Bug 272314 - app-text/ghostscript-8.70 (and later?): NULL pointer dereference
Summary: app-text/ghostscript-8.70 (and later?): NULL pointer dereference
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
Reported: 2009-06-02 21:46 UTC by Hanno Böck
Modified: 2011-06-08 10:21 UTC (History)
Attachments
- A proposed patch to fix the NULL-pointer dereferencing. (ghostscript-8.64.jbig2fix.patch, 6.61 KB, patch) -- 2009-06-12 01:21 UTC, Mansour Moufid
- Redhat patch by Tim Waugh. (ghostscript-jbig2dec-nullderef.patch, 3.51 KB, patch) -- 2009-12-13 01:21 UTC, Mansour Moufid

Description Hanno Böck gentoo-dev 2009-06-02 21:46:44 UTC
pdf2ps in ghostscript produces a segfault with this file:
https://bugzilla.redhat.com/attachment.cgi?id=334044

Corresponding redhat-bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=501710
https://bugzilla.redhat.com/show_bug.cgi?id=503785

CVE is requested on oss-security.
Comment 1 Mansour Moufid 2009-06-12 01:21:11 UTC
Created attachment 194334 [details, diff]
A proposed patch to fix the NULL-pointer dereferencing.

As mentioned in the Redhat Bugzilla, the output of pdf2ps with the crafted
PDF file is:

$ pdf2ps 2009-41414141.pdf 
   **** Warning: Fonts with Subtype = /TrueType should be embedded.
                 But ArialMT is not embedded.
   **** Warning: Fonts with Subtype = /TrueType should be embedded.
                 But ArialMT is not embedded.
   **** Warning: Fonts with Subtype = /TrueType should be embedded.
                 But ArialMT is not embedded.
   **** Warning: Fonts with Subtype = /TrueType should be embedded.
                 But ArialMT is not embedded.
jbig2dec FATAL ERROR decoding image: could not allocate image data buffer!
[-14580 bytes]

Segmentation fault


This bug is due to a couple of reasons:

1. There is an integer overrun in the function jbig2_image_new as defined in
jbig2.h. The last two parameters are values of image width and height. Both
variables can hold values no larger than INT_MAX. Hence the "-14580 bytes"
in the output as the int storage is overrun into a large negative.
   The proposed patch addresses this by changing the types here to
unsigned long.

2. The return value of the function jbig2_image_new is not checked
(consistently) -- it returns NULL upon error. Hence the NULL pointer
dereference.
   The proposed patch attempts to address this issue as much as possible (lack
of documentation as to function return values, error codes, etc. in the source
code makes this difficult).


Attempting to convert the crafted PDF file with the proposed patch applied
gives the following output:

$ pdf2ps 2009-41414141.pdf
jbig2dec FATAL ERROR decoding image: invalid image dimensions! [28x4294963651]
 
jbig2dec FATAL ERROR decoding image: unable to allocate image storage (segment 0x03)

   **** Warning: File has insufficient data for an image.

   **** This file had errors that were repaired or ignored.
   **** The file was produced by: 
   **** >>>> Image to PDF Converter (http://www.imagepdf.com) <<<<
   **** Please notify the author of the software that produced this
   **** file that it does not conform to Adobe's published PDF
   **** specification.

with no segmentation fault. : )

The proposed patch therefore solves the NULL pointer dereferencing, but
probably creates some memory leaks -- which IMHO the upstream developers
can fix easily.
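The two defects described in the comment above, shown side by side in an added C example that is not part of this bug's patches or of jbig2dec itself: a byte count computed in int that wraps to the "-14580 bytes" seen in the log, a checked size computation that rejects the 28x4294963651 dimensions from the patched run, and an allocator whose NULL return is actually checked by its caller. The image_t struct, the (width + 7) / 8 stride and all function names are assumptions made for the example.

```c
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>

/* Added example, not jbig2dec's code: a hypothetical 1-bit-per-pixel image
 * allocator modelled on the two defects described above. Assumed stride:
 * one row = (width + 7) / 8 bytes. */
typedef struct { uint32_t width, height; size_t stride; uint8_t *data; } image_t;

/* Defect 1: the byte count is computed in int. The page's height 4294963651
 * is -3645 once stored in an int, so 4 * -3645 yields the "-14580 bytes" seen
 * in the log. The product is formed in uint32_t so the wrap is well defined. */
int bad_image_bytes(int width, int height) {
    int stride = (width + 7) / 8;
    return (int32_t)((uint32_t)stride * (uint32_t)height);
}

/* Hardened: validate dimensions and check the multiplication before doing it. */
int image_size_checked(uint32_t width, uint32_t height, size_t *out) {
    if (width == 0 || height == 0 || width > INT_MAX || height > INT_MAX)
        return -1;                        /* "invalid image dimensions" */
    size_t stride = ((size_t)width + 7) / 8;
    if (height > SIZE_MAX / stride)
        return -1;                        /* stride * height would overflow */
    *out = stride * height;
    return 0;
}

/* Defect 2, producer side: fail with NULL and never hand back a half-built image. */
image_t *image_new_checked(uint32_t width, uint32_t height) {
    size_t bytes;
    if (image_size_checked(width, height, &bytes) != 0) return NULL;
    image_t *img = calloc(1, sizeof *img);
    if (img == NULL) return NULL;
    img->data = calloc(bytes, 1);
    if (img->data == NULL) { free(img); return NULL; }   /* no leak on failure */
    img->width = width; img->height = height; img->stride = bytes / height;
    return img;
}

void image_free(image_t *img) { if (img) { free(img->data); free(img); } }
/* Defect 2, caller side: check NULL and propagate an error instead of crashing. */
int decode_segment(uint32_t width, uint32_t height) {
    image_t *img = image_new_checked(width, height);
    if (img == NULL) return -1;           /* what the unpatched code skipped */
    img->data[0] = 0xff;                  /* safe: storage exists */
    image_free(img);
    return 0;
}
```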
Comment 2 Mansour Moufid 2009-12-13 01:21:24 UTC
Created attachment 212839 [details, diff]
Redhat patch by Tim Waugh.
Comment 3 Mansour Moufid 2009-12-13 01:22:47 UTC
(In reply to comment #0)
> CVE is requested on oss-security.

Redhat didn't consider it a security issue apparently... [1]

Anyway, Tim Waugh did write a patch for this [2] (see attached):

> * Thu Jun 04 2009 Tim Waugh <twaugh@redhat.com> 8.64-7
> - Applied patch to fix NULL dereference in JBIG2 decoder (bug #503995).

Perhaps it can be used here.

[1] <http://seclists.org/oss-sec/2009/q4/106>
[2] <http://koji.fedoraproject.org/koji/buildinfo?buildID=125374>
Comment 4 Andreas K. Hüttel archtester gentoo-dev 2011-06-02 18:08:32 UTC
From Redhat bugzilla, https://bugzilla.redhat.com/show_bug.cgi?id=503785

---
Vincent Danen 2010-12-21 17:40:37 EST
A CVE name was never assigned to this and as we do not consider this a security
flaw, I'm closing the bug.
---

@security: how to proceed? Note that this is about ghostscript-8.70; I checked and 8.71 vanilla includes part of the patch but not all.
Comment 5 Tim Sammut (RETIRED) gentoo-dev 2011-06-08 05:27:30 UTC
(In reply to comment #4)
> 
> @security: how to proceed? Note that this is about ghostscript-8.70; I checked
> and 8.71 vanilla includes part of the patch but not all.

I agree this is not a security bug. If a second member of the security team agrees, we'll close this bug. 

@security(-tim), ping.
Comment 6 Alex Legler (RETIRED) archtester gentoo-dev Security 2011-06-08 10:21:22 UTC
ack