Out-of-bounbds read and write has been reported in GhostScript package while processing a crafted .ps file.
Upstream bug: http://bugs.ghostscript.com/show_bug.cgi?id=696041
Upstream commit that fixes this (as per reporter): http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=ecc7a199e9307475c37fea0c44d24b85df814ead
Red Hat would like to thank William Robinet of Conostix S.A. for reporting this issue.
I believe that the root issue is actually an integer overflow in one of
the memory allocation routines.
gs_heap_alloc_bytes() function in base/gsmalloc.c:
> uint added = size + sizeof(gs_malloc_block_t);
> if (mmem->limit - added < mmem->used)
> set_msg("exceeded limit");
> else if ((ptr = (byte *) Memento_label(malloc(added), cname)) == 0)
If "size" is very large, then size+sizeof(gs_malloc_block_t) can cause
a wrap-around and "size" will suddenly be a lot smaller than it
actually needs to be.