Mishandle NULL pointer in the converter (#3) · Issues · GNOME / libgxps

Mishandle NULL pointer in the converter

Description

During fuzzing, we found gxps_converter_print_converter_end_document() in gxps-print-converter.c doesn't check if converter->surface == NULL, which could lead to DoS if someone use this routine.

Affected

master branch, 19 Aug 2020, 6bf9be28
Ubuntu: 20.04.2 LTS, Package: libgxps-dev, libgxps-utils, Version: 0.3.1-1

Reproduce

Reproduce with the package libgxps-utils:

qiuhao@XPS-13-9360:~$ sudo apt install libgxps-utils
qiuhao@XPS-13-9360:~$ xpstopdf ./PoC.xps # xpstops, xpstops, xpstosvg
Error getting page 1: Page source /Documents/1/Pages/1.fpage not found in archive
Segmentation fault (core dumped)

Reproduce with an executable built with ASAN:

PoC.xps

qiuhao@xps-13-9360:~$ ./libgxps/builddir_asan/tools/xpstopdf ./PoC.xps /dev/null 
Error getting page 1: Page source /Documents/1/Pages/1.fpage not found in archive
AddressSanitizer:DEADLYSIGNAL
=================================================================
==4153405==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000001c (pc 0x7ffff7ac9694 bp 0x7fffffffe730 sp 0x7fffffffe5f8 T0)
==4153405==The signal is caused by a READ memory access.
==4153405==Hint: address points to the zero page.
    #0 0x7ffff7ac9694 in cairo_surface_status (/lib/x86_64-linux-gnu/libcairo.so.2+0x77694)
    #1 0x305734 in gxps_converter_print_converter_end_document /home/ubuntu/libgxps/builddir_asan/../tools/gxps-print-converter.c:216:18
    #2 0x302333 in gxps_converter_end_document /home/ubuntu/libgxps/builddir_asan/../tools/gxps-converter.c:188:17
    #3 0x302333 in gxps_converter_run /home/ubuntu/libgxps/builddir_asan/../tools/gxps-converter.c:332:9
    #4 0x2fe031 in main /home/ubuntu/libgxps/builddir_asan/../tools/gxps-converter-main.c:40:9
    #5 0x7ffff76e70b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #6 0x2528ad in _start (/home/ubuntu/libgxps/builddir_asan/tools/xpstopdf+0x2528ad)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libcairo.so.2+0x77694) in cairo_surface_status
==4153405==ABORTING

Patch

From 2d2e27caaa951697baf4846bfb13f85fcb8c5110 Mon Sep 17 00:00:00 2001
From: Qiuhao Li <Qiuhao.Li@outlook.com>
Date: Wed, 3 Feb 2021 22:58:51 +0800
Subject: [PATCH] tools: check whether converter->surface is NULL

---
 tools/gxps-print-converter.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/tools/gxps-print-converter.c b/tools/gxps-print-converter.c
index a4f2e13..807ce8e 100644
--- a/tools/gxps-print-converter.c
+++ b/tools/gxps-print-converter.c
@@ -212,6 +212,8 @@ gxps_converter_print_converter_end_document (GXPSConverter *converter)
         GXPSPrintConverter *print_converter = GXPS_PRINT_CONVERTER (converter);
         cairo_status_t      status;
 
+        if (converter->surface == NULL)
+                return;
         cairo_surface_finish (converter->surface);
         status = cairo_surface_status (converter->surface);
         if (status)
-- 
2.25.1

Thank you. Qiuhao Li