Created attachment 13788 [details]
PoC File

I found a crashing test case. Please confirm.

Version 9.22 and Git Head: fe61712d5157066212d0fcee79b129d6ddcbd251
OS: Ubuntu 16.04.2 32bit
Command: ./gxps -sDEVICE=pdfwrite -sOutputFile=/dev/null -dNOPAUSE $FILE

GDB:OUT:
=================================================================
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
EAX: 0x9e5b734
EBX: 0x0
ECX: 0x1
EDX: 0x8e4b264 --> 0x100
ESI: 0xb7f42000 --> 0x1b1db0
EDI: 0xb7f42000 --> 0x1b1db0
EBP: 0xbfffc9a4 --> 0xbfffca18 --> 0xbfffca48 --> 0xbfffca78 --> 0xbfffcaa8 --> 0xbfffcb68 (--> ...)
ESP: 0xbfffc9a4 --> 0xbfffca18 --> 0xbfffca48 --> 0xbfffca78 --> 0xbfffcaa8 --> 0xbfffcb68 (--> ...)
EIP: 0x85e82ea (<u16+6>: movzx eax,BYTE PTR [eax])
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x85e82e4 <u16>:     push   ebp
   0x85e82e5 <u16+1>:   mov    ebp,esp
   0x85e82e7 <u16+3>:   mov    eax,DWORD PTR [ebp+0x8]
=> 0x85e82ea <u16+6>:   movzx  eax,BYTE PTR [eax]
   0x85e82ed <u16+9>:   movzx  eax,al
   0x85e82f0 <u16+12>:  shl    eax,0x8
   0x85e82f3 <u16+15>:  mov    edx,eax
   0x85e82f5 <u16+17>:  mov    eax,DWORD PTR [ebp+0x8]
[------------------------------------stack-------------------------------------]
0000| 0xbfffc9a4 --> 0xbfffca18 --> 0xbfffca48 --> 0xbfffca78 --> 0xbfffcaa8 --> 0xbfffcb68 (--> ...)
0004| 0xbfffc9a8 --> 0x85e8dce (<xps_encode_font_char_imp+48>: add esp,0x4)
0008| 0xbfffc9ac --> 0x9e5b734
0012| 0xbfffc9b0 --> 0x0
0016| 0xbfffc9b4 --> 0x0
0020| 0xbfffc9b8 --> 0x8a56940 --> 0x8a34120 --> 0x1
0024| 0xbfffc9bc --> 0x0
0028| 0xbfffc9c0 --> 0x7f00
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x085e82ea in u16 (p=0x9e5b734 <error: Cannot access memory at address 0x9e5b734>) at ./xps/xpsfont.c:34
34          return (p[0] << 8) | p[1];
gdb-peda$ bt
#0  0x085e82ea in u16 (p=0x9e5b734 <error: Cannot access memory at address 0x9e5b734>) at ./xps/xpsfont.c:34
#1  0x085e8dce in xps_encode_font_char_imp (font=0x8e4d664, code=0x0) at ./xps/xpsfont.c:363
#2  0x085e94cf in xps_encode_font_char (font=0x8e4d664, code=0x0) at ./xps/xpsfont.c:586
#3  0x085e9afc in xps_true_callback_encode_char (pfont=0x8e4d6b4, chr=0x0, spc=GLYPH_SPACE_NAME) at ./xps/xpsttf.c:111
#4  0x08355031 in pdf_encode_glyph (bfont=0x8e4d6b4, glyph0=0x24, buf=0xbfffcc60 "\377\377\377\377", buf_size=0x1, char_code_length=0xbfffcb28) at ./devices/vector/gdevpdte.c:1359
#5  0x0835530a in process_plain_text (pte=0x8e4eba4, vbuf=0xbfffcc60, bsize=0x4) at ./devices/vector/gdevpdte.c:1448
#6  0x08364d72 in pdf_text_process (pte=0x8e4eba4) at ./devices/vector/gdevpdtt.c:3552
#7  0x08497f6c in gs_text_process (pte=0x8e4eba4) at ./base/gstext.c:574
#8  0x085e6a0c in xps_flush_text_buffer (ctx=0x8e03c14, font=0x8e4d664, buf=0xbfffd000, is_charpath=0x0) at ./xps/xpsglyphs.c:324
#9  0x085e7335 in xps_parse_glyphs_imp (ctx=0x8e03c14, font=0x8e4d664, size=18.7192993, originx=554.23999, originy=36.3199997, is_sideways=0x0, bidi_level=0x0, indices=0x8e439ad "36", unicode=0x8e439be "A", is_charpath=0x0, sim_bold=0x0) at ./xps/xpsglyphs.c:569
#10 0x085e7fba in xps_parse_glyphs (ctx=0x8e03c14, base_uri=0xbfffe47c "/Documents/1/Pages/", dict=0x0, root=0x8e43894) at ./xps/xpsglyphs.c:809
#11 0x085da425 in xps_parse_element (ctx=0x8e03c14, base_uri=0xbfffe47c "/Documents/1/Pages/", dict=0x0, node=0x8e43894) at ./xps/xpscommon.c:68
#12 0x085d96c6 in xps_parse_fixed_page (ctx=0x8e03c14, part=0x8e059c4) at ./xps/xpspage.c:279
#13 0x085d6758 in xps_read_and_process_page_part (ctx=0x8e03c14, name=0x8e43864 "/Documents/1/Pages/1.fpage") at ./xps/xpszip.c:539
#14 0x085d6ff2 in xps_process_file (ctx=0x8e03c14, filename=0x8dfe660 "in/id:000005,sig:06,src:000000,op:flip1,pos:30646") at ./xps/xpszip.c:688
#15 0x0809a5eb in xps_imp_process_file (impl=0x8e02ba4, filename=0x8dfe660 "in/id:000005,sig:06,src:000000,op:flip1,pos:30646") at ./xps/xpstop.c:228
#16 0x085c4894 in pl_process_file (impl=0x8e02ba4, filename=0x8dfe660 "in/id:000005,sig:06,src:000000,op:flip1,pos:30646") at ./pcl/pl/pltop.c:70
#17 0x08650528 in pl_main_run_file (minst=0x8dfe5c4, filename=0x8dfe660 "in/id:000005,sig:06,src:000000,op:flip1,pos:30646") at ./pcl/pl/plmain.c:377
#18 0x08652ba3 in pl_main_process_options (pmi=0x8dfe5c4, pal=0x8dfe640, pjl_instance=0x8e01384) at ./pcl/pl/plmain.c:1313
#19 0x08650083 in pl_main_init_with_args (inst=0x8dfe5c4, argc=0x5, argv=0xbffff624) at ./pcl/pl/plmain.c:262
#20 0x085c4cb3 in plapi_init_with_args (lib=0x8dfe0e8, argc=0x5, argv=0xbffff624) at ./pcl/pl/plapi.c:58
#21 0x0864fd5d in main (argc=0x5, argv=0xbffff624) at ./pcl/pl/realmain.c:34
#22 0xb7da8637 in __libc_start_main (main=0x864fcfd <main>, argc=0x5, argv=0xbffff624, init=0x8653660 <__libc_csu_init>, fini=0x86536c0 <__libc_csu_fini>, rtld_fini=0xb7fea780 <_dl_fini>, stack_end=0xbffff61c) at ../csu/libc-start.c:291
#23 0x0809a011 in _start ()

--------------- ASAN:SIGSEGV
=================================================================
==23867==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb5c65b7c at pc 0x08fe208c bp 0xbfca0198 sp 0xbfca0188
READ of size 1 at 0xb5c65b7c thread T0
    #0 0x8fe208b in u16 xps/xpsfont.c:34
    #1 0x8fe3dba in xps_encode_font_char_imp xps/xpsfont.c:363
    #2 0x8fe466c in xps_encode_font_char xps/xpsfont.c:586
    #3 0x8fe56b2 in xps_true_callback_encode_char xps/xpsttf.c:111
    #4 0x8880e32 in pdf_encode_glyph devices/vector/gdevpdte.c:1359
    #5 0x888165f in process_plain_text devices/vector/gdevpdte.c:1448
    #6 0x88b83a9 in pdf_text_process devices/vector/gdevpdtt.c:3552
    #7 0x8bf8189 in gs_text_process base/gstext.c:574
    #8 0x8fdf196 in xps_flush_text_buffer xps/xpsglyphs.c:324
    #9 0x8fe0668 in xps_parse_glyphs_imp xps/xpsglyphs.c:569
    #10 0x8fe196d in xps_parse_glyphs xps/xpsglyphs.c:809
    #11 0x8fc1771 in xps_parse_element xps/xpscommon.c:68
    #12 0x8fbfb96 in xps_parse_fixed_page xps/xpspage.c:279
    #13 0x8fb93bc in xps_read_and_process_page_part xps/xpszip.c:539
    #14 0x8fba00f in xps_process_file xps/xpszip.c:688
    #15 0x809b252 in xps_imp_process_file xps/xpstop.c:228
    #16 0x8f8aaad in pl_process_file pcl/pl/pltop.c:70
    #17 0x911df5c in pl_main_run_file pcl/pl/plmain.c:377
    #18 0x9123536 in pl_main_process_options pcl/pl/plmain.c:1313
    #19 0x911d76f in pl_main_init_with_args pcl/pl/plmain.c:262
    #20 0x8f8ba70 in plapi_init_with_args pcl/pl/plapi.c:58
    #21 0x911d04b in main pcl/pl/realmain.c:34
    #22 0xb6f74636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
    #23 0x8099f90 (/home/karas/gwanyeong/ghostpdl/bin/gxps+0x8099f90)

AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: heap-buffer-overflow xps/xpsfont.c:34 u16
Shadow bytes around the buggy address:
  0x36b8cb10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36b8cb20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36b8cb30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36b8cb40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36b8cb50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x36b8cb60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
  0x36b8cb70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36b8cb80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36b8cb90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36b8cba0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36b8cbb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==23867==ABORTING
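The trace above faults inside u16(), a helper that reads a big-endian 16-bit field through a bare pointer (return (p[0] << 8) | p[1];) while the font's character-to-glyph lookup walks a table whose offsets and counts come from the font file itself; with nothing telling u16() where the table ends, a crafted count or offset sends the read outside the heap allocation. The following is an added illustration written for this page, not code from the bug report, from Ghostscript, or from the referenced fix commit: it shows the defensive pattern of carrying every table with its length and refusing any field that is not wholly inside it. The segment-table layout (u16 count, then count records of start/end/firstGlyph) and both sample tables are constructed for the demo and are not the real TrueType cmap format; the glyph value 0x24 for 'A' simply echoes the indices "36"/unicode "A" values visible in frame #9.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* A font table carried together with its length, so every read can be
 * bounds-checked.  The crashing u16() on this page takes only a pointer
 * and therefore cannot know where the table ends. */
typedef struct {
    const uint8_t *data;
    size_t len;
} font_buf;

/* Read a big-endian 16-bit field at byte offset `off`.
 * Returns 0 and stores the value, or -1 if the 2-byte field is not entirely
 * inside the buffer.  Two comparisons, so `off + 2` can never wrap. */
static int u16_checked(const font_buf *buf, size_t off, unsigned *out)
{
    if (off > buf->len || buf->len - off < 2)
        return -1;
    *out = ((unsigned)buf->data[off] << 8) | buf->data[off + 1];
    return 0;
}

/* Hypothetical segment table (constructed layout, NOT the real cmap format):
 *   u16 segCount
 *   segCount x { u16 startCode; u16 endCode; u16 firstGlyph; }
 * Maps a character code to a glyph index.
 * Returns 0 = found, 1 = code not covered, -1 = table truncated/malformed. */
static int lookup_glyph(const font_buf *tbl, unsigned code, unsigned *glyph)
{
    unsigned seg_count, start, end, first;
    size_t off = 2;

    if (u16_checked(tbl, 0, &seg_count) != 0)
        return -1;
    for (unsigned i = 0; i < seg_count; i++, off += 6) {
        /* segCount is file-controlled: validate each record before use
         * instead of trusting that the declared count fits in the buffer. */
        if (u16_checked(tbl, off, &start) != 0 ||
            u16_checked(tbl, off + 2, &end) != 0 ||
            u16_checked(tbl, off + 4, &first) != 0)
            return -1;
        if (start > end)
            return -1;          /* inverted range: malformed record */
        if (code >= start && code <= end) {
            *glyph = first + (code - start);
            return 0;
        }
    }
    return 1;
}

/* Convenience wrapper: glyph index (>= 0), -1 malformed, -2 code not covered. */
int glyph_for(const uint8_t *data, size_t len, unsigned code)
{
    font_buf b = { data, len };
    unsigned g;
    int rc = lookup_glyph(&b, code, &g);
    if (rc == 0)
        return (int)g;
    return rc == 1 ? -2 : -1;
}

/* Constructed sample: one segment mapping 'A'..'Z' (0x41..0x5A) to glyphs
 * starting at 0x24 (36). */
const uint8_t good_table[] = {
    0x00, 0x01,                          /* segCount = 1 */
    0x00, 0x41, 0x00, 0x5A, 0x00, 0x24,  /* 'A'..'Z' -> 36.. */
};

/* Same single segment, but the header claims 0x7FFF segments.  A lookup for
 * any code outside 'A'..'Z' would otherwise walk past the end of the buffer,
 * which is the shape of the read ASan reports above. */
const uint8_t truncated_table[] = {
    0x7F, 0xFF,
    0x00, 0x41, 0x00, 0x5A, 0x00, 0x24,
};

int main(void)
{
    printf("good table,      'A' -> %d\n", glyph_for(good_table, sizeof good_table, 'A'));
    printf("truncated table, 'A' -> %d\n", glyph_for(truncated_table, sizeof truncated_table, 'A'));
    printf("truncated table, 'a' -> %d (rejected instead of read past end)\n",
           glyph_for(truncated_table, sizeof truncated_table, 'a'));
    return 0;
}
```

The point of the wrapper type is that the length travels with the pointer, so the check lives in one place (u16_checked) rather than at every call site; a fuzzer input like the attached PoC then produces an error return that the caller can turn into a "glyph not found" or a rejected font, instead of a wild read.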
Fixed: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=3ee556374
This was assigned CVE-2017-9620