Bug 105206 (CVE-2018-7729) - heap-buffer-overflow in PostScript_MetaHandler::ParsePSFile() of exempi 2.4.4
Summary: heap-buffer-overflow in PostScript_MetaHandler::ParsePSFile() of exempi 2.4.4
Status: RESOLVED FIXED
Alias: CVE-2018-7729
Product: exempi
Classification: Unclassified
Component: Problems
Version: unspecified
Hardware: Other Linux (All)
Importance: medium critical
Assignee: Hubert Figuiere
QA Contact: Hubert Figuiere
Whiteboard: [release:2.4.5]
Reported: 2018-02-22 10:02 UTC by Leon
Modified: 2018-03-08 03:24 UTC


Attachments
POC file that crashes FreeXL in PostScript_Handler.cpp:888 PostScript_MetaHandler::ParsePSFile() (226.87 KB, image/x-eps)
2018-02-22 10:02 UTC, Leon

Description Leon 2018-02-22 10:02:40 UTC
Created attachment 137527
POC file that crashes FreeXL in PostScript_Handler.cpp:888 PostScript_MetaHandler::ParsePSFile()

Description of problem:
The PostScript_MetaHandler::ParsePSFile() function at PostScript_Handler.cpp:888 in exempi 2.4.4 may result in a heap-buffer-overflow via a crafted file.

Version-Release number of selected component (if applicable):
2.4.4

Steps to Reproduce:
./exempi -x $POC

Additional info:
Ubuntu 16.04, x64
The output of exempi with address sanitizer enabled

/opt/asan/exempi/bin/exempi -x exempi-PostScript_Handler-888-overflow 
processing file exempi-PostScript_Handler-888-overflow
dump_xmp for file exempi-PostScript_Handler-888-overflow
=================================================================
==60144==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdf7132d90 at pc 0x000000541e23 bp 0x7ffdf7112ce0 sp 0x7ffdf7112cd0
READ of size 1 at 0x7ffdf7132d90 thread T0
    #0 0x541e22 in PostScript_MetaHandler::ParsePSFile() /root/exempi-2.4.4/XMPFiles/source/FileHandlers/PostScript_Handler.cpp:888
    #1 0x54385b in PostScript_MetaHandler::CacheFileData() /root/exempi-2.4.4/XMPFiles/source/FileHandlers/PostScript_Handler.cpp:1182
    #2 0x491ad4 in DoOpenFile /root/exempi-2.4.4/XMPFiles/source/XMPFiles.cpp:908
    #3 0x49230e in XMPFiles::OpenFile(char const*, unsigned int, unsigned int) /root/exempi-2.4.4/XMPFiles/source/XMPFiles.cpp:1011
    #4 0x488c27 in WXMPFiles_OpenFile_1 /root/exempi-2.4.4/XMPFiles/source/WXMPFiles.cpp:234
    #5 0x41dc70 in TXMPFiles<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >::OpenFile(char const*, unsigned int, unsigned int) (/opt/asan/exempi/bin/exempi+0x41dc70)
    #6 0x40b797 in xmp_files_open_new /root/exempi-2.4.4/exempi/exempi.cpp:280
    #7 0x4086f4 in get_xmp_from_file /root/exempi-2.4.4/exempi/main.cpp:235
    #8 0x4088ed in dump_xmp /root/exempi-2.4.4/exempi/main.cpp:250
    #9 0x409573 in process_file /root/exempi-2.4.4/exempi/main.cpp:340
    #10 0x408151 in main /root/exempi-2.4.4/exempi/main.cpp:187
    #11 0x7f76a49b482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #12 0x4074d8 in _start (/opt/asan/exempi/bin/exempi+0x4074d8)

Address 0x7ffdf7132d90 is located in stack of thread T0 at offset 131136 in frame
    #0 0x5407d1 in PostScript_MetaHandler::ParsePSFile() /root/exempi-2.4.4/XMPFiles/source/FileHandlers/PostScript_Handler.cpp:641

  This frame has 1 object(s):
    [32, 131136) 'ioBuf' <== Memory access at offset 131136 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /root/exempi-2.4.4/XMPFiles/source/FileHandlers/PostScript_Handler.cpp:888 PostScript_MetaHandler::ParsePSFile()
Shadow bytes around the buggy address:
  0x10003ee1e560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10003ee1e570: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10003ee1e580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10003ee1e590: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10003ee1e5a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10003ee1e5b0: 00 00[f3]f3 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00
  0x10003ee1e5c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
  0x10003ee1e5d0: f1 f1 01 f4 f4 f4 f2 f2 f2 f2 00 00 00 f4 f2 f2
  0x10003ee1e5e0: f2 f2 00 00 00 00 f3 f3 f3 f3 f3 f3 f3 f3 00 00
  0x10003ee1e5f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10003ee1e600: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f4 f4 f4
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==60144==ABORTING

Weiran Labs, Zhaoliang
leon.zhao.7@gmail.com
Comment 1 Hubert Figuiere 2018-02-25 17:18:23 UTC
Fixed in baa4b8a02c1ffab9645d13f0bfb1c0d10d311a0c

Thank you so much for the report!
Comment 2 Alan Coopersmith 2018-03-06 21:07:49 UTC
Mitre has assigned this CVE-2018-7729:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7729