| Summary: | Transparency: PDF segfault | ||
|---|---|---|---|
| Product: | Ghostscript | Reporter: | Ralph Giles <ralph.giles> |
| Component: | PDF Interpreter | Assignee: | leonardo <leonardo> |
| Status: | NOTIFIED FIXED | ||
| Severity: | normal | ||
| Priority: | P2 | ||
| Version: | master | ||
| Hardware: | PC | ||
| OS: | Windows XP | ||
| Customer: | 330 | Word Size: | --- |
|
Description
Ralph Giles
2006-04-04 13:29:53 UTC
Created attachment 2143 [details]
problem file
The seg fault is coming from the memcopy in the following sequence in
pdf14_push_transparency_group in gdevp14.c. The width and pointers seem
reasonable at fist glance.
for (i = 0; i < n_chan_copy; i++) {
byte *buf_ptr = buf_plane;
byte *tos_ptr = tos_plane;
int y;
for (y = y0; y < y1; ++y) {
memcpy (buf_ptr, tos_ptr, width);
buf_ptr += buf->rowstride;
tos_ptr += tos->rowstride;
}
buf_plane += buf->planestride;
tos_plane += tos->planestride;
}
I got a C stack overflow on Windows NT, MSVC 6. The problem is that the bounding rectangles for the two buffers do not match. As a result, the memcopy is attempting to move data from before the start of the tos_ptr area. Igor, Would you please check the logic for determining the bounding boxes. Another crash in transparency happen with -dPDFA. I guess the branch, which converts a transparency into a bitmap, needs a similar improvement. gswin32c.exe -dPDFA -dNOPAUSE -dBATCH -sDEVICE=pdfwrite -sOutputFile=z:\t2 \cur.pdf -dLastPage=10 CompareFiles\Bug688631.pdf The test file is same as one attached. One more patch to HEAD : http://ghostscript.com/pipermail/gs-cvs/2006-September/006825.html |