xps front end crashes when reading a file from microsoft's sample xps files set. Testing using current svn trunk on linux. ./gxps -sDEVICE=pdfwrite -sOutputFile=foo.pdf -dBATCH -dNOPAUSE Office2007_Powerpoint_Drawing_Fills_Texture.xps #0 0x00306006 in ?? () #1 0x08197cbe in pdf_copy_color_bits (s=0x8695170, base=0x2a24c0 <Address 0x2a24c0 out of bounds>, sourcex=0, raster=-2880, w=960, h=960, bytes_per_pixel=3) at ../gs/base/gdevpdfj.c:587 #2 0x081ac0c1 in pdf_put_colored_pattern (pdev=0x85a770c, pdc=0x85cd5f8, pcs=0x85cde08, ppscc=0x8388614, have_pattern_streams=0, ppres=0xbfd0ab4c) at ../gs/base/gdevpdfv.c:461 #3 0x0818ec33 in pdf_reset_color (pdev=0x85a770c, pis=0x858e2c0, pdc=0x85cd5f8, psc=0x85a7d9c, used_process_color=0x85a7d94, ppscc=0x8388614) at ../gs/base/gdevpdfg.c:410 #4 0x0818f05f in pdf_set_drawing_color (pdev=0x85a770c, pis=0x858e2c0, pdc=0x85cd5f8, psc=0x85a7d9c, used_process_color=0x85a7d94, ppscc=0x8388614) at ../gs/base/gdevpdfg.c:483 #5 0x081873cc in pdf_setfillcolor (vdev=0x85a770c, pis=0x858e2c0, pdc=0x85cd5f8) at ../gs/base/gdevpdfd.c:100 #6 0x08189a04 in gdev_pdf_fill_path (dev=0x85a770c, pis=0x858e2c0, ppath=0x85cbe40, params=0xbfd0b6a4, pdcolor=0x85cd5f8, pcpath=0x85cb8fc) at ../gs/base/gdevpdfd.c:1049 #7 0x082c5884 in gx_fill_path (ppath=0x85cbe40, pdevc=0x85cd5f8, pgs=0x858e2c0, rule=1, adjust_x=0, adjust_y=0) at ../gs/base/gxpaint.c:48 #8 0x08280128 in fill_with_rule (pgs=0x858e2c0, rule=1) at ../gs/base/gspaint.c:310 #9 0x082801d1 in gs_eofill (pgs=0x858e2c0) at ../gs/base/gspaint.c:334 ---Type <return> to continue, or q <return> to quit--- #10 0x08308407 in xps_fill (ctx=0x858d9d8) at ../xps/xpspath.c:174 #11 0x0830bc32 in xps_parse_tiling_brush (ctx=0x858d9d8, base_uri=0xbfd0beec "/Documents/1/Pages/", dict=0x0, root=0x8666010, func=0x830c93a <xps_paint_image_brush>, user=0x85bbc44) at ../xps/xpstile.c:259 #12 0x0830cea9 in xps_parse_image_brush (ctx=0x858d9d8, base_uri=0xbfd0beec "/Documents/1/Pages/", dict=0x0, root=0x8666010) at ../xps/xpsimage.c:340 #13 0x08306141 in xps_parse_brush (ctx=0x858d9d8, base_uri=0xbfd0beec "/Documents/1/Pages/", dict=0x0, node=0x8666010) at ../xps/xpscommon.c:24 #14 0x0830afd2 in xps_parse_path (ctx=0x858d9d8, base_uri=0xbfd0beec "/Documents/1/Pages/", dict=0x0, root=0x85b624c) at ../xps/xpspath.c:1127 #15 0x08306299 in xps_parse_element (ctx=0x858d9d8, base_uri=0xbfd0beec "/Documents/1/Pages/", dict=0x0, node=0x85b624c) at ../xps/xpscommon.c:38 #16 0x08304f45 in xps_parse_canvas (ctx=0x858d9d8, base_uri=0xbfd0beec "/Documents/1/Pages/", dict=0x0, root=0x85b68f4) at ../xps/xpspage.c:89 #17 0x0830631e in xps_parse_element (ctx=0x858d9d8, base_uri=0xbfd0beec "/Documents/1/Pages/", dict=0x0, node=0x85b68f4) at ../xps/xpscommon.c:42 ---Type <return> to continue, or q <return> to quit--- #18 0x08304f45 in xps_parse_canvas (ctx=0x858d9d8, base_uri=0xbfd0beec "/Documents/1/Pages/", dict=0x0, root=0x85b569c) at ../xps/xpspage.c:89 #19 0x0830631e in xps_parse_element (ctx=0x858d9d8, base_uri=0xbfd0beec "/Documents/1/Pages/", dict=0x0, node=0x85b569c) at ../xps/xpscommon.c:42 #20 0x0830583a in xps_parse_fixed_page (ctx=0x858d9d8, part=0x8665da4) at ../xps/xpspage.c:230 #21 0x083024bb in xps_read_and_process_page_part (ctx=0x858d9d8, name=0x85b53cc "/Documents/1/Pages/4.fpage") at ../xps/xpszipseek.c:449 #22 0x083027a1 in xps_process_file (ctx=0x858d9d8, file=0x859b508) at ../xps/xpszipseek.c:507 #23 0x0804b7b7 in xps_imp_process_file (pinstance=0x858d998, filename=0xbfd0e69a "SampleXpsDocuments_1_0/Office2007/Office2007_Powerpoint_Drawing_Fills_Texture.xps") at ../xps/xpstop.c:238 #24 0x08330a62 in pl_process_file (instance=0x858d998, filename=0xbfd0e69a "SampleXpsDocuments_1_0/Office2007/Office2007_Powerpoint_Drawing_Fills_Texture.xps") at ../pl/pltop.c:146 #25 0x0833ae7a in pl_main (argc=6, argv=0xbfd0d4f4) at ../pl/plmain.c:420 #26 0x0833cd81 in main (argc=6, argv=0xbfd0d4f4) at ../pl/plmain.c:1311 problem seems to be here: 461 if ((code = pdf_copy_color_bits(writer.binary[0].strm, p_tile->tbits.data + (h - 1) * p_tile->tbits.raster, 0, -p_tile->tbits.raster, w, h, pdev->color_info.depth >> 3)) < 0 || (gdb) print p_tile->tbits.data $7 = (byte *) 0x0
Created attachment 5985 [details] problem xps file, from http://www.microsoft.com/whdc/xps/xpssampdoc.mspx
Also affects Handcrafted/PNGplus.xps and Office2007_RGB_PNG_ROTATED.pdf from the same test file set.
Crash doesn't occur when using -sDEVICE=png16m (and the output appears to have been rendered correctly) - presumably implies it is a bug in the pdfwriter, but not sure which is the correct pdf writer component to reassign the bug to.
This is the same problem as the Quality Logic test file fts_28xx.xps. I've put a temporary change in place which doesn't dereference the NULL pointer. The file runs to completion but there are pages which do not render due to missing objects. There are a number of other cases of this problem, so we'll address these and come back to this.
In fact the device reference counting fix (rev 11366) seems to have obviated the need for the pointer test. As noted the file does not convert fully correctly, but the segv is resolved. Closing this issue and will continue with the other problems separately. Patch for the reference counting issue: http://ghostscript.com/pipermail/gs-cvs/2010-June/011185.html