Created attachment 13798 [details]
PoC

Hi. I found a crashing test case. The crash does not occur in the non-ASan environment. Memory corruption occurs in the ASan environment or in Valgrind. Please confirm. Thanks.

Version 9.22 and Git Head: 937ccd17ac65935633b2ebc06cb7089b91e17e6b
OS: Ubuntu 16.04.2 32bit
Command: ./gxps -sDEVICE=pdfwrite -sOutputFile=/dev/null -dNOPAUSE $FILE

Valgrind:OUT
------------------
==27941== Conditional jump or move depends on uninitialised value(s)
==27941==    at 0x40330C5: bcmp (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==27941==    by 0x82C142F: copy_glyph_name (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82C1E02: copy_glyph_type42 (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82C34A8: gs_copy_glyph_options (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82AF861: pdf_encode_string_element (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82B0404: process_text_modify_width (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82B0CED: pdf_process_string (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82B26EA: process_plain_text (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82BDE98: pdf_text_process (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8490A8B: xps_flush_text_buffer.isra.2 (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x849173B: xps_parse_glyphs_imp (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8492113: xps_parse_glyphs (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==
==27941== Conditional jump or move depends on uninitialised value(s)
==27941==    at 0x40330F4: bcmp (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==27941==    by 0x82C142F: copy_glyph_name (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82C1E02: copy_glyph_type42 (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82C34A8: gs_copy_glyph_options (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82AF861: pdf_encode_string_element (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82B0404: process_text_modify_width (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82B0CED: pdf_process_string (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82B26EA: process_plain_text (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82BDE98: pdf_text_process (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8490A8B: xps_flush_text_buffer.isra.2 (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x849173B: xps_parse_glyphs_imp (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8492113: xps_parse_glyphs (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==
==27941== Conditional jump or move depends on uninitialised value(s)
==27941==    at 0x82C1435: copy_glyph_name (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82C1E02: copy_glyph_type42 (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82C34A8: gs_copy_glyph_options (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82AF861: pdf_encode_string_element (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82B0404: process_text_modify_width (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82B0CED: pdf_process_string (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82B26EA: process_plain_text (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82BDE98: pdf_text_process (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8490A8B: xps_flush_text_buffer.isra.2 (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x849173B: xps_parse_glyphs_imp (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8492113: xps_parse_glyphs (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x84868B0: xps_parse_fixed_page (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==
==27941== Conditional jump or move depends on uninitialised value(s)
==27941==    at 0x40330F4: bcmp (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==27941==    by 0x83786F9: gs_c_name_glyph (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82ADF24: pdf_compute_font_descriptor (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82AE739: pdf_finish_FontDescriptor (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82BF7E6: pdf_finish_resources (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8268E96: do_pdf_close (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x826D7C8: pdf_close (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8380DAC: gs_closedevice.part.3 (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x84D1665: pl_main_universe_dnit (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x84D16C7: pl_main_delete_instance (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x847689C: plapi_delete_instance (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x809DB88: main (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==
==27941== Conditional jump or move depends on uninitialised value(s)
==27941==    at 0x8378700: gs_c_name_glyph (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82ADF24: pdf_compute_font_descriptor (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82AE739: pdf_finish_FontDescriptor (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82BF7E6: pdf_finish_resources (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8268E96: do_pdf_close (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x826D7C8: pdf_close (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8380DAC: gs_closedevice.part.3 (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x84D1665: pl_main_universe_dnit (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x84D16C7: pl_main_delete_instance (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x847689C: plapi_delete_instance (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x809DB88: main (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==
==27941== Conditional jump or move depends on uninitialised value(s)
==27941==    at 0x8378702: gs_c_name_glyph (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82ADF24: pdf_compute_font_descriptor (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82AE739: pdf_finish_FontDescriptor (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82BF7E6: pdf_finish_resources (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8268E96: do_pdf_close (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x826D7C8: pdf_close (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8380DAC: gs_closedevice.part.3 (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x84D1665: pl_main_universe_dnit (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x84D16C7: pl_main_delete_instance (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x847689C: plapi_delete_instance (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x809DB88: main (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==
==27941== Conditional jump or move depends on uninitialised value(s)
==27941==    at 0x403310F: bcmp (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==27941==    by 0x83786F9: gs_c_name_glyph (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82ADF24: pdf_compute_font_descriptor (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82AE739: pdf_finish_FontDescriptor (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82BF7E6: pdf_finish_resources (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8268E96: do_pdf_close (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x826D7C8: pdf_close (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8380DAC: gs_closedevice.part.3 (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x84D1665: pl_main_universe_dnit (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x84D16C7: pl_main_delete_instance (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x847689C: plapi_delete_instance (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x809DB88: main (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==
==27941== Conditional jump or move depends on uninitialised value(s)
==27941==    at 0x40330F4: bcmp (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==27941==    by 0x8389AD2: gs_font_glyph_is_notdef.part.1 (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82AE084: pdf_compute_font_descriptor (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82AE739: pdf_finish_FontDescriptor (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82BF7E6: pdf_finish_resources (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8268E96: do_pdf_close (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x826D7C8: pdf_close (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8380DAC: gs_closedevice.part.3 (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x84D1665: pl_main_universe_dnit (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x84D16C7: pl_main_delete_instance (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x847689C: plapi_delete_instance (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x809DB88: main (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==
==27941== Conditional jump or move depends on uninitialised value(s)
==27941==    at 0x82AE08A: pdf_compute_font_descriptor (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82AE739: pdf_finish_FontDescriptor (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82BF7E6: pdf_finish_resources (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8268E96: do_pdf_close (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x826D7C8: pdf_close (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8380DAC: gs_closedevice.part.3 (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x84D1665: pl_main_universe_dnit (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x84D16C7: pl_main_delete_instance (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x847689C: plapi_delete_instance (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x809DB88: main (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==
==27941== Invalid read of size 1
==27941==    at 0x80DF74F: Ins_JMPR (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x80E3770: RunIns (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x80E4873: Context_Run (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x80DD52B: ttfOutliner__BuildGlyphOutlineAux (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x80DEA2F: ttfOutliner__Outline (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x80E6C77: gx_ttf_outline (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x80DB1CD: gs_type42_glyph_outline (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8389759: gs_default_glyph_info (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x80DB378: gs_type42_glyph_info_by_gid (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x80DB6A0: gs_type42_glyph_info (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82ADD33: pdf_compute_font_descriptor (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82AE739: pdf_finish_FontDescriptor (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==  Address 0x43e0bb9 is 56,977 bytes inside a block of size 65,576 free'd
==27941==    at 0x402E358: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==27941==    by 0x8224E57: s_zlib_free (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8133418: deflateEnd (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8224FF3: s_zlibE_release (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8214BC2: sclose (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82936F8: stream_to_none (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8294350: pdf_close_contents (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82688CD: pdf_close_page (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x826EB08: pdf_output_page (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8381052: gs_output_page (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x84D3461: pl_finish_page (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x809E5AF: xps_show_page (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==  Block was alloc'd at
==27941==    at 0x402D17C: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==27941==    by 0x8392730: gs_heap_alloc_bytes (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8221F3A: chunk_obj_alloc (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8224DCE: s_zlib_alloc (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8133653: deflateInit2_ (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8225150: s_zlibE_init (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82941B1: none_to_stream (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82956E9: pdf_open_page (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82BDF69: pdf_text_process (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8490A8B: xps_flush_text_buffer.isra.2 (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x849173B: xps_parse_glyphs_imp (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8492113: xps_parse_glyphs (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==
==27941== Invalid read of size 1
==27941==    at 0x80DF755: Ins_JMPR (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x80E3770: RunIns (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x80E4873: Context_Run (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x80DD52B: ttfOutliner__BuildGlyphOutlineAux (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x80DEA2F: ttfOutliner__Outline (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x80E6C77: gx_ttf_outline (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x80DB1CD: gs_type42_glyph_outline (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8389759: gs_default_glyph_info (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x80DB378: gs_type42_glyph_info_by_gid (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x80DB6A0: gs_type42_glyph_info (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82ADD33: pdf_compute_font_descriptor (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82AE739: pdf_finish_FontDescriptor (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==  Address 0x43e0bb8 is 56,976 bytes inside a block of size 65,576 free'd
==27941==    at 0x402E358: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==27941==    by 0x8224E57: s_zlib_free (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8133418: deflateEnd (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8224FF3: s_zlibE_release (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8214BC2: sclose (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82936F8: stream_to_none (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8294350: pdf_close_contents (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82688CD: pdf_close_page (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x826EB08: pdf_output_page (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8381052: gs_output_page (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x84D3461: pl_finish_page (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x809E5AF: xps_show_page (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==  Block was alloc'd at
==27941==    at 0x402D17C: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==27941==    by 0x8392730: gs_heap_alloc_bytes (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8221F3A: chunk_obj_alloc (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8224DCE: s_zlib_alloc (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8133653: deflateInit2_ (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8225150: s_zlibE_init (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82941B1: none_to_stream (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82956E9: pdf_open_page (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82BDF69: pdf_text_process (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8490A8B: xps_flush_text_buffer.isra.2 (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x849173B: xps_parse_glyphs_imp (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8492113: xps_parse_glyphs (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==
==27941== Invalid read of size 1
==27941==    at 0x80DF178: Calc_Length (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x80E36EA: RunIns (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x80E4873: Context_Run (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x80DD52B: ttfOutliner__BuildGlyphOutlineAux (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x80DEA2F: ttfOutliner__Outline (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x80E6C77: gx_ttf_outline (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x80DB1CD: gs_type42_glyph_outline (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8389759: gs_default_glyph_info (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x80DB378: gs_type42_glyph_info_by_gid (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x80DB6A0: gs_type42_glyph_info (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82ADD33: pdf_compute_font_descriptor (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82AE739: pdf_finish_FontDescriptor (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==  Address 0x43e0bb9 is 56,977 bytes inside a block of size 65,576 free'd
==27941==    at 0x402E358: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==27941==    by 0x8224E57: s_zlib_free (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8133418: deflateEnd (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8224FF3: s_zlibE_release (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8214BC2: sclose (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82936F8: stream_to_none (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8294350: pdf_close_contents (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82688CD: pdf_close_page (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x826EB08: pdf_output_page (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8381052: gs_output_page (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x84D3461: pl_finish_page (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x809E5AF: xps_show_page (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==  Block was alloc'd at
==27941==    at 0x402D17C: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==27941==    by 0x8392730: gs_heap_alloc_bytes (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8221F3A: chunk_obj_alloc (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8224DCE: s_zlib_alloc (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8133653: deflateInit2_ (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8225150: s_zlibE_init (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82941B1: none_to_stream (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82956E9: pdf_open_page (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82BDF69: pdf_text_process (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8490A8B: xps_flush_text_buffer.isra.2 (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x849173B: xps_parse_glyphs_imp (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8492113: xps_parse_glyphs (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==
==27941== Conditional jump or move depends on uninitialised value(s)
==27941==    at 0x40330C5: bcmp (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==27941==    by 0x82C445D: copied_drop_extension_glyphs (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82AAFE0: pdf_write_embedded_font (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82AE77A: pdf_finish_FontDescriptor (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82BF7E6: pdf_finish_resources (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8268E96: do_pdf_close (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x826D7C8: pdf_close (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8380DAC: gs_closedevice.part.3 (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x84D1665: pl_main_universe_dnit (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x84D16C7: pl_main_delete_instance (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x847689C: plapi_delete_instance (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x809DB88: main (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==
==27941== Conditional jump or move depends on uninitialised value(s)
==27941==    at 0x40330F4: bcmp (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==27941==    by 0x82C445D: copied_drop_extension_glyphs (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82AAFE0: pdf_write_embedded_font (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82AE77A: pdf_finish_FontDescriptor (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82BF7E6: pdf_finish_resources (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8268E96: do_pdf_close (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x826D7C8: pdf_close (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8380DAC: gs_closedevice.part.3 (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x84D1665: pl_main_universe_dnit (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x84D16C7: pl_main_delete_instance (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x847689C: plapi_delete_instance (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x809DB88: main (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==
==27941== Conditional jump or move depends on uninitialised value(s)
==27941==    at 0x82C4463: copied_drop_extension_glyphs (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82AAFE0: pdf_write_embedded_font (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82AE77A: pdf_finish_FontDescriptor (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x82BF7E6: pdf_finish_resources (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8268E96: do_pdf_close (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x826D7C8: pdf_close (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x8380DAC: gs_closedevice.part.3 (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x84D1665: pl_main_universe_dnit (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x84D16C7: pl_main_delete_instance (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x847689C: plapi_delete_instance (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==27941==    by 0x809DB88: main (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
--------------

ASan:OUT
=================================================================
==16317==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb4cc6639 at pc 0x08185506 bp 0xbf9bf368 sp 0xbf9bf358
READ of size 1 at 0xb4cc6639 thread T0
    #0 0x8185505 in Ins_JMPR base/ttinterp.c:1801
    #1 0x8198f27 in RunIns base/ttinterp.c:5036
    #2 0x819e83e in Context_Run base/ttobjs.c:457
    #3 0x817aa32 in ttfOutliner__BuildGlyphOutlineAux base/ttfmain.c:827
    #4 0x817afef in ttfOutliner__BuildGlyphOutline base/ttfmain.c:874
    #5 0x817d568 in ttfOutliner__Outline base/ttfmain.c:1033
    #6 0x81a8cdc in gx_ttf_outline base/gxttfb.c:788
    #7 0x816e1fa in append_outline_fitted base/gstype42.c:1595
    #8 0x816bb66 in gs_type42_glyph_outline base/gstype42.c:991
    #9 0x8ba4ad8 in gs_default_glyph_info base/gsfont.c:1036
    #10 0x816c004 in gs_type42_glyph_info_by_gid base/gstype42.c:1017
    #11 0x816c82e in gs_type42_glyph_info base/gstype42.c:1088
    #12 0x8870bfd in pdf_compute_font_descriptor devices/vector/gdevpdtd.c:457
    #13 0x8871f8b in pdf_finish_FontDescriptor devices/vector/gdevpdtd.c:636
    #14 0x88bcf90 in pdf_finish_resources devices/vector/gdevpdtw.c:677
    #15 0x877d824 in do_pdf_close devices/vector/gdevpdf.c:2569
    #16 0x8784581 in pdf_close devices/vector/gdevpdf.c:3281
    #17 0x8b83bfe in gs_closedevice base/gsdevice.c:720
    #18 0x911ed8b in pl_main_universe_dnit pcl/pl/plmain.c:557
    #19 0x911e4d9 in pl_main_delete_instance pcl/pl/plmain.c:436
    #20 0x8f8bdc7 in plapi_delete_instance pcl/pl/plapi.c:89
    #21 0x911d382 in main pcl/pl/realmain.c:50
    #22 0xb7013636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
    #23 0x8099f90 (/home/karas/gwanyeong/update-06-14-ghostpdl/ghostpdl/bin/gxps+0x8099f90)

0xb4cc6639 is located 7697 bytes to the right of 65576-byte region [0xb4cb4800,0xb4cc4828)
freed by thread T0 here:
    #0 0xb72bea84 in free (/usr/lib/i386-linux-gnu/libasan.so.2+0x96a84)
    #1 0x8bc87b1 in gs_heap_free_object base/gsmalloc.c:358
    #2 0x865514e in chunk_free_object base/gsmchunk.c:1092
    #3 0x866543c in s_zlib_free base/szlibc.c:110
    #4 0x82e4ae1 in deflateEnd zlib/deflate.c:998
    #5 0x8665fea in s_zlibE_release base/szlibe.c:88
    #6 0x8621657 in sclose base/stream.c:434
    #7 0x8811491 in stream_to_none devices/vector/gdevpdfu.c:1092
    #8 0x881184d in pdf_open_contents devices/vector/gdevpdfu.c:1118
    #9 0x8811a43 in pdf_close_contents devices/vector/gdevpdfu.c:1142
    #10 0x876a1b2 in pdf_close_page devices/vector/gdevpdf.c:973
    #11 0x876e2a2 in pdf_output_page devices/vector/gdevpdf.c:1395
    #12 0x8b804f2 in gs_output_page base/gsdevice.c:210
    #13 0x9124922 in pl_finish_page pcl/pl/plmain.c:1488
    #14 0x809c204 in xps_show_page xps/xpstop.c:428
    #15 0x8fc00d0 in xps_parse_fixed_page xps/xpspage.c:306
    #16 0x8fb95cd in xps_read_and_process_page_part xps/xpszip.c:539
    #17 0x8fba220 in xps_process_file xps/xpszip.c:688
    #18 0x809b252 in xps_imp_process_file xps/xpstop.c:228
    #19 0x8f8acbe in pl_process_file pcl/pl/pltop.c:70
    #20 0x911e1ca in pl_main_run_file pcl/pl/plmain.c:377
    #21 0x91237a4 in pl_main_process_options pcl/pl/plmain.c:1313
    #22 0x911d9dd in pl_main_init_with_args pcl/pl/plmain.c:262
    #23 0x8f8bc81 in plapi_init_with_args pcl/pl/plapi.c:58
    #24 0x911d2b9 in main pcl/pl/realmain.c:34
    #25 0xb7013636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)

previously allocated by thread T0 here:
    #0 0xb72bedee in malloc (/usr/lib/i386-linux-gnu/libasan.so.2+0x96dee)
    #1 0x8bc7b08 in gs_heap_alloc_bytes base/gsmalloc.c:193
    #2 0x8653bae in chunk_obj_alloc base/gsmchunk.c:789
    #3 0x8654a85 in chunk_alloc_bytes base/gsmchunk.c:977
    #4 0x8654b50 in chunk_alloc_byte_array_immovable base/gsmchunk.c:998
    #5 0x86650e5 in s_zlib_alloc base/szlibc.c:87
    #6 0x82ddb1c in deflateInit2_ zlib/deflate.c:301
    #7 0x86659d7 in s_zlibE_init base/szlibe.c:31
    #8 0x8810a6e in none_to_stream devices/vector/gdevpdfu.c:996
    #9 0x881184d in pdf_open_contents devices/vector/gdevpdfu.c:1118
    #10 0x8815ce5 in pdf_open_page devices/vector/gdevpdfu.c:1877
    #11 0x889fb19 in pdf_prepare_text_drawing devices/vector/gdevpdtt.c:417
    #12 0x88b5118 in pdf_text_process devices/vector/gdevpdtt.c:3112
    #13 0x8bf827d in gs_text_process base/gstext.c:574
    #14 0x8fdf3ad in xps_flush_text_buffer xps/xpsglyphs.c:324
    #15 0x8fe087f in xps_parse_glyphs_imp xps/xpsglyphs.c:569
    #16 0x8fe1b84 in xps_parse_glyphs xps/xpsglyphs.c:809
    #17 0x8fc1982 in xps_parse_element xps/xpscommon.c:68
    #18 0x8fbfda7 in xps_parse_fixed_page xps/xpspage.c:279
    #19 0x8fb95cd in xps_read_and_process_page_part xps/xpszip.c:539
    #20 0x8fba220 in xps_process_file xps/xpszip.c:688
    #21 0x809b252 in xps_imp_process_file xps/xpstop.c:228
    #22 0x8f8acbe in pl_process_file pcl/pl/pltop.c:70
    #23 0x911e1ca in pl_main_run_file pcl/pl/plmain.c:377
    #24 0x91237a4 in pl_main_process_options pcl/pl/plmain.c:1313
    #25 0x911d9dd in pl_main_init_with_args pcl/pl/plmain.c:262
    #26 0x8f8bc81 in plapi_init_with_args pcl/pl/plapi.c:58
    #27 0x911d2b9 in main pcl/pl/realmain.c:34
    #28 0xb7013636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)

SUMMARY: AddressSanitizer: heap-buffer-overflow base/ttinterp.c:1801 Ins_JMPR
Shadow bytes around the buggy address:
  0x36998c70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36998c80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36998c90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36998ca0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36998cb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x36998cc0: fa fa fa fa fa fa fa[fa]fa fa fa fa fa fa fa fa
  0x36998cd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36998ce0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36998cf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36998d00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36998d10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==16317==ABORTING
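The ASan trace above places the one-byte out-of-bounds read in Ins_JMPR, the handler for the TrueType JMPR (relative jump) instruction, at an address outside any live allocation. The report does not say which check was missing, so what follows is an added illustration and not Ghostscript's interpreter: a toy fetch/execute loop for three TrueType opcodes whose JMPR handler validates the font-supplied jump target against the instruction buffer before moving the instruction pointer, plus a step budget so a backward jump cannot spin forever. Opcode values are the TrueType ones; the sample programs, status codes and budget are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Opcode values from the TrueType instruction set; STACK_MAX and STEP_BUDGET are this toy's own. */
enum { OP_JMPR = 0x1C, OP_PUSHB0 = 0xB0, OP_PUSHW0 = 0xB8, STACK_MAX = 16, STEP_BUDGET = 1000 };

typedef enum {
    VM_OK = 0, VM_END = 1,     /* instruction executed / stream finished normally */
    VM_ERR_BOUNDS = -1,        /* operand fetch or jump target outside the code buffer */
    VM_ERR_STACK = -2,         /* stack underflow or overflow */
    VM_ERR_OPCODE = -3,        /* opcode this toy does not implement */
    VM_ERR_LOOP = -4           /* step budget exhausted (a backward jump that never ends) */
} vm_status;

typedef struct {
    const uint8_t *code;       /* glyph instruction stream */
    size_t code_size;
    size_t ip;                 /* index of the next byte to fetch */
    int32_t stack[STACK_MAX];
    size_t sp;
} vm_t;

static vm_status step(vm_t *vm)
{
    if (vm->ip >= vm->code_size) return VM_END;
    switch (vm->code[vm->ip++]) {
    case OP_PUSHB0:            /* push one unsigned byte */
        if (vm->code_size - vm->ip < 1) return VM_ERR_BOUNDS;
        if (vm->sp >= STACK_MAX) return VM_ERR_STACK;
        vm->stack[vm->sp++] = vm->code[vm->ip++];
        return VM_OK;
    case OP_PUSHW0: {          /* push one signed big-endian 16-bit word */
        if (vm->code_size - vm->ip < 2) return VM_ERR_BOUNDS;
        if (vm->sp >= STACK_MAX) return VM_ERR_STACK;
        int32_t w = (vm->code[vm->ip] << 8) | vm->code[vm->ip + 1];
        vm->stack[vm->sp++] = (w & 0x8000) ? w - 0x10000 : w;
        vm->ip += 2;
        return VM_OK;
    }
    case OP_JMPR: {            /* pop offset; jump relative to the JMPR opcode itself */
        if (vm->sp == 0) return VM_ERR_STACK;
        int64_t target = (int64_t)(vm->ip - 1) + vm->stack[--vm->sp];
        /* The guard this example exists to show: the offset comes from the font file, so it
         * must never move ip before the program start or past its end (== code_size is a clean exit). */
        if (target < 0 || target > (int64_t)vm->code_size)
            return VM_ERR_BOUNDS;
        vm->ip = (size_t)target;
        return VM_OK;
    }
    default:
        return VM_ERR_OPCODE;
    }
}

/* Run a program from a fresh state under a step budget; the final state is copied to *out. */
static vm_status run_stream(const uint8_t *code, size_t n, vm_t *out)
{
    vm_t vm = { code, n, 0, {0}, 0 };
    vm_status st = VM_OK;
    for (int i = 0; i < STEP_BUDGET && st == VM_OK; i++)
        st = step(&vm);
    if (out) *out = vm;
    return st == VM_OK ? VM_ERR_LOOP : st;
}

/* Constructed sample programs (not taken from the PoC attachment). */
static const uint8_t STREAM_FORWARD[]  = { 0xB0, 0x03, 0x1C, 0xB0, 0x7F, 0xB0, 0x2A }; /* PUSHB 3; JMPR skips PUSHB 0x7F, lands on PUSHB 42 */
static const uint8_t STREAM_TO_END[]   = { 0xB0, 0x01, 0x1C };       /* PUSHB 1; JMPR lands exactly on the end */
static const uint8_t STREAM_PAST_END[] = { 0xB0, 0x20, 0x1C };       /* PUSHB 32; JMPR target 34 in a 3-byte program */
static const uint8_t STREAM_BEFORE[]   = { 0xB8, 0xFF, 0xF0, 0x1C }; /* PUSHW -16; JMPR target -13 */
static const uint8_t STREAM_LOOP[]     = { 0xB8, 0xFF, 0xFD, 0x1C }; /* PUSHW -3; JMPR back to index 0 forever */

/* Value left on the stack by STREAM_FORWARD, or -1 if it did not finish cleanly. */
static int demo_forward_value(void)
{
    vm_t v;
    if (run_stream(STREAM_FORWARD, sizeof STREAM_FORWARD, &v) != VM_END || v.sp != 1)
        return -1;
    return v.stack[0];
}

int main(void)
{
    printf("forward jump leaves %d on the stack; past-end jump status %d; endless loop status %d\n",
           demo_forward_value(), run_stream(STREAM_PAST_END, sizeof STREAM_PAST_END, NULL),
           run_stream(STREAM_LOOP, sizeof STREAM_LOOP, NULL));
    return 0;
}
```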
Fixed: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=c501a58f
This was assigned CVE-2017-9739