[Bug 1914440] Re: libgxps-dev: Failed to check NULL in gxps-print-converter.c
Qiuhao Li
1914440 at bugs.launchpad.net
Wed Feb 3 15:55:32 UTC 2021
** Description changed:
-- [ Description
During fuzzing, we found `gxps_converter_print_converter_end_document()`
in `libgxps-dev` doesn't check if converter->surface == NULL, which
- could lead to DoS if someone use this routine. This also affects the
- tools in `libgxps-utils`.
+ could lead to DoS if someone use this routine. `libgxps-utils` is
+ affected, too.
+ This flaw hasn't been reported elsewhere or assigned a CVE ID.
-- [ Affected
* master branch, 19 Aug 2020, 6bf9be28
* Ubuntu: 20.04.2 LTS, Package: libgxps-dev, libgxps-utils, Version:
0.3.1-1
-
-- [ Reproduce
* Reproduce with libgxps-utils:
qiuhao at XPS-13-9360:~$ sudo apt install libgxps-utils
qiuhao at XPS-13-9360:~$ xpstopdf ./PoC.xps # xpstops, xpstops, xpstosvg
Error getting page 1: Page source /Documents/1/Pages/1.fpage not found in archive
Segmentation fault (core dumped)
-
* ASAN report:
- qiuhao at xps-13-9360:~$ ./libgxps/builddir_asan/tools/xpstopdf ./PoC.xps /dev/null
+ qiuhao at xps-13-9360:~$ ./libgxps/builddir_asan/tools/xpstopdf ./PoC.xps /dev/null
Error getting page 1: Page source /Documents/1/Pages/1.fpage not found in archive
AddressSanitizer:DEADLYSIGNAL
=================================================================
==4153405==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000001c (pc 0x7ffff7ac9694 bp 0x7fffffffe730 sp 0x7fffffffe5f8 T0)
==4153405==The signal is caused by a READ memory access.
==4153405==Hint: address points to the zero page.
- #0 0x7ffff7ac9694 in cairo_surface_status (/lib/x86_64-linux-gnu/libcairo.so.2+0x77694)
- #1 0x305734 in gxps_converter_print_converter_end_document /home/ubuntu/libgxps/builddir_asan/../tools/gxps-print-converter.c:216:18
- #2 0x302333 in gxps_converter_end_document /home/ubuntu/libgxps/builddir_asan/../tools/gxps-converter.c:188:17
- #3 0x302333 in gxps_converter_run /home/ubuntu/libgxps/builddir_asan/../tools/gxps-converter.c:332:9
- #4 0x2fe031 in main /home/ubuntu/libgxps/builddir_asan/../tools/gxps-converter-main.c:40:9
- #5 0x7ffff76e70b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
- #6 0x2528ad in _start (/home/ubuntu/libgxps/builddir_asan/tools/xpstopdf+0x2528ad)
+ #0 0x7ffff7ac9694 in cairo_surface_status (/lib/x86_64-linux-gnu/libcairo.so.2+0x77694)
+ #1 0x305734 in gxps_converter_print_converter_end_document /home/ubuntu/libgxps/builddir_asan/../tools/gxps-print-converter.c:216:18
+ #2 0x302333 in gxps_converter_end_document /home/ubuntu/libgxps/builddir_asan/../tools/gxps-converter.c:188:17
+ #3 0x302333 in gxps_converter_run /home/ubuntu/libgxps/builddir_asan/../tools/gxps-converter.c:332:9
+ #4 0x2fe031 in main /home/ubuntu/libgxps/builddir_asan/../tools/gxps-converter-main.c:40:9
+ #5 0x7ffff76e70b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
+ #6 0x2528ad in _start (/home/ubuntu/libgxps/builddir_asan/tools/xpstopdf+0x2528ad)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libcairo.so.2+0x77694) in cairo_surface_status
==4153405==ABORTING
-
-- [ Patch
From 2d2e27caaa951697baf4846bfb13f85fcb8c5110 Mon Sep 17 00:00:00 2001
From: Qiuhao Li <Qiuhao.Li at outlook.com>
Date: Wed, 3 Feb 2021 22:58:51 +0800
Subject: [PATCH] tools: check whether converter->surface is NULL
---
- tools/gxps-print-converter.c | 2 ++
- 1 file changed, 2 insertions(+)
+ tools/gxps-print-converter.c | 2 ++
+ 1 file changed, 2 insertions(+)
diff --git a/tools/gxps-print-converter.c b/tools/gxps-print-converter.c
index a4f2e13..807ce8e 100644
--- a/tools/gxps-print-converter.c
+++ b/tools/gxps-print-converter.c
@@ -212,6 +212,8 @@ gxps_converter_print_converter_end_document (GXPSConverter *converter)
- GXPSPrintConverter *print_converter = GXPS_PRINT_CONVERTER (converter);
- cairo_status_t status;
-
+ GXPSPrintConverter *print_converter = GXPS_PRINT_CONVERTER (converter);
+ cairo_status_t status;
+
+ if (converter->surface == NULL)
+ return;
- cairo_surface_finish (converter->surface);
- status = cairo_surface_status (converter->surface);
- if (status)
- --
+ cairo_surface_finish (converter->surface);
+ status = cairo_surface_status (converter->surface);
+ if (status)
+ --
2.25.1
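Review bot: the early `return` inserted before `cairo_surface_finish (converter->surface)` makes a document whose surface was never created look like a normal end-of-document: the reproduction above already prints `Error getting page 1: Page source /Documents/1/Pages/1.fpage not found in archive` before the crash, so after this patch the tool would exit quietly on that input. Consider reporting the missing surface on the way out (a `g_printerr` message or an error the caller can turn into a non-zero exit status) so a failed conversion is not reported as success. Also, the description names xpstops and xpstosvg as affected while the patch touches only tools/gxps-print-converter.c; the ASAN trace shows gxps_converter_end_document dispatching into gxps_converter_print_converter_end_document, so confirm those tools share this print-converter path (then one guard covers them) or give their end_document the same check.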
-
Thank you.
- Qiuhao Li
+ Qiuhao Li
** Project changed: precise-backports => ubuntu-ubuntu-server
** Project changed: ubuntu-ubuntu-server => libgxps (Ubuntu)
https://bugs.launchpad.net/bugs/1914440