diff options
| author | Ken Sharp <ken.sharp@artifex.com> | 2023-03-01 15:21:01 +0000 |
|---|---|---|
| committer | Ken Sharp <ken.sharp@artifex.com> | 2023-03-01 17:02:05 +0000 |
| commit | a409d884c2f53b1a2be49597f9bcf9bf9f9bc55f (patch) | |
| tree | 1048dd2e0c641ec987ebce78d0de810946b69980 /base | |
| parent | 4b95c5da04ae4e2c8a83aec1774a067da4553f47 (diff) | |
| download | ghostpdl-a409d884c2f53b1a2be49597f9bcf9bf9f9bc55f.tar.gz | |
Ghostscript - colour spaces and garbage collection
No bug report, this came up from cluster 32-bit testing.
Commit 6894a2826210baf24f9ccd024bbca211b17d1f9b altered the params
union of the colour space structure. At the time I made a change in
gs_cspace_final() because it was possible for us to fill in some of the
new params, and have them write to areas of the union which, when
interpreted as a DeviceN params structure, meant that the
devn_process_space member of that structure was not NULL.
Because the code only checked if the member was non-NULL and didn't
check if the colour space meant it should even be interpreted as a
DeviceN params structure this meant we could try to free random
memory.
It turns out there are two other important places that do the same, the
garbage-collected pointer and relocation code do pretty much the same
thing with the devn_process_space member.
This commit checks the colour space to see if its a DeviceN space and if
it is not then it does not attempt to relocate the pointer, nor does it
enumerate it (enumerates a NULL instead).
Diffstat (limited to 'base')
| -rw-r--r-- | base/gscspace.c | 12 |
1 files changed, 9 insertions, 3 deletions
diff --git a/base/gscspace.c b/base/gscspace.c index 9a707a0c0..80b3f6ff4 100644 --- a/base/gscspace.c +++ b/base/gscspace.c @@ -1048,8 +1048,13 @@ ENUM_PTRS_BEGIN_PROC(color_space_enum_ptrs) return ENUM_OBJ(pcs->pclient_color_space_data); if (index == 2) return ENUM_OBJ(pcs->icc_equivalent); - if (index == 3) - return ENUM_OBJ(pcs->params.device_n.devn_process_space); + if (index == 3) { + if (gs_color_space_get_index(pcs) == gs_color_space_index_DeviceN) + return ENUM_OBJ(pcs->params.device_n.devn_process_space); + else + return ENUM_OBJ(NULL); + } + return ENUM_USING(*pcs->type->stype, vptr, size, index - 4); ENUM_PTRS_END_PROC } @@ -1059,7 +1064,8 @@ RELOC_PTRS_WITH(color_space_reloc_ptrs, gs_color_space *pcs) RELOC_VAR(pcs->base_space); RELOC_VAR(pcs->pclient_color_space_data); RELOC_VAR(pcs->icc_equivalent); - RELOC_VAR(pcs->params.device_n.devn_process_space); + if (gs_color_space_get_index(pcs) == gs_color_space_index_DeviceN) + RELOC_VAR(pcs->params.device_n.devn_process_space); RELOC_USING(*pcs->type->stype, vptr, size); } RELOC_PTRS_END |