Bug 698158 - Ghostscript - Out of bounds read in igc_reloc_struct_ptr()
Summary: Ghostscript - Out of bounds read in igc_reloc_struct_ptr()
Status: RESOLVED FIXED
Alias: None
Product: Ghostscript
Classification: Unclassified
Component: Fuzzing (show other bugs)
Version: unspecified
Hardware: PC Linux
: P4 normal
Assignee: Chris Liddell (chrisl)
QA Contact: gs-security
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-07-01 05:50 UTC by Kamil Frankowicz
Modified: 2019-07-22 07:10 UTC (History)
1 user (show)

See Also:
Customer:
Word Size: ---


Attachments
POC to trigger out of bounds read (gs) (97 bytes, text/plain)
2017-07-01 05:50 UTC, Kamil Frankowicz
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Kamil Frankowicz 2017-07-01 05:50:05 UTC
Created attachment 13878 [details]
POC to trigger out of bounds read (gs)

After some fuzz testing I found a crashing test case.

Git Head: 0b7fa9293f43dce8aea028e4d2b32da1d8fc18c8

Command: gs -dNOPAUSE -sDEVICE=bit -sOUTPUTFILE=/dev/null -dSAFER gs_oobr_igc_reloc_struct_ptr -c quit

ASAN:

==6596==ERROR: AddressSanitizer: SEGV on unknown address 0x629fffffffe0 (pc 0x000001bf15aa bp 0x7ffdaf7cd170 sp 0x7ffdaf7cd070 T0)
==6596==The signal is caused by a READ memory access.
    #0 0x1bf15a9 in igc_reloc_struct_ptr XYZ/ghostpdl/./psi/igc.c:1307:68
    #1 0x1bfb71a in igc_reloc_refs XYZ/ghostpdl/./psi/igcref.c:434:21
    #2 0x1bf60e9 in gc_do_reloc XYZ/ghostpdl/./psi/igc.c:1246:17
    #3 0x1bf60e9 in gs_gc_reclaim XYZ/ghostpdl/./psi/igc.c:450
    #4 0x1cdce57 in context_reclaim XYZ/ghostpdl/./psi/zcontext.c:290:5
    #5 0x1aecbdf in gs_vmreclaim XYZ/ghostpdl/./psi/ireclaim.c:163:9
    #6 0x1aecbdf in ireclaim XYZ/ghostpdl/./psi/ireclaim.c:80
    #7 0x1ad35ac in interp_reclaim XYZ/ghostpdl/./psi/interp.c:447:12
    #8 0x1aaae7e in gs_main_finit XYZ/ghostpdl/./psi/imain.c:914:20
    #9 0x56c040 in main XYZ/ghostpdl/./psi/gs.c:139:9
    #10 0x7f7ec6757439 in __libc_start_main (/usr/lib/libc.so.6+0x20439)
    #11 0x47d4e9 in _start (/usr/local/bin/gs+0x47d4e9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV XYZ/ghostpdl/./psi/igc.c:1307:68 in igc_reloc_struct_ptr
==6596==ABORTING

BTW, please unlock recently fixed issues and request for a some CVEs for them :)
Comment 1 Chris Liddell (chrisl) 2017-07-25 01:08:01 UTC
Fixed in:
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=671fd59eb