[gs-cvs] rev 8247 - trunk/gs/src

leonardo at ghostscript.com leonardo at ghostscript.com
Thu Sep 20 05:15:53 PDT 2007 

Author: leonardo
Date: 2007-09-20 05:15:52 -0700 (Thu, 20 Sep 2007)
New Revision: 8247

Modified:
   trunk/gs/src/gxclrast.c
Log:
Fix : A crash in garbager after clist playback fails in image.

DETAILS :

This problem was occasionally detected when disk overflow happens with 
the test case of the bug 689440.

device_clist_enum_ptrs, device_clist_reloc_ptrs process
gx_device_clist::writer.clip_path when image_enum_id is not zero.
The clist playback code sets it when processing an image.
We guess it was done to avoid redundant clist writing,
and we think it's not a best way to do that.

If an image processing fails with an error,
the old code  does not reset image_enum_id.
Later (when the interpreter closes) 
the garbager processes gx_device_clist::writer.clip_path .
But in the test case it appears to be a pointer from global memory
to local memory, and its relocation appears wrong.
A crash happens while validating the heap after the relocation.

We're not sure why gx_device_clist::writer.clip_path
needs to be set between image plane data portions,
and why the garbager methods are coded to process it.
We guess all these manipulations are wrong,
and a right way should be to call cmd_check_clip_path
in clist_image_plane_data. 

See also comment in cmd_check_clip_path : 
"The clip path might have moved in memory".
We guess it assumes that the pointer is not relocated
when image_enum_id is zero and the ppointer is set.
We guess it should be regular assumption
for all cases, and the clist device garbager methods
must never process it.

This patch applies a minimal change to prevent the crash,
and does not close other suspections.
The change simply closes the image enumerator
when writing to it ends with an error.

EXPECTED DIFFERENCES :

None,


Modified: trunk/gs/src/gxclrast.c
===================================================================
--- trunk/gs/src/gxclrast.c	2007-09-20 08:49:49 UTC (rev 8246)
+++ trunk/gs/src/gxclrast.c	2007-09-20 12:15:52 UTC (rev 8247)
@@ -1210,6 +1210,8 @@
 #endif
 			code = gx_image_plane_data(image_info, planes,
 						   data_height);
+			if (code < 0)
+			    gx_image_end(image_info, false);
 			if (data_on_heap)
 			    gs_free_object(mem, data_on_heap,
 					   "clist image_data");

More information about the gs-cvs mailing list