Bug 697179 - double free with .setdevice
Summary: double free with .setdevice
Status: RESOLVED FIXED
Alias: None
Product: Ghostscript
Classification: Unclassified
Component: General
Version: 9.20
Hardware: PC Linux
Importance: P4 normal
Assignee: Chris Liddell (chrisl)
QA Contact: Bug traffic
Reported: 2016-09-30 18:24 UTC by Tavis Ormandy
Modified: 2019-07-22 07:12 UTC

Description Tavis Ormandy 2016-09-30 18:24:03 UTC
This causes a double free and memory corruption for me in 9.20, even with -dSAFER:

$ gs -sDEVICE=pngalpha  -dSAFER
GPL Ghostscript 9.20 (2016-09-26)
Copyright (C) 2016 Artifex Software, Inc.  All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
GS>{ currentdevice false .copydevice2 .setdevice } stopped { showpage } if
Segmentation fault (core dumped)

This is most likely a security issue.
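A regression check a maintainer or packager can run to confirm that an installed Ghostscript no longer crashes on the PostScript line from this report. This is an added example and not part of the bug report or of the Ghostscript project; it assumes a `gs` binary on PATH (and reports "skipped" if there is none), feeds the report's one-line program to it non-interactively, and classifies the exit status: a process killed by a signal yields 128+signo in the shell (139 for SIGSEGV, 134 for a glibc abort), a clean run yields 0, and any other code is an ordinary interpreter error, which is the acceptable outcome on builds where the operation is rejected.

```shell
#!/bin/sh
# Regression check for Bug 697179 (added example, not from the bug report).
# Runs the report's PoC line under the installed gs and reports "crash",
# "ok", "error" or "skipped" (no gs on PATH).

POC='{ currentdevice false .copydevice2 .setdevice } stopped { showpage } if'

# Map a shell exit status to a verdict.
#   >= 128 : the interpreter was killed by a signal (139 = SIGSEGV,
#            134 = SIGABRT, e.g. glibc's double-free detection) -> crash
#   0      : clean exit                                          -> ok
#   other  : a normal gs error exit                              -> error
classify_status() {
    if [ "$1" -ge 128 ]; then
        echo crash
    elif [ "$1" -eq 0 ]; then
        echo ok
    else
        echo error
    fi
}

# Run the PoC against the installed gs and print the verdict.
check_gs_setdevice() {
    command -v gs >/dev/null 2>&1 || { echo skipped; return 0; }
    status=0
    # -dBATCH/-dNOPAUSE make gs exit at end of input instead of sitting at
    # the GS> prompt; '-' reads the program from stdin; page output and
    # diagnostics are discarded, only the exit status matters here.
    printf '%s\n' "$POC" | gs -q -dSAFER -dBATCH -dNOPAUSE -sDEVICE=pngalpha \
        -sOutputFile=/dev/null - >/dev/null 2>&1 || status=$?
    classify_status "$status"
}

# Stand-alone use: print the verdict and fail the script only on a crash.
if [ "${0##*/}" = "check_setdevice.sh" ]; then
    verdict=$(check_gs_setdevice)
    echo "gs .setdevice check: $verdict"
    [ "$verdict" != crash ]
fi
```

Save the script as `check_setdevice.sh` to have it print the verdict and return a non-zero status only when gs is killed by a signal; "error" is expected on current builds, where the operators used by the PoC are not exposed to ordinary PostScript under -dSAFER.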
Comment 1 Chris Liddell (chrisl) 2016-10-01 04:08:52 UTC
I see the problem, and I have a solution, but I need to make sure it doesn't introduce a memory leak.
Comment 2 Chris Liddell (chrisl) 2016-10-05 08:48:39 UTC
Fixed in:
http://git.ghostscript.com/?p=user/chrisl/ghostpdl.git;a=commitdiff;h=d5ad1e02
Comment 4 Chris Liddell (chrisl) 2017-06-08 02:03:50 UTC
Probably better using the "central" repo:

http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=6f749c0c44e