Bug 691651

Summary: gs 9.00 crashes in gx_alloc_char_bits (gxccman.c:612)
Product: Ghostscript
Reporter: William Bader <williambader>
Component: Font API
Assignee: Chris Liddell (chrisl) <chris.liddell>
Status: RESOLVED FIXED
Severity: normal
CC: williambader
Priority: P1
Version: master
Hardware: PC
OS: Linux
Customer:
Word Size: ---
Attachments: Sample file to show the problem
             proposed patch

Description William Bader 2010-09-28 19:56:37 UTC
Created attachment 6758 [details]
Sample file to show the problem

gs 9.00 crashes on the file below.  I did ./configure and make with no options on the distributed source and then ran
/u/ghostscript-9.00/bin/gs -sDEVICE=x11 test.ps

valgrind reports
==17821== Invalid read of size 4
==17821==    at 0x842ED36: gx_alloc_char_bits (gxccman.c:612)
==17821==    by 0x842DC48: gx_lookup_xfont_char (gxccache.c:226)
==17821==    by 0x843273E: show_proceed (gxchar.c:1078)
==17821==    by 0x812CA5A: op_show_continue_pop (zchar.c:530)
==17821==    by 0x812CD24: zshow (zchar.c:65)
==17821==    by 0x810DBF1: interp (interp.c:1150)
==17821==    by 0x810F73C: gs_interpret (interp.c:484)
==17821==    by 0x81042EB: gs_main_run_string_end (imain.c:240)
==17821==    by 0x81046F9: gs_main_run_string (imain.c:496)
==17821==    by 0x8105354: run_string (imainarg.c:814)
==17821==    by 0x8105AC8: runarg (imainarg.c:805)
==17821==    by 0x8105CE2: argproc (imainarg.c:738)
==17821==  Address 0x4c4 is not stack'd, malloc'd or (recently) free'd

The patch below stops the crash.

--- gs9.00/base/gxccman.c-      2010-08-10 12:20:19.000000000 -0400
+++ gs9.00/base/gxccman.c       2010-09-28 15:50:14.053145974 -0400
@@ -609,7 +609,7 @@
        gs_make_mem_mono_device(pdev, pdev->memory, target);
        rc_decrement_only(target, "gx_alloc_char_bits"); /* can't go to 0 */
         /* Decrement the ICC profile also.  Same device is getting reinitialized */
-        rc_decrement(target->device_icc_profile,"gx_alloc_char_bits(icc profile)");
+        if (target != NULL) rc_decrement(target->device_icc_profile,"gx_alloc_char_bits(icc profile)");
        pdev->rc = rc;
        pdev->retained = retained;
        pdev->width = iwidth;
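Review bot: the new NULL check guards only the `rc_decrement(target->device_icc_profile, ...)` line, but `gs_make_mem_mono_device(pdev, pdev->memory, target)` and `rc_decrement_only(target, "gx_alloc_char_bits")` two lines above are handed the same pointer first; if target can be NULL at this point (the valgrind fault address 0x4c4 is consistent with reading a field through a NULL target), the hunk should either hoist the check above those two calls or carry a comment stating why they tolerate a NULL target while the ICC decrement does not. A comment on when target is NULL here, and whether an ICC profile reference was ever taken in that case, would also make the fix self-explanatory, and for consistency with the surrounding code the body belongs on its own line:
    if (target != NULL)
        rc_decrement(target->device_icc_profile, "gx_alloc_char_bits(icc profile)");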

valgrind still warns
==5286== Conditional jump or move depends on uninitialised value(s)

==5286==    at 0x8140BE0: gc_trace (igc.c:1070)
==5286==    by 0x8141356: gs_gc_reclaim (igc.c:756)
==5286==    by 0x81D28B5: context_reclaim (zcontext.c:278)

==5286==    at 0x8140BE0: gc_trace (igc.c:1070)
==5286==    by 0x8141249: gs_gc_reclaim (igc.c:328)
==5286==    by 0x81D28B5: context_reclaim (zcontext.c:278)

==5286==    at 0x8141307: gs_gc_reclaim (igc.c:746)
==5286==    by 0x81D28B5: context_reclaim (zcontext.c:278)
==5286==    by 0x8111ACE: ireclaim (ireclaim.c:153)

==5286==    at 0x8141302: gs_gc_reclaim (igc.c:745)
==5286==    by 0x81D28B5: context_reclaim (zcontext.c:278)
==5286==    by 0x8111ACE: ireclaim (ireclaim.c:153)
Comment 1 William Bader 2010-09-28 19:58:45 UTC
Created attachment 6759 [details]
proposed patch
Comment 2 Chris Liddell (chrisl) 2010-10-14 15:07:08 UTC
Patch applied in r11808.

Thanks for the investigation, much appreciated.