Bug 691651 - gs 9.00 crashes in gx_alloc_char_bits (gxccman.c:612)
Summary: gs 9.00 crashes in gx_alloc_char_bits (gxccman.c:612)
Status: RESOLVED FIXED
Alias: None
Product: Ghostscript
Classification: Unclassified
Component: Font API
Version: master
Hardware: PC Linux
Importance: P1 normal
Assignee: Chris Liddell (chrisl)
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2010-09-28 19:56 UTC by William Bader
Modified: 2010-10-14 15:07 UTC
CC List: 1 user

See Also:
Customer:
Word Size: ---


Attachments
Sample file to show the problem (665.51 KB, application/postscript)
2010-09-28 19:56 UTC, William Bader
proposed patch (616 bytes, patch)
2010-09-28 19:58 UTC, William Bader

Description William Bader 2010-09-28 19:56:37 UTC
Created attachment 6758
Sample file to show the problem

gs 9.00 crashes on the file below.  I did ./configure and make with no options on the distributed source and then ran
/u/ghostscript-9.00/bin/gs -sDEVICE=x11 test.ps

valgrind reports
==17821== Invalid read of size 4
==17821==    at 0x842ED36: gx_alloc_char_bits (gxccman.c:612)
==17821==    by 0x842DC48: gx_lookup_xfont_char (gxccache.c:226)
==17821==    by 0x843273E: show_proceed (gxchar.c:1078)
==17821==    by 0x812CA5A: op_show_continue_pop (zchar.c:530)
==17821==    by 0x812CD24: zshow (zchar.c:65)
==17821==    by 0x810DBF1: interp (interp.c:1150)
==17821==    by 0x810F73C: gs_interpret (interp.c:484)
==17821==    by 0x81042EB: gs_main_run_string_end (imain.c:240)
==17821==    by 0x81046F9: gs_main_run_string (imain.c:496)
==17821==    by 0x8105354: run_string (imainarg.c:814)
==17821==    by 0x8105AC8: runarg (imainarg.c:805)
==17821==    by 0x8105CE2: argproc (imainarg.c:738)
==17821==  Address 0x4c4 is not stack'd, malloc'd or (recently) free'd

The patch below stops the crash.

--- gs9.00/base/gxccman.c-      2010-08-10 12:20:19.000000000 -0400
+++ gs9.00/base/gxccman.c       2010-09-28 15:50:14.053145974 -0400
@@ -609,7 +609,7 @@
        gs_make_mem_mono_device(pdev, pdev->memory, target);
        rc_decrement_only(target, "gx_alloc_char_bits"); /* can't go to 0 */
         /* Decrement the ICC profile also.  Same device is getting reinitialized */
-        rc_decrement(target->device_icc_profile,"gx_alloc_char_bits(icc profile)");
+        if (target != NULL) rc_decrement(target->device_icc_profile,"gx_alloc_char_bits(icc profile)");
        pdev->rc = rc;
        pdev->retained = retained;
        pdev->width = iwidth;
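Review bot: the NULL guard on the `+` line protects only the ICC-profile decrement, yet `target` is already passed to `gs_make_mem_mono_device(pdev, pdev->memory, target)` and `rc_decrement_only(target, "gx_alloc_char_bits")` two lines earlier in the same hunk; unless both of those are known to tolerate a NULL `target`, the check should be hoisted so that the whole reinitialisation sequence is skipped (or handled) when `target` is NULL, rather than guarding one dereference in the middle of it. The faulting address `0x4c4` in the valgrind trace is consistent with reading `target->device_icc_profile` through a NULL pointer (a field offset from address 0), so the guard does stop that read, but the patch does not explain why `target` is NULL at this point; a short comment on why a cached char device can have no target, or a note that this is a symptom fix, would help the next reader. Style: the one-line `if (...) rc_decrement(...);` is longer than the surrounding lines and would read better as a braced multi-line `if` matching the file's formatting.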

valgrind still warns
==5286== Conditional jump or move depends on uninitialised value(s)

==5286==    at 0x8140BE0: gc_trace (igc.c:1070)
==5286==    by 0x8141356: gs_gc_reclaim (igc.c:756)
==5286==    by 0x81D28B5: context_reclaim (zcontext.c:278)

==5286==    at 0x8140BE0: gc_trace (igc.c:1070)
==5286==    by 0x8141249: gs_gc_reclaim (igc.c:328)
==5286==    by 0x81D28B5: context_reclaim (zcontext.c:278)

==5286==    at 0x8141307: gs_gc_reclaim (igc.c:746)
==5286==    by 0x81D28B5: context_reclaim (zcontext.c:278)
==5286==    by 0x8111ACE: ireclaim (ireclaim.c:153)

==5286==    at 0x8141302: gs_gc_reclaim (igc.c:745)
==5286==    by 0x81D28B5: context_reclaim (zcontext.c:278)
==5286==    by 0x8111ACE: ireclaim (ireclaim.c:153)
Comment 1 William Bader 2010-09-28 19:58:45 UTC
Created attachment 6759
proposed patch
Comment 2 Chris Liddell (chrisl) 2010-10-14 15:07:08 UTC
patch applied in r11808.

Thanks for the investigation, much appreciated.