Discussion:
[gs-bugs] [Bug 696378] - Ghostscript - Seg faults found by fuzzing in default_subclass_get_color_comp_index (gdevsclass.c:702)
b***@artifex.com
2017-05-11 09:21:37 UTC
http://bugs.ghostscript.com/show_bug.cgi?id=696378

Chris Liddell (chrisl) <***@artifex.com> changed:

What          |Removed                      |Added
----------------------------------------------------------------------------
Assignee      |ghostpdl-***@artifex.com     |***@artifex.com
CC            |                             |***@artifex.com
--
You are receiving this mail because:
You are the QA Contact for the bug.
b***@artifex.com
2017-05-18 14:10:59 UTC
http://bugs.ghostscript.com/show_bug.cgi?id=696378

Ken Sharp <***@artifex.com> changed:

What          |Removed                      |Added
----------------------------------------------------------------------------
Assignee      |***@artifex.com              |***@artifex.com
Priority      |P4                           |P1

--- Comment #1 from Ken Sharp <***@artifex.com> ---
For me this actually seg faults in the PDF14 device, although the code has
changed in recent versions, it continues to seg fault with the current HEAD.
This is true even if I comment out the lines :

    code = install_internal_subclass_devices(&pdev, &update_procs);
    if (code < 0)
        return code;

in gdevprn.c, so that the subclass devices are not loaded. The exact error is
different in this case though. With the subclassing devices the error occurs
at:

In pdf14_spot_get_color_comp_index() at around line 8492 we do:

    if (component_type == NO_COMP_NAME_TYPE)
        return (*target_get_color_comp_index)(tdev, pname, name_size,
                                              component_type);

Notice that we do not check 'target_get_color_comp_index' and in this case it
is NULL. This is because it's set from:

    ((pdf14_clist_device *)pdev)->saved_target_get_color_comp_index;

which appears to just assume the device is a pdf14 clist device; in fact it's
the psdcmyk device. I'm not sure if this is correct or not..... In any event
the 'saved_target_get_color_comp_index' is NULL.

I can guard against that, but doing so simply leads to a seg fault later on
(much later on) in check_pcm_and_separation_names(), because the ink name
doesn't seem to be a string. Presumably because 'pparams' isn't really a
gs_devn_params structure. This is the same seg fault as seen when the
subclassing devices are not loaded.

This appears to be because the device is psdcmyk and its 'devn_params' member
is garbage. Neither NULL nor anything sensible. Again this seems to be because
we are casting the device to a pdf14 device and *assuming* it really is a
device of that type.

I'm guessing that the large numbers of errors in the corrupted PDF file lead to
some kind of mismatch in the PDF14 transparency code.

In any event, this is not my area and I'm kind of out of my depth, so
reassigning to Michael.


Making P1 for a crash
b***@artifex.com
2017-09-16 15:06:10 UTC
http://bugs.ghostscript.com/show_bug.cgi?id=696378

Michael Vrhel <***@artifex.com> changed:

What          |Removed                      |Added
----------------------------------------------------------------------------
Ever confirmed|0                            |1
Status        |UNCONFIRMED                  |IN_PROGRESS
Assignee      |***@artifex.com              |***@artifex.com

--- Comment #2 from Michael Vrhel <***@artifex.com> ---
So I am seeing the following from the interpreter:

DevicePush
Begin Group
Begin Text Group
End Text Group
Begin Group
Begin Group
Begin Mask
Begin Group
***Error
End Group
***Error
End Group
***Error
End Group
***Error
End Group
Pop Device
Fill -> leads to segv

So here we need to clean up the pdf14 device as we should have had an
endtransparencymask from the interpreter or an abortpdf14devicefilter.

Sending to Ray to have a look.
b***@artifex.com
2017-10-16 13:33:35 UTC
http://bugs.ghostscript.com/show_bug.cgi?id=696378

Chris Liddell (chrisl) <***@artifex.com> changed:

What          |Removed                      |Added
----------------------------------------------------------------------------
Version       |master                       |unspecified
Group         |                             |Security
Component     |Fuzzing                      |Security
Severity      |normal                       |blocker
Product       |Ghostscript                  |Security
b***@artifex.com
2017-10-24 03:56:07 UTC
http://bugs.ghostscript.com/show_bug.cgi?id=696378

Ray Johnston <***@artifex.com> changed:

What          |Removed                      |Added
----------------------------------------------------------------------------
Resolution    |---                          |DUPLICATE
Status        |IN_PROGRESS                  |RESOLVED

--- Comment #3 from Ray Johnston <***@artifex.com> ---
The fix in progress for 696372 also fixes this one.

*** This bug has been marked as a duplicate of bug 696372 ***