Bug 698063

Summary: heap-buffer-overflow in Ins_JMPR(base/ttinterp.c)
Product: GhostXPS Reporter: Kim Gwan Yeong <gy741.kim>
Component: GeneralAssignee: Chris Liddell (chrisl) <chris.liddell>
Status: RESOLVED FIXED    
Severity: normal    
Priority: P4    
Version: unspecified   
Hardware: PC   
OS: Linux   
Customer: Word Size: ---
Attachments: PoC

Description Kim Gwan Yeong 2017-06-15 15:37:09 UTC 
Created attachment 13798 [details]
PoC

Hi.

I found a crashing test case.

Crash does not occur in the no-ASan environment.

Memory corruption occur in the ASan environment or in Valgrind.

Please confirm.

Thanks.

Version 9.22 and Git Head: 937ccd17ac65935633b2ebc06cb7089b91e17e6b
OS: Ubuntu 16.04.2 32bit
Command: ./gxps -sDEVICE=pdfwrite -sOutputFile=/dev/null -dNOPAUSE $FILE


Valgrind:OUT
------------------
==27941== Conditional jump or move depends on uninitialised value(s)
==27941==    at 0x40330C5: bcmp (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==27941==    by 0x82C142F: copy_glyph_name (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82C1E02: copy_glyph_type42 (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82C34A8: gs_copy_glyph_options (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82AF861: pdf_encode_string_element (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82B0404: process_text_modify_width (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82B0CED: pdf_process_string (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82B26EA: process_plain_text (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82BDE98: pdf_text_process (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8490A8B: xps_flush_text_buffer.isra.2 (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x849173B: xps_parse_glyphs_imp (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8492113: xps_parse_glyphs (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==
==27941== Conditional jump or move depends on uninitialised value(s)
==27941==    at 0x40330F4: bcmp (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==27941==    by 0x82C142F: copy_glyph_name (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82C1E02: copy_glyph_type42 (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82C34A8: gs_copy_glyph_options (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82AF861: pdf_encode_string_element (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82B0404: process_text_modify_width (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82B0CED: pdf_process_string (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82B26EA: process_plain_text (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82BDE98: pdf_text_process (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8490A8B: xps_flush_text_buffer.isra.2 (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x849173B: xps_parse_glyphs_imp (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8492113: xps_parse_glyphs (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==
==27941== Conditional jump or move depends on uninitialised value(s)
==27941==    at 0x82C1435: copy_glyph_name (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82C1E02: copy_glyph_type42 (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82C34A8: gs_copy_glyph_options (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82AF861: pdf_encode_string_element (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82B0404: process_text_modify_width (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82B0CED: pdf_process_string (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82B26EA: process_plain_text (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82BDE98: pdf_text_process (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8490A8B: xps_flush_text_buffer.isra.2 (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x849173B: xps_parse_glyphs_imp (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8492113: xps_parse_glyphs (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x84868B0: xps_parse_fixed_page (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==
==27941== Conditional jump or move depends on uninitialised value(s)
==27941==    at 0x40330F4: bcmp (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==27941==    by 0x83786F9: gs_c_name_glyph (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82ADF24: pdf_compute_font_descriptor (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82AE739: pdf_finish_FontDescriptor (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82BF7E6: pdf_finish_resources (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8268E96: do_pdf_close (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x826D7C8: pdf_close (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8380DAC: gs_closedevice.part.3 (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x84D1665: pl_main_universe_dnit (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x84D16C7: pl_main_delete_instance (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x847689C: plapi_delete_instance (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x809DB88: main (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==
==27941== Conditional jump or move depends on uninitialised value(s)
==27941==    at 0x8378700: gs_c_name_glyph (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82ADF24: pdf_compute_font_descriptor (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82AE739: pdf_finish_FontDescriptor (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82BF7E6: pdf_finish_resources (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8268E96: do_pdf_close (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x826D7C8: pdf_close (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8380DAC: gs_closedevice.part.3 (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x84D1665: pl_main_universe_dnit (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x84D16C7: pl_main_delete_instance (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x847689C: plapi_delete_instance (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x809DB88: main (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==
==27941== Conditional jump or move depends on uninitialised value(s)
==27941==    at 0x8378702: gs_c_name_glyph (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82ADF24: pdf_compute_font_descriptor (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82AE739: pdf_finish_FontDescriptor (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82BF7E6: pdf_finish_resources (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8268E96: do_pdf_close (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x826D7C8: pdf_close (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8380DAC: gs_closedevice.part.3 (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x84D1665: pl_main_universe_dnit (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x84D16C7: pl_main_delete_instance (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x847689C: plapi_delete_instance (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x809DB88: main (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==
==27941== Conditional jump or move depends on uninitialised value(s)
==27941==    at 0x403310F: bcmp (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==27941==    by 0x83786F9: gs_c_name_glyph (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82ADF24: pdf_compute_font_descriptor (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82AE739: pdf_finish_FontDescriptor (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82BF7E6: pdf_finish_resources (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8268E96: do_pdf_close (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x826D7C8: pdf_close (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8380DAC: gs_closedevice.part.3 (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x84D1665: pl_main_universe_dnit (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x84D16C7: pl_main_delete_instance (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x847689C: plapi_delete_instance (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x809DB88: main (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==
==27941== Conditional jump or move depends on uninitialised value(s)
==27941==    at 0x40330F4: bcmp (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==27941==    by 0x8389AD2: gs_font_glyph_is_notdef.part.1 (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82AE084: pdf_compute_font_descriptor (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82AE739: pdf_finish_FontDescriptor (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82BF7E6: pdf_finish_resources (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8268E96: do_pdf_close (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x826D7C8: pdf_close (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8380DAC: gs_closedevice.part.3 (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x84D1665: pl_main_universe_dnit (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x84D16C7: pl_main_delete_instance (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x847689C: plapi_delete_instance (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x809DB88: main (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==
==27941== Conditional jump or move depends on uninitialised value(s)
==27941==    at 0x82AE08A: pdf_compute_font_descriptor (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82AE739: pdf_finish_FontDescriptor (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82BF7E6: pdf_finish_resources (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8268E96: do_pdf_close (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x826D7C8: pdf_close (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8380DAC: gs_closedevice.part.3 (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x84D1665: pl_main_universe_dnit (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x84D16C7: pl_main_delete_instance (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x847689C: plapi_delete_instance (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x809DB88: main (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==
==27941== Invalid read of size 1
==27941==    at 0x80DF74F: Ins_JMPR (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x80E3770: RunIns (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x80E4873: Context_Run (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x80DD52B: ttfOutliner__BuildGlyphOutlineAux (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x80DEA2F: ttfOutliner__Outline (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x80E6C77: gx_ttf_outline (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x80DB1CD: gs_type42_glyph_outline (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8389759: gs_default_glyph_info (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x80DB378: gs_type42_glyph_info_by_gid (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x80DB6A0: gs_type42_glyph_info (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82ADD33: pdf_compute_font_descriptor (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82AE739: pdf_finish_FontDescriptor (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==  Address 0x43e0bb9 is 56,977 bytes inside a block of size 65,576 free'd
==27941==    at 0x402E358: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==27941==    by 0x8224E57: s_zlib_free (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8133418: deflateEnd (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8224FF3: s_zlibE_release (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8214BC2: sclose (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82936F8: stream_to_none (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8294350: pdf_close_contents (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82688CD: pdf_close_page (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x826EB08: pdf_output_page (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8381052: gs_output_page (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x84D3461: pl_finish_page (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x809E5AF: xps_show_page (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==  Block was alloc'd at
==27941==    at 0x402D17C: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==27941==    by 0x8392730: gs_heap_alloc_bytes (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8221F3A: chunk_obj_alloc (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8224DCE: s_zlib_alloc (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8133653: deflateInit2_ (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8225150: s_zlibE_init (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82941B1: none_to_stream (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82956E9: pdf_open_page (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82BDF69: pdf_text_process (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8490A8B: xps_flush_text_buffer.isra.2 (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x849173B: xps_parse_glyphs_imp (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8492113: xps_parse_glyphs (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==
==27941== Invalid read of size 1
==27941==    at 0x80DF755: Ins_JMPR (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x80E3770: RunIns (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x80E4873: Context_Run (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x80DD52B: ttfOutliner__BuildGlyphOutlineAux (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x80DEA2F: ttfOutliner__Outline (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x80E6C77: gx_ttf_outline (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x80DB1CD: gs_type42_glyph_outline (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8389759: gs_default_glyph_info (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x80DB378: gs_type42_glyph_info_by_gid (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x80DB6A0: gs_type42_glyph_info (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82ADD33: pdf_compute_font_descriptor (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82AE739: pdf_finish_FontDescriptor (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==  Address 0x43e0bb8 is 56,976 bytes inside a block of size 65,576 free'd
==27941==    at 0x402E358: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==27941==    by 0x8224E57: s_zlib_free (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8133418: deflateEnd (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8224FF3: s_zlibE_release (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8214BC2: sclose (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82936F8: stream_to_none (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8294350: pdf_close_contents (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82688CD: pdf_close_page (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x826EB08: pdf_output_page (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8381052: gs_output_page (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x84D3461: pl_finish_page (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x809E5AF: xps_show_page (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==  Block was alloc'd at
==27941==    at 0x402D17C: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==27941==    by 0x8392730: gs_heap_alloc_bytes (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8221F3A: chunk_obj_alloc (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8224DCE: s_zlib_alloc (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8133653: deflateInit2_ (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8225150: s_zlibE_init (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82941B1: none_to_stream (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82956E9: pdf_open_page (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82BDF69: pdf_text_process (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8490A8B: xps_flush_text_buffer.isra.2 (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x849173B: xps_parse_glyphs_imp (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8492113: xps_parse_glyphs (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==
==27941== Invalid read of size 1
==27941==    at 0x80DF178: Calc_Length (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x80E36EA: RunIns (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x80E4873: Context_Run (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x80DD52B: ttfOutliner__BuildGlyphOutlineAux (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x80DEA2F: ttfOutliner__Outline (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x80E6C77: gx_ttf_outline (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x80DB1CD: gs_type42_glyph_outline (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8389759: gs_default_glyph_info (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x80DB378: gs_type42_glyph_info_by_gid (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x80DB6A0: gs_type42_glyph_info (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82ADD33: pdf_compute_font_descriptor (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82AE739: pdf_finish_FontDescriptor (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==  Address 0x43e0bb9 is 56,977 bytes inside a block of size 65,576 free'd
==27941==    at 0x402E358: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==27941==    by 0x8224E57: s_zlib_free (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8133418: deflateEnd (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8224FF3: s_zlibE_release (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8214BC2: sclose (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82936F8: stream_to_none (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8294350: pdf_close_contents (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82688CD: pdf_close_page (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x826EB08: pdf_output_page (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8381052: gs_output_page (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x84D3461: pl_finish_page (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x809E5AF: xps_show_page (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==  Block was alloc'd at
==27941==    at 0x402D17C: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==27941==    by 0x8392730: gs_heap_alloc_bytes (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8221F3A: chunk_obj_alloc (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8224DCE: s_zlib_alloc (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8133653: deflateInit2_ (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8225150: s_zlibE_init (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82941B1: none_to_stream (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82956E9: pdf_open_page (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82BDF69: pdf_text_process (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8490A8B: xps_flush_text_buffer.isra.2 (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x849173B: xps_parse_glyphs_imp (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8492113: xps_parse_glyphs (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==
==27941== Conditional jump or move depends on uninitialised value(s)
==27941==    at 0x40330C5: bcmp (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==27941==    by 0x82C445D: copied_drop_extension_glyphs (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82AAFE0: pdf_write_embedded_font (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82AE77A: pdf_finish_FontDescriptor (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82BF7E6: pdf_finish_resources (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8268E96: do_pdf_close (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x826D7C8: pdf_close (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8380DAC: gs_closedevice.part.3 (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x84D1665: pl_main_universe_dnit (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x84D16C7: pl_main_delete_instance (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x847689C: plapi_delete_instance (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x809DB88: main (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==
==27941== Conditional jump or move depends on uninitialised value(s)
==27941==    at 0x40330F4: bcmp (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==27941==    by 0x82C445D: copied_drop_extension_glyphs (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82AAFE0: pdf_write_embedded_font (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82AE77A: pdf_finish_FontDescriptor (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82BF7E6: pdf_finish_resources (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8268E96: do_pdf_close (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x826D7C8: pdf_close (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8380DAC: gs_closedevice.part.3 (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x84D1665: pl_main_universe_dnit (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x84D16C7: pl_main_delete_instance (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x847689C: plapi_delete_instance (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x809DB88: main (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==
==27941== Conditional jump or move depends on uninitialised value(s)
==27941==    at 0x82C4463: copied_drop_extension_glyphs (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82AAFE0: pdf_write_embedded_font (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82AE77A: pdf_finish_FontDescriptor (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82BF7E6: pdf_finish_resources (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8268E96: do_pdf_close (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x826D7C8: pdf_close (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8380DAC: gs_closedevice.part.3 (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x84D1665: pl_main_universe_dnit (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x84D16C7: pl_main_delete_instance (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x847689C: plapi_delete_instance (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x809DB88: main (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
--------------
ASan:OUT
=================================================================
==16317==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb4cc6639 at pc 0x08185506 bp 0xbf9bf368 sp 0xbf9bf358
READ of size 1 at 0xb4cc6639 thread T0
    #0 0x8185505 in Ins_JMPR base/ttinterp.c:1801
    #1 0x8198f27 in RunIns base/ttinterp.c:5036
    #2 0x819e83e in Context_Run base/ttobjs.c:457
    #3 0x817aa32 in ttfOutliner__BuildGlyphOutlineAux base/ttfmain.c:827
    #4 0x817afef in ttfOutliner__BuildGlyphOutline base/ttfmain.c:874
    #5 0x817d568 in ttfOutliner__Outline base/ttfmain.c:1033
    #6 0x81a8cdc in gx_ttf_outline base/gxttfb.c:788
    #7 0x816e1fa in append_outline_fitted base/gstype42.c:1595
    #8 0x816bb66 in gs_type42_glyph_outline base/gstype42.c:991
    #9 0x8ba4ad8 in gs_default_glyph_info base/gsfont.c:1036
    #10 0x816c004 in gs_type42_glyph_info_by_gid base/gstype42.c:1017
    #11 0x816c82e in gs_type42_glyph_info base/gstype42.c:1088
    #12 0x8870bfd in pdf_compute_font_descriptor devices/vector/gdevpdtd.c:457
    #13 0x8871f8b in pdf_finish_FontDescriptor devices/vector/gdevpdtd.c:636
    #14 0x88bcf90 in pdf_finish_resources devices/vector/gdevpdtw.c:677
    #15 0x877d824 in do_pdf_close devices/vector/gdevpdf.c:2569
    #16 0x8784581 in pdf_close devices/vector/gdevpdf.c:3281
    #17 0x8b83bfe in gs_closedevice base/gsdevice.c:720
    #18 0x911ed8b in pl_main_universe_dnit pcl/pl/plmain.c:557
    #19 0x911e4d9 in pl_main_delete_instance pcl/pl/plmain.c:436
    #20 0x8f8bdc7 in plapi_delete_instance pcl/pl/plapi.c:89
    #21 0x911d382 in main pcl/pl/realmain.c:50
    #22 0xb7013636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
    #23 0x8099f90  (/home/karas/gwanyeong/update-06-14-ghostpdl/ghostpdl/bin/gxps+0x8099f90)

0xb4cc6639 is located 7697 bytes to the right of 65576-byte region [0xb4cb4800,0xb4cc4828)
freed by thread T0 here:
    #0 0xb72bea84 in free (/usr/lib/i386-linux-gnu/libasan.so.2+0x96a84)
    #1 0x8bc87b1 in gs_heap_free_object base/gsmalloc.c:358
    #2 0x865514e in chunk_free_object base/gsmchunk.c:1092
    #3 0x866543c in s_zlib_free base/szlibc.c:110
    #4 0x82e4ae1 in deflateEnd zlib/deflate.c:998
    #5 0x8665fea in s_zlibE_release base/szlibe.c:88
    #6 0x8621657 in sclose base/stream.c:434
    #7 0x8811491 in stream_to_none devices/vector/gdevpdfu.c:1092
    #8 0x881184d in pdf_open_contents devices/vector/gdevpdfu.c:1118
    #9 0x8811a43 in pdf_close_contents devices/vector/gdevpdfu.c:1142
    #10 0x876a1b2 in pdf_close_page devices/vector/gdevpdf.c:973
    #11 0x876e2a2 in pdf_output_page devices/vector/gdevpdf.c:1395
    #12 0x8b804f2 in gs_output_page base/gsdevice.c:210
    #13 0x9124922 in pl_finish_page pcl/pl/plmain.c:1488
    #14 0x809c204 in xps_show_page xps/xpstop.c:428
    #15 0x8fc00d0 in xps_parse_fixed_page xps/xpspage.c:306
    #16 0x8fb95cd in xps_read_and_process_page_part xps/xpszip.c:539
    #17 0x8fba220 in xps_process_file xps/xpszip.c:688
    #18 0x809b252 in xps_imp_process_file xps/xpstop.c:228
    #19 0x8f8acbe in pl_process_file pcl/pl/pltop.c:70
    #20 0x911e1ca in pl_main_run_file pcl/pl/plmain.c:377
    #21 0x91237a4 in pl_main_process_options pcl/pl/plmain.c:1313
    #22 0x911d9dd in pl_main_init_with_args pcl/pl/plmain.c:262
    #23 0x8f8bc81 in plapi_init_with_args pcl/pl/plapi.c:58
    #24 0x911d2b9 in main pcl/pl/realmain.c:34
    #25 0xb7013636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)

previously allocated by thread T0 here:
    #0 0xb72bedee in malloc (/usr/lib/i386-linux-gnu/libasan.so.2+0x96dee)
    #1 0x8bc7b08 in gs_heap_alloc_bytes base/gsmalloc.c:193
    #2 0x8653bae in chunk_obj_alloc base/gsmchunk.c:789
    #3 0x8654a85 in chunk_alloc_bytes base/gsmchunk.c:977
    #4 0x8654b50 in chunk_alloc_byte_array_immovable base/gsmchunk.c:998
    #5 0x86650e5 in s_zlib_alloc base/szlibc.c:87
    #6 0x82ddb1c in deflateInit2_ zlib/deflate.c:301
    #7 0x86659d7 in s_zlibE_init base/szlibe.c:31
    #8 0x8810a6e in none_to_stream devices/vector/gdevpdfu.c:996
    #9 0x881184d in pdf_open_contents devices/vector/gdevpdfu.c:1118
    #10 0x8815ce5 in pdf_open_page devices/vector/gdevpdfu.c:1877
    #11 0x889fb19 in pdf_prepare_text_drawing devices/vector/gdevpdtt.c:417
    #12 0x88b5118 in pdf_text_process devices/vector/gdevpdtt.c:3112
    #13 0x8bf827d in gs_text_process base/gstext.c:574
    #14 0x8fdf3ad in xps_flush_text_buffer xps/xpsglyphs.c:324
    #15 0x8fe087f in xps_parse_glyphs_imp xps/xpsglyphs.c:569
    #16 0x8fe1b84 in xps_parse_glyphs xps/xpsglyphs.c:809
    #17 0x8fc1982 in xps_parse_element xps/xpscommon.c:68
    #18 0x8fbfda7 in xps_parse_fixed_page xps/xpspage.c:279
    #19 0x8fb95cd in xps_read_and_process_page_part xps/xpszip.c:539
    #20 0x8fba220 in xps_process_file xps/xpszip.c:688
    #21 0x809b252 in xps_imp_process_file xps/xpstop.c:228
    #22 0x8f8acbe in pl_process_file pcl/pl/pltop.c:70
    #23 0x911e1ca in pl_main_run_file pcl/pl/plmain.c:377
    #24 0x91237a4 in pl_main_process_options pcl/pl/plmain.c:1313
    #25 0x911d9dd in pl_main_init_with_args pcl/pl/plmain.c:262
    #26 0x8f8bc81 in plapi_init_with_args pcl/pl/plapi.c:58
    #27 0x911d2b9 in main pcl/pl/realmain.c:34
    #28 0xb7013636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)

SUMMARY: AddressSanitizer: heap-buffer-overflow base/ttinterp.c:1801 Ins_JMPR
Shadow bytes around the buggy address:
  0x36998c70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36998c80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36998c90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36998ca0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36998cb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x36998cc0: fa fa fa fa fa fa fa[fa]fa fa fa fa fa fa fa fa
  0x36998cd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36998ce0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36998cf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36998d00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36998d10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==16317==ABORTING
Comment 1 Chris Liddell (chrisl) 2017-06-16 07:17:12 UTC 
Fixed:
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=c501a58f
Comment 2 Kim Gwan Yeong 2017-06-18 18:55:24 UTC 
This was assigned CVE-2017-9739