Bug 1473167

Summary: There is a NULL pointer dereference in gxps-archive.c in the libgxps library.

Product: Red Hat Enterprise Linux 7
Reporter: owl337 <v.owl337>
Component: libgxps
Assignee: Marek Kašík <mkasik>
Status: CLOSED ERRATA
QA Contact: Desktop QE <desktop-qa-list>
Severity: urgent
Priority: unspecified
Version: 7.5-Alt
CC: carnil, jkoten, mboisver, tpelka
Target Milestone: rc
Keywords: Reopened
Hardware: x86_64
OS: Linux
Fixed In Version: libgxps-0.3.0-1.el7
Type: Bug
Last Closed: 2018-10-30 10:19:44 UTC
Bug Blocks: 1475734

Attachments:
Triggered by "./xpstojpeg POC1 /dev/null" (flags: none)

Description owl337 2017-07-20 07:25:07 UTC
Created attachment 1301548: Triggered by "./xpstojpeg POC1 /dev/null"

Description of problem:

There is a NULL pointer dereference in gxps-archive.c in the libgxps library.


Version-Release number of selected component (if applicable):

<= latest version

How reproducible:

./xpstojpeg POC1 /dev/null


Steps to Reproduce:

The output information is as follows:

$ ./xpstojpeg  POC1  /dev/null 

(xpstojpeg:122488): GXPS-WARNING **: Error: Pathname cannot be converted from UTF-8 to current locale.


(xpstojpeg:122488): GLib-CRITICAL **: g_ascii_strdown: assertion 'str != NULL' failed
Segmentation fault


ASAN output information:

$ ./xpstojpeg  POC1  /dev/null 

ASAN:SIGSEGV
=================================================================
==51273==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fe62668a810 sp 0x7ffda3dbc728 bp 0x000000000000 T0)
==51273==WARNING: Trying to symbolize code, but external symbolizer is not initialized!
    #0 0x7fe62668a80f (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x3980f)
    #1 0x7fe6271f2a44 (/home/company/secreal/libgxps-0.2.5-asan/install/lib/libgxps.so.2+0x18a44)
    #2 0x7fe62668947a (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x3847a)
    #3 0x7fe6271f24fa (/home/company/secreal/libgxps-0.2.5-asan/install/lib/libgxps.so.2+0x184fa)
    #4 0x7fe626c1010e (/usr/lib/x86_64-linux-gnu/libgio-2.0.so.0+0x5d10e)
    #5 0x7fe626c101c5 (/usr/lib/x86_64-linux-gnu/libgio-2.0.so.0+0x5d1c5)
    #6 0x7fe62722e6c1 (/home/company/secreal/libgxps-0.2.5-asan/install/lib/libgxps.so.2+0x546c1)
    #7 0x7fe626c1010e (/usr/lib/x86_64-linux-gnu/libgio-2.0.so.0+0x5d10e)
    #8 0x7fe626c101c5 (/usr/lib/x86_64-linux-gnu/libgio-2.0.so.0+0x5d1c5)
    #9 0x7fe62722bb74 (/home/company/secreal/libgxps-0.2.5-asan/install/lib/libgxps.so.2+0x51b74)
    #10 0x48673a (/home/company/secreal/libgxps-0.2.5-asan/install/bin/xpstojpeg+0x48673a)
    #11 0x47fe79 (/home/company/secreal/libgxps-0.2.5-asan/install/bin/xpstojpeg+0x47fe79)
    #12 0x47ced6 (/home/company/secreal/libgxps-0.2.5-asan/install/bin/xpstojpeg+0x47ced6)
    #13 0x7fe624865a3f (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
    #14 0x47ccc8 (/home/company/secreal/libgxps-0.2.5-asan/install/bin/xpstojpeg+0x47ccc8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 ??
==51273==ABORTING


GDB backtrace information is as follows:

(gdb) set args fuzz/xps2jpeg_out/crashes/id:000000,sig:11,src:000000,op:flip1,pos:271 /dev/null 
(gdb) r
...
Breakpoint 1, caseless_hash (v=0x0) at gxps-archive.c:196
196		ret = g_str_hash (lower);

(xpstojpeg:55531): GXPS-WARNING **: Error: Pathname cannot be converted from UTF-8 to current locale.


(xpstojpeg:55531): GLib-CRITICAL **: g_ascii_strdown: assertion 'str != NULL' failed

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff6fb4810 in g_str_hash () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
(gdb) bt 
#0  0x00007ffff6fb4810 in g_str_hash () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#1  0x00007ffff7b1ca45 in caseless_hash (v=0x0) at gxps-archive.c:196
#2  0x00007ffff6fb347b in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#3  0x00007ffff7b1c4fb in gxps_archive_initable_init (initable=<optimized out>, error=<optimized out>, 
    cancellable=<optimized out>) at gxps-archive.c:283
#4  0x00007ffff753a10f in g_initable_new_valist () from /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0
#5  0x00007ffff753a1c6 in g_initable_new () from /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0
#6  0x00007ffff7b586c2 in gxps_file_initable_init (initable=<optimized out>, error=<optimized out>, 
    cancellable=<optimized out>) at gxps-file.c:310
#7  0x00007ffff753a10f in g_initable_new_valist () from /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0
#8  0x00007ffff753a1c6 in g_initable_new () from /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0
#9  0x00007ffff7b55b75 in gxps_file_new (filename=<optimized out>, error=<optimized out>) at gxps-file.c:368
#10 0x000000000048673b in gxps_converter_real_init_with_args (converter=0x62100001c020, argc=<optimized out>, 
    argv=<optimized out>, option_groups=<optimized out>) at gxps-converter.c:104
#11 0x000000000047fe7a in gxps_converter_init_with_args (converter=<optimized out>, argc=0x7fffffffe3b0, 
    argv=0x7fffffffe3a0) at gxps-converter.c:230
#12 0x000000000047ced7 in main (argc=<optimized out>, argv=0x7fffffffe3a0) at gxps-converter-main.c:36


This vulnerability was triggered in caseless_hash () at libgxps/gxps-archive.c:196

190 caseless_hash (gconstpointer v)
191 {
192         gchar *lower;
193         guint ret;
194 
195         lower = g_ascii_strdown (v, -1);
196         ret = g_str_hash (lower);
197         g_free (lower);
198 
199         return ret;
200 }



Actual results:

crash

Expected results:

crash

Additional info:

Credits:

This vulnerability was detected by team OWL337 with our custom fuzzer collAFL. Please contact ganshuitao and chaoz.cn if you need more info about the team, the tool or the vulnerability.
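The crash path described above, as an added example that is neither libgxps code nor the reporter's: a portable stand-in for caseless_hash() with the same NULL-intolerant contract, beside a caller-side check (an assumed defensive approach, not the project's actual patch) that keeps an entry whose pathname could not be converted out of the hash table. A case-folding FNV-1a replaces g_ascii_strdown()/g_str_hash() so it builds without GLib, and the archive entries are constructed.

```c
/* Added example, not libgxps code: models this report's NULL-pathname path.
 * g_ascii_strdown()+g_str_hash() are stood in for by a portable case-folding
 * FNV-1a so it builds with only libc; the entries below are constructed. */
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One entry as libarchive hands it over: pathname is NULL when the stored
 * name cannot be converted to the current locale (the GXPS-WARNING above). */
struct entry { const char *pathname; };

/* Same contract as the original caseless_hash(): v must be a NUL-terminated
 * string.  A NULL v is dereferenced on the first iteration, which is the
 * SIGSEGV inside g_str_hash() in the backtrace. */
uint32_t caseless_hash(const char *v)
{
    uint32_t h = 2166136261u;
    for (; *v != '\0'; v++) {
        h ^= (unsigned char)tolower((unsigned char)*v);
        h *= 16777619u;
    }
    return h;
}

/* Caller-side mitigation (an assumed approach, not the upstream patch):
 * validate the key before it reaches the hash table, so an unconvertible
 * pathname is skipped, not hashed.  Returns entries indexed; *skipped the rest. */
size_t index_entries(const struct entry *entries, size_t n, size_t *skipped)
{
    size_t indexed = 0;
    *skipped = 0;
    for (size_t i = 0; i < n; i++) {
        if (entries[i].pathname == NULL) {
            fprintf(stderr, "entry %zu: unconvertible pathname, skipped\n", i);
            (*skipped)++;
            continue;
        }
        (void)caseless_hash(entries[i].pathname); /* safe: checked above */
        indexed++;
    }
    return indexed;
}

/* Constructed sample; the NULL entry mirrors the fuzzer's corrupted name. */
const struct entry sample[] = {
    { "[Content_Types].xml" }, { NULL }, { "Documents/1/Pages/1.fpage" },
};
const size_t sample_len = sizeof sample / sizeof sample[0];
```

Feeding the NULL entry straight to caseless_hash() reproduces the report's fault; index_entries() instead indexes two entries and reports one skipped.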

Comment 9 Michael Boisvert 2018-08-31 10:14:06 UTC
Verified based on #c8.

Comment 11 errata-xmlrpc 2018-10-30 10:19:44 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:3140