segfault / null pointer in function psscan()
Submitted by Hanno Böck
Assigned to Carlos Campos @carlosgc
Description
Created attachment 127045
sample file that crashes the libspectre ps parser
The attached file crashes libspectre with a null pointer access. This can be tested with the parser-test command line tool that ships with libspectre or with evince.
This was found with the tool american fuzzy lop.
The content of the file:
%%DocumentMedia 0 6 7
%%Page: %%PageMedia:
Here's a stack trace from asan:

==24184==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000047a05d bp 0x7ffd191b9b50 sp 0x7ffd191b92d0 T0)
    #0 0x47a05c in __interceptor_strcmp (/r/libspectre/parser-test+0x47a05c)
    #1 0x5018cc in psscan /mnt/ram/libspectre-0.2.8/libspectre/ps.c:1068:11
    #2 0x4f272f in main /mnt/ram/libspectre-0.2.8/test/parser-test.c:61:8
    #3 0x7f5ec4c6378f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #4 0x419d28 in _start (/r/libspectre/parser-test+0x419d28)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/r/libspectre/parser-test+0x47a05c) in __interceptor_strcmp
==24184==ABORTING
Attachment 127045, "sample file that crashes the libspectre ps parser":
libspectre-nullptr.ps
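The trace ends in strcmp called from psscan with a null argument, and the sample pairs a %%DocumentMedia entry with a %%PageMedia: comment that names nothing. The C below is an added example, not libspectre's code, of a DSC media-reference check that treats a missing name as an error rather than handing NULL to strcmp; the report's two-line sample is embedded as constructed input, and the assumed cause (an absent name token reaching strcmp) is inferred from the trace, not confirmed by the report.

```c
#include <string.h>

/* Constructed input: the two-line sample file from the report. */
static const char *crash_sample =
    "%%DocumentMedia 0 6 7\n"
    "%%Page: %%PageMedia:\n";

enum { MEDIA_OK = 0, MEDIA_MISSING = -1, MEDIA_UNKNOWN = -2 };
#define MAX_MEDIA 8
#define NAME_LEN 32

/* Copies the token following pos into out; returns NULL when the line
   carries no token (the case the sample above exercises). */
static const char *token_after(const char *pos, char *out, size_t n) {
    size_t i = 0;
    if (*pos == ':') pos++;
    while (*pos == ' ' || *pos == '\t') pos++;
    while (*pos && !strchr(" \t\r\n", *pos) && i + 1 < n) out[i++] = *pos++;
    out[i] = '\0';
    return i ? out : NULL;
}

/* Resolves name against the collected %%DocumentMedia names. A NULL name is
   reported as MEDIA_MISSING instead of being passed to strcmp. */
static int find_media(char names[][NAME_LEN], int n, const char *name) {
    if (name == NULL) return MEDIA_MISSING;
    for (int i = 0; i < n; i++)
        if (strcmp(names[i], name) == 0) return i;
    return MEDIA_UNKNOWN;
}

/* Scans DSC text line by line; returns MEDIA_OK when every %%PageMedia:
   reference resolves, otherwise the first error code encountered. */
int check_page_media(const char *text) {
    char names[MAX_MEDIA][NAME_LEN], tok[NAME_LEN];
    int nnames = 0;
    for (const char *p = text; *p; ) {
        size_t len = strcspn(p, "\n");
        const char *line = p, *ref;
        p += len + (p[len] == '\n');
        if (strncmp(line, "%%DocumentMedia", 15) == 0) {
            if (nnames < MAX_MEDIA && token_after(line + 15, tok, NAME_LEN))
                strcpy(names[nnames++], tok);
        } else if ((ref = strstr(line, "%%PageMedia")) != NULL && ref < line + len) {
            int r = find_media(names, nnames, token_after(ref + 11, tok, NAME_LEN));
            if (r < 0) return r;
        }
    }
    return MEDIA_OK;
}
```

Running check_page_media on crash_sample returns MEDIA_MISSING; a well-formed pair such as "%%DocumentMedia: Plain 612 792 0 () ()" followed by "%%PageMedia: Plain" returns MEDIA_OK.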