Created attachment 13791 [details]
PoC File

Hi. I found a crashing test case.
The crash does not occur in the non-ASan environment.
Memory corruption occurs in the ASan environment or in Valgrind.
Please confirm. Thanks.

Version 9.22 and Git Head: f887813ad00d680e2ea5d81606fd21d1b68067af
OS: Ubuntu 16.04.2 32bit
Command: ./gxps -sDEVICE=pdfwrite -sOutputFile=/dev/null -dNOPAUSE $FILE

--------------- Valgrind OUT ---------------

==13445== Conditional jump or move depends on uninitialised value(s)
==13445==    at 0x40330F4: bcmp (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==13445==    by 0x843949E: gs_c_name_glyph (gscencs.c:144)
==13445==    by 0x8348B60: copy_glyph_name (gxfcopy.c:560)
==13445==    by 0x834AEB2: copy_glyph_type42 (gxfcopy.c:1396)
==13445==    by 0x834D0F9: gs_copy_glyph_options (gxfcopy.c:2265)
==13445==    by 0x832B02B: pdf_base_font_copy_glyph (gdevpdtb.c:428)
==13445==    by 0x832F366: pdf_font_used_glyph (gdevpdtd.c:363)
==13445==    by 0x83312A3: pdf_encode_string_element (gdevpdte.c:272)
==13445==    by 0x8334A40: process_text_modify_width (gdevpdte.c:1157)
==13445==    by 0x8332D4D: pdf_process_string (gdevpdte.c:699)
==13445==    by 0x8330BE2: pdf_process_string_aux (gdevpdte.c:79)
==13445==    by 0x8335AA8: process_plain_text (gdevpdte.c:1504)
==13445==  Uninitialised value was created by a stack allocation
==13445==    at 0x843948E: gs_c_name_glyph (gscencs.c:144)
==13445== 
==13445== Conditional jump or move depends on uninitialised value(s)
==13445==    at 0x84394A9: gs_c_name_glyph (gscencs.c:145)
==13445==    by 0x8348B60: copy_glyph_name (gxfcopy.c:560)
==13445==    by 0x834AEB2: copy_glyph_type42 (gxfcopy.c:1396)
==13445==    by 0x834D0F9: gs_copy_glyph_options (gxfcopy.c:2265)
==13445==    by 0x832B02B: pdf_base_font_copy_glyph (gdevpdtb.c:428)
==13445==    by 0x832F366: pdf_font_used_glyph (gdevpdtd.c:363)
==13445==    by 0x83312A3: pdf_encode_string_element (gdevpdte.c:272)
==13445==    by 0x8334A40: process_text_modify_width (gdevpdte.c:1157)
==13445==    by 0x8332D4D: pdf_process_string (gdevpdte.c:699)
==13445==    by 0x8330BE2: pdf_process_string_aux (gdevpdte.c:79)
==13445==    by 0x8335AA8: process_plain_text (gdevpdte.c:1504)
==13445==    by 0x8344EB6: pdf_text_process (gdevpdtt.c:3552)
==13445==  Uninitialised value was created by a stack allocation
==13445==    at 0x843948E: gs_c_name_glyph (gscencs.c:144)
==13445== 
==13445== Conditional jump or move depends on uninitialised value(s)
==13445==    at 0x84394CC: gs_c_name_glyph (gscencs.c:147)
==13445==    by 0x8348B60: copy_glyph_name (gxfcopy.c:560)
==13445==    by 0x834AEB2: copy_glyph_type42 (gxfcopy.c:1396)
==13445==    by 0x834D0F9: gs_copy_glyph_options (gxfcopy.c:2265)
==13445==    by 0x832B02B: pdf_base_font_copy_glyph (gdevpdtb.c:428)
==13445==    by 0x832F366: pdf_font_used_glyph (gdevpdtd.c:363)
==13445==    by 0x83312A3: pdf_encode_string_element (gdevpdte.c:272)
==13445==    by 0x8334A40: process_text_modify_width (gdevpdte.c:1157)
==13445==    by 0x8332D4D: pdf_process_string (gdevpdte.c:699)
==13445==    by 0x8330BE2: pdf_process_string_aux (gdevpdte.c:79)
==13445==    by 0x8335AA8: process_plain_text (gdevpdte.c:1504)
==13445==    by 0x8344EB6: pdf_text_process (gdevpdtt.c:3552)
==13445==  Uninitialised value was created by a stack allocation
==13445==    at 0x843948E: gs_c_name_glyph (gscencs.c:144)
==13445== 
==13445== Conditional jump or move depends on uninitialised value(s)
==13445==    at 0x40330C5: bcmp (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==13445==    by 0x843949E: gs_c_name_glyph (gscencs.c:144)
==13445==    by 0x8348B60: copy_glyph_name (gxfcopy.c:560)
==13445==    by 0x834AEB2: copy_glyph_type42 (gxfcopy.c:1396)
==13445==    by 0x834D0F9: gs_copy_glyph_options (gxfcopy.c:2265)
==13445==    by 0x832B02B: pdf_base_font_copy_glyph (gdevpdtb.c:428)
==13445==    by 0x832F366: pdf_font_used_glyph (gdevpdtd.c:363)
==13445==    by 0x83312A3: pdf_encode_string_element (gdevpdte.c:272)
==13445==    by 0x8334A40: process_text_modify_width (gdevpdte.c:1157)
==13445==    by 0x8332D4D: pdf_process_string (gdevpdte.c:699)
==13445==    by 0x8330BE2: pdf_process_string_aux (gdevpdte.c:79)
==13445==    by 0x8335AA8: process_plain_text (gdevpdte.c:1504)
==13445==  Uninitialised value was created by a stack allocation
==13445==    at 0x843948E: gs_c_name_glyph (gscencs.c:144)
==13445== 
==13445== Conditional jump or move depends on uninitialised value(s)
==13445==    at 0x403310F: bcmp (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==13445==    by 0x843949E: gs_c_name_glyph (gscencs.c:144)
==13445==    by 0x8348B60: copy_glyph_name (gxfcopy.c:560)
==13445==    by 0x834AEB2: copy_glyph_type42 (gxfcopy.c:1396)
==13445==    by 0x834D0F9: gs_copy_glyph_options (gxfcopy.c:2265)
==13445==    by 0x832B02B: pdf_base_font_copy_glyph (gdevpdtb.c:428)
==13445==    by 0x832F366: pdf_font_used_glyph (gdevpdtd.c:363)
==13445==    by 0x83312A3: pdf_encode_string_element (gdevpdte.c:272)
==13445==    by 0x8334A40: process_text_modify_width (gdevpdte.c:1157)
==13445==    by 0x8332D4D: pdf_process_string (gdevpdte.c:699)
==13445==    by 0x8330BE2: pdf_process_string_aux (gdevpdte.c:79)
==13445==    by 0x8335AA8: process_plain_text (gdevpdte.c:1504)
==13445==  Uninitialised value was created by a stack allocation
==13445==    at 0x843948E: gs_c_name_glyph (gscencs.c:144)
==13445== 
==13445== Conditional jump or move depends on uninitialised value(s)
==13445==    at 0x40330F4: bcmp (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==13445==    by 0x843949E: gs_c_name_glyph (gscencs.c:144)
==13445==    by 0x8340C9E: pdf_make_text_glyphs_table_unencoded (gdevpdtt.c:1856)
==13445==    by 0x83418D6: pdf_obtain_font_resource_unencoded (gdevpdtt.c:2198)
==13445==    by 0x8335A03: process_plain_text (gdevpdte.c:1476)
==13445==    by 0x8344EB6: pdf_text_process (gdevpdtt.c:3552)
==13445==    by 0x8467A83: gs_text_process (gstext.c:574)
==13445==    by 0x85A60B2: xps_flush_text_buffer (xpsglyphs.c:324)
==13445==    by 0x85A69DB: xps_parse_glyphs_imp (xpsglyphs.c:569)
==13445==    by 0x85A7660: xps_parse_glyphs (xpsglyphs.c:809)
==13445==    by 0x8599AD4: xps_parse_element (xpscommon.c:68)
==13445==    by 0x8598D75: xps_parse_fixed_page (xpspage.c:279)
==13445==  Uninitialised value was created by a stack allocation
==13445==    at 0x843948E: gs_c_name_glyph (gscencs.c:144)
==13445== 
==13445== Conditional jump or move depends on uninitialised value(s)
==13445==    at 0x84394A9: gs_c_name_glyph (gscencs.c:145)
==13445==    by 0x8340C9E: pdf_make_text_glyphs_table_unencoded (gdevpdtt.c:1856)
==13445==    by 0x83418D6: pdf_obtain_font_resource_unencoded (gdevpdtt.c:2198)
==13445==    by 0x8335A03: process_plain_text (gdevpdte.c:1476)
==13445==    by 0x8344EB6: pdf_text_process (gdevpdtt.c:3552)
==13445==    by 0x8467A83: gs_text_process (gstext.c:574)
==13445==    by 0x85A60B2: xps_flush_text_buffer (xpsglyphs.c:324)
==13445==    by 0x85A69DB: xps_parse_glyphs_imp (xpsglyphs.c:569)
==13445==    by 0x85A7660: xps_parse_glyphs (xpsglyphs.c:809)
==13445==    by 0x8599AD4: xps_parse_element (xpscommon.c:68)
==13445==    by 0x8598D75: xps_parse_fixed_page (xpspage.c:279)
==13445==    by 0x859607D: xps_read_and_process_page_part (xpszip.c:539)
==13445==  Uninitialised value was created by a stack allocation
==13445==    at 0x843948E: gs_c_name_glyph (gscencs.c:144)
==13445== 
==13445== Conditional jump or move depends on uninitialised value(s)
==13445==    at 0x84394CC: gs_c_name_glyph (gscencs.c:147)
==13445==    by 0x8340C9E: pdf_make_text_glyphs_table_unencoded (gdevpdtt.c:1856)
==13445==    by 0x83418D6: pdf_obtain_font_resource_unencoded (gdevpdtt.c:2198)
==13445==    by 0x8335A03: process_plain_text (gdevpdte.c:1476)
==13445==    by 0x8344EB6: pdf_text_process (gdevpdtt.c:3552)
==13445==    by 0x8467A83: gs_text_process (gstext.c:574)
==13445==    by 0x85A60B2: xps_flush_text_buffer (xpsglyphs.c:324)
==13445==    by 0x85A69DB: xps_parse_glyphs_imp (xpsglyphs.c:569)
==13445==    by 0x85A7660: xps_parse_glyphs (xpsglyphs.c:809)
==13445==    by 0x8599AD4: xps_parse_element (xpscommon.c:68)
==13445==    by 0x8598D75: xps_parse_fixed_page (xpspage.c:279)
==13445==    by 0x859607D: xps_read_and_process_page_part (xpszip.c:539)
==13445==  Uninitialised value was created by a stack allocation
==13445==    at 0x843948E: gs_c_name_glyph (gscencs.c:144)
==13445== 
==13445== Conditional jump or move depends on uninitialised value(s)
==13445==    at 0x403310F: bcmp (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==13445==    by 0x843949E: gs_c_name_glyph (gscencs.c:144)
==13445==    by 0x8340C9E: pdf_make_text_glyphs_table_unencoded (gdevpdtt.c:1856)
==13445==    by 0x83418D6: pdf_obtain_font_resource_unencoded (gdevpdtt.c:2198)
==13445==    by 0x8335A03: process_plain_text (gdevpdte.c:1476)
==13445==    by 0x8344EB6: pdf_text_process (gdevpdtt.c:3552)
==13445==    by 0x8467A83: gs_text_process (gstext.c:574)
==13445==    by 0x85A60B2: xps_flush_text_buffer (xpsglyphs.c:324)
==13445==    by 0x85A69DB: xps_parse_glyphs_imp (xpsglyphs.c:569)
==13445==    by 0x85A7660: xps_parse_glyphs (xpsglyphs.c:809)
==13445==    by 0x8599AD4: xps_parse_element (xpscommon.c:68)
==13445==    by 0x8598D75: xps_parse_fixed_page (xpspage.c:279)
==13445==  Uninitialised value was created by a stack allocation
==13445==    at 0x843948E: gs_c_name_glyph (gscencs.c:144)
==13445== 
==13445== Conditional jump or move depends on uninitialised value(s)
==13445==    at 0x40330C5: bcmp (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==13445==    by 0x843949E: gs_c_name_glyph (gscencs.c:144)
==13445==    by 0x8340C9E: pdf_make_text_glyphs_table_unencoded (gdevpdtt.c:1856)
==13445==    by 0x83418D6: pdf_obtain_font_resource_unencoded (gdevpdtt.c:2198)
==13445==    by 0x8335A03: process_plain_text (gdevpdte.c:1476)
==13445==    by 0x8344EB6: pdf_text_process (gdevpdtt.c:3552)
==13445==    by 0x8467A83: gs_text_process (gstext.c:574)
==13445==    by 0x85A60B2: xps_flush_text_buffer (xpsglyphs.c:324)
==13445==    by 0x85A69DB: xps_parse_glyphs_imp (xpsglyphs.c:569)
==13445==    by 0x85A7660: xps_parse_glyphs (xpsglyphs.c:809)
==13445==    by 0x8599AD4: xps_parse_element (xpscommon.c:68)
==13445==    by 0x8598D75: xps_parse_fixed_page (xpspage.c:279)
==13445==  Uninitialised value was created by a stack allocation
==13445==    at 0x843948E: gs_c_name_glyph (gscencs.c:144)
==13445== 
==13445== Invalid read of size 4
==13445==    at 0x80EC5B9: Ins_MDRP (ttinterp.c:3784)
==13445==    by 0x80EE127: RunIns (ttinterp.c:5035)
==13445==    by 0x80EF666: Context_Run (ttobjs.c:457)
==13445==    by 0x80E69AE: ttfOutliner__BuildGlyphOutlineAux (ttfmain.c:827)
==13445==    by 0x80E6C12: ttfOutliner__BuildGlyphOutline (ttfmain.c:874)
==13445==    by 0x80E7A63: ttfOutliner__Outline (ttfmain.c:1033)
==13445==    by 0x80F23E8: gx_ttf_outline (gxttfb.c:787)
==13445==    by 0x80E2666: append_outline_fitted (gstype42.c:1595)
==13445==    by 0x80E1A13: gs_type42_glyph_outline (gstype42.c:991)
==13445==    by 0x844F912: gs_default_glyph_info (gsfont.c:1036)
==13445==    by 0x80E1B7F: gs_type42_glyph_info_by_gid (gstype42.c:1017)
==13445==    by 0x80E1E74: gs_type42_glyph_info (gstype42.c:1088)
==13445==  Address 0x4360f44 is 372 bytes inside a block of size 2,072 free'd
==13445==    at 0x402E358: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==13445==    by 0x845A0FB: gs_heap_free_object (gsmalloc.c:358)
==13445==    by 0x81A1859: gs_lcms2_free (gsicc_lcms2.c:83)
==13445==    by 0x81B6791: _cmsFree (cmserr.c:294)
==13445==    by 0x81B855C: cmsFreeToneCurve (cmsgamma.c:759)
==13445==    by 0x81C5086: CurveSetElemTypeFree (cmslut.c:200)
==13445==    by 0x81C6FAB: cmsStageFree (cmslut.c:1202)
==13445==    by 0x81C74AD: cmsPipelineFree (cmslut.c:1402)
==13445==    by 0x81E9E32: cmsDeleteTransform (cmsxform.c:157)
==13445==    by 0x81DAC1B: BlackPointAsDarkerColorant (cmssamp.c:131)
==13445==    by 0x81DAF25: cmsDetectBlackPoint (cmssamp.c:273)
==13445==    by 0x81DB533: cmsDetectDestinationBlackPoint (cmssamp.c:404)
==13445==  Block was alloc'd at
==13445==    at 0x402D17C: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==13445==    by 0x8459D0D: gs_heap_alloc_bytes (gsmalloc.c:193)
==13445==    by 0x81A1815: gs_lcms2_malloc (gsicc_lcms2.c:62)
==13445==    by 0x81B66C9: _cmsMalloc (cmserr.c:265)
==13445==    by 0x81B63D7: _cmsMallocZeroDefaultFn (cmserr.c:104)
==13445==    by 0x81B66F8: _cmsMallocZero (cmserr.c:272)
==13445==    by 0x81B64B3: _cmsCallocDefaultFn (cmserr.c:158)
==13445==    by 0x81B672A: _cmsCalloc (cmserr.c:279)
==13445==    by 0x81B738A: AllocateToneCurveStruct (cmsgamma.c:255)
==13445==    by 0x81B8730: cmsDupToneCurve (cmsgamma.c:804)
==13445==    by 0x81C5164: CurveSetDup (cmslut.c:226)
==13445==    by 0x81C7088: cmsStageDup (cmslut.c:1254)
==13445== 
==13445== Invalid read of size 4
==13445==    at 0x80EC5E7: Ins_MDRP (ttinterp.c:3784)
==13445==    by 0x80EE127: RunIns (ttinterp.c:5035)
==13445==    by 0x80EF666: Context_Run (ttobjs.c:457)
==13445==    by 0x80E69AE: ttfOutliner__BuildGlyphOutlineAux (ttfmain.c:827)
==13445==    by 0x80E6C12: ttfOutliner__BuildGlyphOutline (ttfmain.c:874)
==13445==    by 0x80E7A63: ttfOutliner__Outline (ttfmain.c:1033)
==13445==    by 0x80F23E8: gx_ttf_outline (gxttfb.c:787)
==13445==    by 0x80E2666: append_outline_fitted (gstype42.c:1595)
==13445==    by 0x80E1A13: gs_type42_glyph_outline (gstype42.c:991)
==13445==    by 0x844F912: gs_default_glyph_info (gsfont.c:1036)
==13445==    by 0x80E1B7F: gs_type42_glyph_info_by_gid (gstype42.c:1017)
==13445==    by 0x80E1E74: gs_type42_glyph_info (gstype42.c:1088)
==13445==  Address 0x4360d04 is 92 bytes inside a block of size 144 free'd
==13445==    at 0x402E358: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==13445==    by 0x845A0FB: gs_heap_free_object (gsmalloc.c:358)
==13445==    by 0x81A1859: gs_lcms2_free (gsicc_lcms2.c:83)
==13445==    by 0x81B6791: _cmsFree (cmserr.c:294)
==13445==    by 0x81BB2D1: _cmsFreeInterpParams (cmsintrp.c:171)
==13445==    by 0x81B853D: cmsFreeToneCurve (cmsgamma.c:756)
==13445==    by 0x81C5086: CurveSetElemTypeFree (cmslut.c:200)
==13445==    by 0x81C6FAB: cmsStageFree (cmslut.c:1202)
==13445==    by 0x81C74AD: cmsPipelineFree (cmslut.c:1402)
==13445==    by 0x81E9E32: cmsDeleteTransform (cmsxform.c:157)
==13445==    by 0x81DAC1B: BlackPointAsDarkerColorant (cmssamp.c:131)
==13445==    by 0x81DAF25: cmsDetectBlackPoint (cmssamp.c:273)
==13445==  Block was alloc'd at
==13445==    at 0x402D17C: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==13445==    by 0x8459D0D: gs_heap_alloc_bytes (gsmalloc.c:193)
==13445==    by 0x81A1815: gs_lcms2_malloc (gsicc_lcms2.c:62)
==13445==    by 0x81B66C9: _cmsMalloc (cmserr.c:265)
==13445==    by 0x81B63D7: _cmsMallocZeroDefaultFn (cmserr.c:104)
==13445==    by 0x81B66F8: _cmsMallocZero (cmserr.c:272)
==13445==    by 0x81BB115: _cmsComputeInterpParamsEx (cmsintrp.c:119)
==13445==    by 0x81BB29E: _cmsComputeInterpParams (cmsintrp.c:164)
==13445==    by 0x81B7595: AllocateToneCurveStruct (cmsgamma.c:297)
==13445==    by 0x81B8730: cmsDupToneCurve (cmsgamma.c:804)
==13445==    by 0x81C5164: CurveSetDup (cmslut.c:226)
==13445==    by 0x81C7088: cmsStageDup (cmslut.c:1254)
==13445== 
==13445== Invalid read of size 4
==13445==    at 0x80EC75E: Ins_MDRP (ttinterp.c:3827)
==13445==    by 0x80EE127: RunIns (ttinterp.c:5035)
==13445==    by 0x80EF666: Context_Run (ttobjs.c:457)
==13445==    by 0x80E69AE: ttfOutliner__BuildGlyphOutlineAux (ttfmain.c:827)
==13445==    by 0x80E6C12: ttfOutliner__BuildGlyphOutline (ttfmain.c:874)
==13445==    by 0x80E7A63: ttfOutliner__Outline (ttfmain.c:1033)
==13445==    by 0x80F23E8: gx_ttf_outline (gxttfb.c:787)
==13445==    by 0x80E2666: append_outline_fitted (gstype42.c:1595)
==13445==    by 0x80E1A13: gs_type42_glyph_outline (gstype42.c:991)
==13445==    by 0x844F912: gs_default_glyph_info (gsfont.c:1036)
==13445==    by 0x80E1B7F: gs_type42_glyph_info_by_gid (gstype42.c:1017)
==13445==    by 0x80E1E74: gs_type42_glyph_info (gstype42.c:1088)
==13445==  Address 0x4361184 is 948 bytes inside a block of size 2,072 free'd
==13445==    at 0x402E358: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==13445==    by 0x845A0FB: gs_heap_free_object (gsmalloc.c:358)
==13445==    by 0x81A1859: gs_lcms2_free (gsicc_lcms2.c:83)
==13445==    by 0x81B6791: _cmsFree (cmserr.c:294)
==13445==    by 0x81B855C: cmsFreeToneCurve (cmsgamma.c:759)
==13445==    by 0x81C5086: CurveSetElemTypeFree (cmslut.c:200)
==13445==    by 0x81C6FAB: cmsStageFree (cmslut.c:1202)
==13445==    by 0x81C74AD: cmsPipelineFree (cmslut.c:1402)
==13445==    by 0x81E9E32: cmsDeleteTransform (cmsxform.c:157)
==13445==    by 0x81DAC1B: BlackPointAsDarkerColorant (cmssamp.c:131)
==13445==    by 0x81DAF25: cmsDetectBlackPoint (cmssamp.c:273)
==13445==    by 0x81DB533: cmsDetectDestinationBlackPoint (cmssamp.c:404)
==13445==  Block was alloc'd at
==13445==    at 0x402D17C: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==13445==    by 0x8459D0D: gs_heap_alloc_bytes (gsmalloc.c:193)
==13445==    by 0x81A1815: gs_lcms2_malloc (gsicc_lcms2.c:62)
==13445==    by 0x81B66C9: _cmsMalloc (cmserr.c:265)
==13445==    by 0x81B63D7: _cmsMallocZeroDefaultFn (cmserr.c:104)
==13445==    by 0x81B66F8: _cmsMallocZero (cmserr.c:272)
==13445==    by 0x81B64B3: _cmsCallocDefaultFn (cmserr.c:158)
==13445==    by 0x81B672A: _cmsCalloc (cmserr.c:279)
==13445==    by 0x81B738A: AllocateToneCurveStruct (cmsgamma.c:255)
==13445==    by 0x81B8730: cmsDupToneCurve (cmsgamma.c:804)
==13445==    by 0x81C5164: CurveSetDup (cmslut.c:226)
==13445==    by 0x81C7088: cmsStageDup (cmslut.c:1254)
==13445== 
==13445== 
==13445== HEAP SUMMARY:
==13445==     in use at exit: 0 bytes in 0 blocks
==13445==   total heap usage: 749 allocs, 749 frees, 2,015,383 bytes allocated
==13445== 
==13445== All heap blocks were freed -- no leaks are possible
==13445== 
==13445== For counts of detected and suppressed errors, rerun with: -v
==13445== ERROR SUMMARY: 201 errors from 13 contexts (suppressed: 0 from 0)

------------------ ASan:OUT ------------------

=================================================================
==21375==ERROR: AddressSanitizer: heap-use-after-free on address 0xb4c9453c at pc 0x08191d31 bp 0xbfaf6b88 sp 0xbfaf6b78
READ of size 4 at 0xb4c9453c thread T0
    #0 0x8191d30 in Ins_MDRP base/ttinterp.c:3784
    #1 0x8198e8e in RunIns base/ttinterp.c:5035
    #2 0x819e7a5 in Context_Run base/ttobjs.c:457
    #3 0x817aa32 in ttfOutliner__BuildGlyphOutlineAux base/ttfmain.c:827
    #4 0x817afef in ttfOutliner__BuildGlyphOutline base/ttfmain.c:874
    #5 0x817d568 in ttfOutliner__Outline base/ttfmain.c:1033
    #6 0x81a8c29 in gx_ttf_outline base/gxttfb.c:787
    #7 0x816e1fa in append_outline_fitted base/gstype42.c:1595
    #8 0x816bb66 in gs_type42_glyph_outline base/gstype42.c:991
    #9 0x8ba4a25 in gs_default_glyph_info base/gsfont.c:1036
    #10 0x816c004 in gs_type42_glyph_info_by_gid base/gstype42.c:1017
    #11 0x816c82e in gs_type42_glyph_info base/gstype42.c:1088
    #12 0x8870b4a in pdf_compute_font_descriptor devices/vector/gdevpdtd.c:457
    #13 0x8871ed8 in pdf_finish_FontDescriptor devices/vector/gdevpdtd.c:636
    #14 0x88bcedd in pdf_finish_resources devices/vector/gdevpdtw.c:677
    #15 0x877d771 in do_pdf_close devices/vector/gdevpdf.c:2569
    #16 0x87844ce in pdf_close devices/vector/gdevpdf.c:3281
    #17 0x8b83b4b in gs_closedevice base/gsdevice.c:720
    #18 0x911ecd8 in pl_main_universe_dnit pcl/pl/plmain.c:557
    #19 0x911e426 in pl_main_delete_instance pcl/pl/plmain.c:436
    #20 0x8f8bd14 in plapi_delete_instance pcl/pl/plapi.c:89
    #21 0x911d2cf in main pcl/pl/realmain.c:50
    #22 0xb6fdc636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
    #23 0x8099f90 (/home/karas/gwanyeong/ghostpdl/bin/gxps+0x8099f90)

0xb4c9453c is located 32060 bytes inside of 65576-byte region [0xb4c8c800,0xb4c9c828)
freed by thread T0 here:
    #0 0xb7287a84 in free (/usr/lib/i386-linux-gnu/libasan.so.2+0x96a84)
    #1 0x8bc86fe in gs_heap_free_object base/gsmalloc.c:358
    #2 0x865509b in chunk_free_object base/gsmchunk.c:1092
    #3 0x8665389 in s_zlib_free base/szlibc.c:110
    #4 0x82e4cb0 in deflateEnd zlib/deflate.c:1000
    #5 0x8665f37 in s_zlibE_release base/szlibe.c:88
    #6 0x86215a4 in sclose base/stream.c:434
    #7 0x88113de in stream_to_none devices/vector/gdevpdfu.c:1092
    #8 0x881179a in pdf_open_contents devices/vector/gdevpdfu.c:1118
    #9 0x8811990 in pdf_close_contents devices/vector/gdevpdfu.c:1142
    #10 0x876a0ff in pdf_close_page devices/vector/gdevpdf.c:973
    #11 0x876e1ef in pdf_output_page devices/vector/gdevpdf.c:1395
    #12 0x8b8043f in gs_output_page base/gsdevice.c:210
    #13 0x912486f in pl_finish_page pcl/pl/plmain.c:1488
    #14 0x809c204 in xps_show_page xps/xpstop.c:428
    #15 0x8fc001d in xps_parse_fixed_page xps/xpspage.c:306
    #16 0x8fb951a in xps_read_and_process_page_part xps/xpszip.c:539
    #17 0x8fba16d in xps_process_file xps/xpszip.c:688
    #18 0x809b252 in xps_imp_process_file xps/xpstop.c:228
    #19 0x8f8ac0b in pl_process_file pcl/pl/pltop.c:70
    #20 0x911e117 in pl_main_run_file pcl/pl/plmain.c:377
    #21 0x91236f1 in pl_main_process_options pcl/pl/plmain.c:1313
    #22 0x911d92a in pl_main_init_with_args pcl/pl/plmain.c:262
    #23 0x8f8bbce in plapi_init_with_args pcl/pl/plapi.c:58
    #24 0x911d206 in main pcl/pl/realmain.c:34
    #25 0xb6fdc636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)

previously allocated by thread T0 here:
    #0 0xb7287dee in malloc (/usr/lib/i386-linux-gnu/libasan.so.2+0x96dee)
    #1 0x8bc7a55 in gs_heap_alloc_bytes base/gsmalloc.c:193
    #2 0x8653afb in chunk_obj_alloc base/gsmchunk.c:789
    #3 0x86549d2 in chunk_alloc_bytes base/gsmchunk.c:977
    #4 0x8654a9d in chunk_alloc_byte_array_immovable base/gsmchunk.c:998
    #5 0x8665032 in s_zlib_alloc base/szlibc.c:87
    #6 0x82dd804 in deflateInit2_ zlib/deflate.c:294
    #7 0x8665924 in s_zlibE_init base/szlibe.c:31
    #8 0x88109bb in none_to_stream devices/vector/gdevpdfu.c:996
    #9 0x881179a in pdf_open_contents devices/vector/gdevpdfu.c:1118
    #10 0x8815c32 in pdf_open_page devices/vector/gdevpdfu.c:1877
    #11 0x889fa66 in pdf_prepare_text_drawing devices/vector/gdevpdtt.c:417
    #12 0x88b5065 in pdf_text_process devices/vector/gdevpdtt.c:3112
    #13 0x8bf81ca in gs_text_process base/gstext.c:574
    #14 0x8fdf2fa in xps_flush_text_buffer xps/xpsglyphs.c:324
    #15 0x8fe07cc in xps_parse_glyphs_imp xps/xpsglyphs.c:569
    #16 0x8fe1ad1 in xps_parse_glyphs xps/xpsglyphs.c:809
    #17 0x8fc18cf in xps_parse_element xps/xpscommon.c:68
    #18 0x8fbfcf4 in xps_parse_fixed_page xps/xpspage.c:279
    #19 0x8fb951a in xps_read_and_process_page_part xps/xpszip.c:539
    #20 0x8fba16d in xps_process_file xps/xpszip.c:688
    #21 0x809b252 in xps_imp_process_file xps/xpstop.c:228
    #22 0x8f8ac0b in pl_process_file pcl/pl/pltop.c:70
    #23 0x911e117 in pl_main_run_file pcl/pl/plmain.c:377
    #24 0x91236f1 in pl_main_process_options pcl/pl/plmain.c:1313
    #25 0x911d92a in pl_main_init_with_args pcl/pl/plmain.c:262
    #26 0x8f8bbce in plapi_init_with_args pcl/pl/plapi.c:58
    #27 0x911d206 in main pcl/pl/realmain.c:34
    #28 0xb6fdc636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)

SUMMARY: AddressSanitizer: heap-use-after-free base/ttinterp.c:3784 Ins_MDRP
Shadow bytes around the buggy address:
  0x36992850: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x36992860: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x36992870: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x36992880: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x36992890: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x369928a0: fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd
  0x369928b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x369928c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x369928d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x369928e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x369928f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==21375==ABORTING
Fixed: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=7755e671