Bug 702229 - txtwrite: use after free in 9.51 on some files (regression from 9.50)
Summary: txtwrite: use after free in 9.51 on some files (regression from 9.50)
Alias: None
Product: Ghostscript
Classification: Unclassified
Component: Other Driver (show other bugs)
Version: master
Hardware: PC All
: P4 normal
Assignee: Ken Sharp
: 702346 (view as bug list)
Depends on:
Reported: 2020-03-18 04:29 UTC by James R Barlow
Modified: 2020-05-20 15:05 UTC (History)
1 user (show)

See Also:
Word Size: ---

mallocissue.pdf (688.79 KB, application/pdf)
2020-03-18 04:29 UTC, James R Barlow

Note You need to log in before you can comment on or make changes to this bug.
Description James R Barlow 2020-03-18 04:29:20 UTC
Created attachment 19003 [details]

On macOS the error looks like:

$ gs -dQUIET -dSAFER -dBATCH -dNOPAUSE -sDEVICE=txtwrite -dTextFormat=0 -o - mallocissue.pdf -stddout=%stderr

gs(98147,0x11082a5c0) malloc: Incorrect checksum for freed object 0x7fa850d096d8: probably modified after being freed.
Corrupt value: 0x6000000000000
gs(98147,0x11082a5c0) malloc: *** set a breakpoint in malloc_error_break to debug
fish: Job 2, 'gs -dQUIET -dSAFER -dBATCH -dNO…' terminated by signal SIGABRT (Abort)

A similar error was also reproduced on Debian Linux.
Comment 1 Ray Johnston 2020-05-15 18:33:39 UTC
Running with memento, with paranoidAt=396200 shows that txt_add_fragment
devices/vector/gdevtxtw.c line 2126:
   memcpy(penum->text_state->Widths, penum->Widths, penum->text.size *
writes past the end of penum->text_state->Widths since it was allocated as
4 floats, but penum->text.size is 8

penum->TextBufferIndex is 4 which was used for the allocation at line 2121.

It may be that all that is needed is to allocate text.size floats, but this
should be examined by someone that knows what it's trying to do.
Comment 2 Ray Johnston 2020-05-18 15:56:40 UTC
*** Bug 702346 has been marked as a duplicate of this bug. ***
Comment 3 Ken Sharp 2020-05-20 15:05:14 UTC
I believe this is fixed in commit 8c7bd787defa071c96289b7da9397f673fddb874

Certainly I don't see any problems with address sanitizer/valgrind when running either this file, the one from bug 702346 or the one from 701877