bit -sOUTPUTFILE=/dev/null -dSAFER gs_null_ptr_mem_get_bits_rectangle -c quit

ASAN:
==29304==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000018c2558 bp 0x7ffe51c3bff0 sp 0x7ffe51c3bca0 T0)
==29304==The signal is caused by a READ memory access.
==29304==Hint: address points to the zero page.
    #0 0x18c2557 in mem_get_bits_rectangle /XYZ/ghostpdl/./base/gdevmem.c:633:69
    #1 0x1b1521c in zgetbitsrect /XYZ/ghostpdl/./psi/zdevice.c:184:12
    #2 0x1a14be7 in interp /XYZ/ghostpdl/./psi/interp.c:1584:40
    #3 0x1a14be7 in gs_call_interp /XYZ/ghostpdl/./psi/interp.c:517
    #4 0x1a14be7 in gs_interpret /XYZ/ghostpdl/./psi/interp.c:474
    #5 0x19e7822 in gs_main_interpret /XYZ/ghostpdl/./psi/imain.c:247:12
    #6 0x19e7822 in gs_main_run_string_end /XYZ/ghostpdl/./psi/imain.c:665
    #7 0x19e7822 in gs_main_run_string_with_length /XYZ/ghostpdl/./psi/imain.c:623
    #8 0x19f380e in run_string /XYZ/ghostpdl/./psi/imainarg.c:979:16
    #9 0x19f380e in runarg /XYZ/ghostpdl/./psi/imainarg.c:969
    #10 0x19f2c68 in argproc /XYZ/ghostpdl/./psi/imainarg.c:902:16
    #11 0x19eb753 in gs_main_init_with_args /XYZ/ghostpdl/./psi/imainarg.c:238:24
    #12 0x547608 in main /XYZ/ghostpdl/./psi/gs.c:96:16
    #13 0x7f492165482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #14 0x47ba38 in _start (/usr/local/bin/gs+0x47ba38)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /XYZ/ghostpdl/./base/gdevmem.c:633:69 in mem_get_bits_rectangle
==29304==ABORTING
Commit 309eca4e0a31ea70dcc844812691439312dad091 checks the device's raster memory to see if it has been allocated before attempting to read from it.
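As an added illustration of the check the commit describes (this is not Ghostscript's code and the commit's diff is not on this page): a hypothetical memory device whose raster buffer pointer is NULL until allocated, and a get-bits routine that returns an error instead of reading through that pointer. The struct, field, function and error names here are invented for the example, and the sample raster contents are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a memory device: a raster buffer that may
 * not have been allocated yet, so base stays NULL until it is. */
typedef struct {
    int width;          /* pixels per row (informational here) */
    int height;         /* number of scan lines */
    size_t raster;      /* bytes per scan line */
    uint8_t *base;      /* NULL until raster memory is allocated */
} mem_device_t;

enum { GB_OK = 0, GB_ERR_RANGE = -1, GB_ERR_UNALLOCATED = -2 };

/* Copy rows [y, y + h) of the raster into dst. The first test is the
 * allocation check: with no raster memory the read is refused, where an
 * unchecked implementation would dereference NULL (the zero-page READ the
 * ASAN report above shows). The remaining checks keep the copy in bounds. */
int get_bits_rectangle(const mem_device_t *dev, int y, int h,
                       uint8_t *dst, size_t dst_len)
{
    if (dev->base == NULL)
        return GB_ERR_UNALLOCATED;
    if (y < 0 || h < 0 || y + h > dev->height)
        return GB_ERR_RANGE;
    if ((size_t)h * dev->raster > dst_len)
        return GB_ERR_RANGE;
    memcpy(dst, dev->base + (size_t)y * dev->raster, (size_t)h * dev->raster);
    return GB_OK;
}

/* Constructed scenario 1: device whose raster memory was never allocated. */
int demo_unallocated(void)
{
    mem_device_t dev = { .width = 8, .height = 4, .raster = 1, .base = NULL };
    uint8_t out[4];
    return get_bits_rectangle(&dev, 0, 4, out, sizeof out);  /* GB_ERR_UNALLOCATED */
}

/* Constructed scenario 2: allocated 1-bit device, 8 px wide, 4 rows.
 * Reads rows 2 and 3 and returns the first byte of row 2. */
int demo_allocated(void)
{
    uint8_t raster[4] = { 0x00, 0xFF, 0xA5, 0x0F };
    mem_device_t dev = { .width = 8, .height = 4, .raster = 1, .base = raster };
    uint8_t out[2];
    if (get_bits_rectangle(&dev, 2, 2, out, sizeof out) != GB_OK)
        return -1;
    return out[0];  /* 0xA5 */
}

/* Constructed scenario 3: allocated device, but the requested rows run
 * past the end of the raster; rejected without touching memory. */
int demo_out_of_range(void)
{
    uint8_t raster[4] = { 0 };
    mem_device_t dev = { .width = 8, .height = 4, .raster = 1, .base = raster };
    uint8_t out[8];
    return get_bits_rectangle(&dev, 3, 2, out, sizeof out);  /* GB_ERR_RANGE */
}

int main(void)
{
    printf("unallocated device: %d\n", demo_unallocated());
    printf("allocated device, row 2 byte: 0x%02X\n", demo_allocated());
    printf("out-of-range request: %d\n", demo_out_of_range());
    return 0;
}
```

The allocation check comes before any arithmetic on the pointer so that a caller reaching the routine through the interpreter (as zgetbitsrect does in the trace) gets an error code back rather than a fault.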