We found that the function mem_planar_get_bits_rectangle() in file gdevmpla.c duplicates most of mem_get_bits_rectangle(), which has already been reported as possibly resulting in a NULL pointer dereference in Bug #697676. So we have reason to say mem_planar_get_bits_rectangle() may have the same danger.

/base/gdevmpla.c

static int
mem_planar_get_bits_rectangle(gx_device * dev, const gs_int_rect * prect,
                              gs_get_bits_params_t * params, gs_int_rect ** unread)
{
    /* This duplicates most of mem_get_bits_rectangle. Tant pgs. */
    ......
    if (options == 0) {
        params->options =
            (GB_ALIGN_STANDARD | GB_ALIGN_ANY) |
            (GB_RETURN_COPY | GB_RETURN_POINTER) |
            (GB_OFFSET_0 | GB_OFFSET_SPECIFIED | GB_OFFSET_ANY) |
            (GB_RASTER_STANDARD | GB_RASTER_SPECIFIED | GB_RASTER_ANY) |
            GB_PACKING_CHUNKY | GB_COLORS_NATIVE | GB_ALPHA_NONE;
        return_error(gs_error_rangecheck);
    }
    if ((w <= 0) | (h <= 0)) {
        if ((w | h) < 0)
            return_error(gs_error_rangecheck);
        return 0;
    }
    if (x < 0 || w > dev->width - x ||
        y < 0 || h > dev->height - y)
        return_error(gs_error_rangecheck);
    {
        gs_get_bits_params_t copy_params;
        byte **base = &scan_line_base(mdev, y);  // here may result in a null
                                                 // pointer dereference
        ......
}

Advised Patch: static int mem_planar_get_bits_rectangle(gx_device * dev, const gs_int_rect * prect, gs_get_bits_params_t * params, gs_int_rect ** unread) { ...... GB_COLORS_NATIVE | GB_ALPHA_NONE; return_error(gs_error_rangecheck); } + if (mdev→line_ptrs == 0x00) + return_error(gs_error_rangecheck); if ((w <= 0) | (h <= 0)) { if ((w | h) < 0) return_error(gs_error_rangecheck); return 0; } ...... }
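
Review bot: the added line_ptrs test sits ahead of the empty-rectangle branch, so a request with w or h equal to 0 on a device whose line_ptrs is unset would now return gs_error_rangecheck, where the code shown above returns 0 for that case before scan_line_base(mdev, y) is ever reached. Moving the test to just before "byte **base = &scan_line_base(mdev, y);" would guard the dereference without changing the empty-rectangle result. Two smaller points on the same added lines: the member access is written with a "→" character instead of "->", so the patch will not compile as pasted, and comparing the pointer against NULL instead of 0x00 would read more clearly.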
Applied in:
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=824aa630e

Thanks for spotting that!
(In reply to Chris Liddell (chrisl) from comment #1)
> Applied in:
> http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=824aa630e
>
> Thanks for spotting that!

Actually, we used a technique based on similarity computing to detect other functions in Ghostscript that may have this problem as well. We'll report them soon. So please keep an eye on our following reports.