Juergen Daubert
11f86218d2
See - https://www.kb.cert.org/vuls/id/332928 - http://seclists.org/oss-sec/2018/q3/142
49 lines
1.7 KiB
Diff
49 lines
1.7 KiB
Diff
From: Ken Sharp <ken.sharp@artifex.com>
|
|
Date: Thu, 23 Aug 2018 14:42:02 +0000 (+0100)
|
|
Subject: Bug 699665 "memory corruption in aesdecode"
|
|
X-Git-Url: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff_plain;h=8e9ce501
|
|
|
|
Bug 699665 "memory corruption in aesdecode"
|
|
|
|
The specimen file calls aesdecode without specifying the key to be
|
|
used, though it does manage to do enough work with the PDF interpreter
|
|
routines to get access to aesdecode (which isn't normally available).
|
|
|
|
This causes us to read uninitialised memory, which can (and often does)
|
|
lead to a segmentation fault.
|
|
|
|
In this commit we set the key to NULL explicitly during intialisation
|
|
and then check it before we read it. If its NULL we just return.
|
|
|
|
It seems bizarre that we don't return error codes, we should probably
|
|
look into that at some point, but this prevents the code trying to
|
|
read uninitialised memory.
|
|
---
|
|
|
|
diff --git a/base/aes.c b/base/aes.c
|
|
index a6bce93..e86f000 100644
|
|
--- a/base/aes.c
|
|
+++ b/base/aes.c
|
|
@@ -662,6 +662,9 @@ void aes_crypt_ecb( aes_context *ctx,
|
|
}
|
|
#endif
|
|
|
|
+ if (ctx == NULL || ctx->rk == NULL)
|
|
+ return;
|
|
+
|
|
RK = ctx->rk;
|
|
|
|
GET_ULONG_LE( X0, input, 0 ); X0 ^= *RK++;
|
|
diff --git a/base/saes.c b/base/saes.c
|
|
index 6db0e8b..307ed74 100644
|
|
--- a/base/saes.c
|
|
+++ b/base/saes.c
|
|
@@ -120,6 +120,7 @@ s_aes_process(stream_state * ss, stream_cursor_read * pr,
|
|
gs_throw(gs_error_VMerror, "could not allocate aes context");
|
|
return ERRC;
|
|
}
|
|
+ memset(state->ctx, 0x00, sizeof(aes_context));
|
|
if (state->keylength < 1 || state->keylength > SAES_MAX_KEYLENGTH) {
|
|
gs_throw1(gs_error_rangecheck, "invalid aes key length (%d bytes)",
|
|
state->keylength);
|