Bug 701821 - Segmentation fault at tiff//libtiff/tif_dirinfo.c:513 in TIFFFindField
Summary: Segmentation fault at tiff//libtiff/tif_dirinfo.c:513 in TIFFFindField
Status: RESOLVED FIXED
Alias: None
Product: Ghostscript
Classification: Unclassified
Component: General
Version: master
Hardware: PC Linux
Importance: P4 normal
Assignee: Default assignee
QA Contact: Bug traffic
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-11-01 07:01 UTC by Suhwan
Modified: 2021-09-11 11:27 UTC

See Also:
Customer:
Word Size: ---


Attachments
poc (99.59 KB, application/postscript)
2019-11-01 07:01 UTC, Suhwan

Description Suhwan 2019-11-01 07:01:55 UTC
Created attachment 18407
poc

Hello

I found a Segmentation fault bug in GhostScript.
Please confirm. 
Thanks.

OS:        Ubuntu 18.04 64bit
Version:   commit 9c196bb7f6873b4fe43a649fc87cba363c6af8e5

Steps to reproduce:
1. Download the .POC files.
2. Compile the source code with "make sanitize" using gcc.
3. Run the following command.

gs -dBATCH -dNOPAUSE -sOutputFile=tmp -sDEVICE=tiffsep $PoC

Here's the ASan report.

==9722==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000400 (pc 0x5622f5d5279a bp 0x7ffeec399370 sp 0x7ffeec399270 T0)
==9722==The signal is caused by a READ memory access.
==9722==Hint: address points to the zero page.
    #0 0x5622f5d52799 in TIFFFindField tiff//libtiff/tif_dirinfo.c:513
    #1 0x5622f5d45fce in OkToChangeTag tiff//libtiff/tif_dir.c:762
    #2 0x5622f5d4685a in TIFFVSetField tiff//libtiff/tif_dir.c:853
    #3 0x5622f5d462e6 in TIFFSetField tiff//libtiff/tif_dir.c:798
    #4 0x5622f5e343c5 in tiff_set_fields_for_printer devices/gdevtifs.c:380
    #5 0x5622f604f45a in tiffsep_print_page devices/gdevtsep.c:2390
    #6 0x5622f5bf61c2 in gx_default_print_page_copies base/gdevprn.c:1231
    #7 0x5622f5bf5b91 in gdev_prn_output_page_aux base/gdevprn.c:1133
    #8 0x5622f5bf5e5a in gdev_prn_output_page_seekable base/gdevprn.c:1175
    #9 0x5622f62d371a in gs_output_page base/gsdevice.c:212
    #10 0x5622f6932cc3 in zoutputpage psi/zdevice.c:416
    #11 0x5622f684fa2f in do_call_operator psi/interp.c:86
    #12 0x5622f68591ae in interp psi/interp.c:1300
    #13 0x5622f685157c in gs_call_interp psi/interp.c:520
    #14 0x5622f6850c21 in gs_interpret psi/interp.c:477
    #15 0x5622f6825178 in gs_main_interpret psi/imain.c:253
    #16 0x5622f682862d in gs_main_run_string_end psi/imain.c:791
    #17 0x5622f6827ff2 in gs_main_run_string_with_length psi/imain.c:735
    #18 0x5622f6827f64 in gs_main_run_string psi/imain.c:716
    #19 0x5622f6834c28 in run_string psi/imainarg.c:1117
    #20 0x5622f68349cb in runarg psi/imainarg.c:1086
    #21 0x5622f683424a in argproc psi/imainarg.c:1008
    #22 0x5622f682ea16 in gs_main_init_with_args01 psi/imainarg.c:241
    #23 0x5622f682ee7a in gs_main_init_with_args psi/imainarg.c:288
    #24 0x5622f683a3aa in psapi_init_with_args psi/psapi.c:272
    #25 0x5622f6a099c9 in gsapi_init_with_args psi/iapi.c:148
    #26 0x5622f55da6b8 in main psi/gs.c:95
    #27 0x7f2d4330eb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #28 0x5622f55da459 in _start (gs+0x36c459)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV tiff//libtiff/tif_dirinfo.c:513 in TIFFFindField
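The report above is the kind of output a fuzzing harness produces by the hundreds, and the first thing a triager wants is the error class, the fault address, the first frame that is in Ghostscript's own tree rather than in bundled libtiff, and a key to collapse duplicates. The following script is an added example, not part of this bug report or of Ghostscript; it parses ASan reports of this shape. The first sample is the report above cut down to the frames the parser needs; the second is a constructed heap-buffer-overflow report in the same format. The page-size threshold, the directory markers used to recognise Ghostscript frames, and the list of runtime frames to skip are assumptions. ASan prints "address points to the zero page" when the faulting address is smaller than one page, which is what a NULL base pointer plus a struct field offset produces, so such a SEGV is flagged as a NULL dereference at that offset.

```python
"""Triage helper for AddressSanitizer reports.

Added example; not part of this bug report or of Ghostscript.  Extracts the
error class, faulting address, access type, crash stack, the first frame in
the Ghostscript tree (skipping bundled libtiff) and a de-duplication key.
A SEGV at an address below one page is reported as a NULL dereference: the
address is then just the offset of the struct field being read.
"""
import re

PAGE_SIZE = 0x1000                                  # assumption: 4 KiB pages (x86-64 Linux)
PROJECT_MARKERS = ("devices/", "base/", "psi/")     # assumption: Ghostscript tree layout
SKIP_FUNCS = ("__interceptor_", "__asan", "__libc_start_main", "_start")  # runtime frames

# Sample 1: the report above, cut to the lines the parser needs.
SEGV_REPORT = """\
==9722==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000400 (pc 0x5622f5d5279a bp 0x7ffeec399370 sp 0x7ffeec399270 T0)
==9722==The signal is caused by a READ memory access.
==9722==Hint: address points to the zero page.
    #0 0x5622f5d52799 in TIFFFindField tiff//libtiff/tif_dirinfo.c:513
    #1 0x5622f5d45fce in OkToChangeTag tiff//libtiff/tif_dir.c:762
    #2 0x5622f5d4685a in TIFFVSetField tiff//libtiff/tif_dir.c:853
    #3 0x5622f5d462e6 in TIFFSetField tiff//libtiff/tif_dir.c:798
    #4 0x5622f5e343c5 in tiff_set_fields_for_printer devices/gdevtifs.c:380
    #5 0x5622f604f45a in tiffsep_print_page devices/gdevtsep.c:2390
SUMMARY: AddressSanitizer: SEGV tiff//libtiff/tif_dirinfo.c:513 in TIFFFindField
"""

# Sample 2: constructed report in ASan's heap-buffer-overflow shape.
OVERFLOW_REPORT = """\
==9496==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x606000001d9a at pc 0x000001883541 bp 0x7ffded5d4480 sp 0x7ffded5d4478
WRITE of size 1 at 0x606000001d9a thread T0
    #0 0x1883540 in cif_print_page ghostpdl/./devices/gdevcif.c:64:23
    #1 0x13f07d9 in gx_default_print_page_copies ghostpdl/./base/gdevprn.c:1231:12
    #2 0x13ef028 in gdev_prn_output_page_aux ghostpdl/./base/gdevprn.c:1133:27
0x606000001d9a is located 0 bytes to the right of 58-byte region [0x606000001d60,0x606000001d9a)
allocated by thread T0 here:
    #0 0x542d30 in __interceptor_malloc (gs+0x542d30)
    #1 0x23640fd in gs_heap_alloc_bytes ghostpdl/./base/gsmalloc.c:193:34
"""

ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (?P<kind>[\w-]+) on (?:unknown )?address (?P<addr>0x[0-9a-fA-F]+)")
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-fA-F]+ in (?P<func>\S+)(?: (?P<loc>\S+))?")
REGION_RE = re.compile(r"is located (?P<off>\d+) bytes to the (?P<side>left|right) of (?P<size>\d+)-byte region")


def parse_asan(report):
    """Return a dict describing the first error in one ASan report."""
    info = {"kind": None, "address": None, "access": None,
            "frames": [], "region": None, "null_deref": False}
    stack_done = False          # only the crash stack is kept, not allocation/free stacks
    for line in report.splitlines():
        m = ERROR_RE.search(line)
        if m and info["kind"] is None:
            info["kind"] = m.group("kind")
            info["address"] = int(m.group("addr"), 16)
            continue
        # "The signal is caused by a READ memory access." / "WRITE of size 1 at ..."
        if info["access"] is None and ("memory access" in line or " of size " in line):
            m = re.search(r"\b(READ|WRITE)\b", line)
            if m:
                info["access"] = m.group(1)
        m = FRAME_RE.match(line)
        if m:
            if not stack_done and not m.group("func").startswith(SKIP_FUNCS):
                info["frames"].append((m.group("func"), m.group("loc") or "?"))
            continue
        if info["frames"]:
            stack_done = True   # first non-frame line after the frames ends the crash stack
        m = REGION_RE.search(line)
        if m:
            info["region"] = (m.group("side"), int(m.group("off")), int(m.group("size")))
    if info["kind"] == "SEGV" and info["address"] is not None and info["address"] < PAGE_SIZE:
        info["null_deref"] = True
    return info


def first_project_frame(info):
    """First crash frame inside the Ghostscript tree rather than in bundled libtiff."""
    for func, loc in info["frames"]:
        if "libtiff" not in loc and any(mk in loc for mk in PROJECT_MARKERS):
            return func, loc
    return None


def bucket(info, depth=3):
    """De-duplication key: error class plus the top `depth` function names."""
    return "|".join([info["kind"] or "?"] + [func for func, _ in info["frames"][:depth]])


def verdict(info):
    """One-line human summary of what the report indicates."""
    text = "%s %s" % (info["access"] or "?", info["kind"] or "?")
    if info["null_deref"]:
        text += ", NULL pointer dereference at struct offset 0x%x" % info["address"]
    if info["region"]:
        side, off, size = info["region"]
        text += ", %d byte(s) to the %s of a %d-byte heap block" % (off, side, size)
    pf = first_project_frame(info)
    if pf:
        text += "; first project frame %s (%s)" % pf
    return text


if __name__ == "__main__":
    for rep in (SEGV_REPORT, OVERFLOW_REPORT):
        info = parse_asan(rep)
        print(bucket(info))
        print("   ", verdict(info))
```

Run it as `python3 asan_triage.py`. For the report above it yields the bucket `SEGV|TIFFFindField|OkToChangeTag|TIFFVSetField` and a verdict naming tiff_set_fields_for_printer at devices/gdevtifs.c:380 as the first Ghostscript frame; the zero-page read at 0x400 inside TIFFFindField is consistent with a NULL TIFF handle whose field at that offset is being read, which is the question to take to the caller rather than to libtiff. The bucket key is what a fuzzing pipeline would use to collapse repeated hits of the same crash before filing them.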
Comment 1 Ken Sharp 2019-11-01 10:27:55 UTC
Fixed in commit aadb53eb834b3def3ef68d78865ff87a68901804
Comment 2 Mehmet gelisin 2021-09-11 11:27:47 UTC
I found a heap-buffer-overflow bug in GhostScript.

Please confirm.

Thanks.
OS: Ubuntu 18.04 64bit

Steps to reproduce:
1. Download the .POC files.
2. Compile the source code with ASan.
3. Run the following command.

gs -sOutputFile=tmp -sDEVICE=cif $PoC

Here's the ASan report

=================================================================
==9496==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x606000001d9a at pc 0x000001883541 bp 0x7ffded5d4480 sp 0x7ffded5d4478
WRITE of size 1 at 0x606000001d9a thread T0
    #0 0x1883540 in cif_print_page ghostpdl/./devices/gdevcif.c:64:23
    #1 0x13f07d9 in gx_default_print_page_copies ghostpdl/./base/gdevprn.c:1231:12
    #2 0x13ef028 in gdev_prn_output_page_aux ghostpdl/./base/gdevprn.c:1133:27
    #3 0x22b6f20 in gs_output_page ghostpdl/./base/gsdevice.c:212:17
    #4 0x3054b9f in zoutputpage ghostpdl/./psi/zdevice.c:416:12
    #5 0x2e8bdb6 in interp ghostpdl/./psi/interp.c:1300:28
    #6 0x2e8bdb6 in gs_call_interp ghostpdl/./psi/interp.c:520
    #7 0x2e8bdb6 in gs_interpret ghostpdl/./psi/interp.c:477
    #8 0x2e3f451 in gs_main_interpret ghostpdl/./psi/imain.c:253:12
    #9 0x2e3f451 in gs_main_run_string_end ghostpdl/./psi/imain.c:791
    #10 0x2e3f451 in gs_main_run_string_with_length ghostpdl/./psi/imain.c:735
    #11 0x2e548f0 in run_string ghostpdl/./psi/imainarg.c:1117:12
    #12 0x2e548f0 in runarg ghostpdl/./psi/imainarg.c:1086
    #13 0x2e5302a in argproc ghostpdl/./psi/imainarg.c:1008:16
    #14 0x2e479f7 in gs_main_init_with_args01 ghostpdl/./psi/imainarg.c:241:24
    #15 0x2e539d0 in gs_main_init_with_args ghostpdl/./psi/imainarg.c:288:16
    #16 0x57b86f in main ghostpdl/./psi/gs.c:95:16
    #17 0x7f6808d4fb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #18 0x482e79 in _start (gs+0x482e79)

0x606000001d9a is located 0 bytes to the right of 58-byte region [0x606000001d60,0x606000001d9a)
allocated by thread T0 here:
    #0 0x542d30 in __interceptor_malloc (gs+0x542d30)
    #1 0x23640fd in gs_heap_alloc_bytes ghostpdl/./base/gsmalloc.c:193:34

SUMMARY: AddressSanitizer: heap-buffer-overflow ghostpdl/./devices/gdevcif.c:64:23 in cif_print_page
Shadow bytes around the buggy address:
  0x0c0c7fff8360: fa fa fa fa 00 00 00 00 00 00 07 fa fa fa fa fa
  0x0c0c7fff8370: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
  0x0c0c7fff8380: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c0c7fff8390: fa fa fa fa 00 00 00 00 00 00 00 01 fa fa fa fa
  0x0c0c7fff83a0: fd fd fd fd fd fd fd fd fa fa fa fa 00 00 00 00
=>0x0c0c7fff83b0: 00 00 00[02]fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff83c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff83d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff83e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff83f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff8400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb