Bug 699663 - .setdistillerkeys memory corruption
Summary: .setdistillerkeys memory corruption
Status: NOTIFIED DUPLICATE of bug 699656
Alias: None
Product: Ghostscript
Classification: Unclassified
Component: Security (public) (show other bugs)
Version: unspecified
Hardware: PC Linux
: P2 major
Assignee: Chris Liddell (chrisl)
QA Contact:
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-08-21 19:33 UTC by Tavis Ormandy
Modified: 2019-10-10 10:56 UTC (History)
1 user (show)

See Also:
Customer: 501,641
Word Size: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Tavis Ormandy 2018-08-21 19:33:07 UTC
This simple test doesn't seem to work, and causes what looks like exploitable memory corruption:

$ gs
GPL Ghostscript 9.23 (2018-03-21)
Copyright (C) 2018 Artifex Software, Inc.  All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
GS>.distillerparamkeys
GS<1>.setdistillerparams
Segmentation fault
Comment 1 Chris Liddell (chrisl) 2018-08-21 19:44:53 UTC
I can't reproduce this with the current code, I get:

Error: /typecheck in --setdistillerparams--
Operand stack:
   --dict:84/84(ro)(G)--
Execution stack:
   %interp_exit   .runexec2   --nostringval--   --nostringval--   --nostringval--   2   %stopped_push   --nostringval--   --nostringval--   %loop_continue   --nostringval--   --nostringval--   false   1   %stopped_push   .runexec2   --nostringval--   --nostringval--   --nostringval--   2   %stopped_push   --nostringval--   2017   1   3   %oparray_pop
Dictionary stack:
   --dict:982/1684(ro)(G)--   --dict:0/20(G)--   --dict:78/200(L)--
Current allocation mode is local
Last OS error: Resource temporarily unavailable
Current file position is 20
Comment 2 Chris Liddell (chrisl) 2018-08-21 19:46:14 UTC
(In reply to Chris Liddell (chrisl) from comment #1)
> I can't reproduce this with the current code, I get:


Oh, scratch that... I can see it.
Comment 3 Ken Sharp 2018-08-22 13:31:08 UTC
This 'looks like' a duplicate of 695656, at least it crashes in the same place for me. Chris already has a fix for this so I'm going to let him commit that.

However, .setdistillerparams shouldn't be available, so I've made a change of my own to address that. It seems that this commit:

	971472c83a345a16dac9f90f91258bb22dd77f22

accidentally broke some of the operator hiding code, in the course of making it work with DELAYBIND.
Comment 4 Chris Liddell (chrisl) 2018-08-23 11:50:55 UTC
It's the same route cause as 699656 and the same fix solves this.

*** This bug has been marked as a duplicate of bug 699656 ***