Created attachment 13799
PoC

Hi.
I found a crashing test case. Crash does not occur in the no-ASan environment. Memory corruption occurs in the ASan environment or in Valgrind. Please confirm. Thanks.

Version 9.22 and Git Head: 937ccd17ac65935633b2ebc06cb7089b91e17e6b
OS: Ubuntu 16.04.2 32bit
Command: ./gxps -sDEVICE=pdfwrite -sOutputFile=/dev/null -dNOPAUSE $FILE

Valgrind:OUT
------------------
==4657== Conditional jump or move depends on uninitialised value(s)
==4657==    at 0x849278A: xps_encode_font_char_imp.isra.1 (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x84933D8: xps_encode_font_char (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x8493D22: xps_true_callback_encode_char (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x82B2943: process_plain_text (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x82BDE98: pdf_text_process (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x8490A8B: xps_flush_text_buffer.isra.2 (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x849173B: xps_parse_glyphs_imp (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x8492113: xps_parse_glyphs (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x84868B0: xps_parse_fixed_page (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x8484756: xps_process_file (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x809DFB8: xps_imp_process_file (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x84D1B6C: pl_main_run_file (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657== 
==4657== Conditional jump or move depends on uninitialised value(s)
==4657==    at 0x40330C5: bcmp (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==4657==    by 0x82C142F: copy_glyph_name (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x82C1E02: copy_glyph_type42 (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x82C34A8: gs_copy_glyph_options (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x82AF861: pdf_encode_string_element (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x82B0404: process_text_modify_width (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x82B0CED: pdf_process_string (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x82B26EA: process_plain_text (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x82BDE98: pdf_text_process (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x8490A8B: xps_flush_text_buffer.isra.2 (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x849173B: xps_parse_glyphs_imp (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x8492113: xps_parse_glyphs (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657== 
==4657== Conditional jump or move depends on uninitialised value(s)
==4657==    at 0x40330F4: bcmp (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==4657==    by 0x82C142F: copy_glyph_name (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x82C1E02: copy_glyph_type42 (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x82C34A8: gs_copy_glyph_options (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x82AF861: pdf_encode_string_element (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x82B0404: process_text_modify_width (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x82B0CED: pdf_process_string (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x82B26EA: process_plain_text (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x82BDE98: pdf_text_process (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x8490A8B: xps_flush_text_buffer.isra.2 (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x849173B: xps_parse_glyphs_imp (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x8492113: xps_parse_glyphs (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657== 
==4657== Conditional jump or move depends on uninitialised value(s)
==4657==    at 0x82C1435: copy_glyph_name (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x82C1E02: copy_glyph_type42 (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x82C34A8: gs_copy_glyph_options (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x82AF861: pdf_encode_string_element (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x82B0404: process_text_modify_width (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x82B0CED: pdf_process_string (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x82B26EA: process_plain_text (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x82BDE98: pdf_text_process (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x8490A8B: xps_flush_text_buffer.isra.2 (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x849173B: xps_parse_glyphs_imp (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x8492113: xps_parse_glyphs (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x84868B0: xps_parse_fixed_page (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657== 
==4657== Conditional jump or move depends on uninitialised value(s)
==4657==    at 0x8493323: xps_decode_font_char (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x8493CED: xps_true_callback_decode_glyph (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x82AF714: pdf_add_ToUnicode.part.1 (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x82AF8EE: pdf_encode_string_element (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x82B0404: process_text_modify_width (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x82B0CED: pdf_process_string (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x82B26EA: process_plain_text (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x82BDE98: pdf_text_process (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x8490A8B: xps_flush_text_buffer.isra.2 (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x849173B: xps_parse_glyphs_imp (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x8492113: xps_parse_glyphs (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x84868B0: xps_parse_fixed_page (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657== 
GPL Ghostscript GIT PRERELEASE 9.22: Failed to interpret TT instructions in font Unknown. Continue ignoring instructions of the font.
==4657== Conditional jump or move depends on uninitialised value(s)
==4657==    at 0x40330F4: bcmp (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==4657==    by 0x83786F9: gs_c_name_glyph (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x82ADF24: pdf_compute_font_descriptor (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x82AE739: pdf_finish_FontDescriptor (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x82BF7E6: pdf_finish_resources (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x8268E96: do_pdf_close (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x826D7C8: pdf_close (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x8380DAC: gs_closedevice.part.3 (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x84D1665: pl_main_universe_dnit (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x84D16C7: pl_main_delete_instance (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x847689C: plapi_delete_instance (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x809DB88: main (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657== 
==4657== Conditional jump or move depends on uninitialised value(s)
==4657==    at 0x8378700: gs_c_name_glyph (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x82ADF24: pdf_compute_font_descriptor (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x82AE739: pdf_finish_FontDescriptor (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x82BF7E6: pdf_finish_resources (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x8268E96: do_pdf_close (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x826D7C8: pdf_close (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x8380DAC: gs_closedevice.part.3 (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x84D1665: pl_main_universe_dnit (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x84D16C7: pl_main_delete_instance (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x847689C: plapi_delete_instance (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x809DB88: main (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657== 
==4657== Conditional jump or move depends on uninitialised value(s)
==4657==    at 0x8378702: gs_c_name_glyph (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x82ADF24: pdf_compute_font_descriptor (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x82AE739: pdf_finish_FontDescriptor (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x82BF7E6: pdf_finish_resources (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x8268E96: do_pdf_close (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x826D7C8: pdf_close (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x8380DAC: gs_closedevice.part.3 (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x84D1665: pl_main_universe_dnit (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x84D16C7: pl_main_delete_instance (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x847689C: plapi_delete_instance (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x809DB88: main (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657== 
==4657== Conditional jump or move depends on uninitialised value(s)
==4657==    at 0x403310F: bcmp (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==4657==    by 0x83786F9: gs_c_name_glyph (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x82ADF24: pdf_compute_font_descriptor (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x82AE739: pdf_finish_FontDescriptor (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x82BF7E6: pdf_finish_resources (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x8268E96: do_pdf_close (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x826D7C8: pdf_close (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x8380DAC: gs_closedevice.part.3 (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x84D1665: pl_main_universe_dnit (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x84D16C7: pl_main_delete_instance (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x847689C: plapi_delete_instance (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x809DB88: main (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657== 
==4657== Conditional jump or move depends on uninitialised value(s)
==4657==    at 0x40330F4: bcmp (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==4657==    by 0x8389AD2: gs_font_glyph_is_notdef.part.1 (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x82AE084: pdf_compute_font_descriptor (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x82AE739: pdf_finish_FontDescriptor (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x82BF7E6: pdf_finish_resources (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x8268E96: do_pdf_close (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x826D7C8: pdf_close (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x8380DAC: gs_closedevice.part.3 (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x84D1665: pl_main_universe_dnit (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x84D16C7: pl_main_delete_instance (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x847689C: plapi_delete_instance (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x809DB88: main (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657== 
==4657== Conditional jump or move depends on uninitialised value(s)
==4657==    at 0x82AE08A: pdf_compute_font_descriptor (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x82AE739: pdf_finish_FontDescriptor (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x82BF7E6: pdf_finish_resources (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x8268E96: do_pdf_close (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x826D7C8: pdf_close (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x8380DAC: gs_closedevice.part.3 (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x84D1665: pl_main_universe_dnit (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x84D16C7: pl_main_delete_instance (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x847689C: plapi_delete_instance (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x809DB88: main (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657== 
==4657== Conditional jump or move depends on uninitialised value(s)
==4657==    at 0x40330C5: bcmp (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==4657==    by 0x82C445D: copied_drop_extension_glyphs (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x82AAFE0: pdf_write_embedded_font (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x82AE77A: pdf_finish_FontDescriptor (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x82BF7E6: pdf_finish_resources (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x8268E96: do_pdf_close (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x826D7C8: pdf_close (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x8380DAC: gs_closedevice.part.3 (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x84D1665: pl_main_universe_dnit (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x84D16C7: pl_main_delete_instance (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x847689C: plapi_delete_instance (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x809DB88: main (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657== 
==4657== Conditional jump or move depends on uninitialised value(s)
==4657==    at 0x40330F4: bcmp (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==4657==    by 0x82C445D: copied_drop_extension_glyphs (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x82AAFE0: pdf_write_embedded_font (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x82AE77A: pdf_finish_FontDescriptor (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x82BF7E6: pdf_finish_resources (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x8268E96: do_pdf_close (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x826D7C8: pdf_close (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x8380DAC: gs_closedevice.part.3 (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x84D1665: pl_main_universe_dnit (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x84D16C7: pl_main_delete_instance (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x847689C: plapi_delete_instance (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x809DB88: main (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657== 
==4657== Conditional jump or move depends on uninitialised value(s)
==4657==    at 0x82C4463: copied_drop_extension_glyphs (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x82AAFE0: pdf_write_embedded_font (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x82AE77A: pdf_finish_FontDescriptor (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x82BF7E6: pdf_finish_resources (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x8268E96: do_pdf_close (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x826D7C8: pdf_close (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x8380DAC: gs_closedevice.part.3 (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x84D1665: pl_main_universe_dnit (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x84D16C7: pl_main_delete_instance (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x847689C: plapi_delete_instance (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
==4657==    by 0x809DB88: main (in /home/karas/gwanyeong/ghostpdl/bin/gxps)
------------------

ASan:OUT
------------------
==32734==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb4c63c23 at pc 0x08fe22a3 bp 0xbfb03518 sp 0xbfb03508
READ of size 1 at 0xb4c63c23 thread T0
    #0 0x8fe22a2 in u16 xps/xpsfont.c:34
    #1 0x8fe4627 in xps_decode_font_char_imp xps/xpsfont.c:520
    #2 0x8fe489b in xps_decode_font_char xps/xpsfont.c:584
    #3 0x8fe5992 in xps_true_callback_decode_glyph xps/xpsttf.c:126
    #4 0x88747cf in pdf_add_ToUnicode devices/vector/gdevpdte.c:157
    #5 0x8875d61 in pdf_encode_string_element devices/vector/gdevpdte.c:355
    #6 0x887f243 in process_text_modify_width devices/vector/gdevpdte.c:1157
    #7 0x88798e3 in pdf_process_string devices/vector/gdevpdte.c:699
    #8 0x8873ea1 in pdf_process_string_aux devices/vector/gdevpdte.c:79
    #9 0x8881abc in process_plain_text devices/vector/gdevpdte.c:1504
    #10 0x88b849d in pdf_text_process devices/vector/gdevpdtt.c:3552
    #11 0x8bf827d in gs_text_process base/gstext.c:574
    #12 0x8fdf3ad in xps_flush_text_buffer xps/xpsglyphs.c:324
    #13 0x8fe087f in xps_parse_glyphs_imp xps/xpsglyphs.c:569
    #14 0x8fe1b84 in xps_parse_glyphs xps/xpsglyphs.c:809
    #15 0x8fc1982 in xps_parse_element xps/xpscommon.c:68
    #16 0x8fbfda7 in xps_parse_fixed_page xps/xpspage.c:279
    #17 0x8fb95cd in xps_read_and_process_page_part xps/xpszip.c:539
    #18 0x8fba220 in xps_process_file xps/xpszip.c:688
    #19 0x809b252 in xps_imp_process_file xps/xpstop.c:228
    #20 0x8f8acbe in pl_process_file pcl/pl/pltop.c:70
    #21 0x911e1ca in pl_main_run_file pcl/pl/plmain.c:377
    #22 0x91237a4 in pl_main_process_options pcl/pl/plmain.c:1313
    #23 0x911d9dd in pl_main_init_with_args pcl/pl/plmain.c:262
    #24 0x8f8bc81 in plapi_init_with_args pcl/pl/plapi.c:58
    #25 0x911d2b9 in main pcl/pl/realmain.c:34
    #26 0xb6f6e636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
    #27 0x8099f90 (/home/karas/gwanyeong/ghostpdl/bin/gxps+0x8099f90)

0xb4c63c23 is located 13323 bytes to the right of 65560-byte region [0xb4c50800,0xb4c60818)
allocated by thread T0 here:
    #0 0xb7219dee in malloc (/usr/lib/i386-linux-gnu/libasan.so.2+0x96dee)
    #1 0x8bc7b08 in gs_heap_alloc_bytes base/gsmalloc.c:193
    #2 0x86545e7 in chunk_obj_alloc base/gsmchunk.c:909
    #3 0x8654c20 in chunk_alloc_struct_array base/gsmchunk.c:1019
    #4 0x8e0609b in gx_char_cache_alloc base/gxccman.c:87
    #5 0x8b9fe4b in gs_font_dir_alloc2_limits base/gsfont.c:255
    #6 0x8b9fce9 in gs_font_dir_alloc2 base/gsfont.c:228
    #7 0x87692fe in pdf_open devices/vector/gdevpdf.c:834
    #8 0x8b81e34 in gs_opendevice base/gsdevice.c:456
    #9 0x911effa in pl_main_universe_select pcl/pl/plmain.c:581
    #10 0x911dfc6 in pl_main_run_file pcl/pl/plmain.c:341
    #11 0x91237a4 in pl_main_process_options pcl/pl/plmain.c:1313
    #12 0x911d9dd in pl_main_init_with_args pcl/pl/plmain.c:262
    #13 0x8f8bc81 in plapi_init_with_args pcl/pl/plapi.c:58
    #14 0x911d2b9 in main pcl/pl/realmain.c:34
    #15 0xb6f6e636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)

SUMMARY: AddressSanitizer: heap-buffer-overflow xps/xpsfont.c:34 u16
Shadow bytes around the buggy address:
  0x3698c730: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3698c740: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3698c750: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3698c760: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3698c770: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x3698c780: fa fa fa fa[fa]fa fa fa fa fa fa fa fa fa fa fa
  0x3698c790: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3698c7a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3698c7b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3698c7c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3698c7d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==32734==ABORTING
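The ASan trace above puts a 1-byte out-of-bounds READ in a `u16` helper reached from `xps_decode_font_char_imp`, i.e. a 16-bit big-endian read while walking a font cmap table that is not checked against the table's real length. The following is an added example (not Ghostscript's xpsfont.c, whose `u16` and the fix are not shown on this page) of the defensive shape for that bug class: a length-checked reader plus a cmap format 4 lookup that returns -1 instead of reading past the buffer when segment arrays or an `idRangeOffset` point outside the table; the sample tables are constructed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* A view over a font table: the bytes plus how many are really there. */
typedef struct { const uint8_t *data; size_t len; } table_t;
/* Big-endian u16 at off, or -1 if either byte lies outside the table. A
 * reader without this check is what a 1-byte OOB READ in a "u16" frame,
 * as in the ASan trace above, looks like. (Added example, not gs code.) */
static int u16_checked(const table_t *t, size_t off)
{
    if (off > t->len || t->len - off < 2) return -1;
    return (t->data[off] << 8) | t->data[off + 1];
}
/* cmap format 4 lookup: glyph id, 0 if unmapped, -1 if the table is
 * malformed (an array or an idRangeOffset target lies outside it). */
int cmap4_lookup(const table_t *t, unsigned code)
{
    int segx2 = u16_checked(t, 6);                    /* segCountX2 */
    if (segx2 < 0 || (segx2 & 1)) return -1;
    size_t nseg = (size_t)segx2 / 2;
    size_t ends = 14, starts = ends + segx2 + 2;      /* +2 skips reservedPad */
    size_t deltas = starts + segx2, ranges = deltas + segx2;
    for (size_t i = 0; i < nseg; i++) {
        int end   = u16_checked(t, ends   + 2 * i);
        int start = u16_checked(t, starts + 2 * i);
        int delta = u16_checked(t, deltas + 2 * i);
        int range = u16_checked(t, ranges + 2 * i);
        if (end < 0 || start < 0 || delta < 0 || range < 0)
            return -1;                                /* arrays run past the table */
        if (code < (unsigned)start || code > (unsigned)end) continue;
        if (range == 0) return (code + delta) & 0xffff;
        /* idRangeOffset is relative to its own slot, so it can point anywhere */
        int g = u16_checked(t, ranges + 2 * i + range + 2 * (code - start));
        if (g < 0) return -1;                         /* target outside the table */
        return g ? (g + delta) & 0xffff : 0;
    }
    return 0;
}
/* Constructed sample: segment U+0041..U+0043 -> glyphs 1..3, then the
 * 0xFFFF sentinel segment; length 32, segCountX2 4. */
static const uint8_t good_cmap4[32] = {
    0x00,0x04, 0x00,0x20, 0x00,0x00, 0x00,0x04, 0x00,0x04, 0x00,0x01, 0x00,0x00,
    0x00,0x43, 0xFF,0xFF, 0x00,0x00,  /* endCode[2], reservedPad */
    0x00,0x41, 0xFF,0xFF,             /* startCode[2] */
    0xFF,0xC0, 0x00,0x01,             /* idDelta[2]: (1 - 0x41) mod 2^16, 1 */
    0x00,0x00, 0x00,0x00 };           /* idRangeOffset[2] */
int lookup_good(unsigned code)
{   table_t t = { good_cmap4, sizeof good_cmap4 }; return cmap4_lookup(&t, code); }
/* Same table with two bytes patched and an optional shorter length: the
 * lookup must return -1 instead of reading outside buf. */
int lookup_patched(size_t at, uint8_t hi, uint8_t lo, size_t len)
{
    uint8_t buf[32];
    memcpy(buf, good_cmap4, sizeof buf);
    buf[at] = hi; buf[at + 1] = lo;
    table_t t = { buf, len };
    return cmap4_lookup(&t, 0x42);
}
```

Run under ASan, the patched cases would be exactly the kind of read the report shows if the length check in `u16_checked` were removed; with it they fail closed.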
Fixed: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=961b10c
This was assigned CVE-2017-9740.