Created attachment 9589: page.pdf

Original bug report: https://bugs.launchpad.net/ubuntu/+source/ghostscript/+bug/1172571

The attached file causes Ghostscript 9.07 (and also 9.05) to segfault with the following command line:

gs -dBATCH -dNOPAUSE -o page.png -sDEVICE=pngmono page.pdf

There is a Valgrind log posted on the Ubuntu bug report.
Created attachment 9590: just a thought that might help......

In order to reproduce this in the master code, you need to build with -DGS_USE_MEMORY_HEADER_ID=0 in your CFLAGS (the memory ID code "hides" the problem).

The memory header is being corrupted by the "invert_data()" macro in cf_decode_2d(). During decoding, we get a run length of "-2" in a part of the code where negative run lengths are not catered for, we then try to invert that number of bytes - hence zapping the memory header.

The negative run length happens around line 732 in scfd.c, from the line:

hwb:get_run(cf_black_decode, cfd_black_initial_bits, cfd_black_min_bits,

The following invert_data() call corrupts the header.

The patch attached *seems* to work, but is a bit of a stab in the dark (I think we should get rid of the get_run() macro, and make it a function!) - I'll defer to Alex on whether it's useful.

Till, please don't consider using this patch until Alex has a chance to investigate.
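An added illustration, not Ghostscript's code and not the attached patch: a simplified run applier that validates every run length before inverting pixels, so a value like the -2 described in the comment above is rejected instead of driving writes outside the row. The `struct block` layout, `HDR_MAGIC` and all function names are assumptions made up for this sketch.

```c
#include <stdint.h>
#include <string.h>

#define ROW_BYTES 4
#define ROW_BITS  (ROW_BYTES * 8)
#define HDR_MAGIC 0xA5A5A5A5u /* constructed stand-in for an allocator header */

/* Constructed layout: a header directly in front of the scan line. */
struct block {
    uint32_t header;
    uint8_t  row[ROW_BYTES];
};

/* A run is usable only if it is non-negative and fits in what is left. */
static int run_ok(int pos, int run_len)
{
    return run_len >= 0 && run_len <= ROW_BITS - pos;
}

/* Invert run_len pixels starting at bit position pos (MSB first). */
static void invert_run(uint8_t *row, int pos, int run_len)
{
    for (int i = pos; i < pos + run_len; i++)
        row[i >> 3] ^= (uint8_t)(0x80u >> (i & 7));
}

/* Apply alternating white/black run lengths (white first) to a cleared row.
 * Returns 0 on success, -1 as soon as a run fails validation; the check
 * happens before any byte is touched. */
static int decode_row(struct block *b, const int *runs, int n)
{
    int pos = 0;
    memset(b->row, 0, ROW_BYTES);
    for (int k = 0; k < n; k++) {
        if (!run_ok(pos, runs[k]))
            return -1;
        if (k & 1)                      /* odd index: black run */
            invert_run(b->row, pos, runs[k]);
        pos += runs[k];
    }
    return 0;
}

int main(void)
{
    struct block b = { HDR_MAGIC, {0} };
    const int bad[] = { 4, -2 };        /* constructed: negative black run */
    return decode_row(&b, bad, 2) == -1 && b.header == HDR_MAGIC ? 0 : 1;
}
```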
Chris, the original reporter of the Ubuntu bug has tested your patch and it seems to fix the problem for him.
Passing this one back to Chris since he did some work on it. Looks to me like the best solution is to adopt his patch.
Patch applied in: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=f1b0e276