Bug 101914

Summary: segfault in PostScript_Support::ConvertToDate()
Product: exempi Reporter: Jakub Wilk <jwilk>
Component: Problems   Assignee: Hubert Figuiere <hub>
Status: RESOLVED FIXED QA Contact: Hubert Figuiere <hub>
Severity: normal    
Priority: medium    
Version: unspecified   
Hardware: Other   
OS: All   
Whiteboard: [release:2.4.3]
Attachments: reproducer

Description Jakub Wilk 2017-07-25 10:18:03 UTC
Created attachment 132950 [details]
reproducer

Exempi crashes on the attached PostScript file:

> $ exempi -x convertodate.ps
> processing file convertodate.ps
> dump_xmp for file convertodate.ps
> Segmentation fault

GDB says it's trying to dereference an invalid pointer:

> Program received signal SIGSEGV, Segmentation fault.
> PostScript_Support::ConvertToDate (inString=0x805a84c "deC") at PostScript_Support.cpp:817
> 817                     if(itr->token[0]=='+' ||itr->token[0]=='-')
> (gdb) print itr
> $1 = {token = <error reading variable: Cannot access memory at address 0xfffffff4>, noOfDelimiter = 1, delimiter = 0 '\000'}
> (gdb) bt
> #0  PostScript_Support::ConvertToDate (inString=0x805a84c "deC") at PostScript_Support.cpp:817
> #1  0xb7ecfc84 in PostScript_MetaHandler::ReconcileXMP (this=0x805a8d0, xmpStr="", outStr=0x805a8f8) at PostScript_Handler.cpp:1106
> #2  0xb7ed006a in PostScript_MetaHandler::ProcessXMP (this=0x805a8d0) at PostScript_Handler.cpp:1219
> #3  0xb7e9d793 in XMPFiles::GetXMP (this=0x805a720, xmpObj=0xbffff448, xmpPacket=0xbffff440, xmpPacketLen=0xbffff444, packetInfo=0x0) at XMPFiles.cpp:1471
> #4  0xb7e99d4b in WXMPFiles_GetXMP_1 (xmpObjRef=0x805a720, xmpRef=0x805ac40, clientPacket=0x0, packetInfo=0x0, SetClientString=0xb7e577ec <TXMPFiles<std::string>::SetClientString(void*, char const*, unsigned int)>, wResult=0xbffff494) at WXMPFiles.cpp:331
> #5  0xb7e5dd83 in TXMPFiles<std::string>::GetXMP (this=0x8057cf8, xmpObj=0x805a858, xmpPacket=0x0, packetInfo=0x0) at ../public/include/client-glue/TXMPFiles.incl_cpp:382
> #6  0xb7e5598b in xmp_files_get_new_xmp (xf=0x8057cf8) at exempi.cpp:330
> #7  0x0804936c in get_xmp_from_file (filename=filename@entry=0xbffff812 "convertodate.ps", no_reconcile=no_reconcile@entry=false, is_an_xmp=is_an_xmp@entry=false) at main.cpp:237
> #8  0x080493e5 in dump_xmp (filename=filename@entry=0xbffff812 "convertodate.ps", no_reconcile=no_reconcile@entry=false, is_an_xmp=is_an_xmp@entry=false, outio=0xb7c0dd60 <_IO_2_1_stdout_>) at main.cpp:250
> #9  0x080499aa in process_file (filename=0xbffff812 "convertodate.ps", no_reconcile=<optimized out>, is_an_xmp=<optimized out>, write_in_place=false, dump_xml=true, action=0, value_name="", prop_value="", output="") at main.cpp:340
> #10 0x08049d66 in main (argc=<optimized out>, argv=<optimized out>) at main.cpp:187

Tested with git master (0320c32a388964498911d7ebdec6561687d2f6c6).

Found using American Fuzzy Lop:
http://lcamtuf.coredump.cx/afl/
Comment 1 Hubert Figuiere 2017-08-03 03:38:00 UTC
libasan catches this

==7296==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000007ea0 at pc 0x7f40d17ccb26 bp 0x7ffeee318110 sp 0x7ffeee318100
Comment 2 Hubert Figuiere 2017-08-04 01:58:50 UTC
Fixed in the 2.4 branch f19d0107fbae1fb41836cd110d4425e407e64048
Comment 3 Hubert Figuiere 2017-08-04 02:15:29 UTC
and in master

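The following is an added example, not code from exempi, the reporter or the maintainer. It is a reduced model of the failure the backtrace shows: a date string is split into tokens and the converter advances an iterator and dereferences `itr->token` without ever comparing it against `end()`, so an input with too few tokens (the fuzzer's "deC" is a valid month prefix followed by nothing) reads past the end of the token vector. The `token`, `noOfDelimiter` and `delimiter` field names are taken from the gdb output above; the tokenizer, the assumed date layout (month, day, year, hour, minute, second, optional `+hhmm`/`-hhmm` zone) and the two function names are assumptions for illustration. Built with `-fsanitize=address`, calling the unchecked variant on "deC" reads past the one-element heap vector, the heap-buffer-overflow class that Comment 1 reports; the checked variant rejects the same input.

```cpp
// Added example (not exempi code): model of the unchecked iterator walk in
// PostScript_Support::ConvertToDate() and a bounds-checked replacement.
#include <cctype>
#include <cstdio>
#include <string>
#include <vector>

struct DateToken {            // field names as printed by gdb in the report
    std::string token;
    int noOfDelimiter;        // delimiter characters that followed the token
    char delimiter;           // first of those delimiters, '\0' at end of input
};

struct ParsedDate {
    int year = 0, month = 0, day = 0, hour = 0, minute = 0, second = 0;
    int tzMinutes = 0;        // UTC offset in minutes from an optional "+hhmm"/"-hhmm"
};

static bool IsDelimiter(char c) { return c == ' ' || c == ',' || c == '/' || c == ':'; }

// Split the input at runs of delimiters, recording each run (assumed tokenizer).
static std::vector<DateToken> Tokenize(const std::string& in) {
    std::vector<DateToken> out;
    size_t i = 0, n = in.size();
    while (i < n) {
        while (i < n && IsDelimiter(in[i])) ++i;          // skip leading delimiters
        if (i >= n) break;
        DateToken t{"", 0, '\0'};
        while (i < n && !IsDelimiter(in[i])) t.token += in[i++];
        if (i < n) {
            t.delimiter = in[i];
            while (i < n && IsDelimiter(in[i])) { ++t.noOfDelimiter; ++i; }
        }
        out.push_back(t);
    }
    return out;
}

// 1..12 for an English month abbreviation (case-insensitive), else 0.
static int MonthFromName(const std::string& s) {
    static const char* names[] = {"jan", "feb", "mar", "apr", "may", "jun",
                                  "jul", "aug", "sep", "oct", "nov", "dec"};
    if (s.size() < 3) return 0;
    std::string l;
    for (size_t i = 0; i < 3; ++i) l += (char)std::tolower((unsigned char)s[i]);
    for (int m = 0; m < 12; ++m) if (l == names[m]) return m + 1;
    return 0;
}

// Decimal digits only, at most 9 of them, so std::stoi cannot throw.
static bool IsSmallNumber(const std::string& s) {
    if (s.empty() || s.size() > 9) return false;
    for (char c : s) if (!std::isdigit((unsigned char)c)) return false;
    return true;
}

// The bug pattern: ++itr and *itr with no end() check. For "deC" the vector
// holds one token, so the zone check below reads memory past the heap buffer
// (ASan: heap-buffer-overflow). Only safe when all seven tokens are present;
// never call it on untrusted input.
static bool ConvertToDateUnchecked(const std::string& in, ParsedDate& d) {
    std::vector<DateToken> toks = Tokenize(in);
    auto itr = toks.begin();
    d.month = MonthFromName(itr->token);
    ++itr; d.day = std::stoi(itr->token);
    ++itr; d.year = std::stoi(itr->token);
    ++itr; d.hour = std::stoi(itr->token);
    ++itr; d.minute = std::stoi(itr->token);
    ++itr; d.second = std::stoi(itr->token);
    ++itr;
    if (itr->token[0] == '+' || itr->token[0] == '-') {  // the crashing check
        int hhmm = std::stoi(itr->token.substr(1));
        d.tzMinutes = (itr->token[0] == '-' ? -1 : 1) * ((hhmm / 100) * 60 + hhmm % 100);
    }
    return true;
}

// Hardened version: compare against end() before every dereference and
// validate every number before converting; "deC" is rejected, not read past.
static bool ConvertToDateChecked(const std::string& in, ParsedDate& d) {
    std::vector<DateToken> toks = Tokenize(in);
    auto itr = toks.begin();
    const auto end = toks.end();
    auto nextInt = [&](int& out) {
        if (itr == end || !IsSmallNumber(itr->token)) return false;
        out = std::stoi(itr->token);
        ++itr;
        return true;
    };
    if (itr == end) return false;
    d.month = MonthFromName(itr->token);
    if (d.month == 0) return false;
    ++itr;
    if (!nextInt(d.day) || !nextInt(d.year) || !nextInt(d.hour) ||
        !nextInt(d.minute) || !nextInt(d.second)) return false;
    if (itr != end) {                                    // optional zone token
        const std::string& tz = itr->token;
        if (tz.size() != 5 || (tz[0] != '+' && tz[0] != '-') || !IsSmallNumber(tz.substr(1)))
            return false;
        int hhmm = std::stoi(tz.substr(1));
        d.tzMinutes = (tz[0] == '-' ? -1 : 1) * ((hhmm / 100) * 60 + hhmm % 100);
        ++itr;
    }
    return itr == end;                                   // trailing junk is an error
}

int main() {
    const char* inputs[] = {"Jul 25, 2017 10:18:03 +0200", "deC", ""};  // constructed
    for (const char* s : inputs) {
        ParsedDate d;
        std::printf("%-28s -> %s\n", s, ConvertToDateChecked(s, d) ? "parsed" : "rejected");
    }
    return 0;
}
```

The fix that matters is the one the maintainer's commit needed to make: every `++itr` that may land on `end()` must be followed by an `itr != end` test before `itr->token` is touched. Treating the absence of an expected token as a parse failure, rather than assuming the layout, is what keeps a fuzzer-produced file from turning into a heap read.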