Created attachment 13263 [details]
POC to trigger use-after-free (gs)

After some fuzz testing I found a crashing test case.

Git Head: 73060a27e554f8e64ae2aba4a1b03822207346c7

Command:
gs -dNOPAUSE -sDEVICE=bit -sOUTPUTFILE=/dev/null -dSAFER gs_uaf_pdf14_cleanup_parent_color_profiles -c quit

ASAN + Output:
GPL Ghostscript GIT PRERELEASE 9.21 (2016-09-14)
Copyright (C) 2016 Artifex Software, Inc.  All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
=================================================================
==27314==ERROR: AddressSanitizer: heap-use-after-free on address 0x62a00054d848 at pc 0x0000008d63ce bp 0x7ffef086f770 sp 0x7ffef086f768
READ of size 8 at 0x62a00054d848 thread T0
    #0 0x8d63cd in pdf14_cleanup_parent_color_profiles XYZ/ghostpdl/./base/gdevp14.c:2123:31
    #1 0x8d54ee in pdf14_device_finalize XYZ/ghostpdl/./base/gdevp14.c:8472:5
    #2 0x1b3c4b8 in restore_finalize XYZ/ghostpdl/./psi/isave.c:952:13
    #3 0x1b3c4b8 in alloc_restore_step_in XYZ/ghostpdl/./psi/isave.c:759
    #4 0x1b3e288 in alloc_restore_all XYZ/ghostpdl/./psi/isave.c:886:16
    #5 0x19d3d83 in gs_main_finit XYZ/ghostpdl/./psi/imain.c:997:16
    #6 0x5476b5 in main XYZ/ghostpdl/./psi/gs.c:139:9
    #7 0x7f99712e782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #8 0x47b9d8 in _start (/usr/local/bin/gs+0x47b9d8)

0x62a00054d848 is located 5704 bytes inside of 20048-byte region [0x62a00054c200,0x62a000551050)
freed by thread T0 here:
    #0 0x519e9b in __interceptor_free /home/development/llvm/3.9.0/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:47:3
    #1 0x146a4ff in gs_heap_free_object XYZ/ghostpdl/./base/gsmalloc.c:348:5

previously allocated by thread T0 here:
    #0 0x51a1ec in malloc /home/development/llvm/3.9.0/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64:3
    #1 0x1469abf in gs_heap_alloc_bytes XYZ/ghostpdl/./base/gsmalloc.c:183:34

SUMMARY: AddressSanitizer: heap-use-after-free XYZ/ghostpdl/./base/gdevp14.c:2123:31 in pdf14_cleanup_parent_color_profiles
Shadow bytes around the buggy address:
  0x0c54800a1ab0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c54800a1ac0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c54800a1ad0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c54800a1ae0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c54800a1af0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c54800a1b00: fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd
  0x0c54800a1b10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c54800a1b20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c54800a1b30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c54800a1b40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c54800a1b50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==27314==ABORTING
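The trace shows a device finaliser, run during restore, reading 8 bytes at offset 5704 inside a 20048-byte heap region that gs_heap_free_object had already released: a child object cleaning up through a pointer into a parent that was torn down first. The following is an added illustration of that bug class and is not Ghostscript's code, nor the fix in the commit linked below; every type and function name in it is hypothetical. It puts the vulnerable finaliser shape next to a reference-counted one in which the child releases only what it owns, so the teardown order no longer matters.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for a colour profile and the two objects sharing
 * it (names are this example's own, not Ghostscript's). */
typedef struct {
    int  refcount;
    char name[16];
} profile_t;

typedef struct {
    profile_t *profile;      /* the parent's own reference */
} parent_t;

typedef struct {
    parent_t  *parent;       /* back-pointer into the parent, not owned */
    profile_t *profile;      /* hardened shape: a counted reference of its own */
} child_t;

/* Counts how many times profile memory was actually released. */
static int g_profile_frees;

static profile_t *profile_new(const char *name) {
    profile_t *p = calloc(1, sizeof *p);
    if (!p) abort();
    p->refcount = 1;
    strncpy(p->name, name, sizeof p->name - 1);
    return p;
}

/* Drop one reference; the last one frees. Returns the remaining count. */
static int profile_release(profile_t *p) {
    if (--p->refcount > 0)
        return p->refcount;
    g_profile_frees++;
    free(p);
    return 0;
}

/* Parent teardown: release its profile reference, then its own memory. */
static void parent_free(parent_t *par) {
    profile_release(par->profile);
    free(par);
}

/* Vulnerable shape, the pattern behind the trace: the child's finaliser
 * reaches through the back-pointer to clean up the parent's profile. Once
 * the restore has freed the parent, this read is a heap-use-after-free.
 * Deliberately never called below; it is here only for comparison. */
void child_finalize_vulnerable(child_t *c) {
    profile_release(c->parent->profile);   /* reads freed parent memory */
    free(c);
}

/* Hardened shape: the child finalises only the reference it holds itself
 * and never dereferences the parent. */
static void child_finalize_hardened(child_t *c) {
    profile_release(c->profile);
    c->parent = NULL;
    free(c);
}

/* Build the pair and tear it down in the requested order. Returns how many
 * times the profile was freed: exactly 1 in either order, and with no touch
 * of freed memory (confirm by building with -fsanitize=address). */
int teardown(int parent_first) {
    g_profile_frees = 0;
    profile_t *prof = profile_new("icc");
    parent_t  *par  = calloc(1, sizeof *par);
    child_t   *kid  = calloc(1, sizeof *kid);
    if (!par || !kid) abort();
    par->profile = prof;
    kid->parent  = par;
    kid->profile = prof;
    prof->refcount++;                   /* the child takes its own reference */

    if (parent_first) {
        parent_free(par);               /* refcount 2 -> 1, profile survives */
        child_finalize_hardened(kid);   /* refcount 1 -> 0, freed once, here */
    } else {
        child_finalize_hardened(kid);   /* refcount 2 -> 1 */
        parent_free(par);               /* refcount 1 -> 0 */
    }
    return g_profile_frees;
}
```

Swapping child_finalize_hardened for child_finalize_vulnerable in the parent-first branch reproduces the same ASan report shape as above: a READ inside a region "freed by" the parent's free, reported from the child's finaliser frame.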
Fixed with http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=90fd0c7ca3efc1ddff64a86f4104b13b3ac969eb