Bug 692655

Summary: gs_type1_piece_codes() segfault
Product: Ghostscript Reporter: Tim Waugh <twaugh>
Component: General    Assignee: Ken Sharp <ken.sharp>
Status: RESOLVED FIXED    
Severity: normal    
Priority: P4    
Version: master   
Hardware: PC   
OS: Linux   
Customer:    Word Size: ---
Attachments: korea.ps.xz

Description Tim Waugh 2011-11-02 15:13:39 UTC
This command segfaults:

gs -q -dSAFER -dNOPAUSE -dBATCH -sDEVICE=pdfwrite -sOutputFile=./korea.pdf -c.setpdfwrite -fkorea.ps

Original report:
  https://bugzilla.redhat.com/show_bug.cgi?id=728710
Comment 1 Tim Waugh 2011-11-02 15:18:12 UTC
Created attachment 8067 [details]
korea.ps.xz
Comment 2 Ken Sharp 2011-11-03 20:27:36 UTC
Assigning to me, this is not one of the Coverity issues, and crashes are important.
Comment 3 Ken Sharp 2011-11-08 08:28:47 UTC
When copying fonts for embedding, the font copying code checks the used glyphs to see if any of them are SEAC glyphs (as the components must be copied too).

The SEAC scanner was not properly implementing the CFF 'shortint' operator (the operator is a horrible kludge). Instead of pushing the value on the operand stack it was skipping it. When the value was the index of a Subr this could cause the wrong subroutine to be executed, and with incorrect parameters on the stack.

Eventually this could lead to a crash.

Fixed in Git commit: 138d68e2d7dd5567c7a24740ec71858e24342a1f
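The following is an added illustration of the defect described in comment 3; it is not Ghostscript code and not the fixed function. It is a minimal Type 2 (CFF) charstring scanner of the kind a SEAC check needs: it decodes operands (including the two-byte `shortint` operator 28), resolves `callsubr` indices with the standard bias, bounds-checks them against the Subr count, and reports whether `endchar` carried seac-style arguments. The `fix_shortint == 0` path is a hypothetical model of the bug (the 16-bit operand is consumed but never pushed), the sample charstring and the Subr count of 200 are constructed for the demo, and `hintmask`/`cntrmask` mask-byte skipping is omitted for brevity.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define T2_MAX_STACK 48  /* argument stack limit from the Type 2 charstring spec */

typedef struct {
    int32_t stack[T2_MAX_STACK];
    int sp;
    int last_subr;     /* biased Subr index of the last callsubr, or -1 */
    int args_at_call;  /* operands left for that Subr after popping its index */
    int seac;          /* 1 if endchar had 4+ args (accented-character form) */
    int bchar, achar;  /* base and accent codes when seac == 1 */
} t2_state;

/* Subr index bias as specified for Type 2 charstrings. */
static int t2_bias(int nsubrs)
{
    return nsubrs < 1240 ? 107 : nsubrs < 33900 ? 1131 : 32768;
}

static int t2_push(t2_state *st, int32_t v)
{
    if (st->sp >= T2_MAX_STACK) return -1;      /* stack overflow: malformed */
    st->stack[st->sp++] = v;
    return 0;
}

/* Returns 0 on endchar, -1 on malformed input, -2 on an out-of-range Subr index.
 * Subr bodies are not recursed into; the resolved index is recorded instead. */
int t2_scan(const uint8_t *cs, size_t len, int nsubrs, int fix_shortint, t2_state *st)
{
    size_t i = 0;
    memset(st, 0, sizeof *st);
    st->last_subr = -1;

    while (i < len) {
        uint8_t b = cs[i++];
        int32_t v;

        if (b == 28) {                          /* shortint: 16-bit signed operand */
            if (i + 2 > len) return -1;
            v = (int16_t)(uint16_t)((cs[i] << 8) | cs[i + 1]);
            i += 2;
            if (!fix_shortint) continue;        /* BUG model: value consumed, never pushed */
            if (t2_push(st, v)) return -1;
        } else if (b >= 32 && b <= 246) {       /* one-byte operand */
            if (t2_push(st, (int32_t)b - 139)) return -1;
        } else if (b >= 247 && b <= 250) {      /* positive two-byte operand */
            if (i + 1 > len) return -1;
            v = ((int32_t)b - 247) * 256 + cs[i++] + 108;
            if (t2_push(st, v)) return -1;
        } else if (b >= 251 && b <= 254) {      /* negative two-byte operand */
            if (i + 1 > len) return -1;
            v = -((int32_t)b - 251) * 256 - cs[i++] - 108;
            if (t2_push(st, v)) return -1;
        } else if (b == 255) {                  /* 16.16 fixed; integer part only here */
            if (i + 4 > len) return -1;
            v = (int32_t)(((uint32_t)cs[i] << 24) | ((uint32_t)cs[i + 1] << 16) |
                          ((uint32_t)cs[i + 2] << 8) | cs[i + 3]);
            i += 4;
            if (t2_push(st, v / 65536)) return -1;
        } else if (b == 10) {                   /* callsubr */
            if (st->sp < 1) return -1;          /* no index operand: malformed */
            int idx = st->stack[--st->sp] + t2_bias(nsubrs);
            if (idx < 0 || idx >= nsubrs) return -2;   /* the bounds check that matters */
            st->last_subr = idx;
            st->args_at_call = st->sp;
        } else if (b == 14) {                   /* endchar */
            if (st->sp >= 4) {                  /* [w] adx ady bchar achar: seac form */
                st->seac = 1;
                st->bchar = st->stack[st->sp - 2];
                st->achar = st->stack[st->sp - 1];
            }
            return 0;
        } else if (b == 12) {                   /* escape: two-byte operator */
            if (i + 1 > len) return -1;
            i++;
            st->sp = 0;
        } else {                                /* any other operator clears the args */
            st->sp = 0;
        }
    }
    return -1;                                  /* ran off the end without endchar */
}

int main(void)
{
    /* Constructed sample: push 3, shortint 5, callsubr, endchar. */
    static const uint8_t cs[] = { 142, 28, 0x00, 0x05, 10, 14 };
    t2_state st;
    int fix;
    for (fix = 1; fix >= 0; fix--) {
        int rc = t2_scan(cs, sizeof cs, 200, fix, &st);
        printf("%s shortint: rc=%d subr=%d args=%d\n",
               fix ? "correct" : "buggy  ", rc, st.last_subr, st.args_at_call);
    }
    return 0;
}
```

With 200 local Subrs (bias 107) the correct scan pops the shortint 5 and resolves Subr 112 with one argument (the 3) still on the stack; the buggy path never pushed the 5, so `callsubr` pops the 3 instead, resolving Subr 110 with an empty stack, which is exactly the wrong-subroutine-with-wrong-parameters behaviour the comment describes. The range check on `idx` is what keeps a corrupted index from turning into an out-of-bounds read in a real implementation.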