Bug 699668 - .definemodifiedfont memory corruption if /typecheck is handled
Summary: .definemodifiedfont memory corruption if /typecheck is handled
Status: RESOLVED FIXED
Alias: None
Product: Ghostscript
Classification: Unclassified
Component: General
Version: unspecified
Hardware: PC Linux
Importance: P4 normal
Assignee: Chris Liddell (chrisl)
QA Contact: gs-security
Reported: 2018-08-22 23:13 UTC by Tavis Ormandy
Modified: 2018-12-18 11:36 UTC

Description Tavis Ormandy 2018-08-22 23:13:52 UTC
$ gdb -q --args ./gs -q -sDEVICE=ppmraw -dSAFER 
Reading symbols from ./gs...done.
(gdb) r
Starting program: /usr/local/google/home/taviso/projects/ghostscript/ghostscript-9.23/bin/gs -q -sDEVICE=ppmraw -dSAFER
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
GS>errordict /typecheck { (typecheck\n) print } put
GS>1 /Foo .definemodifiedfont
typecheck
...
(lots of output)
Program received signal SIGSEGV, Segmentation fault.
0x0000555555c5615e in dstack_find_name_by_index (pds=0x55555702ce40, nidx=1019) at ./psi/idstack.c:187
187	        name_index_ref(mem, nidx, &key);
Comment 1 Chris Liddell (chrisl) 2018-08-23 11:46:36 UTC
Fixed in:

http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=b575e1ec42