[bug-pcl] Segfault in ghostpcl_1.41

James Macfarlane typo at mcflan.org
Sat Jul 30 07:34:24 PDT 2005


Hi

I've recently downloaded and built GhostPCL version 1.41 on linux 
(Debian testing, kernel 2.6.10, glibc2.2). "make test" runs fine but I 
have experienced a segfault when using it to view a pcl file generated 
by ghostscript. 

The errant code is in pcl/rtrstcmp.c, in function uncompress_9, around 
line 222. What happens is that the loop condition at line 186 is 
reached with a value of i=1. This is then post-decremented and the loop 
continues with i=0. One of the conditions at line 206 or 212 decrements 
i further to a value of -1. When line 222 is reached, j, an unsigned 
int, is set to -1, giving it a large positive value. The loop at 224 
thus over-runs the end of array "pin", resulting in a segfault.

I've tried changing the definition of j to a signed int. This prevents 
the segfault, but the rendering of the pcl file comes out as garbage. 
I should think there ought to be some sort of extra check of the state 
of i at line 221, but I don't know enough about the context this code 
is operating in. I suspect there is another problem here.

This file renders fine on a HP DeskJet 660C printer, and is attached for 
you to try. The file was produced using ESP Ghostscript 7.07.1 
(2003-07-12) as follows:

gs -sDEVICE=hpdj660c -sOutputFile=output.pcl -sPAPERSIZE=a4 -dNOPAUSE -q -- /usr/share/cups/data/testprint.ps

BTW, thanks for making ghostpcl available for linux. AFAIK, it is the 
_only_ free PCL render available on this platform. 

Best wishes,

James Macfarlane.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: output.pcl.gz
Type: application/x-gzip
Size: 60681 bytes
Desc: not available
Url : http://ghostscript.com/pipermail/bug-pcl/attachments/20050730/e72781bc/output.pcl-0001.bin
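
Added example, not part of the original message and not GhostPCL source: a constructed C sketch of the pattern the report describes, where a signed remaining-input count drops to -1 and is then assigned to an unsigned copy length. The record format, function names and sample bytes are assumptions made for illustration; the second function shows the kind of check on the count that keeps it from becoming a length.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Constructed record format (an assumption, not PCL mode 9): one command
 * byte; if its top bit is set, one extension byte follows; the rest is data.
 * `i` is the signed count of input bytes left, as in the report. */

/* Mirrors the reported flow and returns the length the copy loop would use.
 * The copy itself is left out so the demo never reads out of bounds. */
static unsigned int copy_len_unchecked(const unsigned char *pin, int i)
{
    unsigned int j = 0;
    while (i-- > 0) {            /* entered with i == 1, body runs with i == 0 */
        if (pin[0] & 0x80)       /* extension byte assumed to be present */
            i--;                 /* i is now -1 on a truncated record */
        j = i;                   /* -1 converts to UINT_MAX */
        break;                   /* a loop copying j bytes from pin would follow */
    }
    return j;
}

/* Checked variant: validate the signed count before it becomes a length.
 * Returns the number of bytes copied, or -1 for a malformed record. */
static int copy_checked(const unsigned char *pin, int i,
                        unsigned char *pout, size_t out_size)
{
    int pos = 0;
    if (i < 1)
        return -1;               /* no command byte */
    i--;
    if (pin[pos++] & 0x80) {
        if (i < 1)
            return -1;           /* extension byte missing: reject, no underflow */
        i--;
        pos++;
    }
    if ((size_t)i > out_size)
        return -1;               /* data would not fit the output row */
    memcpy(pout, pin + pos, (size_t)i);
    return i;
}

int main(void)
{
    const unsigned char truncated[] = { 0x80 };   /* constructed input */
    unsigned char row[8];
    printf("unchecked length: %u\n", copy_len_unchecked(truncated, 1));
    printf("checked result:   %d\n", copy_checked(truncated, 1, row, sizeof row));
    return 0;
}
```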