Created attachment 13773 [details] PoC POC to trigger heap buffer overflow (gxps) I found a crashing test case. Please confirm. Version 9.22 and Git Head: f6507e828ddfe1f60645bc925bff9bedfdb306ce OS: Ubuntu 16.04.2 x86_64 Command: ./gxps -sDEVICE=pdfwrite -sOutputFile=/dev/null -dNOPAUSE $FILE --------------- GDB out: --------------- [──────────────────────────────────REGISTERS───────────────────────────────────] *RAX 0x4c07f1 (Project_y) <- push rbp *RBX 0x15e4144 <- 0x0 *RCX 0x132c0 *RDX 0x16506c0 *RDI 0x15aa120 -> 0x15aa6c0 -> 0x15aef68 -> 0x4ca5da (gx_ttfReader__Eof) <- ... *RSI 0x15fb1c0 <- 0x1554000000000 *R8 0x7fffffffbb78 <- 0xffff0000015a060e *R9 0x68a0 *R10 0x6890 *R11 0x7ffff7478390 <- scasd eax, dword ptr [rdi] *R12 0x460ea0 (_start) <- xor ebp, ebp *R13 0x7fffffffdd30 <- 0x5 R14 0x0 R15 0x0 *RBP 0x7fffffffba10 -> 0x7fffffffbb10 -> 0x7fffffffbb40 -> 0x7fffffffbd50 <- ... *RSP 0x7fffffffb9d0 -> 0x15e3ba0 <- 0x4 *RIP 0x4c51fe (Ins_MIRP+642) <- mov edx, dword ptr [rdx] [────────────────────────────────────DISASM────────────────────────────────────] ► 0x4c51fe <Ins_MIRP+642> mov edx, dword ptr [rdx] 0x4c5200 <Ins_MIRP+644> mov edi, ecx 0x4c5202 <Ins_MIRP+646> sub edi, edx 0x4c5204 <Ins_MIRP+648> mov rdx, qword ptr [rbp - 0x38] 0x4c5208 <Ins_MIRP+652> mov rdx, qword ptr [rdx + 0x2b8] 0x4c520f <Ins_MIRP+659> mov ecx, dword ptr [rbp - 0x20] 0x4c5212 <Ins_MIRP+662> movsxd rcx, ecx 0x4c5215 <Ins_MIRP+665> shl rcx, 2 0x4c5219 <Ins_MIRP+669> add rdx, rcx 0x4c521c <Ins_MIRP+672> mov ecx, dword ptr [rdx] 0x4c521e <Ins_MIRP+674> mov rdx, qword ptr [rbp - 0x38] [────────────────────────────────────SOURCE────────────────────────────────────] 3895 3896 CUR.zp1.cur_x[point] = CUR.zp1.org_x[point]; 3897 CUR.zp1.cur_y[point] = CUR.zp1.org_y[point]; 3898 } 3899 3900 org_dist = CUR_Func_dualproj( CUR.zp1.org_x[point] - <-- Vulnerability 3901 CUR.zp0.org_x[CUR.GS.rp0], 3902 CUR.zp1.org_y[point] - 3903 CUR.zp0.org_y[CUR.GS.rp0] ); 3904 
[────────────────────────────────────STACK─────────────────────────────────────] 00:0000│ rsp 0x7fffffffb9d0 -> 0x15e3ba0 <- 0x4 01:0008│ 0x7fffffffb9d8 -> 0x15aa120 -> 0x15aa6c0 -> 0x15aef68 <- ... 02:0010│ 0x7fffffffb9e0 -> 0x7fffffffba10 -> 0x7fffffffbb10 -> 0x7fffffffbb40 <- ... 03:0018│ 0x7fffffffb9e8 <- 0x0 04:0020│ 0x7fffffffb9f0 <- 0x4 05:0028│ 0x7fffffffb9f8 -> 0x15aa120 -> 0x15aa6c0 -> 0x15aef68 <- ... 06:0030│ 0x7fffffffba00 -> 0x15e4144 <- 0x0 07:0038│ 0x7fffffffba08 -> 0x460ea0 (_start) <- xor ebp, ebp [──────────────────────────────────BACKTRACE───────────────────────────────────] ► f 0 4c51fe Ins_MIRP+642 f 1 4c7112 RunIns+1489 f 2 4c905b Context_Run+555 f 3 4bd8df ttfOutliner__BuildGlyphOutlineAux+7250 f 4 4bdb7f ttfOutliner__BuildGlyphOutline+147 f 5 4beb08 ttfOutliner__Outline+238 f 6 4cc91f gx_ttf_outline+619 f 7 4b8e3c append_outline_fitted+111 f 8 4b7ecd gs_type42_glyph_outline+478 f 9 8c7f76 gs_default_glyph_info+314 f 10 4b803f gs_type42_glyph_info_by_gid+141 [────────BACKTRACE───────────────────] #0 0x00000000004c51fe in Ins_MIRP (exc=0x15aa120, args=0x15e3ba0) at ./base/ttinterp.c:3900 #1 0x00000000004c7112 in RunIns (exc=0x15aa120) at ./base/ttinterp.c:5032 #2 0x00000000004c905b in Context_Run (exec=0x15aa120, debug=0) at ./base/ttobjs.c:457 #3 0x00000000004bd8df in ttfOutliner__BuildGlyphOutlineAux (self=0x7fffffffbf20, glyphIndex=36, m_orig=0x7fffffffbd80, gOutline=0x7fffffffbf58) at ./base/ttfmain.c:827 #4 0x00000000004bdb7f in ttfOutliner__BuildGlyphOutline (self=0x7fffffffbf20, glyphIndex=36, orig_x=0, orig_y=0, gOutline=0x7fffffffbf58) at ./base/ttfmain.c:874 #5 0x00000000004beb08 in ttfOutliner__Outline (self=0x7fffffffbf20, glyphIndex=36, orig_x=0, orig_y=0, m1=0x7fffffffbe90) at ./base/ttfmain.c:1033 #6 0x00000000004cc91f in gx_ttf_outline (ttf=0x15eea30, r=0x15aef68, pfont=0x15f30c8, glyph_index=36, m=0x7fffffffc400, pscale=0x7fffffffc080, path=0x7fffffffc180, design_grid=1) at ./base/gxttfb.c:787 #7 0x00000000004b8e3c in 
append_outline_fitted (glyph_index=36, pmat=0x7fffffffc400, ppath=0x7fffffffc180, pair=0x15ddf78, pscale=0x7fffffffc080, design_grid=1) at ./base/gstype42.c:1595 #8 0x00000000004b7ecd in gs_type42_glyph_outline (font=0x15f30c8, WMode=0, glyph=36, pmat=0x7fffffffc400, ppath=0x7fffffffc180, sbw=0x7fffffffc200) at ./base/gstype42.c:991 #9 0x00000000008c7f76 in gs_default_glyph_info (font=0x15f30c8, glyph=36, pmat=0x7fffffffc400, members=4, info=0x7fffffffc4e0) at ./base/gsfont.c:1036 #10 0x00000000004b803f in gs_type42_glyph_info_by_gid (font=0x15f30c8, glyph=36, pmat=0x7fffffffc400, members=13, info=0x7fffffffc4e0, glyph_index=36) at ./base/gstype42.c:1017 #11 0x00000000004b8401 in gs_type42_glyph_info (font=0x15f30c8, glyph=36, pmat=0x7fffffffc400, members=13, info=0x7fffffffc4e0) at ./base/gstype42.c:1088 #12 0x00000000007786b4 in pdf_compute_font_descriptor (pdev=0x15cc6e8, pfd=0x15f6128) at ./devices/vector/gdevpdtd.c:457 #13 0x0000000000779109 in pdf_finish_FontDescriptor (pdev=0x15cc6e8, pres=0x15f6128) at ./devices/vector/gdevpdtd.c:636 #14 0x0000000000793de3 in pdf_finish_resources (pdev=0x15cc6e8, type=resourceFontDescriptor, finish_proc=0x779090 <pdf_finish_FontDescriptor>) at ./devices/vector/gdevpdtw.c:677 #15 0x000000000071262a in do_pdf_close (dev=0x15cc6e8) at ./devices/vector/gdevpdf.c:2569 #16 0x00000000007150d6 in pdf_close (dev=0x15cc6e8) at ./devices/vector/gdevpdf.c:3281 #17 0x00000000008ba0be in gs_closedevice (dev=0x15cc6e8) at ./base/gsdevice.c:720 #18 0x0000000000aee98e in pl_main_universe_dnit (universe=0x15a23b8, mem=0x15a17a0) at ./pcl/pl/plmain.c:557 #19 0x0000000000aee5dd in pl_main_delete_instance (minst=0x15a1930) at ./pcl/pl/plmain.c:436 #20 0x0000000000a4662d in plapi_delete_instance (lib=0x15a11d0) at ./pcl/pl/plapi.c:89 #21 0x0000000000aedb60 in main (argc=5, argv=0x7fffffffdd38) at ./pcl/pl/realmain.c:50 #22 0x00007ffff7304830 in __libc_start_main (main=0xaeda69 <main>, argc=5, argv=0x7fffffffdd38, init=<optimized out>, 
fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffdd28) at ../csu/libc-start.c:291 #23 0x0000000000460ec9 in _start () --------------- ASan out: --------------- ================================================================= ==2414==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6310000b49d0 at pc 0x00000054ff14 bp 0x7ffe886dd5d0 sp 0x7ffe886dd5c0 READ of size 4 at 0x6310000b49d0 thread T0 #0 0x54ff13 in Ins_MIRP base/ttinterp.c:3900 #1 0x556503 in RunIns base/ttinterp.c:5032 #2 0x55c9a1 in Context_Run base/ttobjs.c:457 #3 0x537dc5 in ttfOutliner__BuildGlyphOutlineAux base/ttfmain.c:827 #4 0x538466 in ttfOutliner__BuildGlyphOutline base/ttfmain.c:874 #5 0x53aab1 in ttfOutliner__Outline base/ttfmain.c:1033 #6 0x567314 in gx_ttf_outline base/gxttfb.c:787 #7 0x52c811 in append_outline_fitted base/gstype42.c:1595 #8 0x52a3d2 in gs_type42_glyph_outline base/gstype42.c:991 #9 0xf3c43b in gs_default_glyph_info base/gsfont.c:1036 #10 0x52a783 in gs_type42_glyph_info_by_gid base/gstype42.c:1017 #11 0x52ae85 in gs_type42_glyph_info base/gstype42.c:1088 #12 0xc22569 in pdf_compute_font_descriptor devices/vector/gdevpdtd.c:457 #13 0xc236c9 in pdf_finish_FontDescriptor devices/vector/gdevpdtd.c:636 #14 0xc66550 in pdf_finish_resources devices/vector/gdevpdtw.c:677 #15 0xb3c918 in do_pdf_close devices/vector/gdevpdf.c:2569 #16 0xb42674 in pdf_close devices/vector/gdevpdf.c:3281 #17 0xf1c525 in gs_closedevice base/gsdevice.c:720 #18 0x14aaadf in pl_main_universe_dnit pcl/pl/plmain.c:557 #19 0x14aa339 in pl_main_delete_instance pcl/pl/plmain.c:436 #20 0x1317967 in plapi_delete_instance pcl/pl/plapi.c:89 #21 0x14a9095 in main pcl/pl/realmain.c:50 #22 0x7f51c26ff82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) #23 0x461a48 in _start (/home/karas/gwanyeong/ghostpdl/debugbin/gxps+0x461a48) AddressSanitizer can not describe address in more detail (wild memory access suspected). 
SUMMARY: AddressSanitizer: heap-buffer-overflow base/ttinterp.c:3900 Ins_MIRP Shadow bytes around the buggy address: 0x0c628000e8e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c628000e8f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c628000e900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c628000e910: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c628000e920: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa =>0x0c628000e930: fa fa fa fa fa fa fa fa fa fa[fa]fa fa fa fa fa 0x0c628000e940: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c628000e950: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c628000e960: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c628000e970: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c628000e980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe ==2414==ABORTING
Fixed in commit c7c559727: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=c7c559727
This issue (heap-buffer-overflow read in Ins_MIRP, base/ttinterp.c:3900) was assigned CVE-2017-9611.