Bug 688873

Summary: pdfwrite: Valgrind reports uninitialized data
Product: Ghostscript    Reporter: leonardo <leonardo>
Component: PDF Writer    Assignee: Alex Cherepanov <alex>
Status: NOTIFIED FIXED
Severity: normal    CC: alex
Priority: P4
Version: master
Hardware: PC
OS: Windows XP
Customer:    Word Size: ---
Attachments: vg_bugs.supp.bz2
patch

Description leonardo 2006-09-07 06:20:27 UTC
See http://ghostscript.com/pipermail/gs-cvs/2006-September/006782.html
about gdevpdf* modules.
Comment 1 Alex Cherepanov 2006-09-09 11:04:45 UTC
Created attachment 2465 [details]
vg_bugs.supp.bz2

This is a better version of the suppression file.
- it is automatically generated
- it includes the full log message and all names of affected files
Comment 2 Alex Cherepanov 2006-09-22 18:24:55 UTC
Let's use this bug report to track the following problem:

Conditional jump or move depends on uninitialised value(s)
   at 0x8214B29: pdf_process_string (gdevpdte.c:523)
   by 0x8213B03: pdf_process_string_aux (gdevpdte.c:67)
   by 0x8215F94: process_plain_text (gdevpdte.c:1151)
   by 0x821E4D5: pdf_text_process (gdevpdtt.c:2504)
   by 0x8260C38: gs_text_process (gstext.c:490)
   by 0x80DAD79: op_show_continue_pop (zchar.c:471)
   by 0x80DA1DF: zawidthshow (zchar.c:138)
   by 0x80BA8A0: call_operator (interp.c:104)
   by 0x80BCCEB: interp (interp.c:1518)
   by 0x80BAE22: gs_call_interp (interp.c:488)
   by 0x80BACED: gs_interpret (interp.c:446)
   by 0x80B2068: gs_main_interpret (imain.c:214)

This bug can be reproduced with the following command line:

valgrind -q gs/debugobj/gs -q -dNOPAUSE -dBATCH -sDEVICE=pdfwrite 
 -sOutputFile=/dev/null 0.pdf
Comment 3 Alex Cherepanov 2006-09-22 18:37:32 UTC
Created attachment 2508 [details]
patch

Initialize x_widths and y_widths pointers to 0. The validity of the pointers is
indicated by the TEXT_REPLACE_WIDTHS flag, but the pointers are checked for 0 in
several places without testing the flag.

DIFFERENCES:
None
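As an added illustration of the pattern described in this comment (example code written for this page, not Ghostscript's own source): a simplified text-parameter block whose width pointers are only meaningful when TEXT_REPLACE_WIDTHS is set, the pointer-only check that Valgrind complains about, the flag-aware check, and the zeroing initialisation the patch introduces. The struct layout, the flag's bit value and the helper names are assumptions; only TEXT_REPLACE_WIDTHS, x_widths and y_widths come from the report.

```c
/* Added example, not Ghostscript code: a simplified model of the pattern
 * described in this report. The struct, flag value and helper names are
 * assumptions; only TEXT_REPLACE_WIDTHS, x_widths and y_widths come from
 * the report. */
#include <stddef.h>
#include <string.h>

#define TEXT_REPLACE_WIDTHS 0x0100  /* assumed flag bit, not the real value */

typedef struct text_params_s {
    unsigned operation;      /* TEXT_* flag bits */
    const float *x_widths;   /* meaningful only if TEXT_REPLACE_WIDTHS is set */
    const float *y_widths;
} text_params_t;

/* Buggy pattern: trusts the pointer alone. When the caller never set the
 * pointer fields, this branches on an indeterminate value, which is the
 * "conditional jump depends on uninitialised value(s)" Valgrind reports. */
static int widths_available_buggy(const text_params_t *p)
{
    return p->x_widths != NULL;
}

/* Fixed pattern: test the flag that declares the pointers valid first, and
 * only then look at the pointers themselves. */
static int widths_available_fixed(const text_params_t *p)
{
    return (p->operation & TEXT_REPLACE_WIDTHS) != 0
        && p->x_widths != NULL && p->y_widths != NULL;
}

/* Defensive initialisation, as the attached patch does: start every pointer
 * field at 0 so a check that forgets the flag sees NULL instead of garbage. */
static void text_params_init(text_params_t *p, unsigned operation)
{
    memset(p, 0, sizeof(*p));
    p->operation = operation;
}

/* Returns the x advance for glyph i, or fallback when no widths are supplied. */
static float x_advance(const text_params_t *p, size_t i, float fallback)
{
    return widths_available_fixed(p) ? p->x_widths[i] : fallback;
}
```

Reading truly uninitialised memory is undefined behaviour, so the runnable demonstration uses the deterministic variant of the same mistake: pointers left over from an earlier operation while the flag is clear.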
Comment 4 leonardo 2006-10-03 08:40:59 UTC
The problem may be observed by inserting this code after line 525 in
gdevpdte.c:

	    *(int *)&penum->text.x_widths[0] += 0;

It causes a crash when accessing an initialized pointer.
Alex, please note this as a useful technique.
Comment 5 leonardo 2006-10-03 11:16:37 UTC
Patch to HEAD :
http://ghostscript.com/pipermail/gs-cvs/2006-October/006840.html
is a partial fix for gdevpd* problems.
Other gdevp* problems (gdevpdfu.c, gdevpsfx.c) don't provide enough data for
localization. Please attach a document and a full stack snapshot.

Returning the bug to Alex for obtaining more data.
Comment 6 Alex Cherepanov 2006-10-04 04:41:01 UTC
Other problems are now tracked separately; some even have proposed patches, as 
bug 688911. IMHO this bug report can be closed.
Comment 7 leonardo 2006-10-04 04:57:14 UTC
I'm not clear which bug handles the gdevpdfu.c, gdevpsfx.c problems. Please add
a comment and close this one.
Comment 8 Alex Cherepanov 2006-10-04 05:43:51 UTC
The errors in gdevpdfu.c are fixed with the patch for bug 688911.
The errors in gdevpsfx.c are moved to the bug 688903.
Comment 9 leonardo 2006-10-04 06:18:12 UTC
The number 688903 is wrong. Please provide a right one.
Comment 10 Alex Cherepanov 2006-10-04 06:32:26 UTC
Please disregard the 2nd sentence in the comment #8.
The errors in gdevpsfx.c are moved to the bug 688904.