Bug 698056 - heap-buffer-overflow in gx_ttfReader__Read(base/gxttfb.c)
Summary: heap-buffer-overflow in gx_ttfReader__Read(base/gxttfb.c)
Status: RESOLVED FIXED
Alias: None
Product: GhostXPS
Classification: Unclassified
Component: General (show other bugs)
Version: unspecified
Hardware: PC Linux
: P4 normal
Assignee: Chris Liddell (chrisl)
QA Contact: gs-security
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-06-14 17:56 UTC by Kim Gwan Yeong
Modified: 2017-07-25 04:19 UTC (History)
0 users

See Also:
Customer:
Word Size: ---


Attachments
PoC (37.22 KB, application/zip)
2017-06-14 17:56 UTC, Kim Gwan Yeong
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Kim Gwan Yeong 2017-06-14 17:56:58 UTC
Created attachment 13792 [details]
PoC

Hi.

I found a crashing test case.

Crash does not occur in the no-ASan environment.

Memory corruption occur in the ASan environment or in Valgrind.

Please confirm.

Thanks.

Version 9.22 and Git Head: f887813ad00d680e2ea5d81606fd21d1b68067af
OS: Ubuntu 16.04.2 32bit
Command: ./gxps -sDEVICE=pdfwrite -sOutputFile=/dev/null -dNOPAUSE $FILE

=================================================================
ASan:OUT
=================================================================
==24934==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb4c60818 at pc 0xb7273a75 bp 0xbfda6298 sp 0xbfda5e6c
READ of size 2 at 0xb4c60818 thread T0
    #0 0xb7273a74 in __asan_memcpy (/usr/lib/i386-linux-gnu/libasan.so.2+0x8aa74)
    #1 0xb7273c2f in memcpy (/usr/lib/i386-linux-gnu/libasan.so.2+0x8ac2f)
    #2 0x81a2a36 in gx_ttfReader__Read base/gxttfb.c:85
    #3 0x8171423 in ttfReader__Short base/ttfinp.c:42
    #4 0x8179f1e in ttfOutliner__BuildGlyphOutlineAux base/ttfmain.c:787
    #5 0x817afef in ttfOutliner__BuildGlyphOutline base/ttfmain.c:874
    #6 0x817d568 in ttfOutliner__Outline base/ttfmain.c:1033
    #7 0x81a8c29 in gx_ttf_outline base/gxttfb.c:787
    #8 0x816e1fa in append_outline_fitted base/gstype42.c:1595
    #9 0x816bb66 in gs_type42_glyph_outline base/gstype42.c:991
    #10 0x8ba4a25 in gs_default_glyph_info base/gsfont.c:1036
    #11 0x816c004 in gs_type42_glyph_info_by_gid base/gstype42.c:1017
    #12 0x816c82e in gs_type42_glyph_info base/gstype42.c:1088
    #13 0x8870b4a in pdf_compute_font_descriptor devices/vector/gdevpdtd.c:457
    #14 0x8871ed8 in pdf_finish_FontDescriptor devices/vector/gdevpdtd.c:636
    #15 0x88bcedd in pdf_finish_resources devices/vector/gdevpdtw.c:677
    #16 0x877d771 in do_pdf_close devices/vector/gdevpdf.c:2569
    #17 0x87844ce in pdf_close devices/vector/gdevpdf.c:3281
    #18 0x8b83b4b in gs_closedevice base/gsdevice.c:720
    #19 0x911ecd8 in pl_main_universe_dnit pcl/pl/plmain.c:557
    #20 0x911e426 in pl_main_delete_instance pcl/pl/plmain.c:436
    #21 0x8f8bd14 in plapi_delete_instance pcl/pl/plapi.c:89
    #22 0x911d2cf in main pcl/pl/realmain.c:50
    #23 0xb6fd4636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
    #24 0x8099f90  (/home/karas/gwanyeong/ghostpdl/bin/gxps+0x8099f90)

0xb4c60818 is located 0 bytes to the right of 65560-byte region [0xb4c50800,0xb4c60818)
allocated by thread T0 here:
    #0 0xb727fdee in malloc (/usr/lib/i386-linux-gnu/libasan.so.2+0x96dee)
    #1 0x8bc7a55 in gs_heap_alloc_bytes base/gsmalloc.c:193
    #2 0x8654534 in chunk_obj_alloc base/gsmchunk.c:909
    #3 0x8654b6d in chunk_alloc_struct_array base/gsmchunk.c:1019
    #4 0x8e05fe8 in gx_char_cache_alloc base/gxccman.c:87
    #5 0x8b9fd98 in gs_font_dir_alloc2_limits base/gsfont.c:255
    #6 0x8b9fc36 in gs_font_dir_alloc2 base/gsfont.c:228
    #7 0x876924b in pdf_open devices/vector/gdevpdf.c:834
    #8 0x8b81d81 in gs_opendevice base/gsdevice.c:456
    #9 0x911ef47 in pl_main_universe_select pcl/pl/plmain.c:581
    #10 0x911df13 in pl_main_run_file pcl/pl/plmain.c:341
    #11 0x91236f1 in pl_main_process_options pcl/pl/plmain.c:1313
    #12 0x911d92a in pl_main_init_with_args pcl/pl/plmain.c:262
    #13 0x8f8bbce in plapi_init_with_args pcl/pl/plapi.c:58
    #14 0x911d206 in main pcl/pl/realmain.c:34
    #15 0xb6fd4636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __asan_memcpy
Shadow bytes around the buggy address:
  0x3698c0b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3698c0c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3698c0d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3698c0e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3698c0f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x3698c100: 00 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa
  0x3698c110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3698c120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3698c130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3698c140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3698c150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==24934==ABORTING
Comment 1 Chris Liddell (chrisl) 2017-06-15 07:06:00 UTC
Fixed:
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=937ccd17ac