699391 – segfault in txtwrite_process_plain_text()

Bug 699391 - segfault in txtwrite_process_plain_text()

Summary: segfault in txtwrite_process_plain_text()

Status:	RESOLVED FIXED

Alias:	None

Product:	Ghostscript
Classification:	Unclassified
Component:	Text (show other bugs)
Version:	master
Hardware:	PC Linux

Importance:	P4 normal
Assignee:	Ken Sharp

URL:
Keywords:

Depends on:
Blocks:

Reported:	2018-05-30 09:23 UTC by jwilk
Modified:	2018-06-05 09:12 UTC (History)
CC List:	0 users

See Also:
Customer:
Word Size:	---

Attachments
reproducer (5.22 KB, application/postscript) 2018-05-30 09:23 UTC, jwilk	Details
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description jwilk 2018-05-30 09:23:37 UTC

Created attachment 15207 [details]
reproducer

Ghostscript crashes on the attached file:

> $ gs -q -dSAFER -sDEVICE=txtwrite -o - djvu.ps
> Segmentation fault

Backtrace:

> #0  0x00007ffff699d92e in txtwrite_process_plain_text (pte=0x7ffff82ff650) at ./devices/vector/gdevtxtw.c:1952
> #1  0x00007ffff699e925 in textw_text_process (pte=0x7ffff82ff650) at ./devices/vector/gdevtxtw.c:2197
> #2  0x00007ffff6aaf049 in gs_text_process (pte=0x7ffff82ff650) at ./base/gstext.c:574
> #3  0x00007ffff6c76f63 in op_show_continue_pop (i_ctx_p=0x7ffff804ee60, npop=1) at ./psi/zchar.c:584
> #4  0x00007ffff6c13243 in zglyphshow (i_ctx_p=0x7ffff804ee60) at ./psi/zcharx.c:69
> #5  0x00007ffff6c46925 in do_call_operator (op_proc=0x7ffff6c1316f <zglyphshow>, i_ctx_p=0x7ffff804ee60) at ./psi/interp.c:86
> #6  0x00007ffff6c48eb9 in interp (pi_ctx_p=0x7ffff8000080, pref=0x7fffffffd340, perror_object=0x7fffffffd410) at ./psi/interp.c:1207
> #7  0x00007ffff6c47199 in gs_call_interp (pi_ctx_p=0x7ffff8000080, pref=0x7fffffffd340, user_errors=1, pexit_code=0x7fffffffd428, perror_object=0x7fffffffd410) at ./psi/interp.c:517
> #8  0x00007ffff6c46fa5 in gs_interpret (pi_ctx_p=0x7ffff8000080, pref=0x7fffffffd340, user_errors=1, pexit_code=0x7fffffffd428, perror_object=0x7fffffffd410) at ./psi/interp.c:474
> #9  0x00007ffff6c38796 in gs_main_interpret (minst=0x7ffff7ffffe0, pref=0x7fffffffd340, user_errors=1, pexit_code=0x7fffffffd428, perror_object=0x7fffffffd410) at ./psi/imain.c:235
> #10 0x00007ffff6c397b1 in gs_main_run_string_end (minst=0x7ffff7ffffe0, user_errors=1, pexit_code=0x7fffffffd428, perror_object=0x7fffffffd410) at ./psi/imain.c:651
> #11 0x00007ffff6c3967b in gs_main_run_string_with_length (minst=0x7ffff7ffffe0, str=0x7ffff82d80f0 "<646a76752e7073>.runfile", length=24, user_errors=1, pexit_code=0x7fffffffd428, perror_object=0x7fffffffd410) at ./psi/imain.c:609
> #12 0x00007ffff6c395ed in gs_main_run_string (minst=0x7ffff7ffffe0, str=0x7ffff82d80f0 "<646a76752e7073>.runfile", user_errors=1, pexit_code=0x7fffffffd428, perror_object=0x7fffffffd410) at ./psi/imain.c:591
> #13 0x00007ffff6c3d4c0 in run_string (minst=0x7ffff7ffffe0, str=0x7ffff82d80f0 "<646a76752e7073>.runfile", options=3) at ./psi/imainarg.c:1033
> #14 0x00007ffff6c3d43b in runarg (minst=0x7ffff7ffffe0, pre=0x7ffff6de59e3 "", arg=0x7fffffffd548 "djvu.ps", post=0x7ffff6de5b9d ".runfile", options=3) at ./psi/imainarg.c:1023
> #15 0x00007ffff6c3d116 in argproc (minst=0x7ffff7ffffe0, arg=0x7fffffffd548 "djvu.ps") at ./psi/imainarg.c:956
> #16 0x00007ffff6c3b1bb in gs_main_init_with_args (minst=0x7ffff7ffffe0, argc=7, argv=0x7fffffffe058) at ./psi/imainarg.c:238
> #17 0x00007ffff661875a in main (argc=7, argv=0x7fffffffe058) at ./psi/gs.c:95

This was tested with git master (7a91a08d9c78b5e37b0d434ffaafa30aa1d680ad).

Comment 1 Ken Sharp 2018-05-30 15:00:52 UTC

Fixed in commit 71de6d0f9c2a48d6e4a69287b2123bf9efd6df88

Comment 2 Ken Sharp 2018-05-30 15:01:48 UTC

Forgot to point out; the txtwrite device doesn't support writing to stdout, so you will get an 'unknownerror in --showpage--' with that command line.

Comment 3 jwilk 2018-05-30 17:41:00 UTC

Thanks!
I confirm that 71de6d0f9c2a48d6e4a69287b2123bf9efd6df88 fixes it for me.

> the txtwrite device doesn't support writing to stdout

Oh? I took this command line from ps2ascii, so I think it's supposed to work.

> you will get an 'unknownerror in --showpage--' with that command line.

I don't get such error.

Comment 4 Ken Sharp 2018-05-30 17:59:14 UTC

(In reply to Jakub Wilk from comment #3)
> Thanks!
> I confirm that 71de6d0f9c2a48d6e4a69287b2123bf9efd6df88 fixes it for me.
> 
> > the txtwrite device doesn't support writing to stdout
> 
> Oh? I took this command line from ps2ascii, so I think it's supposed to work.

ps2ascii is a PostScript program, txtwrite is a Ghostscript device, the two are totally different, you can't infer the behaviour of one from the other (for example, txtwrite outputs YTF8 or Unicode, ps2ascii outputs ASCII, sort of)

 
> > you will get an 'unknownerror in --showpage--' with that command line.
> 
> I don't get such error.

Interesting, I do.....

Comment 5 jwilk 2018-06-04 19:04:06 UTC

Since 2fa6beaa40144c592661a611bf35ff6f06d3354f, ps2ascii is implemented using txtwrite.
(You may find name of the author of this commit familiar. :-P)

Comment 6 Ken Sharp 2018-06-05 09:12:02 UTC

(In reply to Jakub Wilk from comment #5)
> Since 2fa6beaa40144c592661a611bf35ff6f06d3354f, ps2ascii is implemented
> using txtwrite.
> (You may find name of the author of this commit familiar. :-P)

I assumed you meant the *old* ps2ascii, the only reason I updated the script is to stop people using the old version and try to encourage adoption of the new code.

I made no attempt to discover if the scripts worked in all their possible configurations.