698044 – memcpy-param-overlap in xps_load_sfnt_name(xps/xpsfont.c)

Bug 698044 - memcpy-param-overlap in xps_load_sfnt_name(xps/xpsfont.c)

Summary: memcpy-param-overlap in xps_load_sfnt_name(xps/xpsfont.c)

Status:	RESOLVED FIXED

Alias:	None

Product:	GhostXPS
Classification:	Unclassified
Component:	General (show other bugs)
Version:	unspecified
Hardware:	PC Linux

Importance:	P4 normal
Assignee:	Chris Liddell (chrisl)

URL:
Keywords:

Depends on:
Blocks:

Reported:	2017-06-13 19:14 UTC by Kim Gwan Yeong
Modified:	2017-07-25 04:19 UTC (History)
CC List:	0 users

See Also:
Customer:
Word Size:	---

Attachments
PoC File (37.22 KB, application/zip) 2017-06-13 19:14 UTC, Kim Gwan Yeong	Details
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Kim Gwan Yeong 2017-06-13 19:14:55 UTC

Created attachment 13785 [details]
PoC File

I found a crashing test case.

Please confirm.

Version 9.22 and Git Head: fe61712d5157066212d0fcee79b129d6ddcbd251

OS: Ubuntu 16.04.2 32bit

Command: ./gxps -sDEVICE=pdfwrite -sOutputFile=/dev/null -dNOPAUSE $FILE

GDB:OUT:
=================================================================
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
EAX: 0x3160007
EBX: 0x8dfe620 --> 0x8a31000 --> 0x8464e8a (<c_param_read_typed>:       push   ebp)
ECX: 0x1
EDX: 0x8dfe4f8 (0x08dfe4f8)
ESI: 0xb7f42000 --> 0x1b1db0
EDI: 0xb7f42000 --> 0x1b1db0
EBP: 0xbfffda48 --> 0xbfffda68 --> 0xbfffda88 --> 0xbfffdde8 --> 0xbfffde18 --> 0xbfffde48 (--> ...)
ESP: 0xbfffda00 --> 0x8e66fac --> 0x0
EIP: 0x8293a85 (<chunk_obj_alloc+195>:  mov    eax,DWORD PTR [eax+0x10])
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x8293a7a <chunk_obj_alloc+184>:     mov    DWORD PTR [ebp-0x38],eax
   0x8293a7d <chunk_obj_alloc+187>:     jmp    0x8293cb3 <chunk_obj_alloc+753>
   0x8293a82 <chunk_obj_alloc+192>:     mov    eax,DWORD PTR [ebp-0x20]
=> 0x8293a85 <chunk_obj_alloc+195>:     mov    eax,DWORD PTR [eax+0x10]
   0x8293a88 <chunk_obj_alloc+198>:     cmp    eax,DWORD PTR [ebp-0x34]
   0x8293a8b <chunk_obj_alloc+201>:     jb     0x8293b16 <chunk_obj_alloc+340>
   0x8293a91 <chunk_obj_alloc+207>:     mov    eax,DWORD PTR [ebp-0x20]
   0x8293a94 <chunk_obj_alloc+210>:     mov    eax,DWORD PTR [eax+0x8]
[------------------------------------stack-------------------------------------]
0000| 0xbfffda00 --> 0x8e66fac --> 0x0
0004| 0xbfffda04 --> 0x8e6bc28 --> 0x8e6bc58 --> 0x0
0008| 0xbfffda08 --> 0x81e4ae3 (<Pack3Words>:   push   ebp)
0012| 0xbfffda0c --> 0x8dfe574 --> 0x8e4d884 --> 0x4150061
0016| 0xbfffda10 --> 0x0
0020| 0xbfffda14 --> 0x350
0024| 0xbfffda18 --> 0x0
0028| 0xbfffda1c --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x08293a85 in chunk_obj_alloc (mem=0x8dfe4f8, size=0x334, type=0x8a34120 <st_bytes>,
    cname=0x8669464 "gs_type42_font_init") at ./base/gsmchunk.c:804
804                     if (b->size >= newsize) {
gdb-peda$ bt
#0  0x08293a85 in chunk_obj_alloc (mem=0x8dfe4f8, size=0x334, type=0x8a34120 <st_bytes>,
    cname=0x8669464 "gs_type42_font_init") at ./base/gsmchunk.c:804
#1  0x08293f16 in chunk_alloc_bytes (mem=0x8dfe4f8, size=0x334,
    cname=0x8669464 "gs_type42_font_init") at ./base/gsmchunk.c:977
#2  0x08293f96 in chunk_alloc_byte_array (mem=0x8dfe4f8, num_elements=0xcd, elt_size=0x4,
    cname=0x8669464 "gs_type42_font_init") at ./base/gsmchunk.c:1005
#3  0x080e4e9e in gs_type42_font_init (pfont=0x8e4d6b4, subfontID=0x0)
    at ./base/gstype42.c:337
#4  0x085ea4b4 in xps_init_truetype_font (ctx=0x8e03c14, font=0x8e4d664)
    at ./xps/xpsttf.c:411
#5  0x085e847d in xps_new_font (ctx=0x8e03c14, buf=0x8e4b264 "", buflen=0x23e4, index=0x0)
    at ./xps/xpsfont.c:79
#6  0x085e7a0d in xps_parse_glyphs (ctx=0x8e03c14,
    base_uri=0xbfffe47c "/Documents/1/Pages/", dict=0x0, root=0x8e43894)
    at ./xps/xpsglyphs.c:711
#7  0x085da425 in xps_parse_element (ctx=0x8e03c14,
    base_uri=0xbfffe47c "/Documents/1/Pages/", dict=0x0, node=0x8e43894)
    at ./xps/xpscommon.c:68
#8  0x085d96c6 in xps_parse_fixed_page (ctx=0x8e03c14, part=0x8e059c4) at ./xps/xpspage.c:279
#9  0x085d6758 in xps_read_and_process_page_part (ctx=0x8e03c14,
    name=0x8e43864 "/Documents/1/Pages/1.fpage") at ./xps/xpszip.c:539
#10 0x085d6ff2 in xps_process_file (ctx=0x8e03c14,
    filename=0x8dfe660 "in/id:000025,sig:06,src:000000,op:flip1,pos:31950")
    at ./xps/xpszip.c:688
#11 0x0809a5eb in xps_imp_process_file (impl=0x8e02ba4,
    filename=0x8dfe660 "in/id:000025,sig:06,src:000000,op:flip1,pos:31950")
    at ./xps/xpstop.c:228
#12 0x085c4894 in pl_process_file (impl=0x8e02ba4,
    filename=0x8dfe660 "in/id:000025,sig:06,src:000000,op:flip1,pos:31950")
    at ./pcl/pl/pltop.c:70
#13 0x08650528 in pl_main_run_file (minst=0x8dfe5c4,
    filename=0x8dfe660 "in/id:000025,sig:06,src:000000,op:flip1,pos:31950")
    at ./pcl/pl/plmain.c:377
#14 0x08652ba3 in pl_main_process_options (pmi=0x8dfe5c4, pal=0x8dfe640,
    pjl_instance=0x8e01384) at ./pcl/pl/plmain.c:1313
#15 0x08650083 in pl_main_init_with_args (inst=0x8dfe5c4, argc=0x5, argv=0xbffff624)
    at ./pcl/pl/plmain.c:262
#16 0x085c4cb3 in plapi_init_with_args (lib=0x8dfe0e8, argc=0x5, argv=0xbffff624)
    at ./pcl/pl/plapi.c:58
#17 0x0864fd5d in main (argc=0x5, argv=0xbffff624) at ./pcl/pl/realmain.c:34
#18 0xb7da8637 in __libc_start_main (main=0x864fcfd <main>, argc=0x5, argv=0xbffff624,
    init=0x8653660 <__libc_csu_init>, fini=0x86536c0 <__libc_csu_fini>,
    rtld_fini=0xb7fea780 <_dl_fini>, stack_end=0xbffff61c) at ../csu/libc-start.c:291
#19 0x0809a011 in _start ()
---------------
ASAN:SIGSEGV
=================================================================
==24411==ERROR: AddressSanitizer: memcpy-param-overlap: memory ranges [0xb4d57be0,0xb4d5f010) and [0xb4d59c76, 0xb4d610a6) overlap
    #0 0xb72cd8ca in __asan_memcpy (/usr/lib/i386-linux-gnu/libasan.so.2+0x8a8ca)
    #1 0xb72cdc2f in memcpy (/usr/lib/i386-linux-gnu/libasan.so.2+0x8ac2f)
    #2 0x8fe31c7 in xps_load_sfnt_name xps/xpsfont.c:229
    #3 0x8fe753b in xps_init_truetype_font xps/xpsttf.c:384
    #4 0x8fe2675 in xps_new_font xps/xpsfont.c:79
    #5 0x8fe1099 in xps_parse_glyphs xps/xpsglyphs.c:711
    #6 0x8fc1771 in xps_parse_element xps/xpscommon.c:68
    #7 0x8fbfb96 in xps_parse_fixed_page xps/xpspage.c:279
    #8 0x8fb93bc in xps_read_and_process_page_part xps/xpszip.c:539
    #9 0x8fba00f in xps_process_file xps/xpszip.c:688
    #10 0x809b252 in xps_imp_process_file xps/xpstop.c:228
    #11 0x8f8aaad in pl_process_file pcl/pl/pltop.c:70
    #12 0x911df5c in pl_main_run_file pcl/pl/plmain.c:377
    #13 0x9123536 in pl_main_process_options pcl/pl/plmain.c:1313
    #14 0x911d76f in pl_main_init_with_args pcl/pl/plmain.c:262
    #15 0x8f8ba70 in plapi_init_with_args pcl/pl/plapi.c:58
    #16 0x911d04b in main pcl/pl/realmain.c:34
    #17 0xb702e636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
    #18 0x8099f90  (/home/karas/gwanyeong/bin/gxps+0x8099f90)

0xb4d57be0 is located 29664 bytes inside of 65560-byte region [0xb4d50800,0xb4d60818)
allocated by thread T0 here:
    #0 0xb72d9dee in malloc (/usr/lib/i386-linux-gnu/libasan.so.2+0x96dee)
    #1 0x8bc7a14 in gs_heap_alloc_bytes base/gsmalloc.c:193
    #2 0x8654534 in chunk_obj_alloc base/gsmchunk.c:909
    #3 0x8654b6d in chunk_alloc_struct_array base/gsmchunk.c:1019
    #4 0x8e05e8a in gx_char_cache_alloc base/gxccman.c:87
    #5 0x8b9fd57 in gs_font_dir_alloc2_limits base/gsfont.c:255
    #6 0x8b9fbf5 in gs_font_dir_alloc2 base/gsfont.c:228
    #7 0x876920a in pdf_open devices/vector/gdevpdf.c:834
    #8 0x8b81d40 in gs_opendevice base/gsdevice.c:456
    #9 0x911ed8c in pl_main_universe_select pcl/pl/plmain.c:581
    #10 0x911dd58 in pl_main_run_file pcl/pl/plmain.c:341
    #11 0x9123536 in pl_main_process_options pcl/pl/plmain.c:1313
    #12 0x911d76f in pl_main_init_with_args pcl/pl/plmain.c:262
    #13 0x8f8ba70 in plapi_init_with_args pcl/pl/plapi.c:58
    #14 0x911d04b in main pcl/pl/realmain.c:34
    #15 0xb702e636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)

0xb4d60818 is located 0 bytes to the right of 65560-byte region [0xb4d50800,0xb4d60818)
allocated by thread T0 here:
    #0 0xb72d9dee in malloc (/usr/lib/i386-linux-gnu/libasan.so.2+0x96dee)
    #1 0x8bc7a14 in gs_heap_alloc_bytes base/gsmalloc.c:193
    #2 0x8654534 in chunk_obj_alloc base/gsmchunk.c:909
    #3 0x8654b6d in chunk_alloc_struct_array base/gsmchunk.c:1019
    #4 0x8e05e8a in gx_char_cache_alloc base/gxccman.c:87
    #5 0x8b9fd57 in gs_font_dir_alloc2_limits base/gsfont.c:255
    #6 0x8b9fbf5 in gs_font_dir_alloc2 base/gsfont.c:228
    #7 0x876920a in pdf_open devices/vector/gdevpdf.c:834
    #8 0x8b81d40 in gs_opendevice base/gsdevice.c:456
    #9 0x911ed8c in pl_main_universe_select pcl/pl/plmain.c:581
    #10 0x911dd58 in pl_main_run_file pcl/pl/plmain.c:341
    #11 0x9123536 in pl_main_process_options pcl/pl/plmain.c:1313
    #12 0x911d76f in pl_main_init_with_args pcl/pl/plmain.c:262
    #13 0x8f8ba70 in plapi_init_with_args pcl/pl/plapi.c:58
    #14 0x911d04b in main pcl/pl/realmain.c:34
    #15 0xb702e636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)

SUMMARY: AddressSanitizer: memcpy-param-overlap ??:0 __asan_memcpy
==24411==ABORTING

Comment 1 Chris Liddell (chrisl) 2017-06-14 03:14:07 UTC

Fixed:
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=3c2aebbed

Comment 2 Kim Gwan Yeong 2017-06-15 16:49:48 UTC

This was assigned CVE-2017-9618