Bug 698042 - heap-buffer-overflow in xps_true_callback_glyph_name(xps/xpsttf.c)
Summary: heap-buffer-overflow in xps_true_callback_glyph_name(xps/xpsttf.c)
Alias: None
Product: GhostXPS
Classification: Unclassified
Component: General (show other bugs)
Version: unspecified
Hardware: PC Linux
: P4 normal
Assignee: Chris Liddell (chrisl)
QA Contact: gs-security
Depends on:
Reported: 2017-06-13 18:33 UTC by Kim Gwan Yeong
Modified: 2017-07-25 04:19 UTC (History)

See Also:
Word Size: ---

PoC File (37.22 KB, application/zip)
2017-06-13 18:33 UTC, Kim Gwan Yeong

Description Kim Gwan Yeong 2017-06-13 18:33:40 UTC
Created attachment 13783 [details]
PoC File

POC to trigger heap buffer overflow (gxps)

I am seeing an issue similar to Bug 698025.

The crashing function is the same, but the source code location is different.

Please confirm.

Version 9.22 and Git Head: fe61712d5157066212d0fcee79b129d6ddcbd251

OS: Ubuntu 16.04.2 32bit

Command: ./gxps -sDEVICE=pdfwrite -sOutputFile=/dev/null -dNOPAUSE $FILE

Program received signal SIGSEGV, Segmentation fault.
EAX: 0x88e4c162
EBX: 0x20 (' ')
ECX: 0xbfffbb40 --> 0x8e4c140 --> 0x200
EDX: 0x80000022
ESI: 0xb7f42000 --> 0x1b1db0
EDI: 0xb7f42000 --> 0x1b1db0
EBP: 0xbfffbb08 --> 0xbfffbb88 --> 0xbfffbc48 --> 0xbfffbd88 --> 0xbfffbda8 --> 0xbfffbdf8 (--> ...)
ESP: 0xbfffbb08 --> 0xbfffbb88 --> 0xbfffbc48 --> 0xbfffbd88 --> 0xbfffbda8 --> 0xbfffbdf8 (--> ...)
EIP: 0x85e9a13 (<u16+6>:        movzx  eax,BYTE PTR [eax])
EFLAGS: 0x10296 (carry PARITY ADJUST zero SIGN trap INTERRUPT direction overflow)
   0x85e9a0d <u16>:     push   ebp
   0x85e9a0e <u16+1>:   mov    ebp,esp
   0x85e9a10 <u16+3>:   mov    eax,DWORD PTR [ebp+0x8]
=> 0x85e9a13 <u16+6>:   movzx  eax,BYTE PTR [eax]
   0x85e9a16 <u16+9>:   movzx  eax,al
   0x85e9a19 <u16+12>:  shl    eax,0x8
   0x85e9a1c <u16+15>:  mov    edx,eax
   0x85e9a1e <u16+17>:  mov    eax,DWORD PTR [ebp+0x8]
0000| 0xbfffbb08 --> 0xbfffbb88 --> 0xbfffbc48 --> 0xbfffbd88 --> 0xbfffbda8 --> 0xbfffbdf8 (--> ...)
0004| 0xbfffbb0c --> 0x85e9d56 (<xps_true_callback_glyph_name+492>:     add    esp,0x10)
0008| 0xbfffbb10 --> 0x88e4c162
0012| 0xbfffbb14 --> 0xedc
0016| 0xbfffbb18 --> 0x20 (' ')
0020| 0xbfffbb1c --> 0xbfffbb40 --> 0x8e4c140 --> 0x200
0024| 0xbfffbb20 --> 0x8e563a0 --> 0x8eb2574 --> 0x0
0028| 0xbfffbb24 --> 0x0
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x085e9a13 in u16 (p=0x88e4c162 <error: Cannot access memory at address 0x88e4c162>)
    at ./xps/xpsttf.c:30
30              return (p[0] << 8) | p[1];
gdb-peda$ bt
#0  0x085e9a13 in u16 (p=0x88e4c162 <error: Cannot access memory at address 0x88e4c162>)
    at ./xps/xpsttf.c:30
#1  0x085e9d56 in xps_true_callback_glyph_name (pfont=0x8e4d6b4, glyph=0xc0000000,
    pstr=0xbfffbc0c) at ./xps/xpsttf.c:203
#2  0x0836b00d in copy_glyph_type42 (font=0x8e4d6b4, glyph=0xc0000000, copied=0x8eafb94,
    options=0x0) at ./devices/gxfcopy.c:1381
#3  0x0836d4d2 in gs_copy_glyph_options (font=0x8e4d6b4, glyph=0xc0000000, copied=0x8eafb94,
    options=0x0) at ./devices/gxfcopy.c:2265
#4  0x0836d443 in gs_copy_glyph (font=0x8e4d6b4, glyph=0xc0000000, copied=0x8eafb94)
    at ./devices/gxfcopy.c:2252
#5  0x0836d76b in gs_copy_font_complete (font=0x8e4d6b4, copied=0x8eafb94)
    at ./devices/gxfcopy.c:2384
#6  0x0834a423 in pdf_base_font_alloc (pdev=0x8e33b74, ppbfont=0xbfffbed4, font=0x8e4d6b4,
    orig_matrix=0x8e4d6f4, is_standard=0x0) at ./devices/vector/gdevpdtb.c:321
#7  0x0834e7ea in pdf_font_descriptor_alloc (pdev=0x8e33b74, ppfd=0xbfffbf20,
    font=0x8e4d6b4, embed=0x1) at ./devices/vector/gdevpdtd.c:202
#8  0x0835ff1e in pdf_make_font_resource (pdev=0x8e33b74, font=0x8e4d6b4,
    ppdfont=0xbfffc120, cgp=0x8e50b44) at ./devices/vector/gdevpdtt.c:1518
#9  0x083611c7 in pdf_obtain_font_resource_encoded (pdev=0x8e33b74, font=0x8e4d6b4,
    ppdfont=0xbfffc120, cgp=0x8e50b44) at ./devices/vector/gdevpdtt.c:2053
#10 0x08361575 in pdf_obtain_font_resource (penum=0x8e4eba4, pstr=0xbfffcb20,
    ppdfont=0xbfffc120) at ./devices/vector/gdevpdtt.c:2159
#11 0x08351aaf in pdf_process_string (penum=0x8e4eba4, pstr=0xbfffcb20, pfmat=0x0,
    ppts=0xbfffcb28, gdata=0xbfffd96c) at ./devices/vector/gdevpdte.c:543
#12 0x08350442 in pdf_process_string_aux (penum=0x8e4eba4, pstr=0xbfffcb20,
    gdata=0xbfffd96c, pfmat=0x0, ppts=0xbfffcb28) at ./devices/vector/gdevpdte.c:79
#13 0x08355470 in process_plain_text (pte=0x8e4eba4, vbuf=0xbfffcc60, bsize=0x4)
    at ./devices/vector/gdevpdte.c:1504
#14 0x08364d72 in pdf_text_process (pte=0x8e4eba4) at ./devices/vector/gdevpdtt.c:3552
#15 0x08497f6c in gs_text_process (pte=0x8e4eba4) at ./base/gstext.c:574
#16 0x085e6a0c in xps_flush_text_buffer (ctx=0x8e03c14, font=0x8e4d664, buf=0xbfffd000,
    is_charpath=0x0) at ./xps/xpsglyphs.c:324
#17 0x085e7335 in xps_parse_glyphs_imp (ctx=0x8e03c14, font=0x8e4d664, size=18.7192993,
    originx=554.23999, originy=36.3199997, is_sideways=0x0, bidi_level=0x0,
    indices=0x8e439ad "36", unicode=0x8e439be "A", is_charpath=0x0, sim_bold=0x0)
    at ./xps/xpsglyphs.c:569
#18 0x085e7fba in xps_parse_glyphs (ctx=0x8e03c14,
    base_uri=0xbfffe47c "/Documents/1/Pages/", dict=0x0, root=0x8e43894)
    at ./xps/xpsglyphs.c:809
#19 0x085da425 in xps_parse_element (ctx=0x8e03c14,
    base_uri=0xbfffe47c "/Documents/1/Pages/", dict=0x0, node=0x8e43894)
    at ./xps/xpscommon.c:68
#20 0x085d96c6 in xps_parse_fixed_page (ctx=0x8e03c14, part=0x8e059c4) at ./xps/xpspage.c:279
#21 0x085d6758 in xps_read_and_process_page_part (ctx=0x8e03c14,
    name=0x8e43864 "/Documents/1/Pages/1.fpage") at ./xps/xpszip.c:539
#22 0x085d6ff2 in xps_process_file (ctx=0x8e03c14,
    filename=0x8dfe660 "in/id:000030,sig:06,src:000000,op:flip2,pos:30754")
    at ./xps/xpszip.c:688
#23 0x0809a5eb in xps_imp_process_file (impl=0x8e02ba4,
    filename=0x8dfe660 "in/id:000030,sig:06,src:000000,op:flip2,pos:30754")
    at ./xps/xpstop.c:228
#24 0x085c4894 in pl_process_file (impl=0x8e02ba4,
    filename=0x8dfe660 "in/id:000030,sig:06,src:000000,op:flip2,pos:30754")
    at ./pcl/pl/pltop.c:70
#25 0x08650528 in pl_main_run_file (minst=0x8dfe5c4,
    filename=0x8dfe660 "in/id:000030,sig:06,src:000000,op:flip2,pos:30754")
    at ./pcl/pl/plmain.c:377
#26 0x08652ba3 in pl_main_process_options (pmi=0x8dfe5c4, pal=0x8dfe640,
    pjl_instance=0x8e01384) at ./pcl/pl/plmain.c:1313
#27 0x08650083 in pl_main_init_with_args (inst=0x8dfe5c4, argc=0x5, argv=0xbffff624)
    at ./pcl/pl/plmain.c:262
#28 0x085c4cb3 in plapi_init_with_args (lib=0x8dfe0e8, argc=0x5, argv=0xbffff624)
    at ./pcl/pl/plapi.c:58
#29 0x0864fd5d in main (argc=0x5, argv=0xbffff624) at ./pcl/pl/realmain.c:34
#30 0xb7da8637 in __libc_start_main (main=0x864fcfd <main>, argc=0x5, argv=0xbffff624,
    init=0x8653660 <__libc_csu_init>, fini=0x86536c0 <__libc_csu_fini>,
    rtld_fini=0xb7fea780 <_dl_fini>, stack_end=0xbffff61c) at ../csu/libc-start.c:291
#31 0x0809a011 in _start ()
==6999==ERROR: AddressSanitizer: SEGV on unknown address 0x2698acbb (pc 0x08fe535c bp 0xbfb8b6c8 sp 0xbfb8b6a0 T0)
    #0 0x8fe535b in u16 xps/xpsttf.c:30
    #1 0x8fe5cc1 in xps_true_callback_glyph_name xps/xpsttf.c:203
    #2 0x88c9f1c in copy_glyph_type42 devices/gxfcopy.c:1381
    #3 0x88d0cf7 in gs_copy_glyph_options devices/gxfcopy.c:2265
    #4 0x88d0b2b in gs_copy_glyph devices/gxfcopy.c:2252
    #5 0x88d1299 in gs_copy_font_complete devices/gxfcopy.c:2384
    #6 0x88637fe in pdf_base_font_alloc devices/vector/gdevpdtb.c:321
    #7 0x886f366 in pdf_font_descriptor_alloc devices/vector/gdevpdtd.c:202
    #8 0x88a7c80 in pdf_make_font_resource devices/vector/gdevpdtt.c:1518
    #9 0x88abb0d in pdf_obtain_font_resource_encoded devices/vector/gdevpdtt.c:2053
    #10 0x88ac5a6 in pdf_obtain_font_resource devices/vector/gdevpdtt.c:2159
    #11 0x8878270 in pdf_process_string devices/vector/gdevpdte.c:543
    #12 0x8873dad in pdf_process_string_aux devices/vector/gdevpdte.c:79
    #13 0x88819c8 in process_plain_text devices/vector/gdevpdte.c:1504
    #14 0x88b83a9 in pdf_text_process devices/vector/gdevpdtt.c:3552
    #15 0x8bf8189 in gs_text_process base/gstext.c:574
    #16 0x8fdf196 in xps_flush_text_buffer xps/xpsglyphs.c:324
    #17 0x8fe0668 in xps_parse_glyphs_imp xps/xpsglyphs.c:569
    #18 0x8fe196d in xps_parse_glyphs xps/xpsglyphs.c:809
    #19 0x8fc1771 in xps_parse_element xps/xpscommon.c:68
    #20 0x8fbfb96 in xps_parse_fixed_page xps/xpspage.c:279
    #21 0x8fb93bc in xps_read_and_process_page_part xps/xpszip.c:539
    #22 0x8fba00f in xps_process_file xps/xpszip.c:688
    #23 0x809b252 in xps_imp_process_file xps/xpstop.c:228
    #24 0x8f8aaad in pl_process_file pcl/pl/pltop.c:70
    #25 0x911df5c in pl_main_run_file pcl/pl/plmain.c:377
    #26 0x9123536 in pl_main_process_options pcl/pl/plmain.c:1313
    #27 0x911d76f in pl_main_init_with_args pcl/pl/plmain.c:262
    #28 0x8f8ba70 in plapi_init_with_args pcl/pl/plapi.c:58
    #29 0x911d04b in main pcl/pl/realmain.c:34
    #30 0xb6f6b636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
    #31 0x8099f90  (/home/karas/gwanyeong/ghostpdl/bin/gxps+0x8099f90)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV xps/xpsttf.c:30 u16
Comment 1 Chris Liddell (chrisl) 2017-06-14 03:13:39 UTC
Comment 2 Kim Gwan Yeong 2017-06-15 16:50:11 UTC
This was assigned CVE-2017-9619.