Control: notfound -1 9.06~dfsg-2
Control: notfound -1 9.20~dfsg-2

Hi

After some more investigation I suspect the issue actually was only introduced with

http://git.ghostscript.com/?p=ghostpdl.git;h=cffb5712bc10c2c2f46adf311fc74aaae74cb784

and indeed applying that commit on top of the sid packaging and running under valgrind leads to (but not without):

----cut---------cut---------cut---------cut---------cut---------cut-----
==30949== Memcheck, a memory error detector
==30949== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==30949== Using Valgrind-3.12.0 and LibVEX; rerun with -h for copyright info
==30949== Command: gs -dNOPAUSE -sDEVICE=bit -sOUTPUTFILE=/dev/null -dSAFER gs_uaf_i_free_object -c quit
==30949==
GPL Ghostscript 9.20 (2016-09-26)
Copyright (C) 2016 Artifex Software, Inc.  All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
==30949== Invalid read of size 4
==30949==    at 0x5145D87: i_free_object (gsalloc.c:1457)
==30949==    by 0x519D4AC: gx_begin_image1 (gximage1.c:99)
==30949==    by 0x51C08A9: gx_default_begin_image (gdevddrw.c:1024)
==30949==    by 0x51C09CB: gx_default_begin_typed_image (gdevddrw.c:1051)
==30949==    by 0x515DF60: gs_image_begin_typed (gsimage.c:252)
==30949==    by 0x523A3ED: zimage_setup (zimage.c:183)
==30949==    by 0x523A9BC: image1_setup (zimage.c:246)
==30949==    by 0x5209451: interp (interp.c:1574)
==30949==    by 0x5209EC4: gs_call_interp (interp.c:511)
==30949==    by 0x5209EC4: gs_interpret (interp.c:468)
==30949==    by 0x51FE394: gs_main_interpret (imain.c:245)
==30949==    by 0x51FE394: gs_main_run_string_end (imain.c:663)
==30949==    by 0x51FFE28: run_string (imainarg.c:977)
==30949==    by 0x51FFFA9: runarg (imainarg.c:967)
==30949==  Address 0xd0881a4 is 84 bytes inside a block of size 24,928 free'd
==30949==    at 0x4C2CDDB: free (vg_replace_malloc.c:530)
==30949==    by 0x514530D: alloc_free_clump (gsalloc.c:2593)
==30949==    by 0x5145F1F: i_free_object (gsalloc.c:1511)
==30949==    by 0x51A3664: gx_image_enum_begin (gxipixel.c:293)
==30949==    by 0x519D451: gx_begin_image1 (gximage1.c:94)
==30949==    by 0x51C08A9: gx_default_begin_image (gdevddrw.c:1024)
==30949==    by 0x51C09CB: gx_default_begin_typed_image (gdevddrw.c:1051)
==30949==    by 0x515DF60: gs_image_begin_typed (gsimage.c:252)
==30949==    by 0x523A3ED: zimage_setup (zimage.c:183)
==30949==    by 0x523A9BC: image1_setup (zimage.c:246)
==30949==    by 0x5209451: interp (interp.c:1574)
==30949==    by 0x5209EC4: gs_call_interp (interp.c:511)
==30949==    by 0x5209EC4: gs_interpret (interp.c:468)
==30949==  Block was alloc'd at
==30949==    at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==30949==    by 0x5161E85: gs_heap_alloc_bytes (gsmalloc.c:183)
==30949==    by 0x5144A8A: alloc_acquire_clump (gsalloc.c:2430)
==30949==    by 0x51456EC: alloc_obj.isra.4 (gsalloc.c:1891)
==30949==    by 0x51A0ACA: gx_image_enum_alloc (gxipixel.c:178)
==30949==    by 0x519D3F4: gx_begin_image1 (gximage1.c:84)
==30949==    by 0x51C08A9: gx_default_begin_image (gdevddrw.c:1024)
==30949==    by 0x51C09CB: gx_default_begin_typed_image (gdevddrw.c:1051)
==30949==    by 0x515DF60: gs_image_begin_typed (gsimage.c:252)
==30949==    by 0x523A3ED: zimage_setup (zimage.c:183)
==30949==    by 0x523A9BC: image1_setup (zimage.c:246)
==30949==    by 0x5209451: interp (interp.c:1574)
==30949==
==30949== Invalid read of size 8
==30949==    at 0x5145D8B: i_free_object (gsalloc.c:1459)
==30949==    by 0x519D4AC: gx_begin_image1 (gximage1.c:99)
==30949==    by 0x51C08A9: gx_default_begin_image (gdevddrw.c:1024)
==30949==    by 0x51C09CB: gx_default_begin_typed_image (gdevddrw.c:1051)
==30949==    by 0x515DF60: gs_image_begin_typed (gsimage.c:252)
==30949==    by 0x523A3ED: zimage_setup (zimage.c:183)
==30949==    by 0x523A9BC: image1_setup (zimage.c:246)
==30949==    by 0x5209451: interp (interp.c:1574)
==30949==    by 0x5209EC4: gs_call_interp (interp.c:511)
==30949==    by 0x5209EC4: gs_interpret (interp.c:468)
==30949==    by 0x51FE394: gs_main_interpret (imain.c:245)
==30949==    by 0x51FE394: gs_main_run_string_end (imain.c:663)
==30949==    by 0x51FFE28: run_string (imainarg.c:977)
==30949==    by 0x51FFFA9: runarg (imainarg.c:967)
==30949==  Address 0xd0881a8 is 88 bytes inside a block of size 24,928 free'd
==30949==    at 0x4C2CDDB: free (vg_replace_malloc.c:530)
==30949==    by 0x514530D: alloc_free_clump (gsalloc.c:2593)
==30949==    by 0x5145F1F: i_free_object (gsalloc.c:1511)
==30949==    by 0x51A3664: gx_image_enum_begin (gxipixel.c:293)
==30949==    by 0x519D451: gx_begin_image1 (gximage1.c:94)
==30949==    by 0x51C08A9: gx_default_begin_image (gdevddrw.c:1024)
==30949==    by 0x51C09CB: gx_default_begin_typed_image (gdevddrw.c:1051)
==30949==    by 0x515DF60: gs_image_begin_typed (gsimage.c:252)
==30949==    by 0x523A3ED: zimage_setup (zimage.c:183)
==30949==    by 0x523A9BC: image1_setup (zimage.c:246)
==30949==    by 0x5209451: interp (interp.c:1574)
==30949==    by 0x5209EC4: gs_call_interp (interp.c:511)
==30949==    by 0x5209EC4: gs_interpret (interp.c:468)
==30949==  Block was alloc'd at
==30949==    at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==30949==    by 0x5161E85: gs_heap_alloc_bytes (gsmalloc.c:183)
==30949==    by 0x5144A8A: alloc_acquire_clump (gsalloc.c:2430)
==30949==    by 0x51456EC: alloc_obj.isra.4 (gsalloc.c:1891)
==30949==    by 0x51A0ACA: gx_image_enum_alloc (gxipixel.c:178)
==30949==    by 0x519D3F4: gx_begin_image1 (gximage1.c:84)
==30949==    by 0x51C08A9: gx_default_begin_image (gdevddrw.c:1024)
==30949==    by 0x51C09CB: gx_default_begin_typed_image (gdevddrw.c:1051)
==30949==    by 0x515DF60: gs_image_begin_typed (gsimage.c:252)
==30949==    by 0x523A3ED: zimage_setup (zimage.c:183)
==30949==    by 0x523A9BC: image1_setup (zimage.c:246)
==30949==    by 0x5209451: interp (interp.c:1574)
==30949==
==30949== Invalid read of size 1
==30949==    at 0x5145DC3: i_free_object (gsalloc.c:1487)
==30949==    by 0x519D4AC: gx_begin_image1 (gximage1.c:99)
==30949==    by 0x51C08A9: gx_default_begin_image (gdevddrw.c:1024)
==30949==    by 0x51C09CB: gx_default_begin_typed_image (gdevddrw.c:1051)
==30949==    by 0x515DF60: gs_image_begin_typed (gsimage.c:252)
==30949==    by 0x523A3ED: zimage_setup (zimage.c:183)
==30949==    by 0x523A9BC: image1_setup (zimage.c:246)
==30949==    by 0x5209451: interp (interp.c:1574)
==30949==    by 0x5209EC4: gs_call_interp (interp.c:511)
==30949==    by 0x5209EC4: gs_interpret (interp.c:468)
==30949==    by 0x51FE394: gs_main_interpret (imain.c:245)
==30949==    by 0x51FE394: gs_main_run_string_end (imain.c:663)
==30949==    by 0x51FFE28: run_string (imainarg.c:977)
==30949==    by 0x51FFFA9: runarg (imainarg.c:967)
==30949==  Address 0xd0881a0 is 80 bytes inside a block of size 24,928 free'd
==30949==    at 0x4C2CDDB: free (vg_replace_malloc.c:530)
==30949==    by 0x514530D: alloc_free_clump (gsalloc.c:2593)
==30949==    by 0x5145F1F: i_free_object (gsalloc.c:1511)
==30949==    by 0x51A3664: gx_image_enum_begin (gxipixel.c:293)
==30949==    by 0x519D451: gx_begin_image1 (gximage1.c:94)
==30949==    by 0x51C08A9: gx_default_begin_image (gdevddrw.c:1024)
==30949==    by 0x51C09CB: gx_default_begin_typed_image (gdevddrw.c:1051)
==30949==    by 0x515DF60: gs_image_begin_typed (gsimage.c:252)
==30949==    by 0x523A3ED: zimage_setup (zimage.c:183)
==30949==    by 0x523A9BC: image1_setup (zimage.c:246)
==30949==    by 0x5209451: interp (interp.c:1574)
==30949==    by 0x5209EC4: gs_call_interp (interp.c:511)
==30949==    by 0x5209EC4: gs_interpret (interp.c:468)
==30949==  Block was alloc'd at
==30949==    at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==30949==    by 0x5161E85: gs_heap_alloc_bytes (gsmalloc.c:183)
==30949==    by 0x5144A8A: alloc_acquire_clump (gsalloc.c:2430)
==30949==    by 0x51456EC: alloc_obj.isra.4 (gsalloc.c:1891)
==30949==    by 0x51A0ACA: gx_image_enum_alloc (gxipixel.c:178)
==30949==    by 0x519D3F4: gx_begin_image1 (gximage1.c:84)
==30949==    by 0x51C08A9: gx_default_begin_image (gdevddrw.c:1024)
==30949==    by 0x51C09CB: gx_default_begin_typed_image (gdevddrw.c:1051)
==30949==    by 0x515DF60: gs_image_begin_typed (gsimage.c:252)
==30949==    by 0x523A3ED: zimage_setup (zimage.c:183)
==30949==    by 0x523A9BC: image1_setup (zimage.c:246)
==30949==    by 0x5209451: interp (interp.c:1574)
==30949==
==30949== Invalid read of size 4
==30949==    at 0x5145D87: i_free_object (gsalloc.c:1457)
==30949==    by 0x519D4AC: gx_begin_image1 (gximage1.c:99)
==30949==    by 0x515DF60: gs_image_begin_typed (gsimage.c:252)
==30949==    by 0x523A3ED: zimage_setup (zimage.c:183)
==30949==    by 0x523A9BC: image1_setup (zimage.c:246)
==30949==    by 0x5209451: interp (interp.c:1574)
==30949==    by 0x5209EC4: gs_call_interp (interp.c:511)
==30949==    by 0x5209EC4: gs_interpret (interp.c:468)
==30949==    by 0x51FE394: gs_main_interpret (imain.c:245)
==30949==    by 0x51FE394: gs_main_run_string_end (imain.c:663)
==30949==    by 0x51FFE28: run_string (imainarg.c:977)
==30949==    by 0x51FFFA9: runarg (imainarg.c:967)
==30949==    by 0x5201697: gs_main_init_with_args (imainarg.c:238)
==30949==    by 0x108ACA: main (dxmainc.c:86)
==30949==  Address 0xd08e484 is 84 bytes inside a block of size 24,928 free'd
==30949==    at 0x4C2CDDB: free (vg_replace_malloc.c:530)
==30949==    by 0x514530D: alloc_free_clump (gsalloc.c:2593)
==30949==    by 0x5145F1F: i_free_object (gsalloc.c:1511)
==30949==    by 0x51A3664: gx_image_enum_begin (gxipixel.c:293)
==30949==    by 0x519D451: gx_begin_image1 (gximage1.c:94)
==30949==    by 0x515DF60: gs_image_begin_typed (gsimage.c:252)
==30949==    by 0x523A3ED: zimage_setup (zimage.c:183)
==30949==    by 0x523A9BC: image1_setup (zimage.c:246)
==30949==    by 0x5209451: interp (interp.c:1574)
==30949==    by 0x5209EC4: gs_call_interp (interp.c:511)
==30949==    by 0x5209EC4: gs_interpret (interp.c:468)
==30949==    by 0x51FE394: gs_main_interpret (imain.c:245)
==30949==    by 0x51FE394: gs_main_run_string_end (imain.c:663)
==30949==    by 0x51FFE28: run_string (imainarg.c:977)
==30949==  Block was alloc'd at
==30949==    at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==30949==    by 0x5161E85: gs_heap_alloc_bytes (gsmalloc.c:183)
==30949==    by 0x5144A8A: alloc_acquire_clump (gsalloc.c:2430)
==30949==    by 0x51456EC: alloc_obj.isra.4 (gsalloc.c:1891)
==30949==    by 0x51A0ACA: gx_image_enum_alloc (gxipixel.c:178)
==30949==    by 0x519D3F4: gx_begin_image1 (gximage1.c:84)
==30949==    by 0x515DF60: gs_image_begin_typed (gsimage.c:252)
==30949==    by 0x523A3ED: zimage_setup (zimage.c:183)
==30949==    by 0x523A9BC: image1_setup (zimage.c:246)
==30949==    by 0x5209451: interp (interp.c:1574)
==30949==    by 0x5209EC4: gs_call_interp (interp.c:511)
==30949==    by 0x5209EC4: gs_interpret (interp.c:468)
==30949==    by 0x51FE394: gs_main_interpret (imain.c:245)
==30949==    by 0x51FE394: gs_main_run_string_end (imain.c:663)
==30949==
==30949== Invalid read of size 8
==30949==    at 0x5145D8B: i_free_object (gsalloc.c:1459)
==30949==    by 0x519D4AC: gx_begin_image1 (gximage1.c:99)
==30949==    by 0x515DF60: gs_image_begin_typed (gsimage.c:252)
==30949==    by 0x523A3ED: zimage_setup (zimage.c:183)
==30949==    by 0x523A9BC: image1_setup (zimage.c:246)
==30949==    by 0x5209451: interp (interp.c:1574)
==30949==    by 0x5209EC4: gs_call_interp (interp.c:511)
==30949==    by 0x5209EC4: gs_interpret (interp.c:468)
==30949==    by 0x51FE394: gs_main_interpret (imain.c:245)
==30949==    by 0x51FE394: gs_main_run_string_end (imain.c:663)
==30949==    by 0x51FFE28: run_string (imainarg.c:977)
==30949==    by 0x51FFFA9: runarg (imainarg.c:967)
==30949==    by 0x5201697: gs_main_init_with_args (imainarg.c:238)
==30949==    by 0x108ACA: main (dxmainc.c:86)
==30949==  Address 0xd08e488 is 88 bytes inside a block of size 24,928 free'd
==30949==    at 0x4C2CDDB: free (vg_replace_malloc.c:530)
==30949==    by 0x514530D: alloc_free_clump (gsalloc.c:2593)
==30949==    by 0x5145F1F: i_free_object (gsalloc.c:1511)
==30949==    by 0x51A3664: gx_image_enum_begin (gxipixel.c:293)
==30949==    by 0x519D451: gx_begin_image1 (gximage1.c:94)
==30949==    by 0x515DF60: gs_image_begin_typed (gsimage.c:252)
==30949==    by 0x523A3ED: zimage_setup (zimage.c:183)
==30949==    by 0x523A9BC: image1_setup (zimage.c:246)
==30949==    by 0x5209451: interp (interp.c:1574)
==30949==    by 0x5209EC4: gs_call_interp (interp.c:511)
==30949==    by 0x5209EC4: gs_interpret (interp.c:468)
==30949==    by 0x51FE394: gs_main_interpret (imain.c:245)
==30949==    by 0x51FE394: gs_main_run_string_end (imain.c:663)
==30949==    by 0x51FFE28: run_string (imainarg.c:977)
==30949==  Block was alloc'd at
==30949==    at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==30949==    by 0x5161E85: gs_heap_alloc_bytes (gsmalloc.c:183)
==30949==    by 0x5144A8A: alloc_acquire_clump (gsalloc.c:2430)
==30949==    by 0x51456EC: alloc_obj.isra.4 (gsalloc.c:1891)
==30949==    by 0x51A0ACA: gx_image_enum_alloc (gxipixel.c:178)
==30949==    by 0x519D3F4: gx_begin_image1 (gximage1.c:84)
==30949==    by 0x515DF60: gs_image_begin_typed (gsimage.c:252)
==30949==    by 0x523A3ED: zimage_setup (zimage.c:183)
==30949==    by 0x523A9BC: image1_setup (zimage.c:246)
==30949==    by 0x5209451: interp (interp.c:1574)
==30949==    by 0x5209EC4: gs_call_interp (interp.c:511)
==30949==    by 0x5209EC4: gs_interpret (interp.c:468)
==30949==    by 0x51FE394: gs_main_interpret (imain.c:245)
==30949==    by 0x51FE394: gs_main_run_string_end (imain.c:663)
==30949==
==30949== Invalid read of size 1
==30949==    at 0x5145DC3: i_free_object (gsalloc.c:1487)
==30949==    by 0x519D4AC: gx_begin_image1 (gximage1.c:99)
==30949==    by 0x515DF60: gs_image_begin_typed (gsimage.c:252)
==30949==    by 0x523A3ED: zimage_setup (zimage.c:183)
==30949==    by 0x523A9BC: image1_setup (zimage.c:246)
==30949==    by 0x5209451: interp (interp.c:1574)
==30949==    by 0x5209EC4: gs_call_interp (interp.c:511)
==30949==    by 0x5209EC4: gs_interpret (interp.c:468)
==30949==    by 0x51FE394: gs_main_interpret (imain.c:245)
==30949==    by 0x51FE394: gs_main_run_string_end (imain.c:663)
==30949==    by 0x51FFE28: run_string (imainarg.c:977)
==30949==    by 0x51FFFA9: runarg (imainarg.c:967)
==30949==    by 0x5201697: gs_main_init_with_args (imainarg.c:238)
==30949==    by 0x108ACA: main (dxmainc.c:86)
==30949==  Address 0xd08e480 is 80 bytes inside a block of size 24,928 free'd
==30949==    at 0x4C2CDDB: free (vg_replace_malloc.c:530)
==30949==    by 0x514530D: alloc_free_clump (gsalloc.c:2593)
==30949==    by 0x5145F1F: i_free_object (gsalloc.c:1511)
==30949==    by 0x51A3664: gx_image_enum_begin (gxipixel.c:293)
==30949==    by 0x519D451: gx_begin_image1 (gximage1.c:94)
==30949==    by 0x515DF60: gs_image_begin_typed (gsimage.c:252)
==30949==    by 0x523A3ED: zimage_setup (zimage.c:183)
==30949==    by 0x523A9BC: image1_setup (zimage.c:246)
==30949==    by 0x5209451: interp (interp.c:1574)
==30949==    by 0x5209EC4: gs_call_interp (interp.c:511)
==30949==    by 0x5209EC4: gs_interpret (interp.c:468)
==30949==    by 0x51FE394: gs_main_interpret (imain.c:245)
==30949==    by 0x51FE394: gs_main_run_string_end (imain.c:663)
==30949==    by 0x51FFE28: run_string (imainarg.c:977)
==30949==  Block was alloc'd at
==30949==    at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==30949==    by 0x5161E85: gs_heap_alloc_bytes (gsmalloc.c:183)
==30949==    by 0x5144A8A: alloc_acquire_clump (gsalloc.c:2430)
==30949==    by 0x51456EC: alloc_obj.isra.4 (gsalloc.c:1891)
==30949==    by 0x51A0ACA: gx_image_enum_alloc (gxipixel.c:178)
==30949==    by 0x519D3F4: gx_begin_image1 (gximage1.c:84)
==30949==    by 0x515DF60: gs_image_begin_typed (gsimage.c:252)
==30949==    by 0x523A3ED: zimage_setup (zimage.c:183)
==30949==    by 0x523A9BC: image1_setup (zimage.c:246)
==30949==    by 0x5209451: interp (interp.c:1574)
==30949==    by 0x5209EC4: gs_call_interp (interp.c:511)
==30949==    by 0x5209EC4: gs_interpret (interp.c:468)
==30949==    by 0x51FE394: gs_main_interpret (imain.c:245)
==30949==    by 0x51FE394: gs_main_run_string_end (imain.c:663)
==30949==
Error: /undefinedresult in --colorimage--
Operand stack:
   6   8   8   --nostringval--   --nostringval--   --nostringval--   --nostringval--   true   3
Execution stack:
   %interp_exit   .runexec2   --nostringval--   --nostringval--   --nostringval--   2   %stopped_push   --nostringval--   --nostringval--   --nostringval--   false   1   %stopped_push   1999   1   3   %oparray_pop   1998   1   3   %oparray_pop   1982   1   3   %oparray_pop   1868   1   3   %oparray_pop   --nostringval--   %errorexec_pop   .runexec2   --nostringval--   --nostringval--   --nostringval--   2   %stopped_push   --nostringval--   1894   9   3   %oparray_pop
Dictionary stack:
   --dict:1207/1684(ro)(G)--   --dict:0/20(G)--   --dict:78/200(L)--
Current allocation mode is local
GPL Ghostscript 9.20: Unrecoverable error, exit code 1
==30949==
==30949== HEAP SUMMARY:
==30949==     in use at exit: 0 bytes in 0 blocks
==30949==   total heap usage: 2,821 allocs, 2,821 frees, 11,953,960 bytes allocated
==30949==
==30949== All heap blocks were freed -- no leaks are possible
==30949==
==30949== For counts of detected and suppressed errors, rerun with: -v
==30949== ERROR SUMMARY: 6 errors from 6 contexts (suppressed: 0 from 0)
----cut---------cut---------cut---------cut---------cut---------cut-----

I'm not closing the bug yet, nor updating the security tracker as not-affected, since I would like to see first a peer-review on the above.

Regards,
Salvatore
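Added illustration (not Ghostscript's code and not the upstream fix) of the ownership pattern the valgrind trace above records: the block allocated at gximage1.c:84 is freed inside gx_image_enum_begin (gxipixel.c:293) and then handed to i_free_object a second time from gx_begin_image1 at gximage1.c:99. All names (enum_begin_buggy, begin_image_fixed, the static slot) are constructed; the "fixed" variant clears the caller's pointer whenever the callee frees, which is one generic remedy for this class of bug, not necessarily what upstream did.

```c
#include <stddef.h>
#include <string.h>
/* Constructed model of the ownership bug in the trace above: the callee frees
 * the enumerator on its error path and the caller frees it again.
 * Hypothetical names; not Ghostscript's code. */
typedef struct { int freed; int width; } image_enum;

/* One static slot stands in for the heap so a second release is counted, not UB. */
static image_enum slot;
static int double_frees;

static image_enum *enum_alloc(void) { memset(&slot, 0, sizeof slot); return &slot; }
/* Stand-in for i_free_object: a release of an already-freed object is the
 * "Invalid read ... inside a block ... free'd" that valgrind reports. */
static void release(image_enum *e) {
    if (e == NULL) return;
    if (e->freed) { double_frees++; return; }
    e->freed = 1;
}

/* Buggy callee (role of gx_image_enum_begin): frees on error but leaves the
 * caller holding a dangling pointer. */
static int enum_begin_buggy(image_enum *e, int width) {
    if (width <= 0) { release(e); return -1; }
    e->width = width;
    return 0;
}

/* Fixed callee: whoever frees also clears the caller's pointer, so the
 * object has exactly one owner at every point. */
static int enum_begin_fixed(image_enum **pe, int width) {
    if (width <= 0) { release(*pe); *pe = NULL; return -1; }
    (*pe)->width = width;
    return 0;
}

/* Callers (role of gx_begin_image1); each returns the double frees observed. */
int begin_image_buggy(int width) {
    image_enum *e = enum_alloc();
    double_frees = 0;
    if (enum_begin_buggy(e, width) < 0)
        release(e);   /* error cleanup frees what the callee already freed */
    return double_frees;
}
int begin_image_fixed(int width) {
    image_enum *e = enum_alloc();
    double_frees = 0;
    if (enum_begin_fixed(&e, width) < 0)
        release(e);   /* e is NULL here, so this is a no-op */
    return double_frees;
}
```

Under a real allocator the buggy path is exactly what memcheck flags as a read inside a block already free'd; the model counts it instead so the two variants can be compared without crashing.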