Bug 701842 - heap-buffer-overflow at devices/gdevlxm.c:303 in lxm5700m_print_page
Summary: heap-buffer-overflow at devices/gdevlxm.c:303 in lxm5700m_print_page
Status: RESOLVED FIXED
Alias: None
Product: Ghostscript
Classification: Unclassified
Component: General
Version: master
Hardware: PC Linux
Importance: P4 normal
Assignee: Julian Smith
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-11-05 15:14 UTC by Suhwan
Modified: 2019-11-06 12:19 UTC
CC List: 1 user

See Also:
Customer:
Word Size: ---


Attachments
poc (2.11 KB, application/postscript)
2019-11-05 16:57 UTC, Suhwan

Description Suhwan 2019-11-05 15:14:19 UTC
Hello

I found a heap-buffer-overflow bug in Ghostscript.
Please confirm. 
Thanks.

OS:        Ubuntu 18.04 64bit
Version:   commit f38c6b08c6582872af25fc669a5fd3bde9f32753

Steps to reproduce:
1. Download the .POC files.
2. Compile the source code with "make sanitize" using gcc.
3. Run the following cmd.

gs -dBATCH -sOutputFile=tmp -sDEVICE=lxm5700m $PoC

Here's the ASAN report.

==21160==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fef65a6fe90 at pc 0x559e07921a43 bp 0x7ffe42c071d0 sp 0x7ffe42c071c0
READ of size 1 at 0x7fef65a6fe90 thread T0
    #0 0x559e07921a42 in lxm5700m_print_page devices/gdevlxm.c:303
    #1 0x559e073a38d2 in gx_default_print_page_copies base/gdevprn.c:1231
    #2 0x559e073a32a1 in gdev_prn_output_page_aux base/gdevprn.c:1133
    #3 0x559e073a359b in gdev_prn_bg_output_page base/gdevprn.c:1181
    #4 0x559e07a8170e in gs_output_page base/gsdevice.c:212
    #5 0x559e080e0cc8 in zoutputpage psi/zdevice.c:416
    #6 0x559e07ffda23 in do_call_operator psi/interp.c:86
    #7 0x559e080071a2 in interp psi/interp.c:1300
    #8 0x559e07fff570 in gs_call_interp psi/interp.c:520
    #9 0x559e07ffec15 in gs_interpret psi/interp.c:477
    #10 0x559e07fd316c in gs_main_interpret psi/imain.c:253
    #11 0x559e07fd6621 in gs_main_run_string_end psi/imain.c:791
    #12 0x559e07fd5fe6 in gs_main_run_string_with_length psi/imain.c:735
    #13 0x559e07fd5f58 in gs_main_run_string psi/imain.c:716
    #14 0x559e07fe2c1c in run_string psi/imainarg.c:1117
    #15 0x559e07fe29bf in runarg psi/imainarg.c:1086
    #16 0x559e07fe223e in argproc psi/imainarg.c:1008
    #17 0x559e07fdca0a in gs_main_init_with_args01 psi/imainarg.c:241
    #18 0x559e07fdce6e in gs_main_init_with_args psi/imainarg.c:288
    #19 0x559e07fe839e in psapi_init_with_args psi/psapi.c:272
    #20 0x559e081b79ce in gsapi_init_with_args psi/iapi.c:148
    #21 0x559e06d87dc8 in main psi/gs.c:95
    #22 0x7fef6d4feb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #23 0x559e06d87b69 in _start (gs+0x36cb69)

0x7fef65a6fe90 is located 0 bytes to the right of 132752-byte region [0x7fef65a4f800,0x7fef65a6fe90)
allocated by thread T0 here:
    #0 0x7fef6ede8b50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
    #1 0x559e07ae7167 in gs_heap_alloc_bytes base/gsmalloc.c:193
    #2 0x559e07ae7674 in gs_heap_alloc_byte_array base/gsmalloc.c:252
    #3 0x559e07920f97 in lxm5700m_print_page devices/gdevlxm.c:154
    #4 0x559e073a38d2 in gx_default_print_page_copies base/gdevprn.c:1231
    #5 0x559e073a32a1 in gdev_prn_output_page_aux base/gdevprn.c:1133
    #6 0x559e073a359b in gdev_prn_bg_output_page base/gdevprn.c:1181
    #7 0x559e07a8170e in gs_output_page base/gsdevice.c:212
    #8 0x559e080e0cc8 in zoutputpage psi/zdevice.c:416
    #9 0x559e07ffda23 in do_call_operator psi/interp.c:86
    #10 0x559e080071a2 in interp psi/interp.c:1300
    #11 0x559e07fff570 in gs_call_interp psi/interp.c:520
    #12 0x559e07ffec15 in gs_interpret psi/interp.c:477
    #13 0x559e07fd316c in gs_main_interpret psi/imain.c:253
    #14 0x559e07fd6621 in gs_main_run_string_end psi/imain.c:791
    #15 0x559e07fd5fe6 in gs_main_run_string_with_length psi/imain.c:735
    #16 0x559e07fd5f58 in gs_main_run_string psi/imain.c:716
    #17 0x559e07fe2c1c in run_string psi/imainarg.c:1117
    #18 0x559e07fe29bf in runarg psi/imainarg.c:1086
    #19 0x559e07fe223e in argproc psi/imainarg.c:1008
    #20 0x559e07fdca0a in gs_main_init_with_args01 psi/imainarg.c:241
    #21 0x559e07fdce6e in gs_main_init_with_args psi/imainarg.c:288
    #22 0x559e07fe839e in psapi_init_with_args psi/psapi.c:272
    #23 0x559e081b79ce in gsapi_init_with_args psi/iapi.c:148
    #24 0x559e06d87dc8 in main psi/gs.c:95
    #25 0x7fef6d4feb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

SUMMARY: AddressSanitizer: heap-buffer-overflow devices/gdevlxm.c:303 in lxm5700m_print_page
Shadow bytes around the buggy address:
  0x0ffe6cb45f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffe6cb45f90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffe6cb45fa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffe6cb45fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffe6cb45fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ffe6cb45fd0: 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ffe6cb45fe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ffe6cb45ff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ffe6cb46000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ffe6cb46010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ffe6cb46020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
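The report above carries everything a triager needs (error kind, access direction and size, faulting frame, allocation stack, and the distance past the region), but reading it by hand across many fuzzer findings is error-prone. The following helper is an added example, not code from this bug report or from Ghostscript: it parses an ASAN report into those fields, cross-checks ASAN's own region arithmetic, and notes when the function that indexed the buffer is also on the stack that sized it (which is the case here, lxm5700m_print_page at gdevlxm.c:154 allocates and gdevlxm.c:303 reads). The regular expressions assume the standard ASAN text format shown on this page; SAMPLE_REPORT is a constructed excerpt of this bug's report, trimmed to the frames that matter.

```python
"""Added triage helper: pull the fields a bug triager needs out of an ASAN report."""
import re

# Constructed sample input: an excerpt of the AddressSanitizer report filed in
# this bug, trimmed to the frames that matter for triage.
SAMPLE_REPORT = """\
==21160==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fef65a6fe90 at pc 0x559e07921a43 bp 0x7ffe42c071d0 sp 0x7ffe42c071c0
READ of size 1 at 0x7fef65a6fe90 thread T0
    #0 0x559e07921a42 in lxm5700m_print_page devices/gdevlxm.c:303
    #1 0x559e073a38d2 in gx_default_print_page_copies base/gdevprn.c:1231

0x7fef65a6fe90 is located 0 bytes to the right of 132752-byte region [0x7fef65a4f800,0x7fef65a6fe90)
allocated by thread T0 here:
    #0 0x7fef6ede8b50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
    #1 0x559e07ae7167 in gs_heap_alloc_bytes base/gsmalloc.c:193
    #2 0x559e07ae7674 in gs_heap_alloc_byte_array base/gsmalloc.c:252
    #3 0x559e07920f97 in lxm5700m_print_page devices/gdevlxm.c:154

SUMMARY: AddressSanitizer: heap-buffer-overflow devices/gdevlxm.c:303 in lxm5700m_print_page
"""

# Assumed ASAN text format (matches the report on this page).
ERROR_RE = re.compile(
    r"ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(
    r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at (?P<addr>0x[0-9a-f]+)", re.M)
FRAME_RE = re.compile(
    r"^\s*#(?P<n>\d+) 0x[0-9a-f]+ in (?P<func>\S+) (?P<loc>\S+)", re.M)
REGION_RE = re.compile(
    r"is located (?P<off>\d+) bytes to the (?P<side>left|right) of "
    r"(?P<len>\d+)-byte region \[(?P<lo>0x[0-9a-f]+),(?P<hi>0x[0-9a-f]+)\)")


def project_frames(text):
    """Return (function, file:line) pairs, dropping sanitizer/libc frames that
    only carry a shared-object offset instead of a source location."""
    frames = []
    for m in FRAME_RE.finditer(text):
        func, loc = m.group("func"), m.group("loc")
        if func.startswith("__interceptor") or not re.search(r":\d+$", loc):
            continue
        frames.append((func, loc))
    return frames


def triage(report):
    """Summarise one ASAN access report as a dict of triage fields."""
    err = ERROR_RE.search(report)
    acc = ACCESS_RE.search(report)
    if not (err and acc):
        raise ValueError("not an AddressSanitizer access report")
    # Text before 'allocated by thread' is the faulting stack; text after it
    # is the allocation stack of the region that was overrun.
    head, sep, tail = report.partition("allocated by thread")
    access_stack = project_frames(head)
    alloc_stack = project_frames(tail) if sep else []
    result = {
        "kind": err.group("kind"),
        "op": acc.group("op"),
        "size": int(acc.group("size")),
        "fault_addr": int(err.group("addr"), 16),
        "access_frame": access_stack[0] if access_stack else None,
        "alloc_stack": alloc_stack,
        # True when the function that indexed the buffer also appears in the
        # stack that sized it: size computation and index disagree inside one
        # function, so that is where the bounds check belongs.
        "same_function": (any(f == access_stack[0][0] for f, _ in alloc_stack)
                          if access_stack else False),
        "region_len": None, "offset": None, "side": None, "region_consistent": None,
    }
    region = REGION_RE.search(report)
    if region:
        lo, hi = int(region.group("lo"), 16), int(region.group("hi"), 16)
        off, side = int(region.group("off")), region.group("side")
        length = int(region.group("len"))
        expected = hi + off if side == "right" else lo - off
        # Cross-check ASAN's own arithmetic: the region length and the reported
        # distance must both agree with the faulting address.
        consistent = (hi - lo == length) and (expected == result["fault_addr"])
        result.update(region_len=length, offset=off, side=side,
                      region_consistent=consistent)
    return result


def severity_hint(result):
    """Defender-side reading: an out-of-bounds read crashes or leaks adjacent
    heap bytes; an out-of-bounds write corrupts heap state and ranks higher."""
    if result["op"] == "WRITE":
        return "out-of-bounds WRITE: heap corruption, treat as high severity"
    return "out-of-bounds READ: crash or disclosure of adjacent heap bytes"


if __name__ == "__main__":
    r = triage(SAMPLE_REPORT)
    print(f'{r["kind"]}: {r["op"]} of {r["size"]} byte(s) in {r["access_frame"]}')
    print(f'buffer of {r["region_len"]} bytes allocated via {r["alloc_stack"][-1]}')
    print(severity_hint(r))
```

Run against the report on this page the helper reports a 1-byte READ in lxm5700m_print_page at devices/gdevlxm.c:303, exactly 0 bytes past a 132752-byte region whose allocation stack also passes through lxm5700m_print_page (gdevlxm.c:154), with the region arithmetic consistent. The same_function flag is the useful triage signal: the buffer was sized and then over-indexed within one function, which points the fix at the loop bound or size computation there rather than at the caller.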
Comment 1 Suhwan 2019-11-05 16:57:51 UTC
Created attachment 18447 [details]
poc
Comment 2 Robin Watts 2019-11-05 19:27:15 UTC
A git commit has gone in that incorrectly references this bug:

commit 027c546e0dd11e0526f1780a7f3c2c66acffe209 (golden/master)
Author: Robin Watts <Robin.Watts@artifex.com>
Date:   Tue Nov 5 18:18:50 2019 +0000

    Bug 701842: Fix misindexing in gxicolor.c

    We were incorrectly decrementing position per-component, rather
    than per-pixel (in 2 places).

    Also, take care of some whitespace oddities.

That is actually a bugfix for bug 701816. Apologies for the confusion.