[gs-bugs] [Bug 691655] New: COMPILE_INITS=0 and gsicc_set_icc_directory() failure

bugzilla-daemon at ghostscript.com bugzilla-daemon at ghostscript.com
Thu Sep 30 12:08:53 UTC 2010 

http://bugs.ghostscript.com/show_bug.cgi?id=691655

           Summary: COMPILE_INITS=0 and gsicc_set_icc_directory() failure
           Product: Ghostscript
           Version: HEAD
          Platform: PC
        OS/Version: Windows XP
            Status: NEW
          Severity: normal
          Priority: P4
         Component: Color
        AssignedTo: michael.vrhel at artifex.com
        ReportedBy: norbert.janssen at oce.com
         QAContact: gs-bugs at ghostscript.com
   Estimated Hours: 0.0
          Customer: 661


I tried to compile the xps with COMPILE_INITS=0 and MSVC-compiler.

Running the gxps fails with a not found *.icc profiles.
So I added the gsicc_set_icc_directory(pgs, "../gs/iccprofiles/"), just above
the gsicc_init_iccmanager() in xpstop.c

This works OK with the gcc, and also with MSVC-debug
However in MSVC production mode (DEBUG=0 TDEBUG=0) this crashes, with a
heap-corruption.

I tracked it down to the gsicc_set_icc_directory which does not allocate enough
bytes to store the name.

At line 126 in gsicc_manage.c is allocates namelen bytes (should have been
namelen+1, to accomodate also the null-byte, which is also copied with the
strcpy)!!!

    /* User param string.  Must allocate in non-gc memory */
    result = (char*) gs_alloc_bytes(mem_gc->non_gc_memory, namelen+1,
                        "gsicc_set_icc_directory");


This is necessary because further on in gsicc_profile_new() the name is copied,
and a buffer is allocated (with size namelen, should have been namelen+1) as
the memcpy

    if (namelen > 0) {
        nameptr = (char*) gs_alloc_bytes(mem_nongc, namelen+1,
                    "gsicc_profile_new");
        memcpy(nameptr, pname, namelen);
    nameptr[namelen] = '\0';
        result->name = nameptr;
    } else {
        result->name = NULL;


Also in gsicc_open_search() the allocation should be for
namelen+icc_manager->namelen + 1 (for the NULL-byte).
Otherwise in gsicc_open_search() the
     strcpy(buffer, icc_manager->profiledir);
     strcat(buffer, pname);
could have unpredictable results in PRODUCTION mode (as the profiledir would
then not be terminated with a NULL-byte.

-- 
Configure bugmail: http://bugs.ghostscript.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug.

More information about the gs-bugs mailing list