Bug 697179

Summary: double free with .setdevice
Product: Ghostscript
Reporter: Tavis Ormandy <taviso>
Component: General
Assignee: Chris Liddell (chrisl) <chris.liddell>
Status: RESOLVED FIXED
Severity: normal
CC: chris.liddell, fan.xin, fw, omarandemad
Priority: P4
Version: 9.20
Hardware: PC
OS: Linux
Customer:
Word Size: ---

Description Tavis Ormandy 2016-09-30 18:24:03 UTC
This causes a double free and memory corruption for me in 9.20, even with -dSAFER:

$ gs -sDEVICE=pngalpha  -dSAFER
GPL Ghostscript 9.20 (2016-09-26)
Copyright (C) 2016 Artifex Software, Inc.  All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
GS>{ currentdevice false .copydevice2 .setdevice } stopped { showpage } if
Segmentation fault (core dumped)

This is most likely a security issue.

Comment 1 Chris Liddell (chrisl) 2016-10-01 04:08:52 UTC
I see the problem, and I have a solution, but I need to make sure it doesn't introduce a memory leak.

Comment 2 Chris Liddell (chrisl) 2016-10-05 08:48:39 UTC
Fixed in:
http://git.ghostscript.com/?p=user/chrisl/ghostpdl.git;a=commitdiff;h=d5ad1e02

Comment 4 Chris Liddell (chrisl) 2017-06-08 02:03:50 UTC
Probably better using the "central" repo:

http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=6f749c0c44e