Bug 702346 - heap-buffer-overflow at devices/vector/gdevtxtw.c:2139 (and maybe :2126) in txt_add_fragment
Status: RESOLVED DUPLICATE of bug 702229
Alias: None
Product: Ghostscript
Classification: Unclassified
Component: General
Version: 9.52
Hardware: PC Linux
Importance: P4 normal
Assignee: Default assignee
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-04-18 12:21 UTC by Bernhard Übelacker
Modified: 2020-05-20 07:27 UTC

See Also:
Customer:
Word Size: ---


Attachments
triaging info from debian bug, valgrind run, rr run (49.53 KB, text/plain)
2020-04-18 12:21 UTC, Bernhard Übelacker

Description Bernhard Übelacker 2020-04-18 12:21:15 UTC
Created attachment 19158
triaging info from debian bug, valgrind run, rr run

A user submitted https://bugs.debian.org/954901
Please find there also the example input file.

I could reproduce the crash inside a minimal debian unstable VM.

As far as I see the allocation in line 2134 is done with
penum->TextBufferIndex == 13.

The memcpy in line 2139 uses penum->text.size == 26, and
therefore writes beyond allocated memory.

The same situation might be in lines 2121 to 2126.

This got maybe introduced in the fix in bug #701877.

Please find the full backtrace, a valgrind run and an rr reverse debugging
session in the attached file.

For a reason unknown to me the original reporter closed the
debian bug with the same version fixing the issue as it got reported against.
Therefore I am not sure if there is already something in git fixing it.


devices/vector/gdevtxtw.c:
2134     unsorted_entry->Widths = (float *)gs_malloc(tdev->memory->stable_me...
2135         penum->TextBufferIndex, sizeof(float), "txtwrite alloc widths a...
2136     if (!unsorted_entry->Widths)
2137         return gs_note_error(gs_error_VMerror);
2138     memset(unsorted_entry->Widths, 0x00, penum->TextBufferIndex * sizeo...
2139     memcpy(unsorted_entry->Widths, penum->Widths, penum->text.size * si...
2140 
2141     unsorted_entry->FontName = (char *)gs_malloc(tdev->memory->stable_m...
2142         (strlen(penum->text_state->FontName) + 1), sizeof(unsigned char...
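The allocation/copy length mismatch described in the report (buffer sized by TextBufferIndex, memcpy driven by text.size), as an added example that is not Ghostscript's code: the structure and field names are constructed stand-ins, and the bound check before the memcpy is one defensive shape, not the fix applied in bug 702229.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-ins for the two structures in the report (not Ghostscript's definitions). */
typedef struct {
    size_t TextBufferIndex;   /* number of glyph widths actually buffered */
    size_t text_size;         /* stand-in for penum->text.size, the count the memcpy used */
    float  Widths[64];        /* source width table */
} TextEnum;

typedef struct {
    float *Widths;
    size_t width_count;       /* how many floats Widths can hold */
} UnsortedEntry;

/* Same shape as the code in the description, with a bound check added before memcpy.
 * Returns 0 on success, -1 on allocation failure, -2 when the copy length exceeds
 * the allocation (the 13-vs-26 case from the report). */
int copy_widths_checked(UnsortedEntry *entry, const TextEnum *penum)
{
    size_t n_alloc = penum->TextBufferIndex;
    size_t n_copy  = penum->text_size;

    /* The defect: n_copy is not constrained by n_alloc. Refuse rather than overrun. */
    if (n_copy > n_alloc)
        return -2;

    entry->Widths = calloc(n_alloc, sizeof(float));   /* zero-filled, like the memset */
    if (!entry->Widths)
        return -1;
    entry->width_count = n_alloc;
    memcpy(entry->Widths, penum->Widths, n_copy * sizeof(float));
    return 0;
}

/* Builds a constructed scenario: `buffered` widths present, text.size claiming `claimed`.
 * On success, stores the last copied width in *out_last (if non-NULL). */
int reproduce_mismatch(size_t buffered, size_t claimed, float *out_last)
{
    TextEnum penum = { buffered, claimed, {0} };
    UnsortedEntry entry = { NULL, 0 };
    for (size_t i = 0; i < buffered && i < 64; i++)
        penum.Widths[i] = (float)(i + 1);
    int rc = copy_widths_checked(&entry, &penum);
    if (rc == 0 && out_last && buffered > 0)
        *out_last = entry.Widths[buffered - 1];
    free(entry.Widths);
    return rc;
}

int main(void)
{
    printf("13 buffered / 26 claimed -> rc=%d\n", reproduce_mismatch(13, 26, NULL));
    return 0;
}
```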
Comment 1 Ray Johnston 2020-05-18 15:56:40 UTC

*** This bug has been marked as a duplicate of bug 702229 ***
Comment 2 Ken Sharp 2020-05-20 07:27:47 UTC
(In reply to Bernhard Übelacker from comment #0)

> A user submitted https://bugs.debian.org/954901
> Please find there also the example input file.

For future reference; please add all files and command lines to the report when filing bugs. It can be some time before we can investigate free user reports, and links can go stale in the interim making it impossible to investigate further.

In addition we can harvest the files attached to bug reports for testing, and if the files aren't in our bugzilla, they won't ever make it into our test repository.


> For a reason unknown to me the original reporter closed the
> debian bug with the same version fixing the issue as it got reported against.
> Therefore I am not sure if there is already something in git fixing it.

There have not been any recent bug fixes for txtwrite, so it seems pretty unlikely that there has been a fix.