** Description changed:

  -- [ Description
  
  During fuzzing, we found `gxps_converter_print_converter_end_document()`
  in `libgxps-dev` doesn't check if converter->surface == NULL, which
- could lead to DoS if someone uses this routine. This also affects the
- tools in `libgxps-utils`.
+ could lead to DoS if someone uses this routine. `libgxps-utils` is
+ affected, too.
  
+ This flaw hasn't been reported elsewhere or assigned a CVE ID.
  
  -- [ Affected
  
  * master branch, 19 Aug 2020, 6bf9be28
  
  * Ubuntu: 20.04.2 LTS, Package: libgxps-dev, libgxps-utils, Version:
  0.3.1-1
- 
  
  -- [ Reproduce
  
  * Reproduce with libgxps-utils:
  
  qiuhao@XPS-13-9360:~$ sudo apt install libgxps-utils
  qiuhao@XPS-13-9360:~$ xpstopdf ./PoC.xps # xpstops, xpstosvg
  Error getting page 1: Page source /Documents/1/Pages/1.fpage not found in 
archive
  Segmentation fault (core dumped)
  
- 
  * ASAN report:
  
- qiuhao@xps-13-9360:~$ ./libgxps/builddir_asan/tools/xpstopdf ./PoC.xps 
/dev/null 
+ qiuhao@xps-13-9360:~$ ./libgxps/builddir_asan/tools/xpstopdf ./PoC.xps 
/dev/null
  Error getting page 1: Page source /Documents/1/Pages/1.fpage not found in 
archive
  AddressSanitizer:DEADLYSIGNAL
  =================================================================
  ==4153405==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000001c 
(pc 0x7ffff7ac9694 bp 0x7fffffffe730 sp 0x7fffffffe5f8 T0)
  ==4153405==The signal is caused by a READ memory access.
  ==4153405==Hint: address points to the zero page.
-     #0 0x7ffff7ac9694 in cairo_surface_status 
(/lib/x86_64-linux-gnu/libcairo.so.2+0x77694)
-     #1 0x305734 in gxps_converter_print_converter_end_document 
/home/ubuntu/libgxps/builddir_asan/../tools/gxps-print-converter.c:216:18
-     #2 0x302333 in gxps_converter_end_document 
/home/ubuntu/libgxps/builddir_asan/../tools/gxps-converter.c:188:17
-     #3 0x302333 in gxps_converter_run 
/home/ubuntu/libgxps/builddir_asan/../tools/gxps-converter.c:332:9
-     #4 0x2fe031 in main 
/home/ubuntu/libgxps/builddir_asan/../tools/gxps-converter-main.c:40:9
-     #5 0x7ffff76e70b2 in __libc_start_main 
/build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
-     #6 0x2528ad in _start 
(/home/ubuntu/libgxps/builddir_asan/tools/xpstopdf+0x2528ad)
+     #0 0x7ffff7ac9694 in cairo_surface_status 
(/lib/x86_64-linux-gnu/libcairo.so.2+0x77694)
+     #1 0x305734 in gxps_converter_print_converter_end_document 
/home/ubuntu/libgxps/builddir_asan/../tools/gxps-print-converter.c:216:18
+     #2 0x302333 in gxps_converter_end_document 
/home/ubuntu/libgxps/builddir_asan/../tools/gxps-converter.c:188:17
+     #3 0x302333 in gxps_converter_run 
/home/ubuntu/libgxps/builddir_asan/../tools/gxps-converter.c:332:9
+     #4 0x2fe031 in main 
/home/ubuntu/libgxps/builddir_asan/../tools/gxps-converter-main.c:40:9
+     #5 0x7ffff76e70b2 in __libc_start_main 
/build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
+     #6 0x2528ad in _start 
(/home/ubuntu/libgxps/builddir_asan/tools/xpstopdf+0x2528ad)
  
  AddressSanitizer can not provide additional info.
  SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libcairo.so.2+0x77694) 
in cairo_surface_status
  ==4153405==ABORTING
- 
  
  -- [ Patch
  
  From 2d2e27caaa951697baf4846bfb13f85fcb8c5110 Mon Sep 17 00:00:00 2001
  From: Qiuhao Li <qiuhao...@outlook.com>
  Date: Wed, 3 Feb 2021 22:58:51 +0800
  Subject: [PATCH] tools: check whether converter->surface is NULL
  
  ---
-  tools/gxps-print-converter.c | 2 ++
-  1 file changed, 2 insertions(+)
+  tools/gxps-print-converter.c | 2 ++
+  1 file changed, 2 insertions(+)
  
  diff --git a/tools/gxps-print-converter.c b/tools/gxps-print-converter.c
  index a4f2e13..807ce8e 100644
  --- a/tools/gxps-print-converter.c
  +++ b/tools/gxps-print-converter.c
  @@ -212,6 +212,8 @@ gxps_converter_print_converter_end_document 
(GXPSConverter *converter)
-          GXPSPrintConverter *print_converter = GXPS_PRINT_CONVERTER 
(converter);
-          cairo_status_t      status;
-  
+          GXPSPrintConverter *print_converter = GXPS_PRINT_CONVERTER 
(converter);
+          cairo_status_t      status;
+ 
  +        if (converter->surface == NULL)
  +                return;
-          cairo_surface_finish (converter->surface);
-          status = cairo_surface_status (converter->surface);
-          if (status)
- -- 
+          cairo_surface_finish (converter->surface);
+          status = cairo_surface_status (converter->surface);
+          if (status)
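Review bot: the bare `return;` added ahead of `cairo_surface_finish (converter->surface);` stops the NULL dereference but leaves the caller no way to tell that nothing was written: in the reproduction above the only diagnostic before the crash is "Error getting page 1: Page source /Documents/1/Pages/1.fpage not found in archive", and with this hunk end_document now completes as if the conversion had succeeded. Consider emitting a warning here, or returning an error so that gxps_converter_end_document / gxps_converter_run (the callers in the backtrace) can exit non-zero when no page was rendered. It is also worth checking whether other functions in gxps-print-converter.c that dereference converter->surface can be reached on the same no-page path and need the same guard.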
+ --
  2.25.1
  
- 
  Thank you.
-   Qiuhao Li
+   Qiuhao Li

** Project changed: precise-backports => ubuntu-ubuntu-server

** Project changed: ubuntu-ubuntu-server => libgxps (Ubuntu)
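The following C program is an added example, not code from the report or from libgxps. It models the lifecycle the backtrace shows (the output surface is created only when a page renders, so a document whose page sources are all missing reaches end_document with surface == NULL) and demonstrates the guard the patch adds, with one difference: instead of returning silently it reports the failure to the caller, so the tool can exit non-zero. The types converter_t and surface_t, the functions page_source_exists(), converter_begin_page(), converter_end_document(), converter_run() and the two run_* helpers, and the archive listing are all assumptions made for illustration; the surface type is a stand-in, not cairo.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for cairo_surface_t: only what the model needs (assumption). */
typedef struct {
    int finished;
} surface_t;

/* Stand-in for GXPSConverter: surface stays NULL until a page renders. */
typedef struct {
    surface_t *surface;
    int        pages_rendered;
} converter_t;

/* Constructed archive listing: document 1 references
 * /Documents/1/Pages/1.fpage, which is absent; document 2's page exists. */
static const char *const archive_entries[] = {
    "/FixedDocumentSequence.fdseq",
    "/Documents/1/FixedDocument.fdoc",
    "/Documents/2/FixedDocument.fdoc",
    "/Documents/2/Pages/1.fpage",
};

static int page_source_exists(const char *source)
{
    size_t n = sizeof archive_entries / sizeof archive_entries[0];
    for (size_t i = 0; i < n; i++)
        if (strcmp(archive_entries[i], source) == 0)
            return 1;
    return 0;
}

/* Models the "Error getting page N" path: a missing page is skipped, and
 * because the surface is created lazily here, it is never created for it. */
static int converter_begin_page(converter_t *c, int page, const char *source)
{
    if (!page_source_exists(source)) {
        fprintf(stderr, "Error getting page %d: Page source %s not found in archive\n",
                page, source);
        return 0;
    }
    if (c->surface == NULL) {
        c->surface = calloc(1, sizeof *c->surface);
        if (c->surface == NULL)
            return 0;
    }
    c->pages_rendered++;
    return 1;
}

/* Guarded end_document. Finishing and querying a NULL surface is the crash
 * in the report; a bare "return;" avoids the crash but hides the failure,
 * so this variant reports it to the caller instead. */
static int converter_end_document(converter_t *c)
{
    if (c->surface == NULL) {
        fprintf(stderr, "No page could be rendered; no output written\n");
        return -1;
    }
    c->surface->finished = 1;   /* cairo_surface_finish() stand-in */
    free(c->surface);
    c->surface = NULL;
    return 0;
}

/* Runs every page of one document and turns the result into an exit status,
 * so a wrapper script sees the failure the tool previously crashed on. */
int converter_run(const char *const *page_sources, int n_pages)
{
    converter_t c = { NULL, 0 };
    for (int i = 0; i < n_pages; i++)
        converter_begin_page(&c, i + 1, page_sources[i]);
    return converter_end_document(&c) == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}

/* The PoC-like case: the only page source is missing from the archive. */
int run_missing_page_document(void)
{
    const char *const pages[] = { "/Documents/1/Pages/1.fpage" };
    return converter_run(pages, 1);
}

/* The control case: the page exists, so end_document has a surface. */
int run_valid_document(void)
{
    const char *const pages[] = { "/Documents/2/Pages/1.fpage" };
    return converter_run(pages, 1);
}

int main(void)
{
    printf("missing page -> exit %d\n", run_missing_page_document());
    printf("valid page   -> exit %d\n", run_valid_document());
    return 0;
}
```

The missing-page run prints the same "Error getting page 1" diagnostic as the report and then exits with EXIT_FAILURE instead of segfaulting; the valid run finishes the surface and exits 0.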

-- 
You received this bug notification because you are a member of Ubuntu
Backporters, which is subscribed to Precise Backports.
https://bugs.launchpad.net/bugs/1914440

Title:
  libgxps-dev: Failed to check NULL in gxps-print-converter.c

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libgxps/+bug/1914440/+subscriptions

-- 
ubuntu-backports mailing list
ubuntu-backports@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-backports
