GNOME Bugzilla – Bug 785479
NULL pointer dereference in gxps_archive_initable_init
Last modified: 2017-08-10 03:41:21 UTC
Created attachment 356458 [details] [review]
Patch by Marek Kasik <mkasik@redhat.com>

We got a report sent to security@ about a downstream bug report: https://bugzilla.redhat.com/show_bug.cgi?id=1473167

Copy and paste from there:

There is a NULL pointer dereference in gxps-archive.c in the libgxps library.

Version-Release number of selected component (if applicable):
<= latest version

How reproducible:
./xpstojpeg POC1 /dev/null

Steps to Reproduce:
The output information is as follows:

$ ./xpstojpeg POC1 /dev/null
(xpstojpeg:122488): GXPS-WARNING **: Error: Pathname cannot be converted from UTF-8 to current locale.
(xpstojpeg:122488): GLib-CRITICAL **: g_ascii_strdown: assertion 'str != NULL' failed
Segmentation fault

ASAN output information:

$ ./xpstojpeg POC1 /dev/null
ASAN:SIGSEGV
=================================================================
==51273==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fe62668a810 sp 0x7ffda3dbc728 bp 0x000000000000 T0)
==51273==WARNING: Trying to symbolize code, but external symbolizer is not initialized!
    #0 0x7fe62668a80f (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x3980f)
    #1 0x7fe6271f2a44 (/home/company/secreal/libgxps-0.2.5-asan/install/lib/libgxps.so.2+0x18a44)
    #2 0x7fe62668947a (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x3847a)
    #3 0x7fe6271f24fa (/home/company/secreal/libgxps-0.2.5-asan/install/lib/libgxps.so.2+0x184fa)
    #4 0x7fe626c1010e (/usr/lib/x86_64-linux-gnu/libgio-2.0.so.0+0x5d10e)
    #5 0x7fe626c101c5 (/usr/lib/x86_64-linux-gnu/libgio-2.0.so.0+0x5d1c5)
    #6 0x7fe62722e6c1 (/home/company/secreal/libgxps-0.2.5-asan/install/lib/libgxps.so.2+0x546c1)
    #7 0x7fe626c1010e (/usr/lib/x86_64-linux-gnu/libgio-2.0.so.0+0x5d10e)
    #8 0x7fe626c101c5 (/usr/lib/x86_64-linux-gnu/libgio-2.0.so.0+0x5d1c5)
    #9 0x7fe62722bb74 (/home/company/secreal/libgxps-0.2.5-asan/install/lib/libgxps.so.2+0x51b74)
    #10 0x48673a (/home/company/secreal/libgxps-0.2.5-asan/install/bin/xpstojpeg+0x48673a)
    #11 0x47fe79 (/home/company/secreal/libgxps-0.2.5-asan/install/bin/xpstojpeg+0x47fe79)
    #12 0x47ced6 (/home/company/secreal/libgxps-0.2.5-asan/install/bin/xpstojpeg+0x47ced6)
    #13 0x7fe624865a3f (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
    #14 0x47ccc8 (/home/company/secreal/libgxps-0.2.5-asan/install/bin/xpstojpeg+0x47ccc8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 ??
==51273==ABORTING

GDB backtrace information is as follows:

(gdb) set args fuzz/xps2jpeg_out/crashes/id:000000,sig:11,src:000000,op:flip1,pos:271 /dev/null
(gdb) r
...
Breakpoint 1, caseless_hash (v=0x0) at gxps-archive.c:196
196	  ret = g_str_hash (lower);
(xpstojpeg:55531): GXPS-WARNING **: Error: Pathname cannot be converted from UTF-8 to current locale.
(xpstojpeg:55531): GLib-CRITICAL **: g_ascii_strdown: assertion 'str != NULL' failed

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff6fb4810 in g_str_hash () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
(gdb) bt

This vulnerability was triggered in caseless_hash () at libgxps/gxps-archive.c:196

190 caseless_hash (gconstpointer v)
191 {
192   gchar *lower;
193   guint ret;
194
195   lower = g_ascii_strdown (v, -1);
196   ret = g_str_hash (lower);
197   g_free (lower);
198
199   return ret;
200 }

Actual results:
crash

Expected results:
crash

Additional info:
Credits: This vulnerability was detected by team OWL337, with our custom fuzzer collAFL. Please contact ganshuitao@gmail.com and chaoz@tsinghua.edu.cn if you need more info about the team, the tool or the vulnerability.
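The listing above shows the crash pattern: g_ascii_strdown() is handed a NULL pathname, returns NULL after its precondition check, and g_str_hash() then dereferences that NULL. As an added example (not libgxps code and not the contents of attachment 356458), the block below reproduces that shape in plain C with stand-ins for the two GLib calls, beside a guarded variant that rejects a NULL key before hashing and lets the caller skip the entry. The register_entry() helper, the guard itself and the sample entry names are illustrative assumptions about how such a check could look, not the fix that was pushed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for g_str_hash(): the same djb2-style mix GLib uses
 * (h = 5381; h = h * 33 + c). Dereferences its argument, like the original. */
static uint32_t str_hash(const char *s)
{
    uint32_t h = 5381;
    for (const unsigned char *p = (const unsigned char *)s; *p; p++)
        h = (h << 5) + h + *p;
    return h;
}

/* Stand-in for g_ascii_strdown(): lower-cases ASCII letters only and, as the
 * GLib-CRITICAL in the report shows, returns NULL when given NULL (assumed
 * behaviour; GLib also logs the assertion message, which we omit). */
static char *ascii_strdown_dup(const char *s)
{
    if (s == NULL)
        return NULL;
    size_t n = strlen(s);
    char *out = malloc(n + 1);
    if (out == NULL)
        return NULL;
    for (size_t i = 0; i <= n; i++) {
        char c = s[i];
        out[i] = (c >= 'A' && c <= 'Z') ? (char)(c + ('a' - 'A')) : c;
    }
    return out;
}

/* The pattern from the report: a NULL key makes strdown return NULL and the
 * hash dereferences it. Calling this with NULL segfaults, as in the trace. */
static uint32_t caseless_hash_unchecked(const void *v)
{
    char *lower = ascii_strdown_dup((const char *)v);
    uint32_t ret = str_hash(lower);   /* NULL dereference when v == NULL */
    free(lower);
    return ret;
}

/* Guarded variant (assumed mitigation): refuse a NULL key or an allocation
 * failure instead of hashing it, and report success so the caller can react. */
static int caseless_hash_checked(const void *v, uint32_t *out)
{
    if (v == NULL)
        return 0;
    char *lower = ascii_strdown_dup((const char *)v);
    if (lower == NULL)
        return 0;
    *out = str_hash(lower);
    free(lower);
    return 1;
}

/* Hypothetical archive-loading step: an entry whose pathname is NULL (the
 * report's warning suggests a failed UTF-8-to-locale conversion produced
 * one) is rejected before it reaches the hash table. Returns 1 if accepted. */
static int register_entry(const char *pathname, uint32_t *key_hash)
{
    if (!caseless_hash_checked(pathname, key_hash)) {
        fprintf(stderr, "skipping archive entry with unusable pathname\n");
        return 0;
    }
    return 1;
}

int main(void)
{
    uint32_t a = 0, b = 0, c = 0;
    /* Constructed sample entry names; the NULL models the failing entry. */
    const char *names[] = { "Documents/1/Pages/1.fpage",
                            "DOCUMENTS/1/PAGES/1.FPAGE", NULL };

    register_entry(names[0], &a);
    register_entry(names[1], &b);
    printf("case-insensitive match: %s (%08x)\n", a == b ? "yes" : "no", a);
    printf("NULL pathname accepted: %s\n",
           register_entry(names[2], &c) ? "yes" : "no");
    /* caseless_hash_unchecked(NULL) would reproduce the SIGSEGV; not called. */
    return 0;
}
```

The point of the guarded form is where the decision is made: the hash function never sees a key it cannot handle, and the archive loader gets a return value it can act on (skip the entry or fail the load) rather than a crash inside GLib.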
Comment on attachment 356458 [details] [review]
Patch by Marek Kasik <mkasik@redhat.com>

Thanks!
Comment on attachment 356458 [details] [review]
Patch by Marek Kasik <mkasik@redhat.com>

Thank you for the review (and the push of the patch).