Created attachment 13878 [details]
POC to trigger out of bounds read (gs)

After some fuzz testing I found a crashing test case.

Git Head: 0b7fa9293f43dce8aea028e4d2b32da1d8fc18c8

Command:
gs -dNOPAUSE -sDEVICE=bit -sOUTPUTFILE=/dev/null -dSAFER gs_oobr_igc_reloc_struct_ptr -c quit

ASAN:
==6596==ERROR: AddressSanitizer: SEGV on unknown address 0x629fffffffe0 (pc 0x000001bf15aa bp 0x7ffdaf7cd170 sp 0x7ffdaf7cd070 T0)
==6596==The signal is caused by a READ memory access.
    #0 0x1bf15a9 in igc_reloc_struct_ptr XYZ/ghostpdl/./psi/igc.c:1307:68
    #1 0x1bfb71a in igc_reloc_refs XYZ/ghostpdl/./psi/igcref.c:434:21
    #2 0x1bf60e9 in gc_do_reloc XYZ/ghostpdl/./psi/igc.c:1246:17
    #3 0x1bf60e9 in gs_gc_reclaim XYZ/ghostpdl/./psi/igc.c:450
    #4 0x1cdce57 in context_reclaim XYZ/ghostpdl/./psi/zcontext.c:290:5
    #5 0x1aecbdf in gs_vmreclaim XYZ/ghostpdl/./psi/ireclaim.c:163:9
    #6 0x1aecbdf in ireclaim XYZ/ghostpdl/./psi/ireclaim.c:80
    #7 0x1ad35ac in interp_reclaim XYZ/ghostpdl/./psi/interp.c:447:12
    #8 0x1aaae7e in gs_main_finit XYZ/ghostpdl/./psi/imain.c:914:20
    #9 0x56c040 in main XYZ/ghostpdl/./psi/gs.c:139:9
    #10 0x7f7ec6757439 in __libc_start_main (/usr/lib/libc.so.6+0x20439)
    #11 0x47d4e9 in _start (/usr/local/bin/gs+0x47d4e9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV XYZ/ghostpdl/./psi/igc.c:1307:68 in igc_reloc_struct_ptr
==6596==ABORTING

BTW, please unlock recently fixed issues and request some CVEs for them :)
Fixed in: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=671fd59eb