Created attachment 18451 [details]
poc

Hello

I found a heap-buffer-overflow bug in GhostScript.
Please confirm. 
Thanks.

OS:        Ubuntu 18.04 64bit
Version:   commit 1159afbcad927e1a32008b0ab87e257fc21da8e2

Steps to reproduce:
1. Download the .POC files.
2. Compile the source code with "make sanitize" using gcc.
3. Run following cmd.

gs -dBATCH -dNOPAUSE -dSAFER -dFIXEDMEDIA -sOutputFile=tmp -sDEVICE=cljet5pr $PoC

this maybe relates to https://bugs.ghostscript.com/show_bug.cgi?id=701845

Here's ASAN report.

==35351==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x611000000001 at pc 0x559a83adadd1 bp 0x7fffc63a0bd0 sp 0x7fffc63a0bc0
READ of size 4 at 0x611000000001 thread T0
    #0 0x559a83adadd0 in clj_media_size devices/gdevclj.c:278
    #1 0x559a83adcbfe in clj_pr_put_params devices/gdevclj.c:635
    #2 0x559a836085ba in default_subclass_put_params base/gdevsclass.c:235
    #3 0x559a83cd1dcf in gs_putdeviceparams base/gsdparam.c:1008
    #4 0x559a8431b3f0 in zputdeviceparams psi/zdevice.c:470
    #5 0x559a84237bc6 in do_call_operator psi/interp.c:86
    #6 0x559a842447f7 in interp psi/interp.c:1674
    #7 0x559a84239713 in gs_call_interp psi/interp.c:520
    #8 0x559a84238db8 in gs_interpret psi/interp.c:477
    #9 0x559a8420d30f in gs_main_interpret psi/imain.c:253
    #10 0x559a842107c4 in gs_main_run_string_end psi/imain.c:791
    #11 0x559a84210189 in gs_main_run_string_with_length psi/imain.c:735
    #12 0x559a842100fb in gs_main_run_string psi/imain.c:716
    #13 0x559a8421cdbf in run_string psi/imainarg.c:1117
    #14 0x559a8421cb62 in runarg psi/imainarg.c:1086
    #15 0x559a8421c3e1 in argproc psi/imainarg.c:1008
    #16 0x559a84216bad in gs_main_init_with_args01 psi/imainarg.c:241
    #17 0x559a84217011 in gs_main_init_with_args psi/imainarg.c:288
    #18 0x559a84222541 in psapi_init_with_args psi/psapi.c:272
    #19 0x559a843f1b71 in gsapi_init_with_args psi/iapi.c:148
    #20 0x559a82fc1ef8 in main psi/gs.c:95
    #21 0x7fee34696b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #22 0x559a82fc1c99 in _start (gs+0x36cc99)

0x611000000001 is located 63 bytes to the left of 216-byte region [0x611000000040,0x611000000118)
allocated by thread T0 here:
    #0 0x7fee35f80b50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
    #1 0x7fee346a31e0  (/lib/x86_64-linux-gnu/libc.so.6+0x2e1e0)

SUMMARY: AddressSanitizer: heap-buffer-overflow devices/gdevclj.c:278 in clj_media_size
Shadow bytes around the buggy address:
  0x0c227fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c227fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c227fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c227fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c227fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c227fff8000:[fa]fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c227fff8010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c227fff8020: 00 00 00 fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff8030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c227fff8040: 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa
  0x0c227fff8050: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb