Bug#954901: ghostscript: runtime error: malloc(): invalid size (unsorted)

2020-04-18 Thread Bernhard Übelacker
Sorry, the file I attached in message #10 was for a
different bug, unrelated to this one.

Created upstream bug: https://bugs.ghostscript.com/show_bug.cgi?id=702346



Bug#954901: ghostscript: runtime error: malloc(): invalid size (unsorted)

2020-03-26 Thread Bernhard Übelacker
Dear Maintainer,
I tried to collect some more information and might have found something.

The allocator aborts at the backtrace below.

A valgrind run points to the same function txt_add_fragment.

It seems that in line 2121 the allocation takes place with
12 bytes total, then a memset is done with 12 bytes.
But in line 2126 the memcpy is done with 24 bytes.

This is because allocation is done with
penum->TextBufferIndex == 3, but the memcpy uses 
penum->text.size == 6. (For the given input file.)

The same pattern appears in lines 2134 to 2139.

But I have no clue if the variables are the
right ones, or contain wrong values.

It might be related to this upstream bug,
which touches the same lines:

  https://bugs.ghostscript.com/show_bug.cgi?id=701877

Kind regards,
Bernhard



https://sources.debian.org/src/ghostscript/9.52%7Edfsg-1/devices/vector/gdevtxtw.c/#L2121
https://git.ghostscript.com/?p=ghostpdl.git;a=blob;f=devices/vector/gdevtxtw.c;h=87f9355d8771e1fa546b4eb687ae4078ef2abdff;hb=HEAD#l2121

2121 penum->text_state->Widths = (float *)gs_malloc(tdev->memory->stable_memory,
2122     penum->TextBufferIndex, sizeof(float), "txtwrite alloc widths array");
2123 if (!penum->text_state->Widths)
2124     return gs_note_error(gs_error_VMerror);
2125 memset(penum->text_state->Widths, 0x00, penum->TextBufferIndex * sizeof(float));
2126 memcpy(penum->text_state->Widths, penum->Widths, penum->text.size * sizeof(float));

(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x7fb706bae55b in __GI_abort () at abort.c:79
#2  0x7fb706c06ff8 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7fb706d13f3e "%s\n") at ../sysdeps/posix/libc_fatal.c:181
#3  0x7fb706c0e39a in malloc_printerr (str=str@entry=0x7fb706d16010 "malloc(): invalid size (unsorted)") at malloc.c:5339
#4  0x7fb706c11304 in _int_malloc (av=av@entry=0x7fb706d45b80 , bytes=bytes@entry=62) at malloc.c:3736
#5  0x7fb706c12a74 in __GI___libc_malloc (bytes=bytes@entry=62) at malloc.c:3058
#6  0x7fb7070a3445 in gs_heap_alloc_bytes (mem=0x5600c40c5c40, size=14, cname=0x7fb7072389c8 "txtwrite alloc sorted text buffer") at ./base/gsmalloc.c:191
#7  0x7fb706fe88e1 in txt_add_fragment (penum=0x5600c45abea8, tdev=) at ./devices/vector/gdevtxtw.c:2141
#8  textw_text_process (pte=0x5600c45abea8) at ./devices/vector/gdevtxtw.c:2241
#9  0x7fb70717b8a0 in op_show_continue (i_ctx_p=0x5600c40f9778) at ./psi/zchar.c:690
#10 op_show_continue (i_ctx_p=0x5600c40f9778) at ./psi/zchar.c:685
#11 0x7fb70715d739 in interp (perror_object=, pref=, pi_ctx_p=) at ./psi/interp.c:1300
#12 gs_call_interp (pi_ctx_p=pi_ctx_p@entry=0x5600c40c6590, pref=pref@entry=0x775a4350, user_errors=user_errors@entry=1, pexit_code=pexit_code@entry=0x775a43cc, perror_object=) at ./psi/interp.c:520
#13 0x7fb70715ec7a in gs_interpret (pi_ctx_p=pi_ctx_p@entry=0x5600c40c6590, pref=pref@entry=0x775a4350, user_errors=user_errors@entry=1, pexit_code=pexit_code@entry=0x775a43cc, perror_object=, perror_object@entry=0x775a43d0) at ./psi/interp.c:477
#14 0x7fb70715153e in gs_main_interpret (perror_object=0x775a43d0, pexit_code=0x775a43cc, user_errors=1, pref=0x775a4350, minst=) at ./psi/imain.c:791
#15 gs_main_run_string_end (minst=minst@entry=0x5600c40c64f0, user_errors=user_errors@entry=1, pexit_code=pexit_code@entry=0x775a43cc, perror_object=perror_object@entry=0x775a43d0) at ./psi/imain.c:791
#16 0x7fb7071515d1 in gs_main_run_string_with_length (str=, length=, perror_object=0x775a43d0, pexit_code=0x775a43cc, user_errors=1, minst=0x5600c40c64f0) at ./psi/imain.c:735
#17 gs_main_run_string_with_length (minst=0x5600c40c64f0, str=0x5600c41c2720 "<6f75742e706466>.runfile", length=24, user_errors=1, pexit_code=0x775a43cc, perror_object=0x775a43d0) at ./psi/imain.c:721
#18 0x7fb7071534ef in run_string (minst=minst@entry=0x5600c40c64f0, str=str@entry=0x5600c41c2720 "<6f75742e706466>.runfile", options=options@entry=3, user_errors=user_errors@entry=1, pexit_code=0x775a43cc, pexit_code@entry=0x0, perror_object=0x775a43d0, perror_object@entry=0x0) at ./psi/imainarg.c:1119
#19 0x7fb7071537e6 in runarg (minst=minst@entry=0x5600c40c64f0, arg=arg@entry=0x775a4508 "out.pdf", post=post@entry=0x7fb70725cc5c ".runfile", options=options@entry=3, user_errors=1, pexit_code=pexit_code@entry=0x0, perror_object=0x0, pre=0x7fb70723aced "") at ./psi/imainarg.c:1088
#20 0x7fb707153904 in argproc (arg=0x775a4508 "out.pdf", minst=0x5600c40c64f0) at ./psi/imainarg.c:1010
#21 argproc (minst=0x5600c40c64f0, arg=0x775a4508 "out.pdf") at ./psi/imainarg.c:995
#22 0x7fb707155010 in gs_main_init_with_args01 (minst=minst@entry=0x5600c40c64f0, argc=7, argv=0x775a5038) at ./psi/imainarg.c:241
#23 0x7fb7071552b9 in gs_main_init_with_args (minst=0x5600c40c64f0, argc=, argv=) at