Bug 698066 - Potential null pointer dereference in mem_planar_get_bits_rectangle (gdevmpla.c)
Summary: Potential null pointer dereference in mem_planar_get_bits_rectangle (gdevmpla.c)
Status: RESOLVED FIXED
Alias: None
Product: Ghostscript
Classification: Unclassified
Component: Graphics Library
Version: master
Hardware: PC Linux
Importance: P4 normal
Assignee: Chris Liddell (chrisl)
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-06-16 06:45 UTC by ruc.iser
Modified: 2017-06-18 23:27 UTC

See Also:
Customer:
Word Size: ---


Description ruc.iser 2017-06-16 06:45:47 UTC
We found that the function mem_planar_get_bits_rectangle() in file gdevmpla.c duplicates most of mem_get_bits_rectangle(), which has already been reported as possibly resulting in a NULL pointer dereference in Bug #697676. So we have reason to say that mem_planar_get_bits_rectangle() may have the same danger.

/base/gdevmpla.c
static int mem_planar_get_bits_rectangle(gx_device * dev, const gs_int_rect * prect, gs_get_bits_params_t * params, gs_int_rect ** unread)
{
    /* This duplicates most of mem_get_bits_rectangle.  Tant pgs. */
    ......  
    if (options == 0) {
        params->options =
            (GB_ALIGN_STANDARD | GB_ALIGN_ANY) |
            (GB_RETURN_COPY | GB_RETURN_POINTER) |
            (GB_OFFSET_0 | GB_OFFSET_SPECIFIED | GB_OFFSET_ANY) |
            (GB_RASTER_STANDARD | GB_RASTER_SPECIFIED | GB_RASTER_ANY) |
            GB_PACKING_CHUNKY |
            GB_COLORS_NATIVE | GB_ALPHA_NONE;
        return_error(gs_error_rangecheck);
    }
    if ((w <= 0) | (h <= 0)) {
        if ((w | h) < 0)
            return_error(gs_error_rangecheck);
        return 0;
    }
    if (x < 0 || w > dev->width - x || y < 0 || h > dev->height - y)
        return_error(gs_error_rangecheck);
    {
        gs_get_bits_params_t copy_params;
        byte **base = &scan_line_base(mdev, y);  // here may result in a null 
                                                 // pointer dereference
        ......
}


Advised Patch:
static int mem_planar_get_bits_rectangle(gx_device * dev, const gs_int_rect * prect, gs_get_bits_params_t * params, gs_int_rect ** unread)
{
            ......
            GB_COLORS_NATIVE | GB_ALPHA_NONE;
        return_error(gs_error_rangecheck);
    }

+	if (mdev→line_ptrs == 0x00)
+		return_error(gs_error_rangecheck);

    if ((w <= 0) | (h <= 0)) {
        if ((w | h) < 0)
            return_error(gs_error_rangecheck);
        return 0;
    }
    ......
}
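Review bot: the added guard `mdev→line_ptrs == 0x00` uses a Unicode arrow rather than `->`, so the line as written will not compile; it should read `if (mdev->line_ptrs == NULL)`, with `NULL` also being clearer than `0x00` for a pointer comparison. Placement is worth a second look too: putting the guard ahead of the `(w <= 0) | (h <= 0)` early return means an empty rectangle on a device with no line table now fails with rangecheck instead of returning 0 as before, whereas placing it just before `&scan_line_base(mdev, y)`, after the bounds checks, would only reject the requests that actually index `line_ptrs`.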
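Added example, not code from this report or from Ghostscript: a stand-alone C model of the checks mem_planar_get_bits_rectangle performs before indexing scan lines, with the line_ptrs guard from the advised patch in front of them, exercised on a constructed raster and on a device whose line table is NULL. The mem_device struct, the scan_line_base() definition and the error value are assumptions modelled on gdevmem.h and gserrors.h, not the real headers.

```c
#include <stdio.h>
typedef unsigned char byte;
/* Constructed stand-in for the gserrors.h code used on this page. */
#define gs_error_rangecheck (-15)
/* Constructed stand-in for the Ghostscript memory device (gdevmem.h). */
typedef struct {
    int width;
    int height;
    byte **line_ptrs;   /* one pointer per scan line; NULL until set up */
} mem_device;

/* Assumed shape of scan_line_base(): it indexes line_ptrs directly, so a
 * NULL table is dereferenced without any check of its own. */
#define scan_line_base(mdev, y) ((mdev)->line_ptrs[y])

/* The checks mem_planar_get_bits_rectangle performs before touching scan
 * lines, with the line_ptrs guard from the advised patch placed in front.
 * Returns 0 and the first requested row in *row, or a negative error. */
int checked_scan_line(const mem_device *mdev, int x, int y, int w, int h,
                      byte **row)
{
    *row = NULL;
    if (mdev->line_ptrs == NULL)          /* guard from the advised patch */
        return gs_error_rangecheck;
    if (w <= 0 || h <= 0)                 /* empty is fine, negative is not */
        return ((w | h) < 0) ? gs_error_rangecheck : 0;
    /* Bounds as subtractions so x + w and y + h cannot overflow int. */
    if (x < 0 || w > mdev->width - x || y < 0 || h > mdev->height - y)
        return gs_error_rangecheck;
    *row = scan_line_base(mdev, y);
    return 0;
}

/* Constructed 4x2 raster, plus a device whose line table was never built. */
static byte rows[2][4] = { {1, 2, 3, 4}, {5, 6, 7, 8} };
static byte *ptrs[2] = { &rows[0][0], &rows[1][0] };
static mem_device ready = { 4, 2, ptrs };
static mem_device bare  = { 4, 2, NULL };

int demo_null_table(void) { byte *r; return checked_scan_line(&bare, 0, 0, 4, 2, &r); }
int demo_row1_first(void) { byte *r; return checked_scan_line(&ready, 0, 1, 4, 1, &r) ? -1 : r[0]; }
int demo_negative_w(void) { byte *r; return checked_scan_line(&ready, 0, 0, -1, 1, &r); }
int demo_too_wide(void)   { byte *r; return checked_scan_line(&ready, 2, 0, 3, 1, &r); }

int main(void)
{
    printf("null table %d, row1[0] %d, negative w %d, too wide %d\n",
           demo_null_table(), demo_row1_first(), demo_negative_w(), demo_too_wide());
    return 0;
}
```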
Comment 1 Chris Liddell (chrisl) 2017-06-16 08:05:04 UTC
Applied in:
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=824aa630e

Thanks for spotting that!
Comment 2 ruc.iser 2017-06-16 21:10:56 UTC
(In reply to Chris Liddell (chrisl) from comment #1)
> Applied in:
> http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=824aa630e
> 
> Thanks for spotting that!

Actually, we used a technique based on similarity computing to detect other functions in Ghostscript that may have this problem as well. We'll report them soon. So please keep an eye on our following reports.