Created attachment 13775
PoC

POC to trigger heap-use-after-free (gxps)

I found a crashing test case. Please confirm.

Version 9.22 and Git Head: f6507e828ddfe1f60645bc925bff9bedfdb306ce
OS: Ubuntu 16.04.2 x86_64
Command: ./gxps -sDEVICE=pdfwrite -sOutputFile=/dev/null -dNOPAUSE $FILE

---------------
Valgrind out:
---------------
==2580== Conditional jump or move depends on uninitialised value(s)
==2580==    at 0x4C33D2D: __memcmp_sse4_1 (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==2580==    by 0x8AC88A: gs_c_name_glyph (gscencs.c:144)
==2580==    by 0x7963EE: copy_glyph_name (gxfcopy.c:560)
==2580==    by 0x798E0A: copy_glyph_type42 (gxfcopy.c:1396)
==2580==    by 0x79B7F4: gs_copy_glyph_options (gxfcopy.c:2265)
==2580==    by 0x77360C: pdf_base_font_copy_glyph (gdevpdtb.c:428)
==2580==    by 0x778298: pdf_font_used_glyph (gdevpdtd.c:363)
==2580==    by 0x77A3BE: pdf_encode_string_element (gdevpdte.c:272)
==2580==    by 0x77E3A1: process_text_modify_width (gdevpdte.c:1157)
==2580==    by 0x77C1FA: pdf_process_string (gdevpdte.c:699)
==2580==    by 0x779B9C: pdf_process_string_aux (gdevpdte.c:79)
==2580==    by 0x77F7B9: process_plain_text (gdevpdte.c:1504)
==2580==    by 0x791D6E: pdf_text_process (gdevpdtt.c:3552)
==2580==    by 0x8EA6A1: gs_text_process (gstext.c:574)
==2580==    by 0xA6CCD2: xps_flush_text_buffer (xpsglyphs.c:324)
==2580==    by 0xA6D810: xps_parse_glyphs_imp (xpsglyphs.c:569)
==2580==    by 0xA6E536: xps_parse_glyphs (xpsglyphs.c:809)
==2580==    by 0xA5EC24: xps_parse_element (xpscommon.c:68)
==2580==    by 0xA5DD18: xps_parse_fixed_page (xpspage.c:279)
==2580==    by 0xA5A81D: xps_read_and_process_page_part (xpszip.c:539)
==2580==  Uninitialised value was created by a stack allocation
==2580==    at 0x8AC7DC: gs_c_name_glyph (gscencs.c:128)
==2580== 
==2580== Conditional jump or move depends on uninitialised value(s)
==2580==    at 0x8AC892: gs_c_name_glyph (gscencs.c:145)
==2580==    by 0x7963EE: copy_glyph_name (gxfcopy.c:560)
==2580==    by 0x798E0A: copy_glyph_type42 (gxfcopy.c:1396)
==2580==    by 0x79B7F4: gs_copy_glyph_options (gxfcopy.c:2265)
==2580==    by 0x77360C: pdf_base_font_copy_glyph (gdevpdtb.c:428)
==2580==    by 0x778298: pdf_font_used_glyph (gdevpdtd.c:363)
==2580==    by 0x77A3BE: pdf_encode_string_element (gdevpdte.c:272)
==2580==    by 0x77E3A1: process_text_modify_width (gdevpdte.c:1157)
==2580==    by 0x77C1FA: pdf_process_string (gdevpdte.c:699)
==2580==    by 0x779B9C: pdf_process_string_aux (gdevpdte.c:79)
==2580==    by 0x77F7B9: process_plain_text (gdevpdte.c:1504)
==2580==    by 0x791D6E: pdf_text_process (gdevpdtt.c:3552)
==2580==    by 0x8EA6A1: gs_text_process (gstext.c:574)
==2580==    by 0xA6CCD2: xps_flush_text_buffer (xpsglyphs.c:324)
==2580==    by 0xA6D810: xps_parse_glyphs_imp (xpsglyphs.c:569)
==2580==    by 0xA6E536: xps_parse_glyphs (xpsglyphs.c:809)
==2580==    by 0xA5EC24: xps_parse_element (xpscommon.c:68)
==2580==    by 0xA5DD18: xps_parse_fixed_page (xpspage.c:279)
==2580==    by 0xA5A81D: xps_read_and_process_page_part (xpszip.c:539)
==2580==    by 0xA5B166: xps_process_file (xpszip.c:688)
==2580==  Uninitialised value was created by a stack allocation
==2580==    at 0x8AC7DC: gs_c_name_glyph (gscencs.c:128)
==2580== 
==2580== Conditional jump or move depends on uninitialised value(s)
==2580==    at 0x8AC8C0: gs_c_name_glyph (gscencs.c:147)
==2580==    by 0x7963EE: copy_glyph_name (gxfcopy.c:560)
==2580==    by 0x798E0A: copy_glyph_type42 (gxfcopy.c:1396)
==2580==    by 0x79B7F4: gs_copy_glyph_options (gxfcopy.c:2265)
==2580==    by 0x77360C: pdf_base_font_copy_glyph (gdevpdtb.c:428)
==2580==    by 0x778298: pdf_font_used_glyph (gdevpdtd.c:363)
==2580==    by 0x77A3BE: pdf_encode_string_element (gdevpdte.c:272)
==2580==    by 0x77E3A1: process_text_modify_width (gdevpdte.c:1157)
==2580==    by 0x77C1FA: pdf_process_string (gdevpdte.c:699)
==2580==    by 0x779B9C: pdf_process_string_aux (gdevpdte.c:79)
==2580==    by 0x77F7B9: process_plain_text (gdevpdte.c:1504)
==2580==    by 0x791D6E: pdf_text_process (gdevpdtt.c:3552)
==2580==    by 0x8EA6A1: gs_text_process (gstext.c:574)
==2580==    by 0xA6CCD2: xps_flush_text_buffer (xpsglyphs.c:324)
==2580==    by 0xA6D810: xps_parse_glyphs_imp (xpsglyphs.c:569)
==2580==    by 0xA6E536: xps_parse_glyphs (xpsglyphs.c:809)
==2580==    by 0xA5EC24: xps_parse_element (xpscommon.c:68)
==2580==    by 0xA5DD18: xps_parse_fixed_page (xpspage.c:279)
==2580==    by 0xA5A81D: xps_read_and_process_page_part (xpszip.c:539)
==2580==    by 0xA5B166: xps_process_file (xpszip.c:688)
==2580==  Uninitialised value was created by a stack allocation
==2580==    at 0x8AC7DC: gs_c_name_glyph (gscencs.c:128)
==2580== 
==2580== Conditional jump or move depends on uninitialised value(s)
==2580==    at 0x4C33D52: __memcmp_sse4_1 (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==2580==    by 0x8AC88A: gs_c_name_glyph (gscencs.c:144)
==2580==    by 0x7963EE: copy_glyph_name (gxfcopy.c:560)
==2580==    by 0x798E0A: copy_glyph_type42 (gxfcopy.c:1396)
==2580==    by 0x79B7F4: gs_copy_glyph_options (gxfcopy.c:2265)
==2580==    by 0x77360C: pdf_base_font_copy_glyph (gdevpdtb.c:428)
==2580==    by 0x778298: pdf_font_used_glyph (gdevpdtd.c:363)
==2580==    by 0x77A3BE: pdf_encode_string_element (gdevpdte.c:272)
==2580==    by 0x77E3A1: process_text_modify_width (gdevpdte.c:1157)
==2580==    by 0x77C1FA: pdf_process_string (gdevpdte.c:699)
==2580==    by 0x779B9C: pdf_process_string_aux (gdevpdte.c:79)
==2580==    by 0x77F7B9: process_plain_text (gdevpdte.c:1504)
==2580==    by 0x791D6E: pdf_text_process (gdevpdtt.c:3552)
==2580==    by 0x8EA6A1: gs_text_process (gstext.c:574)
==2580==    by 0xA6CCD2: xps_flush_text_buffer (xpsglyphs.c:324)
==2580==    by 0xA6D810: xps_parse_glyphs_imp (xpsglyphs.c:569)
==2580==    by 0xA6E536: xps_parse_glyphs (xpsglyphs.c:809)
==2580==    by 0xA5EC24: xps_parse_element (xpscommon.c:68)
==2580==    by 0xA5DD18: xps_parse_fixed_page (xpspage.c:279)
==2580==    by 0xA5A81D: xps_read_and_process_page_part (xpszip.c:539)
==2580==  Uninitialised value was created by a stack allocation
==2580==    at 0x8AC7DC: gs_c_name_glyph (gscencs.c:128)
==2580== 
==2580== Conditional jump or move depends on uninitialised value(s)
==2580==    at 0x4C33D2D: __memcmp_sse4_1 (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==2580==    by 0x8AC88A: gs_c_name_glyph (gscencs.c:144)
==2580==    by 0x78CFA4: pdf_make_text_glyphs_table_unencoded (gdevpdtt.c:1856)
==2580==    by 0x78DEE9: pdf_obtain_font_resource_unencoded (gdevpdtt.c:2198)
==2580==    by 0x77F6C9: process_plain_text (gdevpdte.c:1476)
==2580==    by 0x791D6E: pdf_text_process (gdevpdtt.c:3552)
==2580==    by 0x8EA6A1: gs_text_process (gstext.c:574)
==2580==    by 0xA6CCD2: xps_flush_text_buffer (xpsglyphs.c:324)
==2580==    by 0xA6D810: xps_parse_glyphs_imp (xpsglyphs.c:569)
==2580==    by 0xA6E536: xps_parse_glyphs (xpsglyphs.c:809)
==2580==    by 0xA5EC24: xps_parse_element (xpscommon.c:68)
==2580==    by 0xA5DD18: xps_parse_fixed_page (xpspage.c:279)
==2580==    by 0xA5A81D: xps_read_and_process_page_part (xpszip.c:539)
==2580==    by 0xA5B166: xps_process_file (xpszip.c:688)
==2580==    by 0x461527: xps_imp_process_file (xpstop.c:228)
==2580==    by 0xA4603B: pl_process_file (pltop.c:70)
==2580==    by 0xAEE33A: pl_main_run_file (plmain.c:377)
==2580==    by 0xAF0C65: pl_main_process_options (plmain.c:1313)
==2580==    by 0xAEDE20: pl_main_init_with_args (plmain.c:262)
==2580==    by 0xA46570: plapi_init_with_args (plapi.c:58)
==2580==  Uninitialised value was created by a stack allocation
==2580==    at 0x8AC7DC: gs_c_name_glyph (gscencs.c:128)
==2580== 
==2580== Conditional jump or move depends on uninitialised value(s)
==2580==    at 0x8AC892: gs_c_name_glyph (gscencs.c:145)
==2580==    by 0x78CFA4: pdf_make_text_glyphs_table_unencoded (gdevpdtt.c:1856)
==2580==    by 0x78DEE9: pdf_obtain_font_resource_unencoded (gdevpdtt.c:2198)
==2580==    by 0x77F6C9: process_plain_text (gdevpdte.c:1476)
==2580==    by 0x791D6E: pdf_text_process (gdevpdtt.c:3552)
==2580==    by 0x8EA6A1: gs_text_process (gstext.c:574)
==2580==    by 0xA6CCD2: xps_flush_text_buffer (xpsglyphs.c:324)
==2580==    by 0xA6D810: xps_parse_glyphs_imp (xpsglyphs.c:569)
==2580==    by 0xA6E536: xps_parse_glyphs (xpsglyphs.c:809)
==2580==    by 0xA5EC24: xps_parse_element (xpscommon.c:68)
==2580==    by 0xA5DD18: xps_parse_fixed_page (xpspage.c:279)
==2580==    by 0xA5A81D: xps_read_and_process_page_part (xpszip.c:539)
==2580==    by 0xA5B166: xps_process_file (xpszip.c:688)
==2580==    by 0x461527: xps_imp_process_file (xpstop.c:228)
==2580==    by 0xA4603B: pl_process_file (pltop.c:70)
==2580==    by 0xAEE33A: pl_main_run_file (plmain.c:377)
==2580==    by 0xAF0C65: pl_main_process_options (plmain.c:1313)
==2580==    by 0xAEDE20: pl_main_init_with_args (plmain.c:262)
==2580==    by 0xA46570: plapi_init_with_args (plapi.c:58)
==2580==    by 0xAEDAC5: main (realmain.c:34)
==2580==  Uninitialised value was created by a stack allocation
==2580==    at 0x8AC7DC: gs_c_name_glyph (gscencs.c:128)
==2580== 
==2580== Conditional jump or move depends on uninitialised value(s)
==2580==    at 0x8AC8C0: gs_c_name_glyph (gscencs.c:147)
==2580==    by 0x78CFA4: pdf_make_text_glyphs_table_unencoded (gdevpdtt.c:1856)
==2580==    by 0x78DEE9: pdf_obtain_font_resource_unencoded (gdevpdtt.c:2198)
==2580==    by 0x77F6C9: process_plain_text (gdevpdte.c:1476)
==2580==    by 0x791D6E: pdf_text_process (gdevpdtt.c:3552)
==2580==    by 0x8EA6A1: gs_text_process (gstext.c:574)
==2580==    by 0xA6CCD2: xps_flush_text_buffer (xpsglyphs.c:324)
==2580==    by 0xA6D810: xps_parse_glyphs_imp (xpsglyphs.c:569)
==2580==    by 0xA6E536: xps_parse_glyphs (xpsglyphs.c:809)
==2580==    by 0xA5EC24: xps_parse_element (xpscommon.c:68)
==2580==    by 0xA5DD18: xps_parse_fixed_page (xpspage.c:279)
==2580==    by 0xA5A81D: xps_read_and_process_page_part (xpszip.c:539)
==2580==    by 0xA5B166: xps_process_file (xpszip.c:688)
==2580==    by 0x461527: xps_imp_process_file (xpstop.c:228)
==2580==    by 0xA4603B: pl_process_file (pltop.c:70)
==2580==    by 0xAEE33A: pl_main_run_file (plmain.c:377)
==2580==    by 0xAF0C65: pl_main_process_options (plmain.c:1313)
==2580==    by 0xAEDE20: pl_main_init_with_args (plmain.c:262)
==2580==    by 0xA46570: plapi_init_with_args (plapi.c:58)
==2580==    by 0xAEDAC5: main (realmain.c:34)
==2580==  Uninitialised value was created by a stack allocation
==2580==    at 0x8AC7DC: gs_c_name_glyph (gscencs.c:128)
==2580== 
==2580== Conditional jump or move depends on uninitialised value(s)
==2580==    at 0x4C33D52: __memcmp_sse4_1 (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==2580==    by 0x8AC88A: gs_c_name_glyph (gscencs.c:144)
==2580==    by 0x78CFA4: pdf_make_text_glyphs_table_unencoded (gdevpdtt.c:1856)
==2580==    by 0x78DEE9: pdf_obtain_font_resource_unencoded (gdevpdtt.c:2198)
==2580==    by 0x77F6C9: process_plain_text (gdevpdte.c:1476)
==2580==    by 0x791D6E: pdf_text_process (gdevpdtt.c:3552)
==2580==    by 0x8EA6A1: gs_text_process (gstext.c:574)
==2580==    by 0xA6CCD2: xps_flush_text_buffer (xpsglyphs.c:324)
==2580==    by 0xA6D810: xps_parse_glyphs_imp (xpsglyphs.c:569)
==2580==    by 0xA6E536: xps_parse_glyphs (xpsglyphs.c:809)
==2580==    by 0xA5EC24: xps_parse_element (xpscommon.c:68)
==2580==    by 0xA5DD18: xps_parse_fixed_page (xpspage.c:279)
==2580==    by 0xA5A81D: xps_read_and_process_page_part (xpszip.c:539)
==2580==    by 0xA5B166: xps_process_file (xpszip.c:688)
==2580==    by 0x461527: xps_imp_process_file (xpstop.c:228)
==2580==    by 0xA4603B: pl_process_file (pltop.c:70)
==2580==    by 0xAEE33A: pl_main_run_file (plmain.c:377)
==2580==    by 0xAF0C65: pl_main_process_options (plmain.c:1313)
==2580==    by 0xAEDE20: pl_main_init_with_args (plmain.c:262)
==2580==    by 0xA46570: plapi_init_with_args (plapi.c:58)
==2580==  Uninitialised value was created by a stack allocation
==2580==    at 0x8AC7DC: gs_c_name_glyph (gscencs.c:128)
==2580== 
==2580== Conditional jump or move depends on uninitialised value(s)
==2580==    at 0x4B9FE4: MulDiv_Round (ttcalc.c:84)
==2580==    by 0x4C5F32: Ins_IP (ttinterp.c:4180)
==2580==    by 0x4C7111: RunIns (ttinterp.c:5032)
==2580==    by 0x4C905A: Context_Run (ttobjs.c:457)
==2580==    by 0x4BD8DE: ttfOutliner__BuildGlyphOutlineAux (ttfmain.c:827)
==2580==    by 0x4BDB7E: ttfOutliner__BuildGlyphOutline (ttfmain.c:874)
==2580==    by 0x4BEB07: ttfOutliner__Outline (ttfmain.c:1033)
==2580==    by 0x4CC91E: gx_ttf_outline (gxttfb.c:787)
==2580==    by 0x4B8E3B: append_outline_fitted (gstype42.c:1595)
==2580==    by 0x4B7ECC: gs_type42_glyph_outline (gstype42.c:991)
==2580==    by 0x8C7F75: gs_default_glyph_info (gsfont.c:1036)
==2580==    by 0x4B803E: gs_type42_glyph_info_by_gid (gstype42.c:1017)
==2580==    by 0x4B8400: gs_type42_glyph_info (gstype42.c:1088)
==2580==    by 0x7786B3: pdf_compute_font_descriptor (gdevpdtd.c:457)
==2580==    by 0x779108: pdf_finish_FontDescriptor (gdevpdtd.c:636)
==2580==    by 0x793DE2: pdf_finish_resources (gdevpdtw.c:677)
==2580==    by 0x712629: do_pdf_close (gdevpdf.c:2569)
==2580==    by 0x7150D5: pdf_close (gdevpdf.c:3281)
==2580==    by 0x8BA0BD: gs_closedevice (gsdevice.c:720)
==2580==    by 0xAEE98D: pl_main_universe_dnit (plmain.c:557)
==2580==  Uninitialised value was created by a heap allocation
==2580==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==2580==    by 0x8D8493: gs_heap_alloc_bytes (gsmalloc.c:193)
==2580==    by 0x6A85D6: chunk_obj_alloc (gsmchunk.c:909)
==2580==    by 0x6A8866: chunk_alloc_bytes (gsmchunk.c:977)
==2580==    by 0x59F3CC: gsicc_load_profile_buffer (gsicc_manage.c:2170)
==2580==    by 0x59DB87: gsicc_profile_new (gsicc_manage.c:1885)
==2580==    by 0x597161: gsicc_set_iccsmaskprofile (gsicc_manage.c:153)
==2580==    by 0x597968: gsicc_initialize_iccsmask (gsicc_manage.c:230)
==2580==    by 0x8B15BD: gs_cspace_new_ICC (gscspace.c:175)
==2580==    by 0x461197: xps_imp_allocate_interp_instance (xpstop.c:134)
==2580==    by 0xA45FC8: pl_allocate_interp_instance (pltop.c:42)
==2580==    by 0xAEE802: pl_main_universe_init (plmain.c:500)
==2580==    by 0xAEDDAC: pl_main_init_with_args (plmain.c:249)
==2580==    by 0xA46570: plapi_init_with_args (plapi.c:58)
==2580==    by 0xAEDAC5: main (realmain.c:34)
==2580== 
==2580== Invalid read of size 4
==2580==    at 0x4C5CCE: Ins_IP (ttinterp.c:4140)
==2580==    by 0x4C7111: RunIns (ttinterp.c:5032)
==2580==    by 0x4C905A: Context_Run (ttobjs.c:457)
==2580==    by 0x4BD8DE: ttfOutliner__BuildGlyphOutlineAux (ttfmain.c:827)
==2580==    by 0x4BDB7E: ttfOutliner__BuildGlyphOutline (ttfmain.c:874)
==2580==    by 0x4BEB07: ttfOutliner__Outline (ttfmain.c:1033)
==2580==    by 0x4CC91E: gx_ttf_outline (gxttfb.c:787)
==2580==    by 0x4B8E3B: append_outline_fitted (gstype42.c:1595)
==2580==    by 0x4B7ECC: gs_type42_glyph_outline (gstype42.c:991)
==2580==    by 0x8C7F75: gs_default_glyph_info (gsfont.c:1036)
==2580==    by 0x4B803E: gs_type42_glyph_info_by_gid (gstype42.c:1017)
==2580==    by 0x4B8400: gs_type42_glyph_info (gstype42.c:1088)
==2580==    by 0x7786B3: pdf_compute_font_descriptor (gdevpdtd.c:457)
==2580==    by 0x779108: pdf_finish_FontDescriptor (gdevpdtd.c:636)
==2580==    by 0x793DE2: pdf_finish_resources (gdevpdtw.c:677)
==2580==    by 0x712629: do_pdf_close (gdevpdf.c:2569)
==2580==    by 0x7150D5: pdf_close (gdevpdf.c:3281)
==2580==    by 0x8BA0BD: gs_closedevice (gsdevice.c:720)
==2580==    by 0xAEE98D: pl_main_universe_dnit (plmain.c:557)
==2580==    by 0xAEE5DC: pl_main_delete_instance (plmain.c:436)
==2580==  Address 0x5a2bfb0 is 4,912 bytes inside a block of size 8,240 free'd
==2580==    at 0x4C2EDEB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==2580==    by 0x8D8BB1: gs_heap_free_object (gsmalloc.c:358)
==2580==    by 0x5A4E7C: gs_lcms2_free (gsicc_lcms2.c:83)
==2580==    by 0x5BD7A0: _cmsFree (cmserr.c:294)
==2580==    by 0x5BFEE3: cmsFreeToneCurve (cmsgamma.c:759)
==2580==    by 0x5C00A5: cmsFreeToneCurveTriple (cmsgamma.c:793)
==2580==    by 0x5CD5A6: BuildRGBOutputMatrixShaper (cmsio1.c:510)
==2580==    by 0x5CD9AC: _cmsReadOutputLUT (cmsio1.c:660)
==2580==    by 0x5BBD6F: DefaultICCintents (cmscnvrt.c:617)
==2580==    by 0x5BCEFB: _cmsLinkProfiles (cmscnvrt.c:1084)
==2580==    by 0x5FB092: cmsCreateExtendedTransform (cmsxform.c:1048)
==2580==    by 0x5FB5CB: cmsCreateMultiprofileTransformTHR (cmsxform.c:1164)
==2580==    by 0x5FB6F8: cmsCreateTransformTHR (cmsxform.c:1205)
==2580==    by 0x5A5AC3: gscms_get_link (gsicc_lcms2.c:576)
==2580==    by 0x5A3ACF: gsicc_get_link_profile (gsicc_cache.c:1200)
==2580==    by 0x5A2E08: gsicc_get_link (gsicc_cache.c:840)
==2580==    by 0x59602B: gx_remap_ICC (gsicc.c:411)
==2580==    by 0x9B74D8: gx_remap_DeviceGray (gxcmap.c:784)
==2580==    by 0x9B69A5: gx_remap_color (gxcmap.c:560)
==2580==    by 0x8E05DD: gs_fillpage (gspaint.c:96)
==2580==  Block was alloc'd at
==2580==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==2580==    by 0x8D8493: gs_heap_alloc_bytes (gsmalloc.c:193)
==2580==    by 0x5A4E2A: gs_lcms2_malloc (gsicc_lcms2.c:62)
==2580==    by 0x5BD69C: _cmsMalloc (cmserr.c:265)
==2580==    by 0x5BD2F0: _cmsMallocZeroDefaultFn (cmserr.c:104)
==2580==    by 0x5BD6D8: _cmsMallocZero (cmserr.c:272)
==2580==    by 0x5BD3F3: _cmsCallocDefaultFn (cmserr.c:158)
==2580==    by 0x5BD718: _cmsCalloc (cmserr.c:279)
==2580==    by 0x5BE673: AllocateToneCurveStruct (cmsgamma.c:255)
==2580==    by 0x5BFA10: cmsBuildTabulatedToneCurve16 (cmsgamma.c:621)
==2580==    by 0x5C05A8: cmsReverseToneCurveEx (cmsgamma.c:923)
==2580==    by 0x5C0852: cmsReverseToneCurve (cmsgamma.c:973)
==2580==    by 0x5CD479: BuildRGBOutputMatrixShaper (cmsio1.c:487)
==2580==    by 0x5CD9AC: _cmsReadOutputLUT (cmsio1.c:660)
==2580==    by 0x5BBD6F: DefaultICCintents (cmscnvrt.c:617)
==2580==    by 0x5BCEFB: _cmsLinkProfiles (cmscnvrt.c:1084)
==2580==    by 0x5FB092: cmsCreateExtendedTransform (cmsxform.c:1048)
==2580==    by 0x5FB5CB: cmsCreateMultiprofileTransformTHR (cmsxform.c:1164)
==2580==    by 0x5FB6F8: cmsCreateTransformTHR (cmsxform.c:1205)
==2580==    by 0x5A5AC3: gscms_get_link (gsicc_lcms2.c:576)
==2580== 
==2580== 
==2580== FILE DESCRIPTORS: 3 open at exit.
==2580== Open file descriptor 2: /dev/pts/6
==2580==    <inherited from parent>
==2580== 
==2580== Open file descriptor 1: /dev/pts/6
==2580==    <inherited from parent>
==2580== 
==2580== Open file descriptor 0: /dev/pts/6
==2580==    <inherited from parent>
==2580== 
==2580== 
==2580== HEAP SUMMARY:
==2580==     in use at exit: 0 bytes in 0 blocks
==2580==   total heap usage: 745 allocs, 745 frees, 2,186,452 bytes allocated
==2580== 
==2580== All heap blocks were freed -- no leaks are possible
==2580== 
==2580== For counts of detected and suppressed errors, rerun with: -v
==2580== ERROR SUMMARY: 204 errors from 10 contexts (suppressed: 0 from 0)

---------------
ASan out:
---------------
==2530==ERROR: AddressSanitizer: heap-use-after-free on address 0x63100006f4d0 at pc 0x000000552699 bp 0x7ffccff3ddf0 sp 0x7ffccff3dde0
READ of size 4 at 0x63100006f4d0 thread T0
    #0 0x552698 in Ins_IP base/ttinterp.c:4140
    #1 0x556503 in RunIns base/ttinterp.c:5032
    #2 0x55c9a1 in Context_Run base/ttobjs.c:457
    #3 0x537dc5 in ttfOutliner__BuildGlyphOutlineAux base/ttfmain.c:827
    #4 0x538466 in ttfOutliner__BuildGlyphOutline base/ttfmain.c:874
    #5 0x53aab1 in ttfOutliner__Outline base/ttfmain.c:1033
    #6 0x567314 in gx_ttf_outline base/gxttfb.c:787
    #7 0x52c811 in append_outline_fitted base/gstype42.c:1595
    #8 0x52a3d2 in gs_type42_glyph_outline base/gstype42.c:991
    #9 0xf3c43b in gs_default_glyph_info base/gsfont.c:1036
    #10 0x52a783 in gs_type42_glyph_info_by_gid base/gstype42.c:1017
    #11 0x52ae85 in gs_type42_glyph_info base/gstype42.c:1088
    #12 0xc22569 in pdf_compute_font_descriptor devices/vector/gdevpdtd.c:457
    #13 0xc236c9 in pdf_finish_FontDescriptor devices/vector/gdevpdtd.c:636
    #14 0xc66550 in pdf_finish_resources devices/vector/gdevpdtw.c:677
    #15 0xb3c918 in do_pdf_close devices/vector/gdevpdf.c:2569
    #16 0xb42674 in pdf_close devices/vector/gdevpdf.c:3281
    #17 0xf1c525 in gs_closedevice base/gsdevice.c:720
    #18 0x14aaadf in pl_main_universe_dnit pcl/pl/plmain.c:557
    #19 0x14aa339 in pl_main_delete_instance pcl/pl/plmain.c:436
    #20 0x1317967 in plapi_delete_instance pcl/pl/plapi.c:89
    #21 0x14a9095 in main pcl/pl/realmain.c:50
    #22 0x7fc63cacc82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #23 0x461a48 in _start (/home/karas/gwanyeong/ghostpdl/debugbin/gxps+0x461a48)

0x63100006f4d0 is located 44240 bytes inside of 65616-byte region [0x631000064800,0x631000074850)
freed by thread T0 here:
    #0 0x7fc63d6372ca in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982ca)
    #1 0xf64be4 in gs_heap_free_object base/gsmalloc.c:358
    #2 0xa168c1 in chunk_free_object base/gsmchunk.c:1092
    #3 0xa23c82 in s_zlib_free base/szlibc.c:110
    #4 0x6a8755 in deflateEnd zlib/deflate.c:1001
    #5 0xa24699 in s_zlibE_release base/szlibe.c:88
    #6 0x9e1649 in sclose base/stream.c:434
    #7 0xbc72da in stream_to_none devices/vector/gdevpdfu.c:1092
    #8 0xbc75db in pdf_open_contents devices/vector/gdevpdfu.c:1118
    #9 0xbc77b6 in pdf_close_contents devices/vector/gdevpdfu.c:1142
    #10 0xb2ba3e in pdf_close_page devices/vector/gdevpdf.c:973
    #11 0xb2f5f4 in pdf_output_page devices/vector/gdevpdf.c:1395
    #12 0xf18d34 in gs_output_page base/gsdevice.c:210
    #13 0x14afdca in pl_finish_page pcl/pl/plmain.c:1488
    #14 0x463904 in xps_show_page xps/xpstop.c:428
    #15 0x134ad73 in xps_parse_fixed_page xps/xpspage.c:306
    #16 0x1344729 in xps_read_and_process_page_part xps/xpszip.c:539
    #17 0x1345657 in xps_process_file xps/xpszip.c:688
    #18 0x462a2c in xps_imp_process_file xps/xpstop.c:228
    #19 0x1316a58 in pl_process_file pcl/pl/pltop.c:70
    #20 0x14a9f75 in pl_main_run_file pcl/pl/plmain.c:377
    #21 0x14aee24 in pl_main_process_options pcl/pl/plmain.c:1313
    #22 0x14a96c6 in pl_main_init_with_args pcl/pl/plmain.c:262
    #23 0x1317848 in plapi_init_with_args pcl/pl/plapi.c:58
    #24 0x14a8fd1 in main pcl/pl/realmain.c:34
    #25 0x7fc63cacc82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

previously allocated by thread T0 here:
    #0 0x7fc63d637602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0xf63c86 in gs_heap_alloc_bytes base/gsmalloc.c:193
    #2 0xa1537c in chunk_obj_alloc base/gsmchunk.c:789
    #3 0xa16113 in chunk_alloc_bytes base/gsmchunk.c:977
    #4 0xa16204 in chunk_alloc_byte_array_immovable base/gsmchunk.c:998
    #5 0xa239cb in s_zlib_alloc base/szlibc.c:87
    #6 0x6a18e2 in deflateInit2_ zlib/deflate.c:293
    #7 0xa24168 in s_zlibE_init base/szlibe.c:31
    #8 0xbc69c6 in none_to_stream devices/vector/gdevpdfu.c:996
    #9 0xbc75db in pdf_open_contents devices/vector/gdevpdfu.c:1118
    #10 0xbcb48d in pdf_open_page devices/vector/gdevpdfu.c:1877
    #11 0xc4b7d2 in pdf_prepare_text_drawing devices/vector/gdevpdtt.c:417
    #12 0xc5f164 in pdf_text_process devices/vector/gdevpdtt.c:3112
    #13 0xf92676 in gs_text_process base/gstext.c:574
    #14 0x13687fa in xps_flush_text_buffer xps/xpsglyphs.c:324
    #15 0x1369ef1 in xps_parse_glyphs_imp xps/xpsglyphs.c:569
    #16 0x136b199 in xps_parse_glyphs xps/xpsglyphs.c:809
    #17 0x134c41a in xps_parse_element xps/xpscommon.c:68
    #18 0x134aa98 in xps_parse_fixed_page xps/xpspage.c:279
    #19 0x1344729 in xps_read_and_process_page_part xps/xpszip.c:539
    #20 0x1345657 in xps_process_file xps/xpszip.c:688
    #21 0x462a2c in xps_imp_process_file xps/xpstop.c:228
    #22 0x1316a58 in pl_process_file pcl/pl/pltop.c:70
    #23 0x14a9f75 in pl_main_run_file pcl/pl/plmain.c:377
    #24 0x14aee24 in pl_main_process_options pcl/pl/plmain.c:1313
    #25 0x14a96c6 in pl_main_init_with_args pcl/pl/plmain.c:262
    #26 0x1317848 in plapi_init_with_args pcl/pl/plapi.c:58
    #27 0x14a8fd1 in main pcl/pl/realmain.c:34
    #28 0x7fc63cacc82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-use-after-free base/ttinterp.c:4140 Ins_IP
==2530==ABORTING
Fixed: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=98f6da6
This was assigned CVE-2017-9612.