tags 602297 +patch
stop

On Wednesday 03 November 2010 at 14:59 +0100, Thomas Lange wrote:
> Package: unrtf
> Version: 0.19.3-1.1
> Severity: important
>
> unrtf seems to segfault every time an rtf file is converted to ps. It
> segfaulted on an rtf file I received from a windows user. It segfaults with a
> test rtf file created by
> me with openoffice.

The header string printed for the PS file has some non-escaped '%' characters in it which trigger a segfault in a call to printf. Attached is a backtrace of the segfault, a small RTF file to reproduce the bug (in fact any valid RTF file will do), and a patch to correct this bug.

Mathias

--- a/unrtf-0.19.3/ps.c 2004-02-19 00:35:03.000000000 +0100 +++ b/unrtf-0.19.3/ps.c 2010-11-10 13:55:08.000000000 +0100 @@ -367,8 +367,8 @@ } if \n\ oldx 0 eq didBR and { /didParSkip true def } if \n\ /didBR true def \n\ - % /lineAscent 0 def \n\ - % /lineDescent 0 def \n\ + %% /lineAscent 0 def \n\ + %% /lineDescent 0 def \n\ } def \n\ /P { \n\ didParSkip not { BR } if \n\
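
Review bot: Doubling the '%' on the /lineAscent and /lineDescent comment lines fixes these two spots only; the string is still parsed as a printf format (the attached backtrace reaches printf from word_print at convert.c:2891), so any PostScript comment later added to ps.c with a single '%' brings the crash back. Consider emitting the header at that call site with printf("%s", ...) or fputs() instead, in which case the '%%' escapes already present in the header would have to be reduced to single '%'. If the escaping approach is kept, a C comment next to the string in ps.c saying that it is used as a printf format and that every '%' must be written '%%' would help the next editor.
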
#0  __parse_one_specmb (format=<value optimized out>, posn=0, spec=0x40b782, max_ref_arg=0x7fffffffde48) at printf-parsemb.c:73
        n = <value optimized out>
        nargs = <value optimized out>
#1  0x00007ffff7ac144b in _IO_vfprintf_internal (s=<value optimized out>, format=<value optimized out>, ap=<value optimized out>) at vfprintf.c:1712
        nspecs = 34
        nargs = 0
        max_ref_arg = 0
        cnt = <value optimized out>
        nspecs_max = 64
        specs = <value optimized out>
        args_value = 0x0
        _buffer = {__routine = 0x7ffff7ad2c50 <__funlockfile>, __arg = 0x7ffff7dd9780, __canceltype = -136466792, __prev = 0x7ffff7ffe480}
        _avail = 0
        thousands_sep = 0x7ffff7ba2ada ""
        grouping = 0x0
        done = <value optimized out>
        f = 0x40b04a "%%", '-' <repeats 54 times>, "\n%% Set up the ISO fonts \n\n%% Times \n%% ----- \n/Times-Roman findfont dup length dict begin {\t\t\n\t1 index /FID ne { def } { pop pop } ifelse\t\n} fo"...
        lead_str_end = 0x40a7e8 "%%%%!PS\n%%", '-' <repeats 74 times>, "\n%% GNU UnRTF, a command-line program to convert RTF documents to other formats.\n%% Copyright (C) 2000,2001 Zachary "...
        work_buffer = "`\355\001\000\000\000\000\...@\000\000\000\000\000\000\000\310\313\025\000\000\000\000\000\000\000\000\000@\000\070\000\n\...@\000g\000f\000\006\000\000\000\005\000\000\000@\000\000\000\000\000\000\...@\000\000\000\000\000\000\000@\000\000\000\000\000\000\000\060\002\000\000\000\000\000\000\060\002\000\000\000\000\000\000\b\000\000\000\000\000\000\000\003\000\000\000\004\000\000\000\200\326\022\000\000\000\000\000\200\326\022\000\000\000\000\000\200\326\022\000\000\000\000\000\034\000\000\000\000\000\000\000\034\000\000\000\000\000\000\000\020\000\000\000\000\000\000\000\001\000\000\000\005", '\000' <repeats 27 times>, "\020v\025\000\000\000\000\000\020v\025\000\000\000\000\000\000\000 \000\000\000\000\000\001\000\000\000\006\000\000\000(w\025\000\000\000\000\000(w"...
        workstart = 0x1d43 <Address 0x1d43 out of bounds>
        workend = 0x40 <Address 0x40 out of bounds>
        ap_save = {{gp_offset = 8, fp_offset = 48, overflow_arg_area = 0x7fffffffdfa0, reg_save_area = 0x7fffffffdee0}}
        nspecs_done = <value optimized out>
        save_errno = 0
        readonly_format = 0
        jump_table = "\001\000\000\004\000\016\000\006\000\000\a\002\000\003\t\000\005\b\b\b\b\b\b\b\b\b\000\000\000\000\000\000\000\032\000\031\000\023\023\023\000\035\000\000\f\000\000\000\000\000\000\025\000\000\000\000\022\000\r\000\000\000\000\000\000\032\000\024\017\023\023\023\n\017\034\000\v\030\027\021\026\f\000\025\033\020\000\000\022\000\r"
        __PRETTY_FUNCTION__ = "_IO_vfprintf_internal"
#2  0x00007ffff7aca86a in __printf (format=0x0) at printf.c:35
        arg = {{gp_offset = 8, fp_offset = 48, overflow_arg_area = 0x7fffffffdfa0, reg_save_area = 0x7fffffffdee0}}
        done = 0
#3  0x00000000004036b2 in word_print (w=0x635ec0) at convert.c:2891
No locals.
#4  0x0000000000404488 in main (argc=<value optimized out>, argv=0x7fffffffe1d8) at main.c:206
        f = 0x635450
        word = 0x635ec0
        path = 0x7fffffffe4f3 "/home/mathias/b.rtf"
        i = <value optimized out>
        output_format = <value optimized out>

b.rtf
Description: RTF file
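
The failure described in the message above, as an added example that is not code from unrtf or from the attached patch: a small check that counts the '%' characters printf would treat as conversions in a string meant to be printed with no arguments, plus an emitter that avoids format parsing. The function names and the two sample strings (built from the hunk's comment lines) are constructed for illustration.

```c
#include <stdio.h>

/* Constructed sample: the two comment lines from the hunk, as they were
 * before and after the patch (function names here are hypothetical). */
static const char HDR_BEFORE[] =
    "/didBR true def \n"
    " % /lineAscent 0 def \n"
    " % /lineDescent 0 def \n";
static const char HDR_AFTER[] =
    "/didBR true def \n"
    " %% /lineAscent 0 def \n"
    " %% /lineDescent 0 def \n";

/* Count every '%' that printf would parse as the start of a conversion,
 * i.e. one not immediately followed by a second '%'. The 1-based line
 * of the first hit is stored in *first_line (0 when there is none). */
int count_conversions(const char *fmt, int *first_line)
{
    int count = 0, line = 1;

    *first_line = 0;
    for (size_t i = 0; fmt[i] != '\0'; i++) {
        if (fmt[i] == '\n') {
            line++;
        } else if (fmt[i] == '%' && fmt[i + 1] == '%') {
            i++;                    /* "%%" is one literal '%' */
        } else if (fmt[i] == '%') {
            if (count++ == 0)
                *first_line = line;
        }
    }
    return count;
}

/* Write fixed text with no format parsing at all. Every '%' is literal
 * here, so text passed to this function must not be "%%"-escaped. */
int emit_literal(FILE *out, const char *text)
{
    return fputs(text, out) == EOF ? -1 : 0;
}

int main(void)
{
    int line, n = count_conversions(HDR_BEFORE, &line);
    printf("before: %d conversion(s), first on line %d\n", n, line);
    printf("after:  %d conversion(s)\n", count_conversions(HDR_AFTER, &line));
    return emit_literal(stdout, HDR_BEFORE);
}
```

A check like this can run over every fixed template string at build or test time, so a new unescaped '%' is caught before it reaches printf.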