Mishandle NULL pointer in the converter
Description
During fuzzing, we found gxps_converter_print_converter_end_document() in gxps-print-converter.c doesn't check if converter->surface == NULL, which could lead to DoS if someone use this routine.
Affected
-
master branch, 19 Aug 2020, 6bf9be28
-
Ubuntu: 20.04.2 LTS, Package: libgxps-dev, libgxps-utils, Version: 0.3.1-1
Reproduce
- Reproduce with the package libgxps-utils:
qiuhao@XPS-13-9360:~$ sudo apt install libgxps-utils
qiuhao@XPS-13-9360:~$ xpstopdf ./PoC.xps # xpstops, xpstops, xpstosvg
Error getting page 1: Page source /Documents/1/Pages/1.fpage not found in archive
Segmentation fault (core dumped)
- Reproduce with an executable built with ASAN:
qiuhao@xps-13-9360:~$ ./libgxps/builddir_asan/tools/xpstopdf ./PoC.xps /dev/null
Error getting page 1: Page source /Documents/1/Pages/1.fpage not found in archive
AddressSanitizer:DEADLYSIGNAL
=================================================================
==4153405==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000001c (pc 0x7ffff7ac9694 bp 0x7fffffffe730 sp 0x7fffffffe5f8 T0)
==4153405==The signal is caused by a READ memory access.
==4153405==Hint: address points to the zero page.
#0 0x7ffff7ac9694 in cairo_surface_status (/lib/x86_64-linux-gnu/libcairo.so.2+0x77694)
#1 0x305734 in gxps_converter_print_converter_end_document /home/ubuntu/libgxps/builddir_asan/../tools/gxps-print-converter.c:216:18
#2 0x302333 in gxps_converter_end_document /home/ubuntu/libgxps/builddir_asan/../tools/gxps-converter.c:188:17
#3 0x302333 in gxps_converter_run /home/ubuntu/libgxps/builddir_asan/../tools/gxps-converter.c:332:9
#4 0x2fe031 in main /home/ubuntu/libgxps/builddir_asan/../tools/gxps-converter-main.c:40:9
#5 0x7ffff76e70b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#6 0x2528ad in _start (/home/ubuntu/libgxps/builddir_asan/tools/xpstopdf+0x2528ad)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libcairo.so.2+0x77694) in cairo_surface_status
==4153405==ABORTING
Patch
From 2d2e27caaa951697baf4846bfb13f85fcb8c5110 Mon Sep 17 00:00:00 2001
From: Qiuhao Li <Qiuhao.Li@outlook.com>
Date: Wed, 3 Feb 2021 22:58:51 +0800
Subject: [PATCH] tools: check whether converter->surface is NULL
---
tools/gxps-print-converter.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/tools/gxps-print-converter.c b/tools/gxps-print-converter.c
index a4f2e13..807ce8e 100644
--- a/tools/gxps-print-converter.c
+++ b/tools/gxps-print-converter.c
@@ -212,6 +212,8 @@ gxps_converter_print_converter_end_document (GXPSConverter *converter)
GXPSPrintConverter *print_converter = GXPS_PRINT_CONVERTER (converter);
cairo_status_t status;
+ if (converter->surface == NULL)
+ return;
cairo_surface_finish (converter->surface);
status = cairo_surface_status (converter->surface);
if (status)
--
2.25.1
Thank you. Qiuhao Li