|
Lines 225-230
gs_makewordimagedevice(gx_device ** pnew_dev, const gs_matrix * pmat,
Link Here
|
| 225 |
|
225 |
|
| 226 |
if (pnew == 0) |
226 |
if (pnew == 0) |
| 227 |
return_error(gs_error_VMerror); |
227 |
return_error(gs_error_VMerror); |
|
|
228 |
|
| 229 |
/* Bug #697450 "Null pointer dereference in gx_device_finalize()" |
| 230 |
* If we have incorrect data passed to gs_initialise_wordimagedevice() then the |
| 231 |
* initialisation will fail, crucially it will fail *before* it calls |
| 232 |
* gs_make_mem_device() which initialises the device. This means that the |
| 233 |
* icc_struct member will be uninitialsed, but the device finalise method |
| 234 |
* will unconditionally free that memory. Since its a garbage pointer, bad things happen. |
| 235 |
* Apparently we do still need makeimagedevice to be available from |
| 236 |
* PostScript, so in here just zero the device memory, which means that |
| 237 |
* the finalise routine won't have a problem. |
| 238 |
*/ |
| 239 |
memset(pnew, 0x00, st_device_memory.ssize); |
| 228 |
code = gs_initialize_wordimagedevice(pnew, pmat, width, height, |
240 |
code = gs_initialize_wordimagedevice(pnew, pmat, width, height, |
| 229 |
colors, num_colors, word_oriented, |
241 |
colors, num_colors, word_oriented, |
| 230 |
page_device, mem); |
242 |
page_device, mem); |
| 231 |
- |
|
|
