Bug 698024 - heap-buffer-overflow in Ins_MIRP(base/ttinterp.c)
Summary: heap-buffer-overflow in Ins_MIRP(base/ttinterp.c)
Status: RESOLVED FIXED
Alias: None
Product: GhostXPS
Classification: Unclassified
Component: General (show other bugs)
Version: unspecified
Hardware: PC Linux
Importance: P4 normal
Assignee: Chris Liddell (chrisl)
QA Contact: gs-security
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-06-12 04:21 UTC by Kim Gwan Yeong
Modified: 2017-07-25 04:19 UTC (History)
0 users

See Also:
Customer:
Word Size: ---


Attachments
PoC (37.22 KB, application/zip)
2017-06-12 04:21 UTC, Kim Gwan Yeong

Description Kim Gwan Yeong 2017-06-12 04:21:40 UTC
Created attachment 13773 [details]
PoC

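PoC that triggers a heap-buffer-overflow in gxps. ASan (output below) reports it as an out-of-bounds READ of size 4 in Ins_MIRP at base/ttinterp.c:3900. Judging from the disassembly, the faulting load appears to be the second operand of the subtraction, CUR.zp0.org_x[CUR.GS.rp0], so the reference-point index is presumably used without being checked against the size of the zone.

I found a crashing test case (attached).

Please confirm.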

Version: 9.22 and Git HEAD f6507e828ddfe1f60645bc925bff9bedfdb306ce

OS: Ubuntu 16.04.2 x86_64

Command: ./gxps -sDEVICE=pdfwrite -sOutputFile=/dev/null -dNOPAUSE $FILE


---------------
GDB out:
---------------
[──────────────────────────────────REGISTERS───────────────────────────────────]
*RAX  0x4c07f1 (Project_y) <- push   rbp
*RBX  0x15e4144 <- 0x0
*RCX  0x132c0
*RDX  0x16506c0
*RDI  0x15aa120 -> 0x15aa6c0 -> 0x15aef68 -> 0x4ca5da (gx_ttfReader__Eof) <- ...
*RSI  0x15fb1c0 <- 0x1554000000000
*R8   0x7fffffffbb78 <- 0xffff0000015a060e
*R9   0x68a0
*R10  0x6890
*R11  0x7ffff7478390 <- scasd  eax, dword ptr [rdi]
*R12  0x460ea0 (_start) <- xor    ebp, ebp
*R13  0x7fffffffdd30 <- 0x5
 R14  0x0
 R15  0x0
*RBP  0x7fffffffba10 -> 0x7fffffffbb10 -> 0x7fffffffbb40 -> 0x7fffffffbd50 <- ...
*RSP  0x7fffffffb9d0 -> 0x15e3ba0 <- 0x4
*RIP  0x4c51fe (Ins_MIRP+642) <- mov    edx, dword ptr [rdx]
[────────────────────────────────────DISASM────────────────────────────────────]
 ► 0x4c51fe <Ins_MIRP+642>    mov    edx, dword ptr [rdx]
   0x4c5200 <Ins_MIRP+644>    mov    edi, ecx
   0x4c5202 <Ins_MIRP+646>    sub    edi, edx
   0x4c5204 <Ins_MIRP+648>    mov    rdx, qword ptr [rbp - 0x38]
   0x4c5208 <Ins_MIRP+652>    mov    rdx, qword ptr [rdx + 0x2b8]
   0x4c520f <Ins_MIRP+659>    mov    ecx, dword ptr [rbp - 0x20]
   0x4c5212 <Ins_MIRP+662>    movsxd rcx, ecx
   0x4c5215 <Ins_MIRP+665>    shl    rcx, 2
   0x4c5219 <Ins_MIRP+669>    add    rdx, rcx
   0x4c521c <Ins_MIRP+672>    mov    ecx, dword ptr [rdx]
   0x4c521e <Ins_MIRP+674>    mov    rdx, qword ptr [rbp - 0x38]
[────────────────────────────────────SOURCE────────────────────────────────────]
3895	
3896	      CUR.zp1.cur_x[point] = CUR.zp1.org_x[point];
3897	      CUR.zp1.cur_y[point] = CUR.zp1.org_y[point];
3898	    }
3899	
3900	      org_dist = CUR_Func_dualproj( CUR.zp1.org_x[point] -  <-- crash site: out-of-bounds read
3901	                                    CUR.zp0.org_x[CUR.GS.rp0],
3902	                                  CUR.zp1.org_y[point] -
3903	                                    CUR.zp0.org_y[CUR.GS.rp0] );
3904	
[────────────────────────────────────STACK─────────────────────────────────────]
00:0000│ rsp  0x7fffffffb9d0 -> 0x15e3ba0 <- 0x4
01:0008│      0x7fffffffb9d8 -> 0x15aa120 -> 0x15aa6c0 -> 0x15aef68 <- ...
02:0010│      0x7fffffffb9e0 -> 0x7fffffffba10 -> 0x7fffffffbb10 -> 0x7fffffffbb40 <- ...
03:0018│      0x7fffffffb9e8 <- 0x0
04:0020│      0x7fffffffb9f0 <- 0x4
05:0028│      0x7fffffffb9f8 -> 0x15aa120 -> 0x15aa6c0 -> 0x15aef68 <- ...
06:0030│      0x7fffffffba00 -> 0x15e4144 <- 0x0
07:0038│      0x7fffffffba08 -> 0x460ea0 (_start) <- xor    ebp, ebp
[──────────────────────────────────BACKTRACE───────────────────────────────────]
 ► f 0           4c51fe Ins_MIRP+642
   f 1           4c7112 RunIns+1489
   f 2           4c905b Context_Run+555
   f 3           4bd8df ttfOutliner__BuildGlyphOutlineAux+7250
   f 4           4bdb7f ttfOutliner__BuildGlyphOutline+147
   f 5           4beb08 ttfOutliner__Outline+238
   f 6           4cc91f gx_ttf_outline+619
   f 7           4b8e3c append_outline_fitted+111
   f 8           4b7ecd gs_type42_glyph_outline+478
   f 9           8c7f76 gs_default_glyph_info+314
   f 10           4b803f gs_type42_glyph_info_by_gid+141
[────────BACKTRACE───────────────────]
#0  0x00000000004c51fe in Ins_MIRP (exc=0x15aa120, args=0x15e3ba0) at ./base/ttinterp.c:3900
#1  0x00000000004c7112 in RunIns (exc=0x15aa120) at ./base/ttinterp.c:5032
#2  0x00000000004c905b in Context_Run (exec=0x15aa120, debug=0) at ./base/ttobjs.c:457
#3  0x00000000004bd8df in ttfOutliner__BuildGlyphOutlineAux (self=0x7fffffffbf20, glyphIndex=36, m_orig=0x7fffffffbd80, gOutline=0x7fffffffbf58) at ./base/ttfmain.c:827
#4  0x00000000004bdb7f in ttfOutliner__BuildGlyphOutline (self=0x7fffffffbf20, glyphIndex=36, orig_x=0, orig_y=0, gOutline=0x7fffffffbf58) at ./base/ttfmain.c:874
#5  0x00000000004beb08 in ttfOutliner__Outline (self=0x7fffffffbf20, glyphIndex=36, orig_x=0, orig_y=0, m1=0x7fffffffbe90) at ./base/ttfmain.c:1033
#6  0x00000000004cc91f in gx_ttf_outline (ttf=0x15eea30, r=0x15aef68, pfont=0x15f30c8, glyph_index=36, m=0x7fffffffc400, pscale=0x7fffffffc080, path=0x7fffffffc180, design_grid=1) at ./base/gxttfb.c:787
#7  0x00000000004b8e3c in append_outline_fitted (glyph_index=36, pmat=0x7fffffffc400, ppath=0x7fffffffc180, pair=0x15ddf78, pscale=0x7fffffffc080, design_grid=1) at ./base/gstype42.c:1595
#8  0x00000000004b7ecd in gs_type42_glyph_outline (font=0x15f30c8, WMode=0, glyph=36, pmat=0x7fffffffc400, ppath=0x7fffffffc180, sbw=0x7fffffffc200) at ./base/gstype42.c:991
#9  0x00000000008c7f76 in gs_default_glyph_info (font=0x15f30c8, glyph=36, pmat=0x7fffffffc400, members=4, info=0x7fffffffc4e0) at ./base/gsfont.c:1036
#10 0x00000000004b803f in gs_type42_glyph_info_by_gid (font=0x15f30c8, glyph=36, pmat=0x7fffffffc400, members=13, info=0x7fffffffc4e0, glyph_index=36) at ./base/gstype42.c:1017
#11 0x00000000004b8401 in gs_type42_glyph_info (font=0x15f30c8, glyph=36, pmat=0x7fffffffc400, members=13, info=0x7fffffffc4e0) at ./base/gstype42.c:1088
#12 0x00000000007786b4 in pdf_compute_font_descriptor (pdev=0x15cc6e8, pfd=0x15f6128) at ./devices/vector/gdevpdtd.c:457
#13 0x0000000000779109 in pdf_finish_FontDescriptor (pdev=0x15cc6e8, pres=0x15f6128) at ./devices/vector/gdevpdtd.c:636
#14 0x0000000000793de3 in pdf_finish_resources (pdev=0x15cc6e8, type=resourceFontDescriptor, finish_proc=0x779090 <pdf_finish_FontDescriptor>) at ./devices/vector/gdevpdtw.c:677
#15 0x000000000071262a in do_pdf_close (dev=0x15cc6e8) at ./devices/vector/gdevpdf.c:2569
#16 0x00000000007150d6 in pdf_close (dev=0x15cc6e8) at ./devices/vector/gdevpdf.c:3281
#17 0x00000000008ba0be in gs_closedevice (dev=0x15cc6e8) at ./base/gsdevice.c:720
#18 0x0000000000aee98e in pl_main_universe_dnit (universe=0x15a23b8, mem=0x15a17a0) at ./pcl/pl/plmain.c:557
#19 0x0000000000aee5dd in pl_main_delete_instance (minst=0x15a1930) at ./pcl/pl/plmain.c:436
#20 0x0000000000a4662d in plapi_delete_instance (lib=0x15a11d0) at ./pcl/pl/plapi.c:89
#21 0x0000000000aedb60 in main (argc=5, argv=0x7fffffffdd38) at ./pcl/pl/realmain.c:50
#22 0x00007ffff7304830 in __libc_start_main (main=0xaeda69 <main>, argc=5, argv=0x7fffffffdd38, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffdd28) at ../csu/libc-start.c:291
#23 0x0000000000460ec9 in _start ()
---------------
ASan out:
---------------
=================================================================
==2414==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6310000b49d0 at pc 0x00000054ff14 bp 0x7ffe886dd5d0 sp 0x7ffe886dd5c0
READ of size 4 at 0x6310000b49d0 thread T0
    #0 0x54ff13 in Ins_MIRP base/ttinterp.c:3900
    #1 0x556503 in RunIns base/ttinterp.c:5032
    #2 0x55c9a1 in Context_Run base/ttobjs.c:457
    #3 0x537dc5 in ttfOutliner__BuildGlyphOutlineAux base/ttfmain.c:827
    #4 0x538466 in ttfOutliner__BuildGlyphOutline base/ttfmain.c:874
    #5 0x53aab1 in ttfOutliner__Outline base/ttfmain.c:1033
    #6 0x567314 in gx_ttf_outline base/gxttfb.c:787
    #7 0x52c811 in append_outline_fitted base/gstype42.c:1595
    #8 0x52a3d2 in gs_type42_glyph_outline base/gstype42.c:991
    #9 0xf3c43b in gs_default_glyph_info base/gsfont.c:1036
    #10 0x52a783 in gs_type42_glyph_info_by_gid base/gstype42.c:1017
    #11 0x52ae85 in gs_type42_glyph_info base/gstype42.c:1088
    #12 0xc22569 in pdf_compute_font_descriptor devices/vector/gdevpdtd.c:457
    #13 0xc236c9 in pdf_finish_FontDescriptor devices/vector/gdevpdtd.c:636
    #14 0xc66550 in pdf_finish_resources devices/vector/gdevpdtw.c:677
    #15 0xb3c918 in do_pdf_close devices/vector/gdevpdf.c:2569
    #16 0xb42674 in pdf_close devices/vector/gdevpdf.c:3281
    #17 0xf1c525 in gs_closedevice base/gsdevice.c:720
    #18 0x14aaadf in pl_main_universe_dnit pcl/pl/plmain.c:557
    #19 0x14aa339 in pl_main_delete_instance pcl/pl/plmain.c:436
    #20 0x1317967 in plapi_delete_instance pcl/pl/plapi.c:89
    #21 0x14a9095 in main pcl/pl/realmain.c:50
    #22 0x7f51c26ff82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #23 0x461a48 in _start (/home/karas/gwanyeong/ghostpdl/debugbin/gxps+0x461a48)

AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: heap-buffer-overflow base/ttinterp.c:3900 Ins_MIRP
Shadow bytes around the buggy address:
  0x0c628000e8e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c628000e8f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c628000e900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c628000e910: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c628000e920: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c628000e930: fa fa fa fa fa fa fa fa fa fa[fa]fa fa fa fa fa
  0x0c628000e940: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c628000e950: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c628000e960: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c628000e970: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c628000e980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==2414==ABORTING
Comment 1 Chris Liddell (chrisl) 2017-06-13 07:52:59 UTC
Fixed:
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=c7c559727
Comment 2 Kim Gwan Yeong 2017-06-15 16:49:00 UTC
This was assigned CVE-2017-9611