b***@artifex.com
2017-12-09 21:18:34 UTC
http://bugs.ghostscript.com/show_bug.cgi?id=698805
Bug ID: 698805
Summary: NULL pointer dereference in cursor_output_inrange_tr
Product: Ghostscript
Version: master
Hardware: PC
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: P4
Component: Fuzzing
Assignee: ghostpdl-***@artifex.com
Reporter: ***@gmail.com
QA Contact: gs-***@ghostscript.com
Word Size: ---
Created attachment 14516
--> http://bugs.ghostscript.com/attachment.cgi?id=14516&action=edit
PoC
Hello.
I found a NULL pointer dereference bug in Ghostscript.
Please confirm.
Thanks.
OS: Ubuntu 16.04 32bit
Version: Ghostscript version 9.23
Steps to reproduce:
1. Download the .POC files.
2. Compile the source code with ASan.
3. ./gs -dNOPAUSE -sDEVICE=bit -sOUTPUTFILE=/dev/null -dSAFER $PoC
```
ASAN:SIGSEGV
=================================================================
==27682==ERROR: AddressSanitizer: SEGV on unknown address 0x96da3334 (pc
0x08d08ebf bp 0xbfbf7ac0 sp 0xbfbf7940 T0)
#0 0x8d08ebe in cursor_output_inrange_tr base/gxscanc.c:2831
#1 0x8d08ebe in cursor_always_inrange_step_left_tr base/gxscanc.c:2945
#2 0x8d08ebe in mark_line_tr_app base/gxscanc.c:3564
#3 0x8d15cdc in gx_scan_convert_tr_app base/gxscanc.c:3749
#4 0x8c3adfb in gx_general_fill_path base/gxfill.c:509
#5 0x8c3adfb in gx_default_fill_path base/gxfill.c:716
#6 0x8bd3757 in gx_cpath_intersect_path_slow base/gxacpath.c:248
#7 0x8c17093 in gx_cpath_intersect_with_params base/gxcpath.c:721
#8 0x8c17da9 in gx_cpath_intersect base/gxcpath.c:743
#9 0x8c17da9 in gx_cpath_clip base/gxcpath.c:604
#10 0x8ee7cbf in common_viewclip base/gsdps.c:77
#11 0x8db2e0a in interp psi/interp.c:1584
#12 0x8db5f06 in gs_call_interp psi/interp.c:517
#13 0x8db5f06 in gs_interpret psi/interp.c:474
#14 0x8d8f746 in gs_main_interpret psi/imain.c:235
#15 0x8d8f746 in gs_main_run_string_end psi/imain.c:651
#16 0x8d8f746 in gs_main_run_string_with_length psi/imain.c:609
#17 0x8d8f7e6 in gs_main_run_string psi/imain.c:591
#18 0x8d94964 in run_string psi/imainarg.c:1033
#19 0x8d94dd8 in runarg psi/imainarg.c:1023
#20 0x8d94fe3 in argproc psi/imainarg.c:956
#21 0x8d988a6 in gs_main_init_with_args psi/imainarg.c:238
#22 0x80b5300 in main psi/gs.c:96
#23 0xb6e10636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
#24 0x80bbc1b (/home/karas/ghostpdl/bin/gs+0x80bbc1b)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV base/gxscanc.c:2831 cursor_output_inrange_tr
==27682==ABORTING
```
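As an added triage helper (not part of this bug report or of Ghostscript), the following parses the ASan report above, extracts the crash kind, faulting address and symbolised frames, and derives a deduplication signature from the top in-project frames, which is how a fuzzing queue tells this crash apart from others. The embedded report is a trimmed copy of the trace in this bug; `PROJECT_DIRS` and `PAGE_SIZE` are assumptions of the example.

```python
import re

# Constructed sample: the ASan report from this bug, trimmed to the frames
# needed for triage (addresses and line numbers are as reported above).
SAMPLE_REPORT = """\
==27682==ERROR: AddressSanitizer: SEGV on unknown address 0x96da3334 (pc 0x08d08ebf bp 0xbfbf7ac0 sp 0xbfbf7940 T0)
    #0 0x8d08ebe in cursor_output_inrange_tr base/gxscanc.c:2831
    #1 0x8d08ebe in cursor_always_inrange_step_left_tr base/gxscanc.c:2945
    #2 0x8d08ebe in mark_line_tr_app base/gxscanc.c:3564
    #3 0x8d15cdc in gx_scan_convert_tr_app base/gxscanc.c:3749
    #4 0x8c3adfb in gx_general_fill_path base/gxfill.c:509
    #23 0xb6e10636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
SUMMARY: AddressSanitizer: SEGV base/gxscanc.c:2831 cursor_output_inrange_tr
==27682==ABORTING
"""

ERROR_RE = re.compile(
    r"==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on (?:unknown )?address 0x(?P<addr>[0-9a-f]+)",
    re.IGNORECASE)
# Only symbolised frames with file:line are captured; library frames such as
# __libc_start_main (module+offset) are skipped on purpose.
FRAME_RE = re.compile(
    r"#(?P<n>\d+) 0x[0-9a-f]+ in (?P<func>\S+) (?P<file>[^\s:(]+):(?P<line>\d+)",
    re.IGNORECASE)
PROJECT_DIRS = ("base/", "psi/")   # assumed: Ghostscript source trees seen in the trace
PAGE_SIZE = 0x1000                 # assumed: faults inside page 0 are the classic NULL dereference

def parse_asan_report(text):
    """Return crash kind, faulting address and the symbolised stack frames."""
    m = ERROR_RE.search(text)
    if m is None:
        raise ValueError("no AddressSanitizer ERROR line in report")
    frames = [(int(f["n"]), f["func"], f["file"], int(f["line"]))
              for f in FRAME_RE.finditer(text)]
    addr = int(m["addr"], 16)
    return {"kind": m["kind"], "address": addr,
            "fault_in_page0": addr < PAGE_SIZE, "frames": frames}

def crash_signature(report, depth=3):
    """Stable dedup key: crash kind plus the top in-project function names."""
    funcs = [func for _, func, path, _ in report["frames"]
             if path.startswith(PROJECT_DIRS)]
    return "|".join([report["kind"], *funcs[:depth]])

def crash_site(report):
    """(file, line) of the innermost frame, i.e. what the SUMMARY line names."""
    if not report["frames"]:
        return None
    _, _, path, line = min(report["frames"])
    return path, line
```

`fault_in_page0` only records whether the faulting address lies in the first page; a fault elsewhere means an offset from NULL or another invalid pointer and is worth a closer look during triage.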
--
You are receiving this mail because:
You are the QA Contact for the bug.