Bug 697676 - Null pointer dereference in mem_get_bits_rectangle()
Summary: Null pointer dereference in mem_get_bits_rectangle()
Status: RESOLVED FIXED
Alias: None
Product: Ghostscript
Classification: Unclassified
Component: Graphics Library (show other bugs)
Version: master
Hardware: PC Linux
: P4 normal
Assignee: Default assignee
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-03-19 05:48 UTC by Kamil Frankowicz
Modified: 2017-03-20 02:48 UTC (History)
0 users

See Also:
Customer:
Word Size: ---


Attachments
POC to trigger null pointer dereference (gs) (221 bytes, text/plain)
2017-03-19 05:48 UTC, Kamil Frankowicz
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Kamil Frankowicz 2017-03-19 05:48:00 UTC
Created attachment 13476 [details]
POC to trigger null pointer dereference (gs)

After some fuzz testing I found a crashing test case.

Git HEAD: 917b4e28c37d5e9ac3a605658f51b29a2357ab28

Command: gs -dNOPAUSE -sDEVICE=bit -sOUTPUTFILE=/dev/null -dSAFER gs_null_ptr_mem_get_bits_rectangle -c quit

ASAN:

==29304==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000018c2558 bp 0x7ffe51c3bff0 sp 0x7ffe51c3bca0 T0)
==29304==The signal is caused by a READ memory access.
==29304==Hint: address points to the zero page.
    #0 0x18c2557 in mem_get_bits_rectangle /XYZ/ghostpdl/./base/gdevmem.c:633:69
    #1 0x1b1521c in zgetbitsrect /XYZ/ghostpdl/./psi/zdevice.c:184:12
    #2 0x1a14be7 in interp /XYZ/ghostpdl/./psi/interp.c:1584:40
    #3 0x1a14be7 in gs_call_interp /XYZ/ghostpdl/./psi/interp.c:517
    #4 0x1a14be7 in gs_interpret /XYZ/ghostpdl/./psi/interp.c:474
    #5 0x19e7822 in gs_main_interpret /XYZ/ghostpdl/./psi/imain.c:247:12
    #6 0x19e7822 in gs_main_run_string_end /XYZ/ghostpdl/./psi/imain.c:665
    #7 0x19e7822 in gs_main_run_string_with_length /XYZ/ghostpdl/./psi/imain.c:623
    #8 0x19f380e in run_string /XYZ/ghostpdl/./psi/imainarg.c:979:16
    #9 0x19f380e in runarg /XYZ/ghostpdl/./psi/imainarg.c:969
    #10 0x19f2c68 in argproc /XYZ/ghostpdl/./psi/imainarg.c:902:16
    #11 0x19eb753 in gs_main_init_with_args /XYZ/ghostpdl/./psi/imainarg.c:238:24
    #12 0x547608 in main /XYZ/ghostpdl/./psi/gs.c:96:16
    #13 0x7f492165482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #14 0x47ba38 in _start (/usr/local/bin/gs+0x47ba38)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /XYZ/ghostpdl/./base/gdevmem.c:633:69 in mem_get_bits_rectangle
==29304==ABORTING
Comment 1 Ken Sharp 2017-03-20 02:48:29 UTC
Commit 309eca4e0a31ea70dcc844812691439312dad091 checks the device's raster memory to see if it has been allocated before attempting to read from it.