Bug 692217 - SEGV due to uninitialised device colour pattern in clist
Summary: SEGV due to uninitialised device colour pattern in clist
Status: RESOLVED FIXED
Alias: None
Product: Ghostscript
Classification: Unclassified
Component: Graphics Library
Version: master
Hardware: PC All
Importance: P4 normal
Assignee: Ray Johnston
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-05-20 13:21 UTC by Robin Watts
Modified: 2011-05-26 02:28 UTC

See Also:
Customer:
Word Size: ---


Attachments
test.pdf (1.06 MB, application/unknown)
2011-05-20 13:21 UTC, Robin Watts

Description Robin Watts 2011-05-20 13:21:16 UTC
Created attachment 7520 [details]
test.pdf

The following command:

debugobj/gs -r300 -sDEVICE=ppmraw -o /dev/null test.pdf

causes a SEGV.

This seems to be caused by playing back a clist as part of a pattern.

Quick precis of what I've found so far: clist_playback_band gets a cmd_opv_ext_put_drawing_color, and calls into the pattern loading code with dev_color.ccolor.pattern = NULL. This then falls over in gx_pattern_size_estimate with a NULL dereference.

#0  0x0813b0c2 in gx_pattern_size_estimate (pinst=0x0, has_tags=0) at ./base/gxpcmap.c:196
#1  0x0813d857 in gx_pattern_load (pdc=0xbfaaf4f4, pis=0xbfaadc60, dev=0xbfab6318, select=gs_color_select_texture) at ./base/gxpcmap.c:1171
#2  0x08134fba in gx_dc_pattern_load (pdevc=0xbfaaf4f4, pis=0xbfaadc60, dev=0xbfab6318, select=gs_color_select_texture) at ./base/gsptype1.c:1164
#3  0x0832c205 in clist_playback_band (playback_action=playback_action_render, cdev=0xa7020c4, s=0xbfab0ff8, target=0xbfab6318, x0=-88, y0=0, mem=0xa5f5b74) at ./base/gxclrast.c:1692
#4  0x08333da1 in clist_playback_file_bands (action=playback_action_render, crdev=0xa7020c4, page_info=0xa702610, target=0xbfab6318, band_first=0, band_last=0, x0=-88, y0=0) at ./base/gxclread.c:842
#5  0x08138a76 in tile_pattern_clist (ptfs=0xbfab132c, x=88, y=0, w=2305, h=76) at ./base/gxp1fill.c:285
#6  0x08138649 in tile_by_steps (ptfs=0xbfab132c, x0=87, y0=0, w0=2306, h0=76, ptile=0xa6c5efc, tbits_or_tmask=0xbfab12fc, fill_proc=0x813891e <tile_pattern_clist>) at ./base/gxp1fill.c:206
#7  0x0813aee0 in gx_trans_pattern_fill_rect (xmin=87, ymin=0, xmax=2306, ymax=76, ptile=0xa6c5efc, fill_trans_buffer=0x0, phase={x = 0, y = 0}, dev=0xbfab6318, pdevc=0xbfab99b4) at ./base/gxp1fill.c:883
#8  0x081f827e in pdf14_tile_pattern_fill (pdev=0xa8a0ed4, pis=0xbfab6898, ppath=0xbfab891c, params=0xbfab8ab8, pdevc=0xbfab99b4, pcpath=0xbfab8804) at ./base/gdevp14.c:2457
#9  0x081f675b in pdf14_fill_path (dev=0xa8a0ed4, pis=0xbfab8120, ppath=0xbfab891c, params=0xbfab8ab8, pdcolor=0xbfab99b4, pcpath=0xbfab8804) at ./base/gdevp14.c:1978
#10 0x0832c80e in clist_playback_band (playback_action=playback_action_render, cdev=0xa8c75ac, s=0xbfabb4b8, target=0xa8a0ed4, x0=0, y0=0, mem=0xa5f5b74) at ./base/gxclrast.c:1802
#11 0x08333da1 in clist_playback_file_bands (action=playback_action_render, crdev=0xa8c75ac, page_info=0xbfabbb0c, target=0xc235d9c, band_first=0, band_last=0, x0=0, y0=0) at ./base/gxclread.c:842
#12 0x083339b7 in clist_render_rectangle (cldev=0xa8c75ac, prect=0xbfabbfe0, bdev=0xc235d9c, render_plane=0xbfabc0f8, clear=1) at ./base/gxclread.c:771
#13 0x08333679 in clist_rasterize_lines (dev=0xa8c75ac, y=0, line_count=1, bdev=0xc235d9c, render_plane=0xbfabc0f8, pmy=0xbfabc114) at ./base/gxclread.c:683
#14 0x083331db in clist_get_bits_rectangle (dev=0xa8c75ac, prect=0xbfabc338, params=0xbfabc2a8, unread=0x0) at ./base/gxclread.c:574
#15 0x0834d7d6 in clist_get_bits_rect_mt (dev=0xa8c75ac, prect=0xbfabc338, params=0xbfabc2a8, unread=0x0) at ./base/gxclthrd.c:524
#16 0x085cd414 in gx_default_get_bits (dev=0xa8c75ac, y=0, data=0xc6af574 '¨' <repeats 200 times>..., actual_data=0xbfabc3d0) at ./base/gdevdgbr.c:52
#17 0x08320ad8 in gdev_prn_get_bits (pdev=0xa8c75ac, y=0, str=0xc6af574 '¨' <repeats 200 times>..., actual_data=0xbfabc3d0) at ./base/gdevprn.c:1228
#18 0x083e9bfa in pbm_print_page_loop (pdev=0xa8c75ac, magic=54 '6', pstream=0xc6af308, row_proc=0x83e9569 <nop_row_proc>) at ./base/gdevpbm.c:721
#19 0x083ea665 in ppm_print_page (pdev=0xa8c75ac, pstream=0xc6af308) at ./base/gdevpbm.c:974
#20 0x0831fe9f in gx_default_print_page_copies (pdev=0xa8c75ac, prn_stream=0xc6af308, num_copies=1) at ./base/gdevprn.c:836
#21 0x0831fc30 in gdev_prn_output_page (pdev=0xa8c75ac, num_copies=1, flush=1) at ./base/gdevprn.c:772
#22 0x083e85b9 in ppm_output_page (pdev=0xa8c75ac, num_copies=1, flush=1) at ./base/gdevpbm.c:276
#23 0x085d06b4 in gx_forward_output_page (dev=0xb114dec, num_copies=1, flush=1) at ./base/gdevnfwd.c:173
#24 0x0853d2ad in gs_output_page (pgs=0xa60c764, num_copies=1, flush=1) at ./base/gsdevice.c:147
#25 0x0818cbb8 in zoutputpage (i_ctx_p=0xa61d098) at ./psi/zdevice.c:355
#26 0x0814a581 in do_call_operator (op_proc=0x818cad2 <zoutputpage>, i_ctx_p=0xa61d098) at ./psi/interp.c:84
#27 0x0814c7c4 in interp (pi_ctx_p=0xa5f472c, pref=0xbfabd1fc, perror_object=0xbfabd3a0) at ./psi/interp.c:1163
#28 0x0814ac4c in gs_call_interp (pi_ctx_p=0xa5f472c, pref=0xbfabd2f8, user_errors=1, pexit_code=0xbfabd3ac, perror_object=0xbfabd3a0) at ./psi/interp.c:490
#29 0x0814aacf in gs_interpret (pi_ctx_p=0xa5f472c, pref=0xbfabd2f8, user_errors=1, pexit_code=0xbfabd3ac, perror_object=0xbfabd3a0) at ./psi/interp.c:448
#30 0x0813f183 in gs_main_interpret (minst=0xa5f46d8, pref=0xbfabd2f8, user_errors=1, pexit_code=0xbfabd3ac, perror_object=0xbfabd3a0) at ./psi/imain.c:239
#31 0x0813fcc1 in gs_main_run_string_end (minst=0xa5f46d8, user_errors=1, pexit_code=0xbfabd3ac, perror_object=0xbfabd3a0) at ./psi/imain.c:555
#32 0x0813fbb4 in gs_main_run_string_with_length (minst=0xa5f46d8, str=0xb0a57e0 "<2e2e2f2e2e2f4d7954657374732f4275673639313735352e706466>.runfile", length=64, user_errors=1, pexit_code=0xbfabd3ac, perror_object=0xbfabd3a0) at ./psi/imain.c:513
#33 0x0813fb22 in gs_main_run_string (minst=0xa5f46d8, str=0xb0a57e0 "<2e2e2f2e2e2f4d7954657374732f4275673639313735352e706466>.runfile", user_errors=1, pexit_code=0xbfabd3ac, perror_object=0xbfabd3a0) at ./psi/imain.c:495
#34 0x08142c4b in run_string (minst=0xa5f46d8, str=0xb0a57e0 "<2e2e2f2e2e2f4d7954657374732f4275673639313735352e706466>.runfile", options=3) at ./psi/imainarg.c:816
#35 0x08142c02 in runarg (minst=0xa5f46d8, pre=0x8606ffb "", arg=0xa622a00 "../../MyTests/Bug691755.pdf", post=0x86070f5 ".runfile", options=3) at ./psi/imainarg.c:807
#36 0x08142875 in argproc (minst=0xa5f46d8, arg=0xbfabe5af "../../MyTests/Bug691755.pdf") at ./psi/imainarg.c:740
#37 0x081410c1 in gs_main_init_with_args (minst=0xa5f46d8, argc=6, argv=0xbfabde64) at ./psi/imainarg.c:215
#38 0x0809f53a in main (argc=6, argv=0xbfabde64) at ./psi/gs.c:94
Comment 1 Ray Johnston 2011-05-20 14:52:07 UTC
I can reproduce this on Windows 32-bit build. Looking into it...
Comment 2 Ray Johnston 2011-05-26 02:28:41 UTC
This was caused by a clip device created for tiling a mask with a transparent
pattern rendered with a clist. The clip device used for rendering did not
get its color_info updated when its target (pdf14) changed the color_info,
specifically the depth.

Fixed by grabbing the target color_info after calling the target's compositor.

I did check other "forwarding" devices and this is (AFAICT) the only device
that uses the gx_forward_create_compositor function and so this _should_ have
no effect on any other devices, and it is (IMHO) a reasonable assumption in
any other current or future forwarding devices that the default forwarding
function will take care of the 'color_info' change during the forwarded
create_compositor call.

Committed:

http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=25de59220e9472e6de1acc046c317141a1751770
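As an added illustration of the failure mode described in Comment 2 (not Ghostscript's code and not the linked commit): a forwarding device that keeps its own copy of the target's color_info goes stale when the target's compositor changes the depth, so any buffer sized from the wrapper's view is too small. `device_t`, `color_info_t` and the function names are simplified stand-ins.

```c
/* Added illustration of the stale color_info bug class from Comment 2.
 * device_t / color_info_t are simplified stand-ins, not Ghostscript's. */
#include <stddef.h>

typedef struct { int depth; int num_components; } color_info_t;

typedef struct device_s {
    color_info_t color_info;   /* wrapper keeps its own copy */
    struct device_s *target;   /* NULL for the terminal device */
} device_t;

/* Target (think pdf14) installs a compositor and changes its depth. */
static void target_create_compositor(device_t *dev, int depth, int ncomp)
{
    dev->color_info.depth = depth;
    dev->color_info.num_components = ncomp;
}

/* Before the fix: forward the call, leave the wrapper's copy untouched. */
static void forward_create_compositor_stale(device_t *fwd, int depth, int ncomp)
{
    target_create_compositor(fwd->target, depth, ncomp);
}

/* After the fix: forward the call, then re-read the target's color_info. */
static void forward_create_compositor_fixed(device_t *fwd, int depth, int ncomp)
{
    target_create_compositor(fwd->target, depth, ncomp);
    fwd->color_info = fwd->target->color_info;
}

/* Row size a band buffer would be allocated with from dev's own depth. */
static size_t row_bytes(const device_t *dev, int width)
{
    return ((size_t)width * (size_t)dev->color_info.depth + 7) / 8;
}

/* Bytes by which the wrapper under-sizes a row of `width` pixels relative
 * to what the target actually writes; 0 means the two views agree. */
size_t forward_row_shortfall(int use_fix, int width)
{
    device_t target = { {8, 1}, NULL };
    device_t clip   = { {8, 1}, &target };   /* copied at creation time */
    if (use_fix)
        forward_create_compositor_fixed(&clip, 32, 4);
    else
        forward_create_compositor_stale(&clip, 32, 4);
    return row_bytes(&target, width) - row_bytes(&clip, width);
}
```

With the band width from the backtrace (2305 pixels) the stale wrapper under-sizes each row by 6915 bytes, which is the kind of mismatch that ends in an out-of-bounds access or an unexpected NULL further down the pattern code.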