Crash in paperdone() when called through Ghostscript

[mbakke]

Hi! Ghostscript crashes with libpaper 1.2.1 with free(): invalid size (in GDB with debug symbols available I get free: invalid pointer instead):

[...]
#5  0x00007ffff68ad574 in free ()
   from /gnu/store/s4nhrglpz7rvdacj0zghzc8y66q7xzw0-glibc-2.33/lib/libc.so.6
#6  0x00007ffff6539a6c in paperdone () at libpaper.c:413
#7  paperdone () at libpaper.c:408
#8  0x00007ffff6bf3bbc in gp_defaultpapersize ()
   from /gnu/store/fgkbk9h7qd0g6v1ds91nk0l6m3v7wrh2-ghostscript-9.56.1/lib/libgs.so.9
[...]

Reading the code, it seems as if free_xdg_config_home should only be set when xdg_config_home is allocated through mfile_name_concat; however my naive attempt at doing that gave a segfault instead.

Steps to reproduce:

1. Build Ghostscript --with-libpaper.
2. Run the built gsc executable. I'm using this file from the groff test suite like so:

gsc -o /dev/null -sDEVICE=bbox fonts_n.ps

For reference, here is the Ghostscript code that uses libpaper.

Thoughts?

[rrthomas]

Thanks for this. I agree with your analysis: the line that sets free_xdg_config_home = true should be moved from line 298 of libpaper.c.in.in to just after char *home = getenv("HOME");.

I have made a corresponding change in git master.

Then, I checked out and built the ghostpdl project with ASAN against libpaper 1.2.1; being on Ubuntu, I get bin/gs rather than bin/gsc. When I run your command with XDG_CONFIG_HOME unset, no problem. When I run it with XDG_CONFIG_HOME set, I get an ASAN error ("attempting free on address which was not malloc()-ed").

When I then run with libpaper git master installed instead (no need to rebuild ghostpdl), I get no error either way. (Actually, I get other errors from ASAN, but no free-related error.)

Please can you test with current git master?

[mbakke]

Thanks for the quick fix! The reproducer now segfaults if ~/.config/paperspecs does not exist, or contains "odd" values such as A4,21,30,cm (I just put something there for testing and found out).

When that file is present and has mm units it appears to work fine.

Would you like separate bug reports for these other issues?

[rrthomas]

Thanks very much for the testing. Separate bug reports for the other issues would be a big help.

[rrthomas]

Looking into the problem with the user paperspecs file containing invalid content. Clearly libpaper should be more robust in this case, but the logic is a little involved.

OK, I have a fix for this, and it's a bit nasty, because it involves the deprecated systempapername() API being assumed to return an argument that needs freeing!

[rrthomas]

I also seem to have fixed the case where the user paperspecs file is missing. Over to you again!

[mbakke]

@rrthomas I can confirm everything seems to work with the latest master branch. No further regressions spotted in Guix either.

Thanks!

[rrthomas]

Thanks very much for confirming! I've released 1.2.2.