[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#615202: libgs8: SEGV in gs when called from pstoraster (and in other contexts)

Package: libgs8
Version: 8.71~dfsg2-9
Severity: important
Tags: upstream

A SEGV can result when gs is invoked by pstoraster with the command
"/usr/bin/gs -dQUIET -dDEBUG -dPARANOIDSAFER -dNOPAUSE -dBATCH -dNOMEDIAATTRS
-sDEVICE=cups -sstdout=%stderr -sOUTPUTFILE=%stdout -c  -f -_", depending on
the input postscript file.

The problem arises because of the interaction between the "stringoption" macro
in cups/gdevcups.c:

        #define stringoption(name, sname) \
          if ((code = param_read_string(plist, sname, &stringval)) < 0) \
          { \
            dprintf2("ERROR: Error setting %s to \"%s\"...\n", sname, \
                     (char *)(stringval.data));                       \
            param_signal_error(plist, sname, code); \
            return (code); \
          } \
          else if (code == 0) \
          { \
            dprintf2("DEBUG: Setting %s to \"%s\"...\n", sname, \
                     (char *)(stringval.data));                      \
            strncpy(cups->header.name, (const char *)(stringval.data),  \
                    stringval.size); \
            cups->header.name[stringval.size] = '\0'; \
          }

and the "param_read_string" function in base/gsparam.c:

        int
        param_read_string(gs_param_list * plist, gs_param_name pkey,
                          gs_param_string * pvalue)
        {
            RETURN_READ_TYPED(s, gs_param_type_string);
        }

The RETURN_READ_TYPED macro is as follows:

        #define RETURN_READ_TYPED(alt, ptype)\
          gs_param_typed_value typed;\
          int code;\
        \
          typed.type = ptype;\
          code = param_read_requested_typed(plist, pkey, &typed);\
          if ( code == 0 )\
            *pvalue = typed.value.alt;\
          return code

The problem occurs if param_read_requested_typed returns a non-zero status. In
that case, pvalue is never set in param_read_string, which means that the value
from the stringoption macro is left uninitialised. "stringoption" then tries to
use that uninitialised value as a string parameter to dprintf2.


The following change to param_read_string will prevent the SEGV, and allow the
process (and the print job) to complete successfully:

        int
        param_read_string(gs_param_list * plist, gs_param_name pkey,
                          gs_param_string * pvalue)
        {
            pvalue->data = 0;
            pvalue->size = 0;
            pvalue->persistent = 0;
            RETURN_READ_TYPED(s, gs_param_type_string);
        }

However it seems more likely that the correct fix is for stringoption not to
attempt to use the stringvalue variable on error, so that the macro would
appear as follows:

        #define stringoption(name, sname) \
          if ((code = param_read_string(plist, sname, &stringval)) < 0) \
          { \
            dprintf2("ERROR: Error setting %s...\n", sname); \
            param_signal_error(plist, sname, code); \
            return (code); \
          } \
          else if (code == 0) \
          { \
            dprintf2("DEBUG: Setting %s to \"%s\"...\n", sname, \
                     (char *)(stringval.data));                      \
            strncpy(cups->header.name, (const char *)(stringval.data),  \
                    stringval.size); \
            cups->header.name[stringval.size] = '\0'; \
          }

However the correct fix may be a matter for upstream.

The impact of this bug is that some postscript files cannot be succesfully
printed at all to printers that require rasterisation.

I have an example file, but it contains configential so I can only provide it
if necessary out of band to the developer who will be fixing it. It may be
possible to duplicate this by configuring  a Windows 7 system to print to that
printer using a postscript driver, and printing a test page.



-- System Information:
Debian Release: 6.0
  APT prefers stable
  APT policy: (700, 'stable'), (600, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libgs8 depends on:
ii  libc6                   2.11.2-10        Embedded GNU C Library: Shared lib
ii  libcomerr2              1.41.12-2        common error description library
ii  libcups2                1.4.4-7          Common UNIX Printing System(tm) - 
ii  libcupsimage2           1.4.4-7          Common UNIX Printing System(tm) - 
ii  libfontconfig1          2.8.0-2.1        generic font configuration library
ii  libgcrypt11             1.4.5-2          LGPL Crypto library - runtime libr
ii  libgnutls26             2.8.6-1          the GNU TLS library - runtime libr
ii  libgssapi-krb5-2        1.8.3+dfsg-4     MIT Kerberos runtime libraries - k
ii  libjasper1              1.900.1-7+b1     The JasPer JPEG-2000 runtime libra
ii  libjbig2dec0            0.11-1           JBIG2 decoder library - shared lib
ii  libjpeg62               6b1-1            The Independent JPEG Group's JPEG 
ii  libk5crypto3            1.8.3+dfsg-4     MIT Kerberos runtime libraries - C
ii  libkrb5-3               1.8.3+dfsg-4     MIT Kerberos runtime libraries
ii  libpaper1               1.1.24           library for handling paper charact
ii  libpng12-0              1.2.44-1         PNG library - runtime
ii  libstdc++6              4.4.5-8          The GNU Standard C++ Library v3
ii  libtiff4                3.9.4-5          Tag Image File Format (TIFF) libra
ii  zlib1g                  1:1.2.3.4.dfsg-3 compression library - runtime

libgs8 recommends no packages.

libgs8 suggests no packages.

-- no debconf information
Reply to: