pdf2ps in ghostscript produces a segfault with this file:
https://bugzilla.redhat.com/attachment.cgi?id=334044

Corresponding redhat-bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=501710
https://bugzilla.redhat.com/show_bug.cgi?id=503785

CVE is requested on oss-security.
Created attachment 194334 [details, diff]
A proposed patch to fix the NULL-pointer dereferencing.

As mentioned in the Redhat Bugzilla, the output of pdf2ps with the crafted PDF file is:

$ pdf2ps 2009-41414141.pdf
**** Warning: Fonts with Subtype = /TrueType should be embedded. But ArialMT is not embedded.
**** Warning: Fonts with Subtype = /TrueType should be embedded. But ArialMT is not embedded.
**** Warning: Fonts with Subtype = /TrueType should be embedded. But ArialMT is not embedded.
**** Warning: Fonts with Subtype = /TrueType should be embedded. But ArialMT is not embedded.
jbig2dec FATAL ERROR decoding image: could not allocate image data buffer! [-14580 bytes]
Segmentation fault

This bug is due to a couple of reasons:

1. There is an integer overrun in the function jbig2_image_new as defined in jbig2.h. The last two parameters are values of image width and height. Both variables can hold values no larger than INT_MAX. Hence the "-14580 bytes" in the output as the int storage is overrun into a large negative. The proposed patch addresses this by changing the types here to unsigned long.

2. The return value of the function jbig2_image_new is not checked (consistently) -- it returns NULL upon error. Hence the NULL pointer dereference. The proposed patch attempts to address this issue as much as possible (lack of documentation as to function return values, error codes, etc. in the source code makes this difficult).

Attempting to convert the crafted PDF file with the proposed patch applied gives the following output:

$ pdf2ps 2009-41414141.pdf
jbig2dec FATAL ERROR decoding image: invalid image dimensions! [28x4294963651]
jbig2dec FATAL ERROR decoding image: unable to allocate image storage (segment 0x03)
**** Warning: File has insufficient data for an image.
**** This file had errors that were repaired or ignored.
**** The file was produced by:
**** >>>> Image to PDF Converter (http://www.imagepdf.com) <<<<
**** Please notify the author of the software that produced this
**** file that it does not conform to Adobe's published PDF
**** specification.

with no segmentation fault. : )

The proposed patch therefore solves the NULL pointer dereferencing, but probably creates some memory leaks -- which IMHO the upstream developers can fix easily.
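The two defects described in the comment above (signed int arithmetic on width and height wrapping to a negative byte count, and a caller dereferencing an allocator result that can be NULL) are illustrated side by side in the added example below. It is not jbig2dec's code and not the attached patch: the toy_image struct, the function names, and the byte-aligned stride formula ((width - 1) >> 3) + 1 are assumptions made for the example. With that stride, a width of 28 gives 4 bytes per row, and the 32-bit reading of the reported height 4294963651 is -3645, so the unsafe path reproduces the -14580 bytes from the pdf2ps output. The hardened allocator uses unsigned dimensions, rejects zero or out-of-range values, checks stride * height against SIZE_MAX before allocating, and returns NULL on every failure path; the caller then checks that result instead of dereferencing it.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy stand-in for a 1-bit-per-pixel image. The struct and field names are
 * assumptions for this example, not jbig2dec's real types. */
typedef struct {
    uint32_t width;
    uint32_t height;
    uint32_t stride;   /* byte-aligned bytes per row */
    uint8_t *data;
} toy_image;

/* The 'before' arithmetic as described in the report: width and height are
 * plain ints, so a height that wrapped to -3645 (the 32-bit reading of
 * 4294963651) yields a negative byte count instead of a clean failure. */
int unsafe_buffer_size(int width, int height)
{
    int stride = ((width - 1) >> 3) + 1;   /* assumed stride formula */
    return stride * height;                /* 28 x -3645 -> -14580 bytes */
}

/* Hardened allocator: unsigned dimensions, explicit rejection of zero or
 * out-of-range values, and an overflow check on stride * height before any
 * allocation happens. Returns NULL on every failure path. */
toy_image *toy_image_new(uint32_t width, uint32_t height)
{
    if (width == 0 || height == 0 || width > INT32_MAX || height > INT32_MAX)
        return NULL;                        /* "invalid image dimensions" */
    uint32_t stride = ((width - 1) >> 3) + 1;
    if (height > SIZE_MAX / stride)         /* stride * height would wrap size_t */
        return NULL;
    size_t nbytes = (size_t)stride * height;

    toy_image *img = calloc(1, sizeof *img);
    if (img == NULL)
        return NULL;
    img->data = calloc(nbytes, 1);
    if (img->data == NULL) {                /* "unable to allocate image storage" */
        free(img);
        return NULL;
    }
    img->width = width;
    img->height = height;
    img->stride = stride;
    return img;
}

void toy_image_free(toy_image *img)
{
    if (img == NULL)
        return;
    free(img->data);
    free(img);
}

/* Hypothetical decoder step that checks the allocator's result instead of
 * dereferencing it. Returns 0 on success, -1 if the image was rejected. */
int decode_segment(uint32_t width, uint32_t height)
{
    toy_image *img = toy_image_new(width, height);
    if (img == NULL) {
        fprintf(stderr, "FATAL ERROR decoding image: %ux%u rejected\n",
                (unsigned)width, (unsigned)height);
        return -1;
    }
    img->data[0] |= 0x80;   /* safe: data is at least stride bytes long */
    toy_image_free(img);
    return 0;
}

int main(void)
{
    printf("unsafe size for 28 x -3645: %d bytes\n", unsafe_buffer_size(28, -3645));
    printf("decode 28 x 4294963651 -> %d\n", decode_segment(28, 4294963651u));
    printf("decode 28 x 2 -> %d\n", decode_segment(28, 2));
    return 0;
}
```

The attached patch takes a different route (widening the parameters to unsigned long); the size_t overflow check here is a generic defensive pattern, and the point that carries over is that every caller of an allocator that can return NULL must test for it before touching the buffer.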
Created attachment 212839 [details, diff] Redhat patch by Tim Waugh.
(In reply to comment #0)
> CVE is requested on oss-security.

Redhat didn't consider it a security issue apparently... [1]

Anyway, Tim Waugh did write a patch for this [2] (see attached):

> * Thu Jun 04 2009 Tim Waugh <twaugh@redhat.com> 8.64-7
> - Applied patch to fix NULL dereference in JBIG2 decoder (bug #503995).

Perhaps it can be used here.

[1] <http://seclists.org/oss-sec/2009/q4/106>
[2] <http://koji.fedoraproject.org/koji/buildinfo?buildID=125374>
From Redhat bugzilla, https://bugzilla.redhat.com/show_bug.cgi?id=503785

--- Vincent Danen 2010-12-21 17:40:37 EST
A CVE name was never assigned to this and as we do not consider this a security flaw, I'm closing the bug.
---

@security: how to proceed? Note that this is about ghostscript-8.70; I checked and 8.71 vanilla includes part of the patch but not all.
(In reply to comment #4)
> > @security: how to proceed? Note that this is about ghostscript-8.70; I checked
> and 8.71 vanilla includes part of the patch but not all.

I agree this is not a security bug. If a second member of the security team agrees, we'll close this bug.

@security(-tim), ping.
ack