Bug 708602 - Heap overflow in ocr_line8
Summary: Heap overflow in ocr_line8
Status: RESOLVED FIXED
Alias: None
Product: Ghostscript
Classification: Unclassified
Component: Security (public)
Version: unspecified
Hardware: PC Linux
Importance: P2 normal
Assignee: Chris Liddell (chrisl)
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2025-06-13 00:05 UTC by Piotr Kajda
Modified: 2025-07-01 09:34 UTC

See Also:
Customer:
Word Size: ---


Attachments
Proof of concept (260.57 KB, application/pdf)
2025-06-13 00:05 UTC, Piotr Kajda

Description Piotr Kajda 2025-06-13 00:05:14 UTC
Created attachment 26897
Proof of concept

# Title: Heap overflow in ocr_line8
# Date Found: 2025-06-13
# Version: Tested on commit f148541cd19b82006bd2dd5acbd294449b668351
# Author: Piotr Kajda
# Tested On: Arch Linux

I found a heap buffer overflow in the function ocr_line8 at devices/gdevpdfocr.c:461. The reason for this bug is an integer overflow in ocr_begin_page at devices/gdevpdfocr.c:526 during memory allocation.

Steps to reproduce, with ASan output:
$ sanbin/gs -sDEVICE=pdfocr8 -sOutputFile=test.pdf poc.pdf
==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x79bc0971c65b at pc 0x6146ddfda00c bp 0x7ffca44e37d0 sp 0x7ffca44e37c0
WRITE of size 1 at 0x79bc0971c65b thread T0
    #0 0x6146ddfda00b in ocr_line8 devices/gdevpdfocr.c:461
    #1 0x6146dd84c47d in pdf_image_downscale_and_print_page devices/gdevpdfimg.c:531
    #2 0x6146dd8505b4 in pdf_image_print_page devices/gdevpdfimg.c:857
    #3 0x6146dd3d0f42 in gx_default_print_page_copies base/gdevprn.c:1165
    #4 0x6146dd3d0905 in gdev_prn_output_page_aux base/gdevprn.c:1067
    #5 0x6146dd3d0bd3 in gdev_prn_output_page_seekable base/gdevprn.c:1109
    #6 0x6146de025b48 in gs_output_page base/gsdevice.c:207
    #7 0x6146de69d8eb in zoutputpage psi/zdevice.c:509
    #8 0x6146de5acea6 in do_call_operator psi/interp.c:91
    #9 0x6146de5b75df in interp psi/interp.c:1384
    #10 0x6146de5aeccf in gs_call_interp psi/interp.c:535
    #11 0x6146de5ae2f2 in gs_interpret psi/interp.c:488
    #12 0x6146de580f27 in gs_main_interpret psi/imain.c:257
    #13 0x6146de585dd6 in gs_main_run_string_end psi/imain.c:945
    #14 0x6146de585782 in gs_main_run_string_with_length psi/imain.c:889
    #15 0x6146de5856f4 in gs_main_run_string psi/imain.c:870
    #16 0x6146de592deb in run_string psi/imainarg.c:1195
    #17 0x6146de592af9 in runarg psi/imainarg.c:1154
    #18 0x6146de592357 in argproc psi/imainarg.c:1076
    #19 0x6146de58c643 in gs_main_init_with_args01 psi/imainarg.c:257
    #20 0x6146de58cbb5 in gs_main_init_with_args psi/imainarg.c:311
    #21 0x6146de5985cf in psapi_init_with_args psi/psapi.c:294
    #22 0x6146de995009 in gsapi_init_with_args psi/iapi.c:253
    #23 0x6146dd046721 in main psi/gs.c:104
    #24 0x79bc18035487  (/usr/lib/libc.so.6+0x27487) (BuildId: 0b707b217b15b106c25fe51df3724b25848310c0)
    #25 0x79bc1803554b in __libc_start_main (/usr/lib/libc.so.6+0x2754b) (BuildId: 0b707b217b15b106c25fe51df3724b25848310c0)
    #26 0x6146dd046404 in _start (/home/zxcv/ghostpdl1/sanbin/gs+0x3b0404) (BuildId: 74bd9de6e3eb63e96e4832534869ea91d70c72b4)

0x79bc0971c65b is located 3 bytes after 919166552-byte region [0x79bbd2a86800,0x79bc0971c658)
allocated by thread T0 here:
    #0 0x79bc192fd721 in malloc /usr/src/debug/gcc/gcc/libsanitizer/asan/asan_malloc_linux.cpp:69
    #1 0x6146de096322 in gs_heap_alloc_bytes base/gsmalloc.c:192
    #2 0x6146ddff1e2c in alloc_acquire_clump base/gsalloc.c:2446
    #3 0x6146ddfef111 in alloc_obj base/gsalloc.c:1911
    #4 0x6146ddfe9f2f in i_alloc_bytes base/gsalloc.c:1162
    #5 0x6146ddfda58d in ocr_begin_page devices/gdevpdfocr.c:526
    #6 0x6146dd84b72e in pdf_image_downscale_and_print_page devices/gdevpdfimg.c:459
    #7 0x6146dd8505b4 in pdf_image_print_page devices/gdevpdfimg.c:857
    #8 0x6146dd3d0f42 in gx_default_print_page_copies base/gdevprn.c:1165
    #9 0x6146dd3d0905 in gdev_prn_output_page_aux base/gdevprn.c:1067
    #10 0x6146dd3d0bd3 in gdev_prn_output_page_seekable base/gdevprn.c:1109
    #11 0x6146de025b48 in gs_output_page base/gsdevice.c:207
    #12 0x6146de69d8eb in zoutputpage psi/zdevice.c:509
    #13 0x6146de5acea6 in do_call_operator psi/interp.c:91
    #14 0x6146de5b75df in interp psi/interp.c:1384
    #15 0x6146de5aeccf in gs_call_interp psi/interp.c:535
    #16 0x6146de5ae2f2 in gs_interpret psi/interp.c:488
    #17 0x6146de580f27 in gs_main_interpret psi/imain.c:257
    #18 0x6146de585dd6 in gs_main_run_string_end psi/imain.c:945
    #19 0x6146de585782 in gs_main_run_string_with_length psi/imain.c:889
    #20 0x6146de5856f4 in gs_main_run_string psi/imain.c:870
    #21 0x6146de592deb in run_string psi/imainarg.c:1195
    #22 0x6146de592af9 in runarg psi/imainarg.c:1154
    #23 0x6146de592357 in argproc psi/imainarg.c:1076
    #24 0x6146de58c643 in gs_main_init_with_args01 psi/imainarg.c:257
    #25 0x6146de58cbb5 in gs_main_init_with_args psi/imainarg.c:311
    #26 0x6146de5985cf in psapi_init_with_args psi/psapi.c:294
    #27 0x6146de995009 in gsapi_init_with_args psi/iapi.c:253
    #28 0x6146dd046721 in main psi/gs.c:104
    #29 0x79bc18035487  (/usr/lib/libc.so.6+0x27487) (BuildId: 0b707b217b15b106c25fe51df3724b25848310c0)

Fix for the problem:
diff --git a/devices/gdevpdfocr.c b/devices/gdevpdfocr.c
index f27dc11db..581dc0b71 100644
--- a/devices/gdevpdfocr.c
+++ b/devices/gdevpdfocr.c
@@ -522,8 +522,10 @@ static int
 ocr_begin_page(gx_device_pdf_image *dev, int w, int h, int bpp)
 {
     int raster = (w+3)&~3;
+       if(raster > max_int/h)
+               return_error(gs_error_rangecheck);

    dev->ocr.data = gs_alloc_bytes(dev->memory, raster*h, "ocr_begin_page");
     if (dev->ocr.data == NULL)
         return_error(gs_error_VMerror);
     dev->ocr.w = w;
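Review bot: the new guard `if(raster > max_int/h)` divides by `h` before anything has established that `h` is positive, so a zero page height turns the check itself into a division by zero and a negative height inverts the comparison; put a bounds check in front of it, e.g. `if (h <= 0 || w < 0 || raster > max_int / h)`, since a negative `w` also yields a negative `raster` that passes the comparison and still reaches `gs_alloc_bytes` with a negative product. Two style points on the same two added lines: they are indented eight columns where the surrounding body uses four, and `if(` should be written `if (` to match the `if (dev->ocr.data == NULL)` line just below.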
Comment 1 Ken Sharp 2025-07-01 09:33:49 UTC
Fixed in commit 176cf0188a2294bc307b8caec876f39412e58350
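As an added illustration of the arithmetic the report describes (example code written for this page, not Ghostscript's code and not the reporter's patch): the row size `(w+3)&~3` multiplied by the page height is computed once unchecked, to show the wrapped value a 32-bit product takes, and once with the guard the patch proposes plus the `h <= 0` and `w` bounds checks that the bare division lacks, so the allocation is only attempted with a size that actually fits. The function names and the `OCR_BUF_*` result codes are hypothetical stand-ins for `gs_error_rangecheck` / `gs_error_VMerror`, and the sample page dimensions are constructed.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical result codes standing in for Ghostscript's
 * gs_error_rangecheck and gs_error_VMerror. */
enum { OCR_BUF_OK = 0, OCR_BUF_RANGECHECK = -1, OCR_BUF_VMERROR = -2 };

/* The unchecked computation from the report: raster = (w+3)&~3, then
 * raster*h as a 32-bit int. Done in unsigned arithmetic so this demo
 * shows the wrapped value without itself invoking undefined behaviour;
 * the two's-complement reinterpretation is what the int multiply
 * produces in practice. */
int32_t unchecked_raster_times_h(int w, int h)
{
    int32_t raster = (w + 3) & ~3;
    uint32_t product = (uint32_t)raster * (uint32_t)h;  /* wraps mod 2^32 */
    return (int32_t)product;
}

/* Hardened size computation. Rejects a non-positive height, a negative or
 * near-INT_MAX width (so w + 3 itself cannot overflow), and any raster*h
 * that does not fit in an int. The raster > INT_MAX / h test is the same
 * condition the posted patch uses, with the h <= 0 guard placed in front
 * of it so the division is always defined. */
int checked_page_buffer_size(int w, int h, size_t *out)
{
    if (h <= 0 || w < 0 || w > INT_MAX - 3)
        return OCR_BUF_RANGECHECK;
    int raster = (w + 3) & ~3;      /* row bytes rounded up to a multiple of 4 */
    if (raster > INT_MAX / h)       /* raster * h would exceed INT_MAX */
        return OCR_BUF_RANGECHECK;
    *out = (size_t)raster * (size_t)h;
    return OCR_BUF_OK;
}

/* Allocate only after validation; the caller frees the buffer.
 * Returns NULL and sets *err on rejection or allocation failure. */
unsigned char *alloc_page_buffer(int w, int h, int *err)
{
    size_t n;
    *err = checked_page_buffer_size(w, h, &n);
    if (*err != OCR_BUF_OK)
        return NULL;
    unsigned char *p = malloc(n);
    if (p == NULL) {
        *err = OCR_BUF_VMERROR;
        return NULL;
    }
    return p;
}

int main(void)
{
    /* Constructed sample dimensions: a letter-size page at 72 dpi, and two
     * oversized pages whose raster*h product wraps in 32-bit arithmetic
     * (the second wraps all the way to zero). */
    const int dims[][2] = { {612, 792}, {100000, 30000}, {65536, 65536} };
    for (size_t i = 0; i < sizeof dims / sizeof dims[0]; i++) {
        int w = dims[i][0], h = dims[i][1], err;
        size_t n = 0;
        int rc = checked_page_buffer_size(w, h, &n);
        printf("w=%d h=%d unchecked=%ld checked=%s",
               w, h, (long)unchecked_raster_times_h(w, h),
               rc == OCR_BUF_OK ? "ok" : "rangecheck");
        if (rc == OCR_BUF_OK)
            printf(" (%zu bytes)", n);
        putchar('\n');
        unsigned char *buf = alloc_page_buffer(w, h, &err);
        free(buf);   /* NULL for the rejected sizes, which is safe to free */
    }
    return 0;
}
```

The point of doing the product in `size_t` only after the `int` range check is that the check keeps the value consistent with the `int`-typed width and height used by the rest of the device, so a later row computation in `int` cannot silently disagree with the buffer size that was allocated.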