[gs-bugs] [Bug 691651] New: gs 9.00 crashes in gx_alloc_char_bits (gxccman.c:612)

bugzilla-daemon at ghostscript.com bugzilla-daemon at ghostscript.com
Tue Sep 28 19:56:42 UTC 2010


           Summary: gs 9.00 crashes in gx_alloc_char_bits (gxccman.c:612)
           Product: Ghostscript
           Version: HEAD
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P4
         Component: Font API
        AssignedTo: chris.liddell at artifex.com
        ReportedBy: williambader at hotmail.com
         QAContact: gs-bugs at ghostscript.com
   Estimated Hours: 0.0

Created an attachment (id=6758)
 --> (http://bugs.ghostscript.com/attachment.cgi?id=6758)
Sample file to show the problem

gs 9.00 crashes on the file below.  I did ./configure and make with no options
on the distributed source and then ran
/u/ghostscript-9.00/bin/gs -sDEVICE=x11 test.ps

valgrind reports
==17821== Invalid read of size 4
==17821==    at 0x842ED36: gx_alloc_char_bits (gxccman.c:612)
==17821==    by 0x842DC48: gx_lookup_xfont_char (gxccache.c:226)
==17821==    by 0x843273E: show_proceed (gxchar.c:1078)
==17821==    by 0x812CA5A: op_show_continue_pop (zchar.c:530)
==17821==    by 0x812CD24: zshow (zchar.c:65)
==17821==    by 0x810DBF1: interp (interp.c:1150)
==17821==    by 0x810F73C: gs_interpret (interp.c:484)
==17821==    by 0x81042EB: gs_main_run_string_end (imain.c:240)
==17821==    by 0x81046F9: gs_main_run_string (imain.c:496)
==17821==    by 0x8105354: run_string (imainarg.c:814)
==17821==    by 0x8105AC8: runarg (imainarg.c:805)
==17821==    by 0x8105CE2: argproc (imainarg.c:738)
==17821==  Address 0x4c4 is not stack'd, malloc'd or (recently) free'd

The patch below stops the crash.

--- gs9.00/base/gxccman.c-      2010-08-10 12:20:19.000000000 -0400
+++ gs9.00/base/gxccman.c       2010-09-28 15:50:14.053145974 -0400
@@ -609,7 +609,7 @@
        gs_make_mem_mono_device(pdev, pdev->memory, target);
        rc_decrement_only(target, "gx_alloc_char_bits"); /* can't go to 0 */
         /* Decrement the ICC profile also.  Same device is getting
reinitialized */
-        rc_decrement(target->device_icc_profile,"gx_alloc_char_bits(icc
+        if (target != NULL)
rc_decrement(target->device_icc_profile,"gx_alloc_char_bits(icc profile)");
        pdev->rc = rc;
        pdev->retained = retained;
        pdev->width = iwidth;
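Review bot: the `if (target != NULL)` guard covers only the `rc_decrement(target->device_icc_profile, ...)` call, but the same `target` is passed unguarded to `gs_make_mem_mono_device(pdev, pdev->memory, target)` and `rc_decrement_only(target, ...)` two lines earlier in the hunk, so the patch masks the symptom rather than explaining why `target` can be NULL on this path. The valgrind fault address 0x4c4 (a small offset from 0) is consistent with the `target->device_icc_profile` field being read through a NULL pointer, so the guard is the right spot for the crash, but the reason the device reaches `gx_alloc_char_bits` with no target should be tracked down before this is committed. Two smaller points: the guarded statement spans two lines with no braces, which makes the scope easy to misread and should be written as `if (target != NULL) { ... }`, and the `-`/`+` lines have been wrapped by the mailer (the string literal is split across two physical lines), so this hunk will not apply as pasted; please attach it as a file.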

valgrind still warns
==5286== Conditional jump or move depends on uninitialised value(s)

==5286==    at 0x8140BE0: gc_trace (igc.c:1070)
==5286==    by 0x8141356: gs_gc_reclaim (igc.c:756)
==5286==    by 0x81D28B5: context_reclaim (zcontext.c:278)

==5286==    at 0x8140BE0: gc_trace (igc.c:1070)
==5286==    by 0x8141249: gs_gc_reclaim (igc.c:328)
==5286==    by 0x81D28B5: context_reclaim (zcontext.c:278)

==5286==    at 0x8141307: gs_gc_reclaim (igc.c:746)
==5286==    by 0x81D28B5: context_reclaim (zcontext.c:278)
==5286==    by 0x8111ACE: ireclaim (ireclaim.c:153)

==5286==    at 0x8141302: gs_gc_reclaim (igc.c:745)
==5286==    by 0x81D28B5: context_reclaim (zcontext.c:278)
==5286==    by 0x8111ACE: ireclaim (ireclaim.c:153)
