Bug 698050 - heap-buffer-overflow in xps_encode_font_char_imp(xps/xpsfont.c)
Summary: heap-buffer-overflow in xps_encode_font_char_imp(xps/xpsfont.c)
Status: RESOLVED FIXED
Alias: None
Product: GhostXPS
Classification: Unclassified
Component: General (show other bugs)
Version: unspecified
Hardware: PC Linux
: P4 normal
Assignee: Chris Liddell (chrisl)
QA Contact: gs-security
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-06-13 23:53 UTC by Kim Gwan Yeong
Modified: 2017-07-25 04:19 UTC (History)
0 users

See Also:
Customer:
Word Size: ---


Attachments
PoC File (37.22 KB, application/zip)
2017-06-13 23:53 UTC, Kim Gwan Yeong
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Kim Gwan Yeong 2017-06-13 23:53:35 UTC
Created attachment 13788 [details]
PoC File

I found a crashing test case.

Please confirm.

Version 9.22 and Git Head: fe61712d5157066212d0fcee79b129d6ddcbd251

OS: Ubuntu 16.04.2 32bit

Command: ./gxps -sDEVICE=pdfwrite -sOutputFile=/dev/null -dNOPAUSE $FILE

GDB:OUT:
=================================================================
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
EAX: 0x9e5b734
EBX: 0x0
ECX: 0x1
EDX: 0x8e4b264 --> 0x100
ESI: 0xb7f42000 --> 0x1b1db0
EDI: 0xb7f42000 --> 0x1b1db0
EBP: 0xbfffc9a4 --> 0xbfffca18 --> 0xbfffca48 --> 0xbfffca78 --> 0xbfffcaa8 --> 0xbfffcb68 (--> ...)
ESP: 0xbfffc9a4 --> 0xbfffca18 --> 0xbfffca48 --> 0xbfffca78 --> 0xbfffcaa8 --> 0xbfffcb68 (--> ...)
EIP: 0x85e82ea (<u16+6>:        movzx  eax,BYTE PTR [eax])
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x85e82e4 <u16>:     push   ebp
   0x85e82e5 <u16+1>:   mov    ebp,esp
   0x85e82e7 <u16+3>:   mov    eax,DWORD PTR [ebp+0x8]
=> 0x85e82ea <u16+6>:   movzx  eax,BYTE PTR [eax]
   0x85e82ed <u16+9>:   movzx  eax,al
   0x85e82f0 <u16+12>:  shl    eax,0x8
   0x85e82f3 <u16+15>:  mov    edx,eax
   0x85e82f5 <u16+17>:  mov    eax,DWORD PTR [ebp+0x8]
[------------------------------------stack-------------------------------------]
0000| 0xbfffc9a4 --> 0xbfffca18 --> 0xbfffca48 --> 0xbfffca78 --> 0xbfffcaa8 --> 0xbfffcb68 (--> ...)
0004| 0xbfffc9a8 --> 0x85e8dce (<xps_encode_font_char_imp+48>:  add    esp,0x4)
0008| 0xbfffc9ac --> 0x9e5b734
0012| 0xbfffc9b0 --> 0x0
0016| 0xbfffc9b4 --> 0x0
0020| 0xbfffc9b8 --> 0x8a56940 --> 0x8a34120 --> 0x1
0024| 0xbfffc9bc --> 0x0
0028| 0xbfffc9c0 --> 0x7f00
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x085e82ea in u16 (p=0x9e5b734 <error: Cannot access memory at address 0x9e5b734>)
    at ./xps/xpsfont.c:34
34          return (p[0] << 8) | p[1];
gdb-peda$ bt
#0  0x085e82ea in u16 (p=0x9e5b734 <error: Cannot access memory at address 0x9e5b734>)
    at ./xps/xpsfont.c:34
#1  0x085e8dce in xps_encode_font_char_imp (font=0x8e4d664, code=0x0) at ./xps/xpsfont.c:363
#2  0x085e94cf in xps_encode_font_char (font=0x8e4d664, code=0x0) at ./xps/xpsfont.c:586
#3  0x085e9afc in xps_true_callback_encode_char (pfont=0x8e4d6b4, chr=0x0,
    spc=GLYPH_SPACE_NAME) at ./xps/xpsttf.c:111
#4  0x08355031 in pdf_encode_glyph (bfont=0x8e4d6b4, glyph0=0x24,
    buf=0xbfffcc60 "\377\377\377\377", buf_size=0x1, char_code_length=0xbfffcb28)
    at ./devices/vector/gdevpdte.c:1359
#5  0x0835530a in process_plain_text (pte=0x8e4eba4, vbuf=0xbfffcc60, bsize=0x4)
    at ./devices/vector/gdevpdte.c:1448
#6  0x08364d72 in pdf_text_process (pte=0x8e4eba4) at ./devices/vector/gdevpdtt.c:3552
#7  0x08497f6c in gs_text_process (pte=0x8e4eba4) at ./base/gstext.c:574
#8  0x085e6a0c in xps_flush_text_buffer (ctx=0x8e03c14, font=0x8e4d664, buf=0xbfffd000,
    is_charpath=0x0) at ./xps/xpsglyphs.c:324
#9  0x085e7335 in xps_parse_glyphs_imp (ctx=0x8e03c14, font=0x8e4d664, size=18.7192993,
    originx=554.23999, originy=36.3199997, is_sideways=0x0, bidi_level=0x0,
    indices=0x8e439ad "36", unicode=0x8e439be "A", is_charpath=0x0, sim_bold=0x0)
    at ./xps/xpsglyphs.c:569
#10 0x085e7fba in xps_parse_glyphs (ctx=0x8e03c14,
    base_uri=0xbfffe47c "/Documents/1/Pages/", dict=0x0, root=0x8e43894)
    at ./xps/xpsglyphs.c:809
#11 0x085da425 in xps_parse_element (ctx=0x8e03c14,
    base_uri=0xbfffe47c "/Documents/1/Pages/", dict=0x0, node=0x8e43894)
    at ./xps/xpscommon.c:68
#12 0x085d96c6 in xps_parse_fixed_page (ctx=0x8e03c14, part=0x8e059c4) at ./xps/xpspage.c:279
#13 0x085d6758 in xps_read_and_process_page_part (ctx=0x8e03c14,
    name=0x8e43864 "/Documents/1/Pages/1.fpage") at ./xps/xpszip.c:539
#14 0x085d6ff2 in xps_process_file (ctx=0x8e03c14,
    filename=0x8dfe660 "in/id:000005,sig:06,src:000000,op:flip1,pos:30646")
    at ./xps/xpszip.c:688
#15 0x0809a5eb in xps_imp_process_file (impl=0x8e02ba4,
    filename=0x8dfe660 "in/id:000005,sig:06,src:000000,op:flip1,pos:30646")
    at ./xps/xpstop.c:228
#16 0x085c4894 in pl_process_file (impl=0x8e02ba4,
    filename=0x8dfe660 "in/id:000005,sig:06,src:000000,op:flip1,pos:30646")
    at ./pcl/pl/pltop.c:70
#17 0x08650528 in pl_main_run_file (minst=0x8dfe5c4,
    filename=0x8dfe660 "in/id:000005,sig:06,src:000000,op:flip1,pos:30646")
    at ./pcl/pl/plmain.c:377
#18 0x08652ba3 in pl_main_process_options (pmi=0x8dfe5c4, pal=0x8dfe640,
    pjl_instance=0x8e01384) at ./pcl/pl/plmain.c:1313
#19 0x08650083 in pl_main_init_with_args (inst=0x8dfe5c4, argc=0x5, argv=0xbffff624)
    at ./pcl/pl/plmain.c:262
#20 0x085c4cb3 in plapi_init_with_args (lib=0x8dfe0e8, argc=0x5, argv=0xbffff624)
    at ./pcl/pl/plapi.c:58
#21 0x0864fd5d in main (argc=0x5, argv=0xbffff624) at ./pcl/pl/realmain.c:34
#22 0xb7da8637 in __libc_start_main (main=0x864fcfd <main>, argc=0x5, argv=0xbffff624,
    init=0x8653660 <__libc_csu_init>, fini=0x86536c0 <__libc_csu_fini>,
    rtld_fini=0xb7fea780 <_dl_fini>, stack_end=0xbffff61c) at ../csu/libc-start.c:291
#23 0x0809a011 in _start ()
---------------
ASAN:SIGSEGV
=================================================================
==23867==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb5c65b7c at pc 0x08fe208c bp 0xbfca0198 sp 0xbfca0188
READ of size 1 at 0xb5c65b7c thread T0
    #0 0x8fe208b in u16 xps/xpsfont.c:34
    #1 0x8fe3dba in xps_encode_font_char_imp xps/xpsfont.c:363
    #2 0x8fe466c in xps_encode_font_char xps/xpsfont.c:586
    #3 0x8fe56b2 in xps_true_callback_encode_char xps/xpsttf.c:111
    #4 0x8880e32 in pdf_encode_glyph devices/vector/gdevpdte.c:1359
    #5 0x888165f in process_plain_text devices/vector/gdevpdte.c:1448
    #6 0x88b83a9 in pdf_text_process devices/vector/gdevpdtt.c:3552
    #7 0x8bf8189 in gs_text_process base/gstext.c:574
    #8 0x8fdf196 in xps_flush_text_buffer xps/xpsglyphs.c:324
    #9 0x8fe0668 in xps_parse_glyphs_imp xps/xpsglyphs.c:569
    #10 0x8fe196d in xps_parse_glyphs xps/xpsglyphs.c:809
    #11 0x8fc1771 in xps_parse_element xps/xpscommon.c:68
    #12 0x8fbfb96 in xps_parse_fixed_page xps/xpspage.c:279
    #13 0x8fb93bc in xps_read_and_process_page_part xps/xpszip.c:539
    #14 0x8fba00f in xps_process_file xps/xpszip.c:688
    #15 0x809b252 in xps_imp_process_file xps/xpstop.c:228
    #16 0x8f8aaad in pl_process_file pcl/pl/pltop.c:70
    #17 0x911df5c in pl_main_run_file pcl/pl/plmain.c:377
    #18 0x9123536 in pl_main_process_options pcl/pl/plmain.c:1313
    #19 0x911d76f in pl_main_init_with_args pcl/pl/plmain.c:262
    #20 0x8f8ba70 in plapi_init_with_args pcl/pl/plapi.c:58
    #21 0x911d04b in main pcl/pl/realmain.c:34
    #22 0xb6f74636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
    #23 0x8099f90  (/home/karas/gwanyeong/ghostpdl/bin/gxps+0x8099f90)

AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: heap-buffer-overflow xps/xpsfont.c:34 u16
Shadow bytes around the buggy address:
  0x36b8cb10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36b8cb20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36b8cb30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36b8cb40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36b8cb50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x36b8cb60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
  0x36b8cb70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36b8cb80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36b8cb90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36b8cba0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36b8cbb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==23867==ABORTING
Comment 1 Chris Liddell (chrisl) 2017-06-14 03:14:30 UTC
Fixed:
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=3ee556374
Comment 2 Kim Gwan Yeong 2017-06-15 16:50:37 UTC
This was assigned CVE-2017-9620