Bug 699668

Summary: .definemodifiedfont memory corruption if /typecheck is handled
Product: Ghostscript
Reporter: Tavis Ormandy <taviso>
Component: General
Assignee: Chris Liddell (chrisl) <chris.liddell>
Status: RESOLVED FIXED
QA Contact: gs-security
Severity: normal
Priority: P4
CC: cbuissar, dkaspar, dr, jsmeix, scorneli, till.kamppeter
Version: unspecified
Hardware: PC
OS: Linux
Customer:
Word Size: ---

Description Tavis Ormandy 2018-08-22 23:13:52 UTC
$ gdb -q --args ./gs -q -sDEVICE=ppmraw -dSAFER 
Reading symbols from ./gs...done.
(gdb) r
Starting program: /usr/local/google/home/taviso/projects/ghostscript/ghostscript-9.23/bin/gs -q -sDEVICE=ppmraw -dSAFER
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
GS>errordict /typecheck { (typecheck\n) print } put
GS>1 /Foo .definemodifiedfont
typecheck
...
(lots of output)
Program received signal SIGSEGV, Segmentation fault.
0x0000555555c5615e in dstack_find_name_by_index (pds=0x55555702ce40, nidx=1019) at ./psi/idstack.c:187
187	        name_index_ref(mem, nidx, &key);
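The session above was typed interactively at the GS> prompt. The harness below is an added example, not part of the bug report or of Ghostscript, that turns the reporter's two PostScript lines into a file, runs it non-interactively with the same -dSAFER and ppmraw device, and classifies the exit status so a crash (termination by SIGSEGV) is distinguished from a normal PostScript error such as undefined or typecheck. It assumes a Ghostscript binary is reachable as `gs` in PATH, or via a GS environment variable pointing at a build such as ./bin/gs; the function names are hypothetical.

```shell
#!/bin/sh
# Added reproducer harness for bug 699668 (not from the report or Ghostscript).
# Assumes gs in PATH, or GS=/path/to/gs in the environment.

# Write the reporter's reproducer to the file given as $1.
# Line 1 replaces the /typecheck handler so the error no longer stops
# execution; line 2 passes an integer where .definemodifiedfont expects
# a dictionary, which raises typecheck.
write_repro() {
  cat > "$1" <<'EOF'
errordict /typecheck { (typecheck\n) print } put
1 /Foo .definemodifiedfont
EOF
}

# Map a shell exit status to a short verdict. A status above 128 means the
# process was killed by signal (status - 128); 139 is SIGSEGV, 134 SIGABRT.
classify_exit() {
  case "$1" in
    0)   echo "clean" ;;
    139) echo "sigsegv" ;;
    134) echo "sigabrt" ;;
    *)
      if [ "$1" -gt 128 ]; then
        echo "signal $(($1 - 128))"
      else
        echo "error $1"   # ordinary gs failure, e.g. a PostScript error
      fi
      ;;
  esac
}

# Run the reproducer under the flags used in the report (plus -dBATCH/-dNOPAUSE
# so gs exits instead of waiting for input) and print the verdict.
run_repro() {
  gs_bin="${GS:-gs}"
  if ! command -v "$gs_bin" >/dev/null 2>&1; then
    echo "gs not found"
    return 2
  fi
  tmp=$(mktemp) || return 2
  write_repro "$tmp"
  # The handler prints "typecheck" repeatedly before the crash; discard it.
  "$gs_bin" -q -sDEVICE=ppmraw -dSAFER -dBATCH -dNOPAUSE \
    -sOutputFile=/dev/null "$tmp" >/dev/null 2>&1
  st=$?
  rm -f "$tmp"
  classify_exit "$st"
}

# Usage: GS=./bin/gs sh repro.sh   (prints one of: clean, sigsegv, sigabrt,
# "signal N", "error N", or "gs not found")
[ "${REPRO_NO_MAIN:-}" ] || run_repro
```

A fixed build should report a plain PostScript error (non-zero status below 128) rather than "sigsegv"; an unpatched 9.23 reproduces the segmentation fault shown in the gdb session. Running under a timeout wrapper is advisable, since the replaced handler lets execution continue rather than abort.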
Comment 1 Chris Liddell (chrisl) 2018-08-23 11:46:36 UTC
Fixed in:

http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=b575e1ec42