Bug 692655 - gs_type1_piece_codes() segfault
Status: RESOLVED FIXED
Alias: None
Product: Ghostscript
Classification: Unclassified
Component: General
Version: master
Hardware: PC Linux
Importance: P4 normal
Assignee: Ken Sharp
Reported: 2011-11-02 15:13 UTC by Tim Waugh
Modified: 2011-11-08 08:28 UTC


Attachments
korea.ps.xz (3.13 MB, application/x-xz)
2011-11-02 15:18 UTC, Tim Waugh

Description Tim Waugh 2011-11-02 15:13:39 UTC
This command segfaults:

gs -q -dSAFER -dNOPAUSE -dBATCH -sDEVICE=pdfwrite -sOutputFile=./korea.pdf -c.setpdfwrite -fkorea.ps

Original report:
  https://bugzilla.redhat.com/show_bug.cgi?id=728710
Comment 1 Tim Waugh 2011-11-02 15:18:12 UTC
Created attachment 8067 [details]
korea.ps.xz
Comment 2 Ken Sharp 2011-11-03 20:27:36 UTC
Assigning to me; this is not one of the Coverity issues, and crashes are important.
Comment 3 Ken Sharp 2011-11-08 08:28:47 UTC
When copying fonts for embedding, the font copying code checks the used glyphs to see if any of them are SEAC glyphs (as the components must be copied too).

The SEAC scanner was not properly implementing the CFF 'shortint' operator (the operator is a horrible kludge). Instead of pushing the value on the operand stack it was skipping it. When the value was the index of a Subr, this could cause the wrong subroutine to be executed, and with incorrect parameters on the stack.

Eventually this could lead to a crash.

Fixed in Git commit: 138d68e2d7dd5567c7a24740ec71858e24342a1f
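As an added illustration (this is not Ghostscript code and not the fix in the commit above), a minimal Type 2 charstring operand scanner whose skip_shortint flag reproduces the behaviour described in Comment 3: the shortint value never reaches the operand stack, so the following callsubr picks up a stale value as its Subr index and finds one argument fewer than the font intended. The charstring bytes, the Subr bias of 107 and all function names are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
/* Type 2 charstring opcodes used here (CFF spec, Appendix A). */
#define OP_CALLSUBR 10
#define OP_ENDCHAR  14
#define OP_SHORTINT 28   /* 28 b1 b2: 16-bit two's-complement operand */
#define MAX_STACK   48
typedef struct { int subr; int args; } scan_result;  /* subr < 0 means error */

/* Decode one operand at p: bytes consumed, or 0 for an operator or a truncated
 * operand. The 255 (16.16 fixed) operand form is not modelled here. */
static size_t decode_operand(const uint8_t *p, size_t n, int *out)
{
    int b0 = p[0];
    if (b0 == OP_SHORTINT && n >= 3) { *out = (int16_t)((p[1] << 8) | p[2]); return 3; }
    if (b0 >= 32 && b0 <= 246) { *out = b0 - 139; return 1; }
    if (b0 >= 247 && b0 <= 250 && n >= 2) { *out = (b0 - 247) * 256 + p[1] + 108; return 2; }
    if (b0 >= 251 && b0 <= 254 && n >= 2) { *out = -(b0 - 251) * 256 - p[1] - 108; return 2; }
    return 0;
}

/* Scan cs up to the first callsubr: .subr is the biased Subr index it would
 * call (-1 on underflow, endchar or an unmodelled byte), .args the operand
 * count that Subr finds on the stack. skip_shortint != 0 reproduces the
 * reported bug: "28 b1 b2" is stepped over without pushing its value. */
scan_result first_callsubr(const uint8_t *cs, size_t len, int bias, int skip_shortint)
{
    scan_result r = { -1, 0 };
    int stack[MAX_STACK], sp = 0, v;
    size_t i = 0, used;
    while (i < len) {
        if (skip_shortint && cs[i] == OP_SHORTINT) {
            if (len - i < 3) return r;
            i += 3;                              /* the bug: value never pushed */
        } else if ((used = decode_operand(cs + i, len - i, &v)) != 0) {
            if (sp == MAX_STACK) return r;       /* operand stack overflow */
            stack[sp++] = v;
            i += used;
        } else if (cs[i] == OP_CALLSUBR && sp > 0) {
            r.subr = stack[sp - 1] + bias;       /* top of stack is the Subr index */
            r.args = sp - 1;
            return r;
        } else {
            return r;                            /* underflow, endchar or unmodelled op */
        }
    }
    return r;
}

/* Constructed sample (not from korea.ps): 50, shortint 300, callsubr, endchar.
 * Bias 107 is the Type 2 Subr bias for a font with fewer than 1240 Subrs. */
static const uint8_t SAMPLE_CS[] = { 189, 28, 0x01, 0x2C, OP_CALLSUBR, OP_ENDCHAR };
scan_result sample_scan(int skip) { return first_callsubr(SAMPLE_CS, sizeof SAMPLE_CS, 107, skip); }
```

With the correct scanner the sample calls Subr 407 with one argument (50) on the stack; with the skipping scanner it calls Subr 157 with no arguments, which is the "wrong subroutine with incorrect parameters" failure the comment describes.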