Bug 698078 - Null pointer dereference in mem_word_get_bits_rectangle(gdevmem.c)
Summary: Null pointer dereference in mem_word_get_bits_rectangle(gdevmem.c)
Status: RESOLVED DUPLICATE of bug 698073
Alias: None
Product: Ghostscript
Classification: Unclassified
Component: Graphics Library (show other bugs)
Version: master
Hardware: PC Linux
: P4 normal
Assignee: Default assignee
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-06-19 18:17 UTC by ruc.iser
Modified: 2017-06-20 00:25 UTC (History)
0 users

See Also:
Customer:
Word Size: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description ruc.iser 2017-06-19 18:17:34 UTC 
Function mem_word_get_bits_rectangle() is a 'wrapper' for mem_get_bits_rectangle(). The latter one checks the line_ptrs to protect it from null pointer dereference. But in mem_word_get_bits_rectangle(), the 'wrapper', it accesses line_ptrs before calling get_bits_rectangle(), so checking in get_bits_rectangle() cannot protect the 'wrapper' function. It still may result in null pointer dereference.

/base/gdevmem.c
int mem_word_get_bits_rectangle(gx_device * dev, const gs_int_rect * prect,
                       gs_get_bits_params_t * params, gs_int_rect ** unread)
{
    ......
    bit_x = x * dev->color_info.depth;
    bit_w = w * dev->color_info.depth;

   /*here accesses mdev->line_ptrs without checking*/
==>  src = scan_line_base(mdev, y); 

    mem_swap_byte_rect(src, dev_raster, bit_x, bit_w, h, false);

   /*here calls the get_bits_rectangle(), it checks line_ptrs but the access has already happened*/
==>  code = mem_get_bits_rectangle(dev, prect, params, unread);  

    mem_swap_byte_rect(src, dev_raster, bit_x, bit_w, h, false);
    return code;
}
Comment 1 Ken Sharp 2017-06-20 00:25:32 UTC 

*** This bug has been marked as a duplicate of bug 698073 ***