CVE-2021-45944: Use-after-free in Ghostscript sampled_data_finish via moving GC interior-pointer invalidation
7f04c1c8-f2e4-4b86-8384-9857e9a14ced
Ghostscript 9.50 (psi/zfsample.c) has a use-after-free in sampled_data_finish caused by Ghostscript's compacting (moving) garbage collector. Two C local variables cache raw pointers into GC-managed objects:

(1) penum = senum (line 572) captures a pointer to a gs_sampled_data_enum struct;
(2) params = &penum->pfn->params (lines 574-575) captures an interior pointer into the embedded params field of a gs_function_Sd_t.

When gs_function_Sd_init() and ialloc_ref_array() allocate memory, the compacting GC may relocate the objects that penum and penum->pfn point to. The GC updates the pointers it tracks (via gs_sampled_data_enum_reloc_ptrs) but cannot update the raw copies held in C stack locals.

After the first GC, params is stale: gs_function_Sd_init dereferences it via pfn->params = *params (base/gsfunc0.c:1496). After the second GC, triggered by ialloc_ref_array, penum is stale: ifree_object(penum->pfn) at line 597 and ifree_object(penum) at line 598 operate on relocated or recycled memory.
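The following is an added, self-contained model of the bug class (not Ghostscript's code): a toy semispace collector that, like Ghostscript's, rewrites only the pointers it knows about (registered roots and the enum's pfn field) and poisons the evacuated space. finish_buggy caches raw locals across an allocating call exactly as sampled_data_finish does; finish_fixed shows the assumed hardening pattern of re-deriving pointers from the GC-tracked handle after every allocation (an illustration, not the actual upstream patch). All names and sizes are constructed.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-ins for gs_function_Sd_t and gs_sampled_data_enum. */
typedef struct { int params; } sd_fn_t;
typedef struct { sd_fn_t *pfn; int depth; } sd_enum_t;

/* Toy semispace collector: every allocation copies all live objects to the
 * other buffer, poisons the old one, and rewrites only GC-known pointers:
 * registered roots plus the tracked enum's pfn field (the analogue of
 * gs_sampled_data_enum_reloc_ptrs). Raw C locals are never rewritten. */
static unsigned char space[2][128];
static int cur;                      /* index of the live semispace */
static size_t top;                   /* bump pointer within space[cur] */
static void **roots[8]; static int nroots;
static sd_enum_t **tracked_enum;

static void *relocate(void *p) {     /* old address -> address after the copy */
    return (unsigned char *)p - space[cur] + space[!cur];
}
static void gc(void) {
    memcpy(space[!cur], space[cur], top);
    memset(space[cur], 0xAA, sizeof space[cur]);   /* poison the freed space */
    for (int i = 0; i < nroots; i++) *roots[i] = relocate(*roots[i]);
    if (tracked_enum) (*tracked_enum)->pfn = relocate((*tracked_enum)->pfn);
    cur = !cur;
}
static void *gc_alloc(size_t n) {    /* like gs_function_Sd_init / ialloc_ref_array: may move objects */
    gc();
    void *p = space[cur] + top; top += n; memset(p, 0, n); return p;
}

/* Same shape as the vulnerable sampled_data_finish. */
static int finish_buggy(sd_enum_t **senum) {
    sd_enum_t *penum = *senum;                /* penum = senum */
    int *params = &penum->pfn->params;        /* params = &penum->pfn->params */
    gc_alloc(16);                             /* GC runs; both objects move */
    return *params;                           /* stale interior pointer: reads poison */
}
/* Assumed hardening pattern: re-derive pointers from the tracked handle. */
static int finish_fixed(sd_enum_t **senum) {
    gc_alloc(16);
    return (*senum)->pfn->params;
}

int run_finish(int buggy) {          /* builds fn + enum, returns what finish read */
    cur = 0; top = 0; nroots = 0; tracked_enum = NULL;
    sd_fn_t *fn = gc_alloc(sizeof *fn); fn->params = 42;
    roots[nroots++] = (void **)&fn;
    sd_enum_t *senum = gc_alloc(sizeof *senum); senum->pfn = fn;
    roots[nroots++] = (void **)&senum; tracked_enum = &senum;
    return buggy ? finish_buggy(&senum) : finish_fixed(&senum);
}
```

run_finish(0) returns the stored value 42; run_finish(1) returns the 0xAA poison pattern, the same stale read that in real Ghostscript becomes a use-after-free once the old chunk is reused.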