Sophie

Sophie

distrib > Mageia > 6 > armv7hl > media > core-updates-src > by-pkgid > bc219369320b6b5781eed48254462cef > files > 19

ghostscript-9.25-1.2.mga6.src.rpm

From 8ed08cb9904bc718ad57e0b4884a81a9227ce3ea Mon Sep 17 00:00:00 2001
From: Ken Sharp <ken.sharp@artifex.com>
Date: Thu, 20 Sep 2018 17:08:08 +0100
Subject: [PATCH] Bug 699797 "setundercolorremoval memory corruption"

What is happening is that we are not properly reference counting a
structure.

For setblackgeneration and setundercolorremoval we need to use a
continuation procedure, which samples the supplied PostScript function
and then stores the sample map.

As part of this we create an internal structure to hold the map, and we
make this the current undercolorremoval/blackgeneration entry in the
graphics state. We *also* push a reference to it onto the exec stack,
so that the continuation procedure can use it from there. However we
don't increment the reference count.

When we execute the 'grestore' in the function we reset the values in
the graphics state, and because the reference count is one we count it
down and then discard the structure.

When we then throw an error we try to copy data off the exec stack into
an array, when we hit the reference to the freed strcuture we potentially
are pointing to invalid memory, leading to a seg fault.

To fix this, increment the reference count of the object when we put
it on the exec stack, and decrement it when we remove it from the exec
stack.
---
 psi/zcolor.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/psi/zcolor.c b/psi/zcolor.c
index 53f1768..0409f62 100644
--- a/psi/zcolor.c
+++ b/psi/zcolor.c
@@ -687,6 +687,7 @@ zcolor_remap_one(
     ++esp;
     make_struct(esp, imemory_space((gs_ref_memory_t *) pgs->memory),
                 pmap);
+    rc_increment(pmap);
     push_op_estack(finish_proc);
     push_op_estack(zfor_samples);
     return o_push_estack;
@@ -699,6 +700,7 @@ zcolor_remap_one_store(i_ctx_t *i_ctx_p, double min_value)
     int i;
     gx_transfer_map *pmap = r_ptr(esp, gx_transfer_map);
 
+    rc_decrement_only(pmap, "zcolor_remap_one_store");
     if (ref_stack_count(&o_stack) < transfer_map_size)
         return_error(gs_error_stackunderflow);
     for (i = 0; i < transfer_map_size; i++) {
-- 
2.9.1

Perl :: Catalyst :: PostgreSQL :: RPM Valid HTML 4.01 Transitional