Bug 699665 - memory corruption in aesdecode
Summary: memory corruption in aesdecode
Status: NOTIFIED FIXED
Alias: None
Product: Ghostscript
Classification: Unclassified
Component: Security (public)
Version: unspecified
Hardware: PC Linux
Importance: P2 normal
Assignee: Chris Liddell (chrisl)
Reported: 2018-08-21 22:12 UTC by Tavis Ormandy
Modified: 2019-05-08 13:44 UTC
CC: 6 users

Customer: 501,641

Description Tavis Ormandy 2018-08-21 22:12:12 UTC
This was found by fuzzing: memory corruption in the aesdecode operator.

$ ./gs -q -sDEVICE=ppmraw -dSAFER 
GS>{ runpdfbegin } stopped {} if
GS>.writepdfmarkdict
GS<1>{ PDFsetpattern } stopped {} if
GS<7>resolveopdict
GS<8>{ .copydict } stopped {} if
GS<10>{ pdf_gen_user_password_R2 } stopped {} if
GS<12>aesdecode
Segmentation fault
Comment 1 Ken Sharp 2018-08-24 08:18:43 UTC
Fixed in this commit:

8e9ce5016db968b40e4ec255a3005f2786cce45f

Basically, make sure we have set an AES key before we try to use it, otherwise we can try to access an uninitialised pointer.
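A model of the check the fix describes, written in C as an added example rather than Ghostscript's own code (the struct, function names and the XOR stand-in for the cipher are hypothetical): the decode step refuses to run until a key of valid length has been installed, instead of dereferencing a context that was never set up.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical model of an AES-decode filter state (not Ghostscript's
   saes.c): the cipher context pointer is only set once a key is installed. */
typedef struct {
    uint8_t round_keys[16];  /* stand-in for an expanded key schedule */
} aes_ctx;

typedef struct {
    aes_ctx *ctx;        /* NULL until aesd_set_key() succeeds */
    size_t   keylength;  /* 0 means "no key has been set" */
} aesd_state;

enum { AESD_OK = 0, AESD_ERR_NOKEY = -1, AESD_ERR_KEYLEN = -2 };

void aesd_init(aesd_state *st) { st->ctx = NULL; st->keylength = 0; }

/* Install a key; only AES-128/192/256 key lengths are accepted. */
int aesd_set_key(aesd_state *st, aes_ctx *ctx, const uint8_t *key, size_t len)
{
    if (len != 16 && len != 24 && len != 32) return AESD_ERR_KEYLEN;
    memcpy(ctx->round_keys, key, 16);   /* stand-in for key expansion */
    st->ctx = ctx;
    st->keylength = len;
    return AESD_OK;
}

/* Vulnerable shape: assumes a key was set and dereferences ctx unconditionally
   (a NULL dereference when the filter runs without a key). */
int aesd_process_unchecked(aesd_state *st, uint8_t *buf, size_t n)
{
    for (size_t i = 0; i < n; i++) buf[i] ^= st->ctx->round_keys[i % 16];
    return AESD_OK;
}

/* Fixed shape: reject the operation until a key has been installed. */
int aesd_process(aesd_state *st, uint8_t *buf, size_t n)
{
    if (st->keylength == 0 || st->ctx == NULL) return AESD_ERR_NOKEY;
    return aesd_process_unchecked(st, buf, n);
}

/* Walks the states: no key -> rejected, bad length -> rejected, keyed -> runs. */
int aesd_selftest(void)
{
    aesd_state st; aes_ctx ctx;
    uint8_t key[16] = { 0xAA };         /* constructed key; remaining bytes zero */
    uint8_t buf[4] = { 1, 2, 3, 4 };    /* constructed input */
    aesd_init(&st);
    if (aesd_process(&st, buf, 4) != AESD_ERR_NOKEY) return 0;
    if (aesd_set_key(&st, &ctx, key, 15) != AESD_ERR_KEYLEN) return 0;
    if (aesd_process(&st, buf, 4) != AESD_ERR_NOKEY) return 0;
    if (aesd_set_key(&st, &ctx, key, 16) != AESD_OK) return 0;
    if (aesd_process(&st, buf, 4) != AESD_OK) return 0;
    return buf[0] == 0xAB && buf[1] == 2;
}
```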