Bug#615202: libgs8: SEGV in gs when called from pstoraster (and in other contexts)
Package: libgs8
Version: 8.71~dfsg2-9
Severity: important
Tags: upstream
A SEGV can result when gs is invoked by pstoraster with the command
"/usr/bin/gs -dQUIET -dDEBUG -dPARANOIDSAFER -dNOPAUSE -dBATCH -dNOMEDIAATTRS
-sDEVICE=cups -sstdout=%stderr -sOUTPUTFILE=%stdout -c -f -_", depending on
the input postscript file.
The problem arises because of the interaction between the "stringoption" macro
in cups/gdevcups.c:
#define stringoption(name, sname) \
  if ((code = param_read_string(plist, sname, &stringval)) < 0) \
  { \
    dprintf2("ERROR: Error setting %s to \"%s\"...\n", sname, \
             (char *)(stringval.data)); \
    param_signal_error(plist, sname, code); \
    return (code); \
  } \
  else if (code == 0) \
  { \
    dprintf2("DEBUG: Setting %s to \"%s\"...\n", sname, \
             (char *)(stringval.data)); \
    strncpy(cups->header.name, (const char *)(stringval.data), \
            stringval.size); \
    cups->header.name[stringval.size] = '\0'; \
  }
and the "param_read_string" function in base/gsparam.c:
int
param_read_string(gs_param_list * plist, gs_param_name pkey,
                  gs_param_string * pvalue)
{
    RETURN_READ_TYPED(s, gs_param_type_string);
}
The RETURN_READ_TYPED macro is as follows:
#define RETURN_READ_TYPED(alt, ptype)\
    gs_param_typed_value typed;\
    int code;\
    \
    typed.type = ptype;\
    code = param_read_requested_typed(plist, pkey, &typed);\
    if ( code == 0 )\
        *pvalue = typed.value.alt;\
    return code
The problem occurs if param_read_requested_typed returns a non-zero status. In
that case, *pvalue is never written by param_read_string, so the stringval
variable in the stringoption macro is left uninitialised. On the error branch,
"stringoption" then passes that uninitialised stringval.data to dprintf2 as a
string argument.
The following change to param_read_string will prevent the SEGV, and allow the
process (and the print job) to complete successfully:
int
param_read_string(gs_param_list * plist, gs_param_name pkey,
                  gs_param_string * pvalue)
{
    pvalue->data = 0;
    pvalue->size = 0;
    pvalue->persistent = 0;
    RETURN_READ_TYPED(s, gs_param_type_string);
}
However, it seems more likely that the correct fix is for stringoption not to
attempt to use the stringval variable on error, so that the macro would read as
follows:
#define stringoption(name, sname) \
  if ((code = param_read_string(plist, sname, &stringval)) < 0) \
  { \
    dprintf2("ERROR: Error setting %s...\n", sname); \
    param_signal_error(plist, sname, code); \
    return (code); \
  } \
  else if (code == 0) \
  { \
    dprintf2("DEBUG: Setting %s to \"%s\"...\n", sname, \
             (char *)(stringval.data)); \
    strncpy(cups->header.name, (const char *)(stringval.data), \
            stringval.size); \
    cups->header.name[stringval.size] = '\0'; \
  }
However, the correct fix may be a matter for upstream.
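The following stand-alone C model reproduces the failure mode described above and both proposed fixes. It is an added example written for this report, not Ghostscript or gdevcups.c code: gs_param_string is reduced to the three fields the first fix initialises, param_read_requested_typed is replaced by a constructed table (key "MediaClass" present, key "bad" returning a negative error code, anything else "not present"), and the stringoption macro becomes a function taking the reader as a parameter so the two reader variants can be compared. The bounded copy into the destination field is a defensive check added here, not something the report proposes.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for Ghostscript's gs_param_string; the three fields are
   exactly the ones the report's first proposed fix clears. */
typedef struct {
    const unsigned char *data;
    unsigned int size;
    int persistent;
} gs_param_string;

/* Constructed stand-in for param_read_requested_typed: "MediaClass" is present
   (code 0), "bad" simulates a negative error code, any other key is "not
   present" (code 1). On a non-zero code the output is NOT written. */
static int mock_read_requested_typed(const char *pkey, gs_param_string *out)
{
    if (strcmp(pkey, "MediaClass") == 0) {
        static const unsigned char val[] = "PwgRaster";
        out->data = val;
        out->size = (unsigned int)(sizeof val - 1);
        out->persistent = 1;
        return 0;
    }
    if (strcmp(pkey, "bad") == 0)
        return -1;
    return 1;
}

/* Reader as described in the report: *pvalue is written only when code == 0,
   so on any other code the caller's variable keeps whatever it held before. */
int read_string_original(const char *pkey, gs_param_string *pvalue)
{
    gs_param_string typed;
    int code = mock_read_requested_typed(pkey, &typed);
    if (code == 0)
        *pvalue = typed;
    return code;
}

/* The report's first proposed fix: clear the output before reading, so an
   error path that formats it sees an empty/NULL string, not stack garbage. */
int read_string_fixed(const char *pkey, gs_param_string *pvalue)
{
    pvalue->data = 0;
    pvalue->size = 0;
    pvalue->persistent = 0;
    return read_string_original(pkey, pvalue);
}

/* The report's second proposed fix, as a function instead of a macro: the
   error branch logs only the key name and never touches stringval. dest and
   destsize model one fixed-size cups->header field; the copy is bounded to
   destsize - 1 (a defensive addition of this example, not from the report). */
int apply_string_option(int (*reader)(const char *, gs_param_string *),
                        const char *sname, char *dest, size_t destsize)
{
    gs_param_string stringval; /* left uninitialised, as in gdevcups.c */
    int code = reader(sname, &stringval);
    if (code < 0) {
        fprintf(stderr, "ERROR: Error setting %s...\n", sname);
        return code;
    }
    if (code == 0) {
        size_t n = stringval.size < destsize - 1 ? stringval.size : destsize - 1;
        fprintf(stderr, "DEBUG: Setting %s to \"%.*s\"...\n", sname,
                (int)n, (const char *)stringval.data);
        memcpy(dest, stringval.data, n);
        dest[n] = '\0';
    }
    return code;
}
```

Calling read_string_original with key "bad" leaves the caller's gs_param_string exactly as it was, which is the state the original stringoption error branch then hands to dprintf2; read_string_fixed returns the same error code but with data cleared, and apply_string_option never reads stringval at all unless the code is 0.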
The impact of this bug is that some PostScript files cannot be successfully
printed at all to printers that require rasterisation.
I have an example file, but it contains confidential information, so I can only
provide it if necessary, out of band, to the developer who will be fixing it. It
may be possible to duplicate this by configuring a Windows 7 system to print to
that printer using a PostScript driver, and printing a test page.
-- System Information:
Debian Release: 6.0
APT prefers stable
APT policy: (700, 'stable'), (600, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages libgs8 depends on:
ii libc6 2.11.2-10 Embedded GNU C Library: Shared lib
ii libcomerr2 1.41.12-2 common error description library
ii libcups2 1.4.4-7 Common UNIX Printing System(tm) -
ii libcupsimage2 1.4.4-7 Common UNIX Printing System(tm) -
ii libfontconfig1 2.8.0-2.1 generic font configuration library
ii libgcrypt11 1.4.5-2 LGPL Crypto library - runtime libr
ii libgnutls26 2.8.6-1 the GNU TLS library - runtime libr
ii libgssapi-krb5-2 1.8.3+dfsg-4 MIT Kerberos runtime libraries - k
ii libjasper1 1.900.1-7+b1 The JasPer JPEG-2000 runtime libra
ii libjbig2dec0 0.11-1 JBIG2 decoder library - shared lib
ii libjpeg62 6b1-1 The Independent JPEG Group's JPEG
ii libk5crypto3 1.8.3+dfsg-4 MIT Kerberos runtime libraries - C
ii libkrb5-3 1.8.3+dfsg-4 MIT Kerberos runtime libraries
ii libpaper1 1.1.24 library for handling paper charact
ii libpng12-0 1.2.44-1 PNG library - runtime
ii libstdc++6 4.4.5-8 The GNU Standard C++ Library v3
ii libtiff4 3.9.4-5 Tag Image File Format (TIFF) libra
ii zlib1g 1:1.2.3.4.dfsg-3 compression library - runtime
libgs8 recommends no packages.
libgs8 suggests no packages.
-- no debconf information