There is a heap-use-after-free in function ThrowLoggedException of magick/error.c which can be reproduced as below.
./graphicsmagick-code/utilities/gm convert $poc ./out.ps2
=================================================================
==20015==ERROR: AddressSanitizer: heap-use-after-free on address 0x60600000ef60 at pc 0x7fad984641e9 bp 0x7ffe7d8c9f00 sp 0x7ffe7d8c9678
READ of size 2 at 0x60600000ef60 thread T0
#0 0x7fad984641e8 (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x601e8)
#1 0x7fad98465145 in __interceptor_vsnprintf (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x61145)
#2 0x586957 in FormatStringList magick/utility.c:1228
#3 0x586a77 in FormatString magick/utility.c:1239
#4 0x4b124f in GetLocaleExceptionMessage magick/error.c:590
#5 0x4b1e28 in ThrowLoggedException magick/error.c:1034
#6 0x7a813f in WritePS2Image coders/ps2.c:952
#7 0x47a430 in WriteImage magick/constitute.c:2245
#8 0x47ad98 in WriteImages magick/constitute.c:2404
#9 0x42bf6d in ConvertImageCommand magick/command.c:6101
#10 0x436afe in MagickCommand magick/command.c:8886
#11 0x45f2a5 in GMCommandSingle magick/command.c:17416
#12 0x45f4f1 in GMCommand magick/command.c:17469
#13 0x40cc65 in main utilities/gm.c:61
#14 0x7fad9570f82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#15 0x40cb78 in _start (/home/graphicsmagick-code/utilities/gm+0x40cb78)
0x60600000ef60 is located 0 bytes inside of 57-byte region [0x60600000ef60,0x60600000ef99)
freed by thread T0 here:
#0 0x7fad9849c2ca in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982ca)
#1 0x4de735 in MagickFree magick/memory.c:532
#2 0x4b1ddf in ThrowLoggedException magick/error.c:1031
#3 0x7a813f in WritePS2Image coders/ps2.c:952
#4 0x47a430 in WriteImage magick/constitute.c:2245
#5 0x47ad98 in WriteImages magick/constitute.c:2404
#6 0x42bf6d in ConvertImageCommand magick/command.c:6101
#7 0x436afe in MagickCommand magick/command.c:8886
#8 0x45f2a5 in GMCommandSingle magick/command.c:17416
#9 0x45f4f1 in GMCommand magick/command.c:17469
#10 0x40cc65 in main utilities/gm.c:61
#11 0x7fad9570f82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
previously allocated by thread T0 here:
#0 0x7fad9849c602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x4de364 in MagickMalloc magick/memory.c:174
#2 0x582d94 in AcquireString magick/utility.c:147
#3 0x4b1e30 in ThrowLoggedException magick/error.c:1034
#4 0x849c62 in JPEGDecodeMessageHandler coders/jpeg.c:292
#5 0x7fad97395c5a (/usr/lib/x86_64-linux-gnu/libjpeg.so.8+0x1fc5a)
SUMMARY: AddressSanitizer: heap-use-after-free ??:0 ??
Shadow bytes around the buggy address:
0x0c0c7fff9d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff9db0: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
0x0c0c7fff9dc0: fd fd fd fd fa fa fa fa 00 00 00 00 00 00 00 03
0x0c0c7fff9dd0: fa fa fa fa 00 00 00 00 00 00 00 01 fa fa fa fa
=>0x0c0c7fff9de0: 00 00 00 00 00 00 00 03 fa fa fa fa[fd]fd fd fd
0x0c0c7fff9df0: fd fd fd fd fa fa fa fa 00 00 00 00 00 00 00 03
0x0c0c7fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==20015==ABORTING
System Configuration:
Distributor ID: Ubuntu
Description:    Ubuntu 16.04.1 LTS
Release:        16.04
Codename:       xenial
GraphicsMagick version:
GraphicsMagick 1.4 snapshot-20190403 Q8 http://www.GraphicsMagick.org/
Copyright (C) 2002-2019 GraphicsMagick Group.
Additional copyrights and licenses apply to this software.
See http://www.GraphicsMagick.org/www/Copyright.html for details.

Feature Support:
  Native Thread Safe       yes
  Large Files (> 32 bit)   yes
  Large Memory (> 32 bit)  yes
  BZIP                     yes
  DPS                      no
  FlashPix                 no
  FreeType                 yes
  Ghostscript (Library)    no
  JBIG                     yes
  JPEG-2000                yes
  JPEG                     yes
  Little CMS               yes
  Loadable Modules         no
  Solaris mtmalloc         no
  OpenMP                   yes (201307)
  PNG                      yes
  TIFF                     yes
  TRIO                     no
  Solaris umem             no
  WebP                     yes
  WMF                      yes
  X11                      yes
  XML                      yes
  ZLIB                     yes

Host type: x86_64-pc-linux-gnu

Configured using the command:
  ./configure 'CC=gcc' 'CXX=g++' 'CFLAGS=-g -fsanitize=address -fno-omit-frame-pointer -fsanitize=leak' '--enable-shared=no'

Final Build Parameters:
  CC       = gcc
  CFLAGS   = -fopenmp -g -fsanitize=address -fno-omit-frame-pointer -fsanitize=leak -Wall -pthread
  CPPFLAGS = -I/usr/include/freetype2 -I/usr/include/libxml2
  CXX      = g++
  CXXFLAGS = -pthread
  LDFLAGS  =
  LIBS     = -ljbig -lwebp -lwebpmux -llcms2 -ltiff -lfreetype -ljasper -ljpeg -lpng12 -lwmflite -lXext -lSM -lICE -lX11 -llzma -lbz2 -lxml2 -lz -lm -lpthread
This problem is fixed by Mercurial changeset 15992:44ab7f6c20b4. Thank you very much for the report!
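The free-then-read ordering the two stack traces imply (MagickFree at error.c:1031, then the vsnprintf read at error.c:1034, on a buffer an earlier ThrowLoggedException call had allocated), shown beside a hardened ordering, as an added C example that is not GraphicsMagick's code: the ExceptionInfo stand-in, format_reason, and the caller-passes-its-own-reason aliasing are assumptions modelled on the traces, not the project's actual source.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for GraphicsMagick's ExceptionInfo; only the field implicated
   in the trace is modelled (constructed for this example). */
typedef struct {
    char *reason;   /* heap string owned by the exception */
} ExceptionInfo;

/* Hypothetical stand-in for GetLocaleExceptionMessage + FormatString:
   returns a new heap string built from the caller-supplied reason. */
static char *format_reason(const char *reason) {
    const char prefix[] = "Exception: ";           /* constructed text */
    size_t n = sizeof prefix + strlen(reason);     /* sizeof includes NUL */
    char *out = malloc(n);
    if (out) snprintf(out, n, "%s%s", prefix, reason);
    return out;
}

/* Ordering the trace shows: the old reason is freed first (MagickFree at
   error.c:1031), then the message is formatted from `reason` (error.c:1034).
   When the caller passes ex->reason itself, that read is a use-after-free.
   Defined for contrast only; never called with an aliased argument here. */
void throw_logged_buggy(ExceptionInfo *ex, const char *reason) {
    free(ex->reason);
    ex->reason = format_reason(reason);   /* reads `reason` after the free */
}

/* Hardened ordering: consume every input before releasing the old buffer,
   so an argument that aliases ex->reason is still live while it is read. */
void throw_logged_fixed(ExceptionInfo *ex, const char *reason) {
    char *formatted = format_reason(reason);   /* read first ... */
    free(ex->reason);                          /* ... then release */
    ex->reason = formatted;
}

/* Replays the aliasing pattern from the report against the fixed version:
   the exception's own reason is passed back in as the argument. Returns 1
   when the second message was built from the first without corruption. */
int realias_reason(void) {
    ExceptionInfo ex = { NULL };
    throw_logged_fixed(&ex, "corrupt JPEG data");   /* constructed reason */
    throw_logged_fixed(&ex, ex.reason);             /* aliasing call */
    int ok = ex.reason != NULL &&
             strcmp(ex.reason, "Exception: Exception: corrupt JPEG data") == 0;
    free(ex.reason);
    return ok;
}
```

Built with -fsanitize=address, calling throw_logged_buggy with an aliased argument reproduces the same READ-after-free shape as the report; the fixed ordering runs clean.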