Bug 701842 - heap-buffer-overflow at devices/gdevlxm.c:303 in lxm5700m_print_page
Summary: heap-buffer-overflow at devices/gdevlxm.c:303 in lxm5700m_print_page
Status: RESOLVED FIXED
Alias: None
Product: Ghostscript
Classification: Unclassified
Component: General (show other bugs)
Version: master
Hardware: PC Linux
: P4 normal
Assignee: Julian Smith
QA Contact: Bug traffic
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-11-05 15:14 UTC by Suhwan
Modified: 2019-11-06 12:19 UTC (History)
1 user (show)

See Also:
Customer:
Word Size: ---


Attachments
poc (2.11 KB, application/postscript)
2019-11-05 16:57 UTC, Suhwan
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Suhwan 2019-11-05 15:14:19 UTC
Hello

I found a heap-buffer-overflow bug in GhostScript.
Please confirm. 
Thanks.

OS:        Ubuntu 18.04 64bit
Version:   commit f38c6b08c6582872af25fc669a5fd3bde9f32753

Steps to reproduce:
1. Download the .POC files.
2. Compile the source code with "make sanitize" using gcc.
3. Run following cmd.

gs -dBATCH -sOutputFile=tmp -sDEVICE=lxm5700m $PoC

Here's ASAN report.

==21160==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fef65a6fe90 at pc 0x559e07921a43 bp 0x7ffe42c071d0 sp 0x7ffe42c071c0
READ of size 1 at 0x7fef65a6fe90 thread T0
    #0 0x559e07921a42 in lxm5700m_print_page devices/gdevlxm.c:303
    #1 0x559e073a38d2 in gx_default_print_page_copies base/gdevprn.c:1231
    #2 0x559e073a32a1 in gdev_prn_output_page_aux base/gdevprn.c:1133
    #3 0x559e073a359b in gdev_prn_bg_output_page base/gdevprn.c:1181
    #4 0x559e07a8170e in gs_output_page base/gsdevice.c:212
    #5 0x559e080e0cc8 in zoutputpage psi/zdevice.c:416
    #6 0x559e07ffda23 in do_call_operator psi/interp.c:86
    #7 0x559e080071a2 in interp psi/interp.c:1300
    #8 0x559e07fff570 in gs_call_interp psi/interp.c:520
    #9 0x559e07ffec15 in gs_interpret psi/interp.c:477
    #10 0x559e07fd316c in gs_main_interpret psi/imain.c:253
    #11 0x559e07fd6621 in gs_main_run_string_end psi/imain.c:791
    #12 0x559e07fd5fe6 in gs_main_run_string_with_length psi/imain.c:735
    #13 0x559e07fd5f58 in gs_main_run_string psi/imain.c:716
    #14 0x559e07fe2c1c in run_string psi/imainarg.c:1117
    #15 0x559e07fe29bf in runarg psi/imainarg.c:1086
    #16 0x559e07fe223e in argproc psi/imainarg.c:1008
    #17 0x559e07fdca0a in gs_main_init_with_args01 psi/imainarg.c:241
    #18 0x559e07fdce6e in gs_main_init_with_args psi/imainarg.c:288
    #19 0x559e07fe839e in psapi_init_with_args psi/psapi.c:272
    #20 0x559e081b79ce in gsapi_init_with_args psi/iapi.c:148
    #21 0x559e06d87dc8 in main psi/gs.c:95
    #22 0x7fef6d4feb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #23 0x559e06d87b69 in _start (gs+0x36cb69)

0x7fef65a6fe90 is located 0 bytes to the right of 132752-byte region [0x7fef65a4f800,0x7fef65a6fe90)
allocated by thread T0 here:
    #0 0x7fef6ede8b50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
    #1 0x559e07ae7167 in gs_heap_alloc_bytes base/gsmalloc.c:193
    #2 0x559e07ae7674 in gs_heap_alloc_byte_array base/gsmalloc.c:252
    #3 0x559e07920f97 in lxm5700m_print_page devices/gdevlxm.c:154
    #4 0x559e073a38d2 in gx_default_print_page_copies base/gdevprn.c:1231
    #5 0x559e073a32a1 in gdev_prn_output_page_aux base/gdevprn.c:1133
    #6 0x559e073a359b in gdev_prn_bg_output_page base/gdevprn.c:1181
    #7 0x559e07a8170e in gs_output_page base/gsdevice.c:212
    #8 0x559e080e0cc8 in zoutputpage psi/zdevice.c:416
    #9 0x559e07ffda23 in do_call_operator psi/interp.c:86
    #10 0x559e080071a2 in interp psi/interp.c:1300
    #11 0x559e07fff570 in gs_call_interp psi/interp.c:520
    #12 0x559e07ffec15 in gs_interpret psi/interp.c:477
    #13 0x559e07fd316c in gs_main_interpret psi/imain.c:253
    #14 0x559e07fd6621 in gs_main_run_string_end psi/imain.c:791
    #15 0x559e07fd5fe6 in gs_main_run_string_with_length psi/imain.c:735
    #16 0x559e07fd5f58 in gs_main_run_string psi/imain.c:716
    #17 0x559e07fe2c1c in run_string psi/imainarg.c:1117
    #18 0x559e07fe29bf in runarg psi/imainarg.c:1086
    #19 0x559e07fe223e in argproc psi/imainarg.c:1008
    #20 0x559e07fdca0a in gs_main_init_with_args01 psi/imainarg.c:241
    #21 0x559e07fdce6e in gs_main_init_with_args psi/imainarg.c:288
    #22 0x559e07fe839e in psapi_init_with_args psi/psapi.c:272
    #23 0x559e081b79ce in gsapi_init_with_args psi/iapi.c:148
    #24 0x559e06d87dc8 in main psi/gs.c:95
    #25 0x7fef6d4feb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

SUMMARY: AddressSanitizer: heap-buffer-overflow devices/gdevlxm.c:303 in lxm5700m_print_page
Shadow bytes around the buggy address:
  0x0ffe6cb45f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffe6cb45f90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffe6cb45fa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffe6cb45fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffe6cb45fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ffe6cb45fd0: 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ffe6cb45fe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ffe6cb45ff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ffe6cb46000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ffe6cb46010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ffe6cb46020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
Comment 1 Suhwan 2019-11-05 16:57:51 UTC
Created attachment 18447 [details]
poc
Comment 2 Robin Watts 2019-11-05 19:27:15 UTC
A git commit has gone in that incorrectly references this bug:

commit 027c546e0dd11e0526f1780a7f3c2c66acffe209 (golden/master)
Author: Robin Watts <Robin.Watts@artifex.com>
Date:   Tue Nov 5 18:18:50 2019 +0000

    Bug 701842: Fix misindexing in gxicolor.c

    We were incorrectly decrementing position per-component, rather
    than per-pixel (in 2 places).

    Also, take care of some whitespace oddities.

That is actually a bugfix for bug 701816. Apologies for the confusion.