Created attachment 13783 [details] PoC File POC to trigger heap buffer overflow (gxps) I am experiencing a similar issue with Bug 698025. The function same, but the source code is different. Please confirm. Version 9.22 and Git Head: fe61712d5157066212d0fcee79b129d6ddcbd251 OS: Ubuntu 16.04.2 32bit Command: ./gxps -sDEVICE=pdfwrite -sOutputFile=/dev/null -dNOPAUSE $FILE GDB:OUT: ================================================================= Program received signal SIGSEGV, Segmentation fault. [----------------------------------registers-----------------------------------] EAX: 0x88e4c162 EBX: 0x20 (' ') ECX: 0xbfffbb40 --> 0x8e4c140 --> 0x200 EDX: 0x80000022 ESI: 0xb7f42000 --> 0x1b1db0 EDI: 0xb7f42000 --> 0x1b1db0 EBP: 0xbfffbb08 --> 0xbfffbb88 --> 0xbfffbc48 --> 0xbfffbd88 --> 0xbfffbda8 --> 0xbfffbdf8 (--> ...) ESP: 0xbfffbb08 --> 0xbfffbb88 --> 0xbfffbc48 --> 0xbfffbd88 --> 0xbfffbda8 --> 0xbfffbdf8 (--> ...) EIP: 0x85e9a13 (<u16+6>: movzx eax,BYTE PTR [eax]) EFLAGS: 0x10296 (carry PARITY ADJUST zero SIGN trap INTERRUPT direction overflow) [-------------------------------------code-------------------------------------] 0x85e9a0d <u16>: push ebp 0x85e9a0e <u16+1>: mov ebp,esp 0x85e9a10 <u16+3>: mov eax,DWORD PTR [ebp+0x8] => 0x85e9a13 <u16+6>: movzx eax,BYTE PTR [eax] 0x85e9a16 <u16+9>: movzx eax,al 0x85e9a19 <u16+12>: shl eax,0x8 0x85e9a1c <u16+15>: mov edx,eax 0x85e9a1e <u16+17>: mov eax,DWORD PTR [ebp+0x8] [------------------------------------stack-------------------------------------] 0000| 0xbfffbb08 --> 0xbfffbb88 --> 0xbfffbc48 --> 0xbfffbd88 --> 0xbfffbda8 --> 0xbfffbdf8 (--> ...) 0004| 0xbfffbb0c --> 0x85e9d56 (<xps_true_callback_glyph_name+492>: add esp,0x10) 0008| 0xbfffbb10 --> 0x88e4c162 0012| 0xbfffbb14 --> 0xedc 0016| 0xbfffbb18 --> 0x20 (' ') 0020| 0xbfffbb1c --> 0xbfffbb40 --> 0x8e4c140 --> 0x200 0024| 0xbfffbb20 --> 0x8e563a0 --> 0x8eb2574 --> 0x0 0028| 0xbfffbb24 --> 0x0 [------------------------------------------------------------------------------] Legend: code, data, rodata, value Stopped reason: SIGSEGV 0x085e9a13 in u16 (p=0x88e4c162 <error: Cannot access memory at address 0x88e4c162>) at ./xps/xpsttf.c:30 30 return (p[0] << 8) | p[1]; gdb-peda$ bt #0 0x085e9a13 in u16 (p=0x88e4c162 <error: Cannot access memory at address 0x88e4c162>) at ./xps/xpsttf.c:30 #1 0x085e9d56 in xps_true_callback_glyph_name (pfont=0x8e4d6b4, glyph=0xc0000000, pstr=0xbfffbc0c) at ./xps/xpsttf.c:203 #2 0x0836b00d in copy_glyph_type42 (font=0x8e4d6b4, glyph=0xc0000000, copied=0x8eafb94, options=0x0) at ./devices/gxfcopy.c:1381 #3 0x0836d4d2 in gs_copy_glyph_options (font=0x8e4d6b4, glyph=0xc0000000, copied=0x8eafb94, options=0x0) at ./devices/gxfcopy.c:2265 #4 0x0836d443 in gs_copy_glyph (font=0x8e4d6b4, glyph=0xc0000000, copied=0x8eafb94) at ./devices/gxfcopy.c:2252 #5 0x0836d76b in gs_copy_font_complete (font=0x8e4d6b4, copied=0x8eafb94) at ./devices/gxfcopy.c:2384 #6 0x0834a423 in pdf_base_font_alloc (pdev=0x8e33b74, ppbfont=0xbfffbed4, font=0x8e4d6b4, orig_matrix=0x8e4d6f4, is_standard=0x0) at ./devices/vector/gdevpdtb.c:321 #7 0x0834e7ea in pdf_font_descriptor_alloc (pdev=0x8e33b74, ppfd=0xbfffbf20, font=0x8e4d6b4, embed=0x1) at ./devices/vector/gdevpdtd.c:202 #8 0x0835ff1e in pdf_make_font_resource (pdev=0x8e33b74, font=0x8e4d6b4, ppdfont=0xbfffc120, cgp=0x8e50b44) at ./devices/vector/gdevpdtt.c:1518 #9 0x083611c7 in pdf_obtain_font_resource_encoded (pdev=0x8e33b74, font=0x8e4d6b4, ppdfont=0xbfffc120, cgp=0x8e50b44) at ./devices/vector/gdevpdtt.c:2053 #10 0x08361575 in pdf_obtain_font_resource (penum=0x8e4eba4, pstr=0xbfffcb20, ppdfont=0xbfffc120) at ./devices/vector/gdevpdtt.c:2159 #11 0x08351aaf in pdf_process_string (penum=0x8e4eba4, pstr=0xbfffcb20, pfmat=0x0, ppts=0xbfffcb28, gdata=0xbfffd96c) at ./devices/vector/gdevpdte.c:543 #12 0x08350442 in pdf_process_string_aux (penum=0x8e4eba4, pstr=0xbfffcb20, gdata=0xbfffd96c, pfmat=0x0, ppts=0xbfffcb28) at ./devices/vector/gdevpdte.c:79 #13 0x08355470 in process_plain_text (pte=0x8e4eba4, vbuf=0xbfffcc60, bsize=0x4) at ./devices/vector/gdevpdte.c:1504 #14 0x08364d72 in pdf_text_process (pte=0x8e4eba4) at ./devices/vector/gdevpdtt.c:3552 #15 0x08497f6c in gs_text_process (pte=0x8e4eba4) at ./base/gstext.c:574 #16 0x085e6a0c in xps_flush_text_buffer (ctx=0x8e03c14, font=0x8e4d664, buf=0xbfffd000, is_charpath=0x0) at ./xps/xpsglyphs.c:324 #17 0x085e7335 in xps_parse_glyphs_imp (ctx=0x8e03c14, font=0x8e4d664, size=18.7192993, originx=554.23999, originy=36.3199997, is_sideways=0x0, bidi_level=0x0, indices=0x8e439ad "36", unicode=0x8e439be "A", is_charpath=0x0, sim_bold=0x0) at ./xps/xpsglyphs.c:569 #18 0x085e7fba in xps_parse_glyphs (ctx=0x8e03c14, base_uri=0xbfffe47c "/Documents/1/Pages/", dict=0x0, root=0x8e43894) at ./xps/xpsglyphs.c:809 #19 0x085da425 in xps_parse_element (ctx=0x8e03c14, base_uri=0xbfffe47c "/Documents/1/Pages/", dict=0x0, node=0x8e43894) at ./xps/xpscommon.c:68 #20 0x085d96c6 in xps_parse_fixed_page (ctx=0x8e03c14, part=0x8e059c4) at ./xps/xpspage.c:279 #21 0x085d6758 in xps_read_and_process_page_part (ctx=0x8e03c14, name=0x8e43864 "/Documents/1/Pages/1.fpage") at ./xps/xpszip.c:539 #22 0x085d6ff2 in xps_process_file (ctx=0x8e03c14, filename=0x8dfe660 "in/id:000030,sig:06,src:000000,op:flip2,pos:30754") at ./xps/xpszip.c:688 #23 0x0809a5eb in xps_imp_process_file (impl=0x8e02ba4, filename=0x8dfe660 "in/id:000030,sig:06,src:000000,op:flip2,pos:30754") at ./xps/xpstop.c:228 #24 0x085c4894 in pl_process_file (impl=0x8e02ba4, filename=0x8dfe660 "in/id:000030,sig:06,src:000000,op:flip2,pos:30754") at ./pcl/pl/pltop.c:70 #25 0x08650528 in pl_main_run_file (minst=0x8dfe5c4, filename=0x8dfe660 "in/id:000030,sig:06,src:000000,op:flip2,pos:30754") at ./pcl/pl/plmain.c:377 #26 0x08652ba3 in pl_main_process_options (pmi=0x8dfe5c4, pal=0x8dfe640, pjl_instance=0x8e01384) at ./pcl/pl/plmain.c:1313 #27 0x08650083 in pl_main_init_with_args (inst=0x8dfe5c4, argc=0x5, argv=0xbffff624) at ./pcl/pl/plmain.c:262 #28 0x085c4cb3 in plapi_init_with_args (lib=0x8dfe0e8, argc=0x5, argv=0xbffff624) at ./pcl/pl/plapi.c:58 #29 0x0864fd5d in main (argc=0x5, argv=0xbffff624) at ./pcl/pl/realmain.c:34 #30 0xb7da8637 in __libc_start_main (main=0x864fcfd <main>, argc=0x5, argv=0xbffff624, init=0x8653660 <__libc_csu_init>, fini=0x86536c0 <__libc_csu_fini>, rtld_fini=0xb7fea780 <_dl_fini>, stack_end=0xbffff61c) at ../csu/libc-start.c:291 #31 0x0809a011 in _start () --------------- ASAN:SIGSEGV ================================================================= ==6999==ERROR: AddressSanitizer: SEGV on unknown address 0x2698acbb (pc 0x0 8fe535c bp 0xbfb8b6c8 sp 0xbfb8b6a0 T0) #0 0x8fe535b in u16 xps/xpsttf.c:30 #1 0x8fe5cc1 in xps_true_callback_glyph_name xps/xpsttf.c:203 #2 0x88c9f1c in copy_glyph_type42 devices/gxfcopy.c:1381 #3 0x88d0cf7 in gs_copy_glyph_options devices/gxfcopy.c:2265 #4 0x88d0b2b in gs_copy_glyph devices/gxfcopy.c:2252 #5 0x88d1299 in gs_copy_font_complete devices/gxfcopy.c:2384 #6 0x88637fe in pdf_base_font_alloc devices/vector/gdevpdtb.c:321 #7 0x886f366 in pdf_font_descriptor_alloc devices/vector/gdevpdtd.c:202 #8 0x88a7c80 in pdf_make_font_resource devices/vector/gdevpdtt.c:1518 #9 0x88abb0d in pdf_obtain_font_resource_encoded devices/vector/gdevpdtt.c:2053 #10 0x88ac5a6 in pdf_obtain_font_resource devices/vector/gdevpdtt.c:2159 #11 0x8878270 in pdf_process_string devices/vector/gdevpdte.c:543 #12 0x8873dad in pdf_process_string_aux devices/vector/gdevpdte.c:79 #13 0x88819c8 in process_plain_text devices/vector/gdevpdte.c:1504 #14 0x88b83a9 in pdf_text_process devices/vector/gdevpdtt.c:3552 #15 0x8bf8189 in gs_text_process base/gstext.c:574 #16 0x8fdf196 in xps_flush_text_buffer xps/xpsglyphs.c:324 #17 0x8fe0668 in xps_parse_glyphs_imp xps/xpsglyphs.c:569 #18 0x8fe196d in xps_parse_glyphs xps/xpsglyphs.c:809 #19 0x8fc1771 in xps_parse_element xps/xpscommon.c:68 #20 0x8fbfb96 in xps_parse_fixed_page xps/xpspage.c:279 #21 0x8fb93bc in xps_read_and_process_page_part xps/xpszip.c:539 #22 0x8fba00f in xps_process_file xps/xpszip.c:688 #23 0x809b252 in xps_imp_process_file xps/xpstop.c:228 #24 0x8f8aaad in pl_process_file pcl/pl/pltop.c:70 #25 0x911df5c in pl_main_run_file pcl/pl/plmain.c:377 #26 0x9123536 in pl_main_process_options pcl/pl/plmain.c:1313 #27 0x911d76f in pl_main_init_with_args pcl/pl/plmain.c:262 #28 0x8f8ba70 in plapi_init_with_args pcl/pl/plapi.c:58 #29 0x911d04b in main pcl/pl/realmain.c:34 #30 0xb6f6b636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636) #31 0x8099f90 (/home/karas/gwanyeong/ghostpdl/bin/gxps+0x8099f90) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV xps/xpsttf.c:30 u16 ==6999==ABORTING
Fixed: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=c53183d4
This was assigned CVE-2017-9619.