697179 – double free with .setdevice

Bug 697179 - double free with .setdevice

Summary: double free with .setdevice

Status:	RESOLVED FIXED

Alias:	None

Product:	Ghostscript
Classification:	Unclassified
Component:	General (show other bugs)
Version:	9.20
Hardware:	PC Linux

Importance:	P4 normal
Assignee:	Chris Liddell (chrisl)

URL:
Keywords:

Depends on:
Blocks:

Reported:	2016-09-30 18:24 UTC by Tavis Ormandy
Modified:	2019-07-22 07:12 UTC (History)
CC List:	4 users (show)

See Also:
Customer:
Word Size:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Tavis Ormandy 2016-09-30 18:24:03 UTC

This causes a double free and memory corruption for me in 9.20, even with -dSAFER:

$ gs -sDEVICE=pngalpha  -dSAFER
GPL Ghostscript 9.20 (2016-09-26)
Copyright (C) 2016 Artifex Software, Inc.  All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
GS>{ currentdevice false .copydevice2 .setdevice } stopped { showpage } if
Segmentation fault (core dumped)

This is most likely a security issue.

Comment 1 Chris Liddell (chrisl) 2016-10-01 04:08:52 UTC

I see the problem, and I have a solution, but I need to make sure it doesn't introduce a memory leak.

Comment 2 Chris Liddell (chrisl) 2016-10-05 08:48:39 UTC

Fixed in:
http://git.ghostscript.com/?p=user/chrisl/ghostpdl.git;a=commitdiff;h=d5ad1e02

Comment 3 Fan Xin 2017-06-07 17:34:25 UTC

I notice that the following patch is not exist.
http://git.ghostscript.com/?p=user/chrisl/ghostpdl.git;a=commitdiff;h=d5ad1e02

The fix patch link is:
http://git.ghostscript.com/?p=user/chrisl/ghostpdl.git;a=commit;h=6f749c0c44e7b9e09737b9f29edf29925a34f0cf

Comment 4 Chris Liddell (chrisl) 2017-06-08 02:03:50 UTC

Probably better using the "central" repo:

http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=6f749c0c44e