Function mem_word_get_bits_rectangle() is a 'wrapper' for mem_get_bits_rectangle(). The latter one checks the line_ptrs to protect it from null pointer dereference. But in mem_word_get_bits_rectangle(), the 'wrapper', it accesses line_ptrs before calling get_bits_rectangle(), so checking in get_bits_rectangle() cannot protect the 'wrapper' function. It still may result in null pointer dereference. /base/gdevmem.c int mem_word_get_bits_rectangle(gx_device * dev, const gs_int_rect * prect, gs_get_bits_params_t * params, gs_int_rect ** unread) { ...... bit_x = x * dev->color_info.depth; bit_w = w * dev->color_info.depth; /*here accesses mdev->line_ptrs without checking*/ ==> src = scan_line_base(mdev, y); mem_swap_byte_rect(src, dev_raster, bit_x, bit_w, h, false); /*here calls the get_bits_rectangle(), it checks line_ptrs but the access has already happened*/ ==> code = mem_get_bits_rectangle(dev, prect, params, unread); mem_swap_byte_rect(src, dev_raster, bit_x, bit_w, h, false); return code; }
*** This bug has been marked as a duplicate of bug 698073 ***