Bug 697810 - Out of bounds read in mark_line_tr()
Summary: Out of bounds read in mark_line_tr()
Alias: None
Product: Ghostscript
Classification: Unclassified
Component: Graphics Library (show other bugs)
Version: master
Hardware: PC Linux
: P1 normal
Assignee: Robin Watts
QA Contact: Bug traffic
Depends on:
Reported: 2017-04-29 06:04 UTC by Kamil Frankowicz
Modified: 2017-06-02 07:04 UTC (History)
2 users (show)

See Also:
Word Size: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Kamil Frankowicz 2017-04-29 06:04:37 UTC
Created attachment 13629 [details]
POC to trigger out of bounds read (gs)

After some fuzz testing I found a crashing test case.

Git Head: 04b37bbce174eed24edec7ad5b920eb93db4d47d

Command: gs -dNOPAUSE -sDEVICE=bit -sOUTPUTFILE=/dev/null -dSAFER gs_oobr_mark_line_tr -c quit


==14081==ERROR: AddressSanitizer: SEGV on unknown address 0x6311178a3868 (pc 0x00000192041c bp 0x62a00028a078 sp 0x7ffcdf457340 T0)
==14081==The signal is caused by a READ memory access.
    #0 0x192041b in mark_line_tr XYZ/ghostpdl/./base/gxscanc.c:2185:29
    #1 0x191f1b4 in gx_scan_convert_tr XYZ/ghostpdl/./base/gxscanc.c:2359:25
    #2 0x17a6513 in gx_general_fill_path XYZ/ghostpdl/./base/gxfill.c:482:24
    #3 0x17a6513 in gx_default_fill_path XYZ/ghostpdl/./base/gxfill.c:702
    #4 0x1839bf1 in gx_fill_path XYZ/ghostpdl/./base/gxpaint.c:52:12
    #5 0x1491e52 in do_fill XYZ/ghostpdl/./base/gspaint.c:319:12
    #6 0x1491e52 in fill_with_rule XYZ/ghostpdl/./base/gspaint.c:353
    #7 0x14ca8c8 in gs_fapi_finish_render XYZ/ghostpdl/./base/gxfapi.c:1066:24
    #8 0x14d4faa in gs_fapi_do_char XYZ/ghostpdl/./base/gxfapi.c:1682:16
    #9 0x1bc8fce in FAPI_char XYZ/ghostpdl/./psi/zfapi.c:2358:13
    #10 0x1a29dee in interp XYZ/ghostpdl/./psi/interp.c:1320:40
    #11 0x1a29dee in gs_call_interp XYZ/ghostpdl/./psi/interp.c:517
    #12 0x1a29dee in gs_interpret XYZ/ghostpdl/./psi/interp.c:474
    #13 0x19fcab2 in gs_main_interpret XYZ/ghostpdl/./psi/imain.c:247:12
    #14 0x19fcab2 in gs_main_run_string_end XYZ/ghostpdl/./psi/imain.c:665
    #15 0x19fcab2 in gs_main_run_string_with_length XYZ/ghostpdl/./psi/imain.c:623
    #16 0x1a08c1e in run_string XYZ/ghostpdl/./psi/imainarg.c:983:16
    #17 0x1a08c1e in runarg XYZ/ghostpdl/./psi/imainarg.c:973
    #18 0x1a08078 in argproc XYZ/ghostpdl/./psi/imainarg.c:906:16
    #19 0x1a00a93 in gs_main_init_with_args XYZ/ghostpdl/./psi/imainarg.c:238:24
    #20 0x547608 in main XYZ/ghostpdl/./psi/gs.c:96:16
    #21 0x7ffa44c6d82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #22 0x47ba38 in _start (/usr/local/bin/gs+0x47ba38)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV XYZ/ghostpdl/./base/gxscanc.c:2185:29 in mark_line_tr
Comment 1 Robin Watts 2017-05-10 08:24:20 UTC
I cannot reproduce this problem. I've tried 2 different linux boxes, with and without address sanitizer and valgrind.

Can you give me some more information as to what sort of box you were running on please? (32 or 64bit?)

Does it still exhibit with todays fixes in?

Comment 2 Kamil Frankowicz 2017-05-10 10:02:12 UTC
My OS: Ubuntu 16.04 x64
Compiler: Clang 4.0

I tested POC against 1a624d1bfa1e63ceab87f5e4e22c3daffa2d0f01 and all went fine :)
Comment 3 Robin Watts 2017-05-10 12:26:44 UTC
Comment 4 jsegitz 2017-06-02 07:04:18 UTC
We would like to have the reproducer to test our updates. Can you please make it public or sent it to me (jsegitz at suse dot de). Thank you.

Also do you know which commit fixes this? Our maintainer is betting on 1a624d1bfa1e63ceab87f5e4e22c3daffa2d0f01, 
210893fb2b271717957fcca4e6c049494024cc9d or b38f2cb37b7bf469b36ac52b62c4aab6ccf55b6b