| Summary: | double free with .setdevice | ||
|---|---|---|---|
| Product: | Ghostscript | Reporter: | Tavis Ormandy <taviso> |
| Component: | General | Assignee: | Chris Liddell (chrisl) <chris.liddell> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | chris.liddell, fan.xin, fw, omarandemad |
| Priority: | P4 | ||
| Version: | 9.20 | ||
| Hardware: | PC | ||
| OS: | Linux | ||
| Customer: | | Word Size: | --- |

I see the problem, and I have a solution, but I need to make sure it doesn't introduce a memory leak.

I notice that the following patch does not exist. http://git.ghostscript.com/?p=user/chrisl/ghostpdl.git;a=commitdiff;h=d5ad1e02

The fix patch link is: http://git.ghostscript.com/?p=user/chrisl/ghostpdl.git;a=commit;h=6f749c0c44e7b9e09737b9f29edf29925a34f0cf

Probably better using the "central" repo: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=6f749c0c44e

This causes a double free and memory corruption for me in 9.20, even with -dSAFER:

```
$ gs -sDEVICE=pngalpha -dSAFER
GPL Ghostscript 9.20 (2016-09-26)
Copyright (C) 2016 Artifex Software, Inc. All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
GS>{ currentdevice false .copydevice2 .setdevice } stopped { showpage } if
Segmentation fault (core dumped)
```

This is most likely a security issue.