http://bugs.ghostscript.com/show_bug.cgi?id=696372

--- Comment #2 from Michael Vrhel <***@artifex.com> ---
I tried this on Linux and Windows and am not getting a segv with the current
release.

http://bugs.ghostscript.com/show_bug.cgi?id=696372

Michael Vrhel <***@artifex.com> changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|UNCONFIRMED |IN_PROGRESS
Ever confirmed|0 |1

--- Comment #3 from Michael Vrhel <***@artifex.com> ---
OK. I do see the issue now. Working on a fix.

http://bugs.ghostscript.com/show_bug.cgi?id=696372

Michael Vrhel <***@artifex.com> changed:

What |Removed |Added
----------------------------------------------------------------------------
Assignee|***@artifex.com |***@artifex.com

--- Comment #4 from Michael Vrhel <***@artifex.com> ---
Pushing this one to Ray to have a look.

There is an error condition that is behaving oddly. We are doing a push of
pdf14 clist device. The procs for the target get updated at that time. We
encounter an error while processing some text. Somehow this leads to a pop of
the pdf14 device via zpoppdf14devicefilter not zabortpdf14devicefilter. We
then do a fill after that.

The commands from the interpreter are:

pdf14 device push
begin group
begin mask
begin text group
Errors occur reading content stream
end group
Complaints about unbalanced q/Q operators
device pop

This suggests that there may be an issue if we encounter an error while in a
text group. We clearly should have done a zendtransparencytextgroup call in
here and/or zabortpdf14devicefilter.

I am going to push this to Ray to have a look at pdf_ops.ps as I suspect this
is where things need to be corrected to handle the errors in the proper manner
with respect to the pdf14 device.

http://bugs.ghostscript.com/show_bug.cgi?id=696372

Chris Liddell (chrisl) <***@artifex.com> changed:

What |Removed |Added
----------------------------------------------------------------------------
Product|Ghostscript |Security
Severity|normal |blocker
Component|Fuzzing |Security
Group| |Security
Version|master |unspecified

http://bugs.ghostscript.com/show_bug.cgi?id=696372

--- Comment #5 from Ray Johnston <***@artifex.com> ---
*** Bug 696378 has been marked as a duplicate of this bug. ***

http://bugs.ghostscript.com/show_bug.cgi?id=696372

--- Comment #6 from Ray Johnston <***@artifex.com> ---
*** Bug 696392 has been marked as a duplicate of this bug. ***

http://bugs.ghostscript.com/show_bug.cgi?id=696372

Ray Johnston <***@artifex.com> changed:

What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Status|IN_PROGRESS |RESOLVED

--- Comment #7 from Ray Johnston <***@artifex.com> ---
Fiexd in commit 8200f59f1b5aab852e23322587dda7c182fc195b