Bug 698055

Summary: heap-use-after-free in Ins_MDRP(base/ttinterp.c)
Product: GhostXPS Reporter: Kim Gwan Yeong <gy741.kim>
Component: GeneralAssignee: Chris Liddell (chrisl) <chris.liddell>
Status: RESOLVED FIXED    
Severity: normal    
Priority: P4    
Version: unspecified   
Hardware: PC   
OS: Windows NT   
Customer: Word Size: ---
Attachments: PoC File

Description Kim Gwan Yeong 2017-06-14 17:49:36 UTC 
Created attachment 13791 [details]
PoC File

Hi.

I found a crashing test case.

Crash does not occur in the no-ASan environment.

Memory corruption occur in the ASan environment or in Valgrind.

Please confirm.

Thanks.

Version 9.22 and Git Head: f887813ad00d680e2ea5d81606fd21d1b68067af
OS: Ubuntu 16.04.2 32bit
Command: ./gxps -sDEVICE=pdfwrite -sOutputFile=/dev/null -dNOPAUSE $FILE

---------------
Valgrind OUT
---------------
==13445== Conditional jump or move depends on uninitialised value(s)
==13445==    at 0x40330F4: bcmp (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==13445==    by 0x843949E: gs_c_name_glyph (gscencs.c:144)
==13445==    by 0x8348B60: copy_glyph_name (gxfcopy.c:560)
==13445==    by 0x834AEB2: copy_glyph_type42 (gxfcopy.c:1396)
==13445==    by 0x834D0F9: gs_copy_glyph_options (gxfcopy.c:2265)
==13445==    by 0x832B02B: pdf_base_font_copy_glyph (gdevpdtb.c:428)
==13445==    by 0x832F366: pdf_font_used_glyph (gdevpdtd.c:363)
==13445==    by 0x83312A3: pdf_encode_string_element (gdevpdte.c:272)
==13445==    by 0x8334A40: process_text_modify_width (gdevpdte.c:1157)
==13445==    by 0x8332D4D: pdf_process_string (gdevpdte.c:699)
==13445==    by 0x8330BE2: pdf_process_string_aux (gdevpdte.c:79)
==13445==    by 0x8335AA8: process_plain_text (gdevpdte.c:1504)
==13445==  Uninitialised value was created by a stack allocation
==13445==    at 0x843948E: gs_c_name_glyph (gscencs.c:144)
==13445==
==13445== Conditional jump or move depends on uninitialised value(s)
==13445==    at 0x84394A9: gs_c_name_glyph (gscencs.c:145)
==13445==    by 0x8348B60: copy_glyph_name (gxfcopy.c:560)
==13445==    by 0x834AEB2: copy_glyph_type42 (gxfcopy.c:1396)
==13445==    by 0x834D0F9: gs_copy_glyph_options (gxfcopy.c:2265)
==13445==    by 0x832B02B: pdf_base_font_copy_glyph (gdevpdtb.c:428)
==13445==    by 0x832F366: pdf_font_used_glyph (gdevpdtd.c:363)
==13445==    by 0x83312A3: pdf_encode_string_element (gdevpdte.c:272)
==13445==    by 0x8334A40: process_text_modify_width (gdevpdte.c:1157)
==13445==    by 0x8332D4D: pdf_process_string (gdevpdte.c:699)
==13445==    by 0x8330BE2: pdf_process_string_aux (gdevpdte.c:79)
==13445==    by 0x8335AA8: process_plain_text (gdevpdte.c:1504)
==13445==    by 0x8344EB6: pdf_text_process (gdevpdtt.c:3552)
==13445==  Uninitialised value was created by a stack allocation
==13445==    at 0x843948E: gs_c_name_glyph (gscencs.c:144)
==13445==
==13445== Conditional jump or move depends on uninitialised value(s)
==13445==    at 0x84394CC: gs_c_name_glyph (gscencs.c:147)
==13445==    by 0x8348B60: copy_glyph_name (gxfcopy.c:560)
==13445==    by 0x834AEB2: copy_glyph_type42 (gxfcopy.c:1396)
==13445==    by 0x834D0F9: gs_copy_glyph_options (gxfcopy.c:2265)
==13445==    by 0x832B02B: pdf_base_font_copy_glyph (gdevpdtb.c:428)
==13445==    by 0x832F366: pdf_font_used_glyph (gdevpdtd.c:363)
==13445==    by 0x83312A3: pdf_encode_string_element (gdevpdte.c:272)
==13445==    by 0x8334A40: process_text_modify_width (gdevpdte.c:1157)
==13445==    by 0x8332D4D: pdf_process_string (gdevpdte.c:699)
==13445==    by 0x8330BE2: pdf_process_string_aux (gdevpdte.c:79)
==13445==    by 0x8335AA8: process_plain_text (gdevpdte.c:1504)
==13445==    by 0x8344EB6: pdf_text_process (gdevpdtt.c:3552)
==13445==  Uninitialised value was created by a stack allocation
==13445==    at 0x843948E: gs_c_name_glyph (gscencs.c:144)
==13445==
==13445== Conditional jump or move depends on uninitialised value(s)
==13445==    at 0x40330C5: bcmp (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==13445==    by 0x843949E: gs_c_name_glyph (gscencs.c:144)
==13445==    by 0x8348B60: copy_glyph_name (gxfcopy.c:560)
==13445==    by 0x834AEB2: copy_glyph_type42 (gxfcopy.c:1396)
==13445==    by 0x834D0F9: gs_copy_glyph_options (gxfcopy.c:2265)
==13445==    by 0x832B02B: pdf_base_font_copy_glyph (gdevpdtb.c:428)
==13445==    by 0x832F366: pdf_font_used_glyph (gdevpdtd.c:363)
==13445==    by 0x83312A3: pdf_encode_string_element (gdevpdte.c:272)
==13445==    by 0x8334A40: process_text_modify_width (gdevpdte.c:1157)
==13445==    by 0x8332D4D: pdf_process_string (gdevpdte.c:699)
==13445==    by 0x8330BE2: pdf_process_string_aux (gdevpdte.c:79)
==13445==    by 0x8335AA8: process_plain_text (gdevpdte.c:1504)
==13445==  Uninitialised value was created by a stack allocation
==13445==    at 0x843948E: gs_c_name_glyph (gscencs.c:144)
==13445==
==13445== Conditional jump or move depends on uninitialised value(s)
==13445==    at 0x403310F: bcmp (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==13445==    by 0x843949E: gs_c_name_glyph (gscencs.c:144)
==13445==    by 0x8348B60: copy_glyph_name (gxfcopy.c:560)
==13445==    by 0x834AEB2: copy_glyph_type42 (gxfcopy.c:1396)
==13445==    by 0x834D0F9: gs_copy_glyph_options (gxfcopy.c:2265)
==13445==    by 0x832B02B: pdf_base_font_copy_glyph (gdevpdtb.c:428)
==13445==    by 0x832F366: pdf_font_used_glyph (gdevpdtd.c:363)
==13445==    by 0x83312A3: pdf_encode_string_element (gdevpdte.c:272)
==13445==    by 0x8334A40: process_text_modify_width (gdevpdte.c:1157)
==13445==    by 0x8332D4D: pdf_process_string (gdevpdte.c:699)
==13445==    by 0x8330BE2: pdf_process_string_aux (gdevpdte.c:79)
==13445==    by 0x8335AA8: process_plain_text (gdevpdte.c:1504)
==13445==  Uninitialised value was created by a stack allocation
==13445==    at 0x843948E: gs_c_name_glyph (gscencs.c:144)
==13445==
==13445== Conditional jump or move depends on uninitialised value(s)
==13445==    at 0x40330F4: bcmp (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==13445==    by 0x843949E: gs_c_name_glyph (gscencs.c:144)
==13445==    by 0x8340C9E: pdf_make_text_glyphs_table_unencoded (gdevpdtt.c:1856)
==13445==    by 0x83418D6: pdf_obtain_font_resource_unencoded (gdevpdtt.c:2198)
==13445==    by 0x8335A03: process_plain_text (gdevpdte.c:1476)
==13445==    by 0x8344EB6: pdf_text_process (gdevpdtt.c:3552)
==13445==    by 0x8467A83: gs_text_process (gstext.c:574)
==13445==    by 0x85A60B2: xps_flush_text_buffer (xpsglyphs.c:324)
==13445==    by 0x85A69DB: xps_parse_glyphs_imp (xpsglyphs.c:569)
==13445==    by 0x85A7660: xps_parse_glyphs (xpsglyphs.c:809)
==13445==    by 0x8599AD4: xps_parse_element (xpscommon.c:68)
==13445==    by 0x8598D75: xps_parse_fixed_page (xpspage.c:279)
==13445==  Uninitialised value was created by a stack allocation
==13445==    at 0x843948E: gs_c_name_glyph (gscencs.c:144)
==13445==
==13445== Conditional jump or move depends on uninitialised value(s)
==13445==    at 0x84394A9: gs_c_name_glyph (gscencs.c:145)
==13445==    by 0x8340C9E: pdf_make_text_glyphs_table_unencoded (gdevpdtt.c:1856)
==13445==    by 0x83418D6: pdf_obtain_font_resource_unencoded (gdevpdtt.c:2198)
==13445==    by 0x8335A03: process_plain_text (gdevpdte.c:1476)
==13445==    by 0x8344EB6: pdf_text_process (gdevpdtt.c:3552)
==13445==    by 0x8467A83: gs_text_process (gstext.c:574)
==13445==    by 0x85A60B2: xps_flush_text_buffer (xpsglyphs.c:324)
==13445==    by 0x85A69DB: xps_parse_glyphs_imp (xpsglyphs.c:569)
==13445==    by 0x85A7660: xps_parse_glyphs (xpsglyphs.c:809)
==13445==    by 0x8599AD4: xps_parse_element (xpscommon.c:68)
==13445==    by 0x8598D75: xps_parse_fixed_page (xpspage.c:279)
==13445==    by 0x859607D: xps_read_and_process_page_part (xpszip.c:539)
==13445==  Uninitialised value was created by a stack allocation
==13445==    at 0x843948E: gs_c_name_glyph (gscencs.c:144)
==13445==
==13445== Conditional jump or move depends on uninitialised value(s)
==13445==    at 0x84394CC: gs_c_name_glyph (gscencs.c:147)
==13445==    by 0x8340C9E: pdf_make_text_glyphs_table_unencoded (gdevpdtt.c:1856)
==13445==    by 0x83418D6: pdf_obtain_font_resource_unencoded (gdevpdtt.c:2198)
==13445==    by 0x8335A03: process_plain_text (gdevpdte.c:1476)
==13445==    by 0x8344EB6: pdf_text_process (gdevpdtt.c:3552)
==13445==    by 0x8467A83: gs_text_process (gstext.c:574)
==13445==    by 0x85A60B2: xps_flush_text_buffer (xpsglyphs.c:324)
==13445==    by 0x85A69DB: xps_parse_glyphs_imp (xpsglyphs.c:569)
==13445==    by 0x85A7660: xps_parse_glyphs (xpsglyphs.c:809)
==13445==    by 0x8599AD4: xps_parse_element (xpscommon.c:68)
==13445==    by 0x8598D75: xps_parse_fixed_page (xpspage.c:279)
==13445==    by 0x859607D: xps_read_and_process_page_part (xpszip.c:539)
==13445==  Uninitialised value was created by a stack allocation
==13445==    at 0x843948E: gs_c_name_glyph (gscencs.c:144)
==13445==
==13445== Conditional jump or move depends on uninitialised value(s)
==13445==    at 0x403310F: bcmp (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==13445==    by 0x843949E: gs_c_name_glyph (gscencs.c:144)
==13445==    by 0x8340C9E: pdf_make_text_glyphs_table_unencoded (gdevpdtt.c:1856)
==13445==    by 0x83418D6: pdf_obtain_font_resource_unencoded (gdevpdtt.c:2198)
==13445==    by 0x8335A03: process_plain_text (gdevpdte.c:1476)
==13445==    by 0x8344EB6: pdf_text_process (gdevpdtt.c:3552)
==13445==    by 0x8467A83: gs_text_process (gstext.c:574)
==13445==    by 0x85A60B2: xps_flush_text_buffer (xpsglyphs.c:324)
==13445==    by 0x85A69DB: xps_parse_glyphs_imp (xpsglyphs.c:569)
==13445==    by 0x85A7660: xps_parse_glyphs (xpsglyphs.c:809)
==13445==    by 0x8599AD4: xps_parse_element (xpscommon.c:68)
==13445==    by 0x8598D75: xps_parse_fixed_page (xpspage.c:279)
==13445==  Uninitialised value was created by a stack allocation
==13445==    at 0x843948E: gs_c_name_glyph (gscencs.c:144)
==13445==
==13445== Conditional jump or move depends on uninitialised value(s)
==13445==    at 0x40330C5: bcmp (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==13445==    by 0x843949E: gs_c_name_glyph (gscencs.c:144)
==13445==    by 0x8340C9E: pdf_make_text_glyphs_table_unencoded (gdevpdtt.c:1856)
==13445==    by 0x83418D6: pdf_obtain_font_resource_unencoded (gdevpdtt.c:2198)
==13445==    by 0x8335A03: process_plain_text (gdevpdte.c:1476)
==13445==    by 0x8344EB6: pdf_text_process (gdevpdtt.c:3552)
==13445==    by 0x8467A83: gs_text_process (gstext.c:574)
==13445==    by 0x85A60B2: xps_flush_text_buffer (xpsglyphs.c:324)
==13445==    by 0x85A69DB: xps_parse_glyphs_imp (xpsglyphs.c:569)
==13445==    by 0x85A7660: xps_parse_glyphs (xpsglyphs.c:809)
==13445==    by 0x8599AD4: xps_parse_element (xpscommon.c:68)
==13445==    by 0x8598D75: xps_parse_fixed_page (xpspage.c:279)
==13445==  Uninitialised value was created by a stack allocation
==13445==    at 0x843948E: gs_c_name_glyph (gscencs.c:144)
==13445==
==13445== Invalid read of size 4
==13445==    at 0x80EC5B9: Ins_MDRP (ttinterp.c:3784)
==13445==    by 0x80EE127: RunIns (ttinterp.c:5035)
==13445==    by 0x80EF666: Context_Run (ttobjs.c:457)
==13445==    by 0x80E69AE: ttfOutliner__BuildGlyphOutlineAux (ttfmain.c:827)
==13445==    by 0x80E6C12: ttfOutliner__BuildGlyphOutline (ttfmain.c:874)
==13445==    by 0x80E7A63: ttfOutliner__Outline (ttfmain.c:1033)
==13445==    by 0x80F23E8: gx_ttf_outline (gxttfb.c:787)
==13445==    by 0x80E2666: append_outline_fitted (gstype42.c:1595)
==13445==    by 0x80E1A13: gs_type42_glyph_outline (gstype42.c:991)
==13445==    by 0x844F912: gs_default_glyph_info (gsfont.c:1036)
==13445==    by 0x80E1B7F: gs_type42_glyph_info_by_gid (gstype42.c:1017)
==13445==    by 0x80E1E74: gs_type42_glyph_info (gstype42.c:1088)
==13445==  Address 0x4360f44 is 372 bytes inside a block of size 2,072 free'd
==13445==    at 0x402E358: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==13445==    by 0x845A0FB: gs_heap_free_object (gsmalloc.c:358)
==13445==    by 0x81A1859: gs_lcms2_free (gsicc_lcms2.c:83)
==13445==    by 0x81B6791: _cmsFree (cmserr.c:294)
==13445==    by 0x81B855C: cmsFreeToneCurve (cmsgamma.c:759)
==13445==    by 0x81C5086: CurveSetElemTypeFree (cmslut.c:200)
==13445==    by 0x81C6FAB: cmsStageFree (cmslut.c:1202)
==13445==    by 0x81C74AD: cmsPipelineFree (cmslut.c:1402)
==13445==    by 0x81E9E32: cmsDeleteTransform (cmsxform.c:157)
==13445==    by 0x81DAC1B: BlackPointAsDarkerColorant (cmssamp.c:131)
==13445==    by 0x81DAF25: cmsDetectBlackPoint (cmssamp.c:273)
==13445==    by 0x81DB533: cmsDetectDestinationBlackPoint (cmssamp.c:404)
==13445==  Block was alloc'd at
==13445==    at 0x402D17C: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==13445==    by 0x8459D0D: gs_heap_alloc_bytes (gsmalloc.c:193)
==13445==    by 0x81A1815: gs_lcms2_malloc (gsicc_lcms2.c:62)
==13445==    by 0x81B66C9: _cmsMalloc (cmserr.c:265)
==13445==    by 0x81B63D7: _cmsMallocZeroDefaultFn (cmserr.c:104)
==13445==    by 0x81B66F8: _cmsMallocZero (cmserr.c:272)
==13445==    by 0x81B64B3: _cmsCallocDefaultFn (cmserr.c:158)
==13445==    by 0x81B672A: _cmsCalloc (cmserr.c:279)
==13445==    by 0x81B738A: AllocateToneCurveStruct (cmsgamma.c:255)
==13445==    by 0x81B8730: cmsDupToneCurve (cmsgamma.c:804)
==13445==    by 0x81C5164: CurveSetDup (cmslut.c:226)
==13445==    by 0x81C7088: cmsStageDup (cmslut.c:1254)
==13445==
==13445== Invalid read of size 4
==13445==    at 0x80EC5E7: Ins_MDRP (ttinterp.c:3784)
==13445==    by 0x80EE127: RunIns (ttinterp.c:5035)
==13445==    by 0x80EF666: Context_Run (ttobjs.c:457)
==13445==    by 0x80E69AE: ttfOutliner__BuildGlyphOutlineAux (ttfmain.c:827)
==13445==    by 0x80E6C12: ttfOutliner__BuildGlyphOutline (ttfmain.c:874)
==13445==    by 0x80E7A63: ttfOutliner__Outline (ttfmain.c:1033)
==13445==    by 0x80F23E8: gx_ttf_outline (gxttfb.c:787)
==13445==    by 0x80E2666: append_outline_fitted (gstype42.c:1595)
==13445==    by 0x80E1A13: gs_type42_glyph_outline (gstype42.c:991)
==13445==    by 0x844F912: gs_default_glyph_info (gsfont.c:1036)
==13445==    by 0x80E1B7F: gs_type42_glyph_info_by_gid (gstype42.c:1017)
==13445==    by 0x80E1E74: gs_type42_glyph_info (gstype42.c:1088)
==13445==  Address 0x4360d04 is 92 bytes inside a block of size 144 free'd
==13445==    at 0x402E358: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==13445==    by 0x845A0FB: gs_heap_free_object (gsmalloc.c:358)
==13445==    by 0x81A1859: gs_lcms2_free (gsicc_lcms2.c:83)
==13445==    by 0x81B6791: _cmsFree (cmserr.c:294)
==13445==    by 0x81BB2D1: _cmsFreeInterpParams (cmsintrp.c:171)
==13445==    by 0x81B853D: cmsFreeToneCurve (cmsgamma.c:756)
==13445==    by 0x81C5086: CurveSetElemTypeFree (cmslut.c:200)
==13445==    by 0x81C6FAB: cmsStageFree (cmslut.c:1202)
==13445==    by 0x81C74AD: cmsPipelineFree (cmslut.c:1402)
==13445==    by 0x81E9E32: cmsDeleteTransform (cmsxform.c:157)
==13445==    by 0x81DAC1B: BlackPointAsDarkerColorant (cmssamp.c:131)
==13445==    by 0x81DAF25: cmsDetectBlackPoint (cmssamp.c:273)
==13445==  Block was alloc'd at
==13445==    at 0x402D17C: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==13445==    by 0x8459D0D: gs_heap_alloc_bytes (gsmalloc.c:193)
==13445==    by 0x81A1815: gs_lcms2_malloc (gsicc_lcms2.c:62)
==13445==    by 0x81B66C9: _cmsMalloc (cmserr.c:265)
==13445==    by 0x81B63D7: _cmsMallocZeroDefaultFn (cmserr.c:104)
==13445==    by 0x81B66F8: _cmsMallocZero (cmserr.c:272)
==13445==    by 0x81BB115: _cmsComputeInterpParamsEx (cmsintrp.c:119)
==13445==    by 0x81BB29E: _cmsComputeInterpParams (cmsintrp.c:164)
==13445==    by 0x81B7595: AllocateToneCurveStruct (cmsgamma.c:297)
==13445==    by 0x81B8730: cmsDupToneCurve (cmsgamma.c:804)
==13445==    by 0x81C5164: CurveSetDup (cmslut.c:226)
==13445==    by 0x81C7088: cmsStageDup (cmslut.c:1254)
==13445==
==13445== Invalid read of size 4
==13445==    at 0x80EC75E: Ins_MDRP (ttinterp.c:3827)
==13445==    by 0x80EE127: RunIns (ttinterp.c:5035)
==13445==    by 0x80EF666: Context_Run (ttobjs.c:457)
==13445==    by 0x80E69AE: ttfOutliner__BuildGlyphOutlineAux (ttfmain.c:827)
==13445==    by 0x80E6C12: ttfOutliner__BuildGlyphOutline (ttfmain.c:874)
==13445==    by 0x80E7A63: ttfOutliner__Outline (ttfmain.c:1033)
==13445==    by 0x80F23E8: gx_ttf_outline (gxttfb.c:787)
==13445==    by 0x80E2666: append_outline_fitted (gstype42.c:1595)
==13445==    by 0x80E1A13: gs_type42_glyph_outline (gstype42.c:991)
==13445==    by 0x844F912: gs_default_glyph_info (gsfont.c:1036)
==13445==    by 0x80E1B7F: gs_type42_glyph_info_by_gid (gstype42.c:1017)
==13445==    by 0x80E1E74: gs_type42_glyph_info (gstype42.c:1088)
==13445==  Address 0x4361184 is 948 bytes inside a block of size 2,072 free'd
==13445==    at 0x402E358: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==13445==    by 0x845A0FB: gs_heap_free_object (gsmalloc.c:358)
==13445==    by 0x81A1859: gs_lcms2_free (gsicc_lcms2.c:83)
==13445==    by 0x81B6791: _cmsFree (cmserr.c:294)
==13445==    by 0x81B855C: cmsFreeToneCurve (cmsgamma.c:759)
==13445==    by 0x81C5086: CurveSetElemTypeFree (cmslut.c:200)
==13445==    by 0x81C6FAB: cmsStageFree (cmslut.c:1202)
==13445==    by 0x81C74AD: cmsPipelineFree (cmslut.c:1402)
==13445==    by 0x81E9E32: cmsDeleteTransform (cmsxform.c:157)
==13445==    by 0x81DAC1B: BlackPointAsDarkerColorant (cmssamp.c:131)
==13445==    by 0x81DAF25: cmsDetectBlackPoint (cmssamp.c:273)
==13445==    by 0x81DB533: cmsDetectDestinationBlackPoint (cmssamp.c:404)
==13445==  Block was alloc'd at
==13445==    at 0x402D17C: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==13445==    by 0x8459D0D: gs_heap_alloc_bytes (gsmalloc.c:193)
==13445==    by 0x81A1815: gs_lcms2_malloc (gsicc_lcms2.c:62)
==13445==    by 0x81B66C9: _cmsMalloc (cmserr.c:265)
==13445==    by 0x81B63D7: _cmsMallocZeroDefaultFn (cmserr.c:104)
==13445==    by 0x81B66F8: _cmsMallocZero (cmserr.c:272)
==13445==    by 0x81B64B3: _cmsCallocDefaultFn (cmserr.c:158)
==13445==    by 0x81B672A: _cmsCalloc (cmserr.c:279)
==13445==    by 0x81B738A: AllocateToneCurveStruct (cmsgamma.c:255)
==13445==    by 0x81B8730: cmsDupToneCurve (cmsgamma.c:804)
==13445==    by 0x81C5164: CurveSetDup (cmslut.c:226)
==13445==    by 0x81C7088: cmsStageDup (cmslut.c:1254)
==13445==
==13445==
==13445== HEAP SUMMARY:
==13445==     in use at exit: 0 bytes in 0 blocks
==13445==   total heap usage: 749 allocs, 749 frees, 2,015,383 bytes allocated
==13445==
==13445== All heap blocks were freed -- no leaks are possible
==13445==
==13445== For counts of detected and suppressed errors, rerun with: -v
==13445== ERROR SUMMARY: 201 errors from 13 contexts (suppressed: 0 from 0)
------------------
ASan:OUT
=================================================================
==21375==ERROR: AddressSanitizer: heap-use-after-free on address 0xb4c9453c at pc 0x08191d31 bp 0xbfaf6b88 sp 0xbfaf6b78
READ of size 4 at 0xb4c9453c thread T0
    #0 0x8191d30 in Ins_MDRP base/ttinterp.c:3784
    #1 0x8198e8e in RunIns base/ttinterp.c:5035
    #2 0x819e7a5 in Context_Run base/ttobjs.c:457
    #3 0x817aa32 in ttfOutliner__BuildGlyphOutlineAux base/ttfmain.c:827
    #4 0x817afef in ttfOutliner__BuildGlyphOutline base/ttfmain.c:874
    #5 0x817d568 in ttfOutliner__Outline base/ttfmain.c:1033
    #6 0x81a8c29 in gx_ttf_outline base/gxttfb.c:787
    #7 0x816e1fa in append_outline_fitted base/gstype42.c:1595
    #8 0x816bb66 in gs_type42_glyph_outline base/gstype42.c:991
    #9 0x8ba4a25 in gs_default_glyph_info base/gsfont.c:1036
    #10 0x816c004 in gs_type42_glyph_info_by_gid base/gstype42.c:1017
    #11 0x816c82e in gs_type42_glyph_info base/gstype42.c:1088
    #12 0x8870b4a in pdf_compute_font_descriptor devices/vector/gdevpdtd.c:457
    #13 0x8871ed8 in pdf_finish_FontDescriptor devices/vector/gdevpdtd.c:636
    #14 0x88bcedd in pdf_finish_resources devices/vector/gdevpdtw.c:677
    #15 0x877d771 in do_pdf_close devices/vector/gdevpdf.c:2569
    #16 0x87844ce in pdf_close devices/vector/gdevpdf.c:3281
    #17 0x8b83b4b in gs_closedevice base/gsdevice.c:720
    #18 0x911ecd8 in pl_main_universe_dnit pcl/pl/plmain.c:557
    #19 0x911e426 in pl_main_delete_instance pcl/pl/plmain.c:436
    #20 0x8f8bd14 in plapi_delete_instance pcl/pl/plapi.c:89
    #21 0x911d2cf in main pcl/pl/realmain.c:50
    #22 0xb6fdc636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
    #23 0x8099f90  (/home/karas/gwanyeong/ghostpdl/bin/gxps+0x8099f90)

0xb4c9453c is located 32060 bytes inside of 65576-byte region [0xb4c8c800,0xb4c9c828)
freed by thread T0 here:
    #0 0xb7287a84 in free (/usr/lib/i386-linux-gnu/libasan.so.2+0x96a84)
    #1 0x8bc86fe in gs_heap_free_object base/gsmalloc.c:358
    #2 0x865509b in chunk_free_object base/gsmchunk.c:1092
    #3 0x8665389 in s_zlib_free base/szlibc.c:110
    #4 0x82e4cb0 in deflateEnd zlib/deflate.c:1000
    #5 0x8665f37 in s_zlibE_release base/szlibe.c:88
    #6 0x86215a4 in sclose base/stream.c:434
    #7 0x88113de in stream_to_none devices/vector/gdevpdfu.c:1092
    #8 0x881179a in pdf_open_contents devices/vector/gdevpdfu.c:1118
    #9 0x8811990 in pdf_close_contents devices/vector/gdevpdfu.c:1142
    #10 0x876a0ff in pdf_close_page devices/vector/gdevpdf.c:973
    #11 0x876e1ef in pdf_output_page devices/vector/gdevpdf.c:1395
    #12 0x8b8043f in gs_output_page base/gsdevice.c:210
    #13 0x912486f in pl_finish_page pcl/pl/plmain.c:1488
    #14 0x809c204 in xps_show_page xps/xpstop.c:428
    #15 0x8fc001d in xps_parse_fixed_page xps/xpspage.c:306
    #16 0x8fb951a in xps_read_and_process_page_part xps/xpszip.c:539
    #17 0x8fba16d in xps_process_file xps/xpszip.c:688
    #18 0x809b252 in xps_imp_process_file xps/xpstop.c:228
    #19 0x8f8ac0b in pl_process_file pcl/pl/pltop.c:70
    #20 0x911e117 in pl_main_run_file pcl/pl/plmain.c:377
    #21 0x91236f1 in pl_main_process_options pcl/pl/plmain.c:1313
    #22 0x911d92a in pl_main_init_with_args pcl/pl/plmain.c:262
    #23 0x8f8bbce in plapi_init_with_args pcl/pl/plapi.c:58
    #24 0x911d206 in main pcl/pl/realmain.c:34
    #25 0xb6fdc636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)

previously allocated by thread T0 here:
    #0 0xb7287dee in malloc (/usr/lib/i386-linux-gnu/libasan.so.2+0x96dee)
    #1 0x8bc7a55 in gs_heap_alloc_bytes base/gsmalloc.c:193
    #2 0x8653afb in chunk_obj_alloc base/gsmchunk.c:789
    #3 0x86549d2 in chunk_alloc_bytes base/gsmchunk.c:977
    #4 0x8654a9d in chunk_alloc_byte_array_immovable base/gsmchunk.c:998
    #5 0x8665032 in s_zlib_alloc base/szlibc.c:87
    #6 0x82dd804 in deflateInit2_ zlib/deflate.c:294
    #7 0x8665924 in s_zlibE_init base/szlibe.c:31
    #8 0x88109bb in none_to_stream devices/vector/gdevpdfu.c:996
    #9 0x881179a in pdf_open_contents devices/vector/gdevpdfu.c:1118
    #10 0x8815c32 in pdf_open_page devices/vector/gdevpdfu.c:1877
    #11 0x889fa66 in pdf_prepare_text_drawing devices/vector/gdevpdtt.c:417
    #12 0x88b5065 in pdf_text_process devices/vector/gdevpdtt.c:3112
    #13 0x8bf81ca in gs_text_process base/gstext.c:574
    #14 0x8fdf2fa in xps_flush_text_buffer xps/xpsglyphs.c:324
    #15 0x8fe07cc in xps_parse_glyphs_imp xps/xpsglyphs.c:569
    #16 0x8fe1ad1 in xps_parse_glyphs xps/xpsglyphs.c:809
    #17 0x8fc18cf in xps_parse_element xps/xpscommon.c:68
    #18 0x8fbfcf4 in xps_parse_fixed_page xps/xpspage.c:279
    #19 0x8fb951a in xps_read_and_process_page_part xps/xpszip.c:539
    #20 0x8fba16d in xps_process_file xps/xpszip.c:688
    #21 0x809b252 in xps_imp_process_file xps/xpstop.c:228
    #22 0x8f8ac0b in pl_process_file pcl/pl/pltop.c:70
    #23 0x911e117 in pl_main_run_file pcl/pl/plmain.c:377
    #24 0x91236f1 in pl_main_process_options pcl/pl/plmain.c:1313
    #25 0x911d92a in pl_main_init_with_args pcl/pl/plmain.c:262
    #26 0x8f8bbce in plapi_init_with_args pcl/pl/plapi.c:58
    #27 0x911d206 in main pcl/pl/realmain.c:34
    #28 0xb6fdc636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)

SUMMARY: AddressSanitizer: heap-use-after-free base/ttinterp.c:3784 Ins_MDRP
Shadow bytes around the buggy address:
  0x36992850: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x36992860: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x36992870: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x36992880: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x36992890: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x369928a0: fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd
  0x369928b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x369928c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x369928d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x369928e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x369928f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==21375==ABORTING
Comment 1 Chris Liddell (chrisl) 2017-06-15 07:05:27 UTC 
Fixed:
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=7755e671