[gs-cvs] rev 8823 - trunk/gs/src

ken at ghostscript.com ken at ghostscript.com
Mon Jul 7 01:57:00 PDT 2008 

Author: ken
Date: 2008-07-07 01:56:59 -0700 (Mon, 07 Jul 2008)
New Revision: 8823

Modified:
   trunk/gs/src/spngp.c
   trunk/gs/src/spngpx.h
Log:
Fix (pdfwrite): Images ina DeviceN space with more than 60 inks caused a crash.

Details:
Bug #689864 "Regression: 09-34.PS core dumps with pdfwrite"

When emitting an image, using the Flate encoder, the number of colorants in 
the DeviceN space was not checked against the maximum permitted. Since the 
encoder uses a fixed buffer whose size depends on the maximum number of inks, this
could cause a write beyond the end of the buffer.

(spngpx.h) Increase the maximum number of colorants to 256
(spngp.c) Return error if the number of colorants in the space
          exceeds the maximum permitted.

I can't check the generated PDF file, as no PDF reader seems able to open a PDF 
file with more than 32 inks, the architectural limit in the current version 
of Acrobat.

EXPECTED DIFFERENCES:
None


Modified: trunk/gs/src/spngp.c
===================================================================
--- trunk/gs/src/spngp.c	2008-07-06 00:45:19 UTC (rev 8822)
+++ trunk/gs/src/spngp.c	2008-07-07 08:56:59 UTC (rev 8823)
@@ -70,6 +70,10 @@
 #endif
     ss->row_count = (uint) ((bits_per_row + 7) >> 3);
     ss->end_mask = (1 << (-bits_per_row & 7)) - 1;
+
+    if (ss->Colors > s_PNG_max_Colors)
+	return ERRC; /* Too many colorants */
+
     ss->bpp = (bits_per_pixel + 7) >> 3;
     if (need_prev) {
 	prev_row = gs_alloc_bytes(st->memory, ss->bpp + ss->row_count,

Modified: trunk/gs/src/spngpx.h
===================================================================
--- trunk/gs/src/spngpx.h	2008-07-06 00:45:19 UTC (rev 8822)
+++ trunk/gs/src/spngpx.h	2008-07-07 08:56:59 UTC (rev 8823)
@@ -22,8 +22,10 @@
  * Define the maximum value for Colors.  The PNG specification probably
  * defines this as 16, but some PS3 CET files require it to be as large as
  * 53.  The only cost of larger values is a larger stream state structure.
+ * In fact some CET files (09-34.ps) require 250 inks, so bump this to the 
+ * current maximum of 256.
  */
-#define s_PNG_max_Colors 60
+#define s_PNG_max_Colors 256
 
 /* PNGPredictorDecode / PNGPredictorEncode */
 typedef struct stream_PNGP_state_s {

More information about the gs-cvs mailing list