Out-of-bounbds read and write has been reported in GhostScript package while processing a crafted .ps file. Upstream bug: http://bugs.ghostscript.com/show_bug.cgi?id=696041 Upstream commit that fixes this (as per reporter): http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=ecc7a199e9307475c37fea0c44d24b85df814ead Acknowledgements: Red Hat would like to thank William Robinet of Conostix S.A. for reporting this issue.
I believe that the root issue is actually an integer overflow in one of the memory allocation routines. gs_heap_alloc_bytes() function in base/gsmalloc.c: > uint added = size + sizeof(gs_malloc_block_t); > > if (mmem->limit - added < mmem->used) > set_msg("exceeded limit"); > else if ((ptr = (byte *) Memento_label(malloc(added), cname)) == 0) > set_msg("failed"); If "size" is very large, then size+sizeof(gs_malloc_block_t) can cause a wrap-around and "size" will suddenly be a lot smaller than it actually needs to be.
Upstream patch: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=0c0b0859
Public via: http://openwall.com/lists/oss-security/2015/07/23/14