author | Ray Johnston <ray.johnston@artifex.com> | 2014-02-23 09:46:21 -0800 |
---|---|---|
committer | Ray Johnston <ray.johnston@artifex.com> | 2014-02-25 16:56:28 -0800 |
commit | 77fce4a0cfd70b94a90a876cac0310fda1a969ee (patch) | |
tree | 612a7fba9cccad09195917cca44eb2bab6d68b55 | |
parent | 9990bdac31c018de33de2c09053b7e392a26304f (diff) | |
download | ghostpdl-77fce4a0cfd70b94a90a876cac0310fda1a969ee.tar.gz |
Fix bug 695054, segfault caused by stale pointer in pattern-clist device.
The pattern-clist device could be left allocated in stable memory
after the pattern was removed from the pattern cache. The pattern
instance could be freed by a subsequent restore since it was not
in stable memory. GC trace of the chunks would then reference the
stale pinst pointer. Also, the heap pointer in the ialloc_validate_spaces
'state' needs to be valid, since it can be used for error output and an
invalid pointer there could cause a segfault.
-rw-r--r-- | gs/base/gxpcmap.c | 1 | ||||
-rw-r--r-- | gs/psi/ilocate.c | 1 |
2 files changed, 2 insertions, 0 deletions
diff --git a/gs/base/gxpcmap.c b/gs/base/gxpcmap.c index 93f9f80f8..6a23299b6 100644 --- a/gs/base/gxpcmap.c +++ b/gs/base/gxpcmap.c @@ -778,6 +778,7 @@ gx_pattern_cache_free_entry(gx_pattern_cache * pcache, gx_color_tile * ctile) rc_decrement(ctile->cdev->common.icc_cache_cl, "gx_pattern_cache_free_entry"); ctile->cdev->common.icc_cache_cl = NULL; + ctile->cdev->writer.pinst = NULL; temp_device = (gx_device *)ctile->cdev; gx_device_retain(temp_device, false); ctile->cdev = NULL; diff --git a/gs/psi/ilocate.c b/gs/psi/ilocate.c index b6ffd725b..6898f39c2 100644 --- a/gs/psi/ilocate.c +++ b/gs/psi/ilocate.c @@ -205,6 +205,7 @@ ialloc_validate_spaces(const gs_dual_memory_t * dmem) state.spaces = dmem->spaces; state.loc.memory = state.space_local; state.loc.cp = 0; + state.heap = dmem->current->non_gc_memory; /* valid 'heap' needed for printing */ /* Save everything we need to reset temporarily. */ |
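Review bot: The added `ctile->cdev->writer.pinst = NULL;` in gx_pattern_cache_free_entry has no comment, so the lifetime reasoning behind it lives only in the commit message. A comment on that line would keep it from being removed as a redundant store, for example `/* cdev is in stable memory and can outlive the pattern instance; clear pinst so GC tracing never follows a freed pointer */`. Inferred from the commit message rather than from the hunk: any other path that releases the pattern instance while the clist device stays allocated would leave the same dangling pointer, so it is worth confirming this is the only one. The function body starts and ends outside the hunk.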
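Review bot: Setting `state.heap` by hand in ialloc_validate_spaces fixes this one member, but `state` is still filled in field by field, which is how `heap` came to be left unset. The declaration of `state` is outside the hunk, so this is inferred: if it is a plain automatic struct, zero-initialising it at the declaration with `= { 0 }` would turn any other forgotten member into a NULL instead of stack garbage. The trailing comment could also name the reader, for example `/* error output dereferences state.heap, so it must be valid */`.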