tags 602297 +patch stop Le mercredi 03 novembre 2010 à 14:59 +0100, Thomas Lange a écrit : > Package: unrtf > Version: 0.19.3-1.1 > Severity: important > > unrtf seems to segfault every time an rtf file is converted to ps. It > segfaulted on an rtf file I received from a windows user. It segfaults with a > test rtf file created by > me with openoffice.
The header string printed for PS files contains some unescaped '%' characters, which trigger a segfault in a call to printf. Attached are a backtrace of the segfault, a small RTF file to reproduce the bug (in fact any valid RTF file will do), and a patch to correct this bug. Mathias
--- a/unrtf-0.19.3/ps.c 2004-02-19 00:35:03.000000000 +0100
+++ b/unrtf-0.19.3/ps.c 2010-11-10 13:55:08.000000000 +0100
@@ -367,8 +367,8 @@
} if \n\
oldx 0 eq didBR and { /didParSkip true def } if \n\
/didBR true def \n\
- % /lineAscent 0 def \n\
- % /lineDescent 0 def \n\
+ %% /lineAscent 0 def \n\
+ %% /lineDescent 0 def \n\
} def \n\
/P { \n\
didParSkip not { BR } if \n\
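Review bot: Doubling the two `%` on the commented-out `/lineAscent` and `/lineDescent` lines fixes only this literal. The backtrace (frame #3, word_print at convert.c:2891) suggests the PostScript header is still handed to printf as the format string, so any other or future unescaped `%` in it would again be parsed as a conversion specification. If that is the case, printing the header as data at the call site, e.g. `fputs(HEADER_STRING, stdout);` or `printf("%s", HEADER_STRING);`, removes the whole class of bug; HEADER_STRING is a placeholder, since the real expression is not visible here. The existing `%%` pairs in the literal would then need to become single `%`. The string literal being patched starts and ends outside the hunk.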
#0 __parse_one_specmb (format=<value optimized out>, posn=0, spec=0x40b782,
max_ref_arg=0x7fffffffde48) at printf-parsemb.c:73
n = <value optimized out>
nargs = <value optimized out>
#1 0x00007ffff7ac144b in _IO_vfprintf_internal (s=<value optimized out>,
format=<value optimized out>, ap=<value optimized out>) at vfprintf.c:1712
nspecs = 34
nargs = 0
max_ref_arg = 0
cnt = <value optimized out>
nspecs_max = 64
specs = <value optimized out>
args_value = 0x0
_buffer = {__routine = 0x7ffff7ad2c50 <__funlockfile>, __arg =
0x7ffff7dd9780, __canceltype = -136466792, __prev = 0x7ffff7ffe480}
_avail = 0
thousands_sep = 0x7ffff7ba2ada ""
grouping = 0x0
done = <value optimized out>
f = 0x40b04a "%%", '-' <repeats 54 times>, "\n%% Set up the ISO fonts
\n\n%% Times \n%% ----- \n/Times-Roman findfont dup length dict begin
{\t\t\n\t1 index /FID ne { def } { pop pop } ifelse\t\n} fo"...
lead_str_end = 0x40a7e8 "%%%%!PS\n%%", '-' <repeats 74 times>, "\n%%
GNU UnRTF, a command-line program to convert RTF documents to other
formats.\n%% Copyright (C) 2000,2001 Zachary "...
work_buffer =
"`\355\001\000\000\000\000\...@\000\000\000\000\000\000\000\310\313\025\000\000\000\000\000\000\000\000\000@\000\070\000\n\...@\000g\000f\000\006\000\000\000\005\000\000\000@\000\000\000\000\000\000\...@\000\000\000\000\000\000\000@\000\000\000\000\000\000\000\060\002\000\000\000\000\000\000\060\002\000\000\000\000\000\000\b\000\000\000\000\000\000\000\003\000\000\000\004\000\000\000\200\326\022\000\000\000\000\000\200\326\022\000\000\000\000\000\200\326\022\000\000\000\000\000\034\000\000\000\000\000\000\000\034\000\000\000\000\000\000\000\020\000\000\000\000\000\000\000\001\000\000\000\005",
'\000' <repeats 27 times>,
"\020v\025\000\000\000\000\000\020v\025\000\000\000\000\000\000\000
\000\000\000\000\000\001\000\000\000\006\000\000\000(w\025\000\000\000\000\000(w"...
workstart = 0x1d43 <Address 0x1d43 out of bounds>
workend = 0x40 <Address 0x40 out of bounds>
ap_save = {{gp_offset = 8, fp_offset = 48, overflow_arg_area =
0x7fffffffdfa0, reg_save_area = 0x7fffffffdee0}}
nspecs_done = <value optimized out>
save_errno = 0
readonly_format = 0
jump_table =
"\001\000\000\004\000\016\000\006\000\000\a\002\000\003\t\000\005\b\b\b\b\b\b\b\b\b\000\000\000\000\000\000\000\032\000\031\000\023\023\023\000\035\000\000\f\000\000\000\000\000\000\025\000\000\000\000\022\000\r\000\000\000\000\000\000\032\000\024\017\023\023\023\n\017\034\000\v\030\027\021\026\f\000\025\033\020\000\000\022\000\r"
__PRETTY_FUNCTION__ = "_IO_vfprintf_internal"
#2 0x00007ffff7aca86a in __printf (format=0x0) at printf.c:35
arg = {{gp_offset = 8, fp_offset = 48, overflow_arg_area =
0x7fffffffdfa0, reg_save_area = 0x7fffffffdee0}}
done = 0
#3 0x00000000004036b2 in word_print (w=0x635ec0) at convert.c:2891
No locals.
#4 0x0000000000404488 in main (argc=<value optimized out>,
argv=0x7fffffffe1d8) at main.c:206
f = 0x635450
word = 0x635ec0
path = 0x7fffffffe4f3 "/home/mathias/b.rtf"
i = <value optimized out>
output_format = <value optimized out>
b.rtf
Description: RTF file

