Bug 1280458

Summary: [abrt] evince: gs_lcms2_malloc(): evince killed by SIGSEGV
Product: Red Hat Enterprise Linux 7
Reporter: Jeff Bastian <jbastian>
Component: ghostscript
Assignee: David Kaspar // Dee'Kej <deekej>
Status: CLOSED DUPLICATE
QA Contact: QE Internationalization Bugs <qe-i18n-bugs>
Severity: medium
Priority: medium    
Version: 7.2   
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
URL: http://faf-report.itos.redhat.com/reports/bthash/25708118d9cc01c38a770b961478ca9772dd3c5a
Whiteboard: abrt_hash:c203a92d11d80ddc22c7fe1dfed79be2e832f3c2
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2016-05-25 11:36:24 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Attachments (flags: none for each):
File: backtrace
File: cgroup
File: core_backtrace
File: dso_list
File: environ
File: exploitable
File: limits
File: machineid
File: maps
File: open_fds
File: proc_pid_status
File: var_log_messages

Description Jeff Bastian 2015-11-11 19:13:46 UTC
Description of problem:
I just started evince and it crashed

Version-Release number of selected component:
evince-3.14.2-5.el7

Additional info:
reporter:       libreport-2.1.11
backtrace_rating: 4
cmdline:        evince
crash_function: gs_lcms2_malloc
executable:     /usr/bin/evince
global_pid:     25606
kernel:         3.10.0-326.el7.x86_64
runlevel:       N 5
type:           CCpp
uid:            12257

Truncated backtrace:
Thread no. 1 (10 frames)
 #0 gs_lcms2_malloc at base/gsicc_lcms2.c:48
 #1 _cmsMallocZeroDefaultFn at cmserr.c:97
 #2 cmsCreateProfilePlaceholder at cmsio0.c:460
 #3 cmsOpenProfileFromMemTHR at cmsio0.c:1092
 #4 GfxICCBasedColorSpace::parse at GfxState.cc:1919
 #5 GfxColorSpace::parse at GfxState.cc:322
 #6 Gfx::doImage at Gfx.cc:4404
 #7 Gfx::opXObject at Gfx.cc:4180
 #8 Gfx::go at Gfx.cc:763
 #9 Gfx::display at Gfx.cc:729

Comment 1 Jeff Bastian 2015-11-11 19:13:48 UTC
Created attachment 1092839 [details]
File: backtrace

Comment 2 Jeff Bastian 2015-11-11 19:13:49 UTC
Created attachment 1092840 [details]
File: cgroup

Comment 3 Jeff Bastian 2015-11-11 19:13:51 UTC
Created attachment 1092841 [details]
File: core_backtrace

Comment 4 Jeff Bastian 2015-11-11 19:13:52 UTC
Created attachment 1092842 [details]
File: dso_list

Comment 5 Jeff Bastian 2015-11-11 19:13:52 UTC
Created attachment 1092843 [details]
File: environ

Comment 6 Jeff Bastian 2015-11-11 19:13:53 UTC
Created attachment 1092844 [details]
File: exploitable

Comment 7 Jeff Bastian 2015-11-11 19:13:54 UTC
Created attachment 1092845 [details]
File: limits

Comment 8 Jeff Bastian 2015-11-11 19:13:55 UTC
Created attachment 1092846 [details]
File: machineid

Comment 9 Jeff Bastian 2015-11-11 19:13:56 UTC
Created attachment 1092847 [details]
File: maps

Comment 10 Jeff Bastian 2015-11-11 19:13:57 UTC
Created attachment 1092848 [details]
File: open_fds

Comment 11 Jeff Bastian 2015-11-11 19:13:58 UTC
Created attachment 1092849 [details]
File: proc_pid_status

Comment 12 Jeff Bastian 2015-11-11 19:13:59 UTC
Created attachment 1092850 [details]
File: var_log_messages

Comment 14 Marek Kašík 2016-01-18 17:21:46 UTC
This is a bug in ghostscript.
I cannot reproduce this, but looking at the backtrace and related packages reveals:

poppler calls cmsOpenProfileFromMem(profBuf,length), which calls cmsOpenProfileFromMemTHR(NULL, MemPtr, dwSize).

This way we get into a situation where we call ghostscript's "gs_lcms2_malloc (id=0x0, size=3752)".

Current ghostscript handles this better because it doesn't use the given pointer directly but calls cmsGetContextUserData() on it, which handles the NULL there.
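
The failure described in comment 14, as an added example that is not part of the bug report and is not ghostscript, lcms2 or poppler source: a C model of an allocator hook that uses its context argument directly, next to one that resolves its state through a NULL-tolerant lookup. All type and function names are hypothetical, and allocating without accounting when no state is found is this model's assumption.

```c
#include <stddef.h>
#include <stdlib.h>
/* Constructed model of the call path in comment 14; every name is hypothetical. */
typedef struct { size_t bytes_out; } host_mem;        /* allocator owner's state */
typedef struct { host_mem *user_data; } color_ctx;    /* colour-management context */
typedef void *(*malloc_hook)(void *id, size_t size);

/* Before: treats the context argument itself as the owner's state. */
void *hook_unchecked(void *id, size_t size)
{
    host_mem *mem = id;
    mem->bytes_out += size;   /* faults when id is NULL, as in the id=0x0 call */
    return calloc(1, size);
}

/* Lookup that tolerates a NULL context; returning NULL is this model's choice. */
host_mem *ctx_user_data(const void *id)
{
    const color_ctx *ctx = id;
    return ctx ? ctx->user_data : NULL;
}

/* After: resolve state through the lookup; skip accounting when there is none. */
void *hook_checked(void *id, size_t size)
{
    host_mem *mem = ctx_user_data(id);
    if (mem)
        mem->bytes_out += size;
    return calloc(1, size);
}

/* Stand-in for a library entry point that forwards the caller's context. */
void *open_profile(malloc_hook hook, void *id, size_t size)
{
    return hook(id, size);
}

/* Returns 1 if a context-less open succeeds and a context-bound one is accounted. */
int demo(void)
{
    host_mem mem = { 0 };
    color_ctx ctx = { &mem };
    void *a = open_profile(hook_checked, NULL, 3752);   /* size from the report */
    void *b = open_profile(hook_checked, &ctx, 3752);
    int ok = a != NULL && b != NULL && mem.bytes_out == 3752;
    free(a); free(b);
    return ok;
}
```

Passing `hook_unchecked` with a NULL context to `open_profile` reproduces the fault in the model; the test below only calls it with a valid state pointer.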

Comment 15 David Kaspar // Dee'Kej 2016-05-25 11:36:24 UTC
Looking at the backtrace and Marek's comment #14, this is a duplicate of BZ #959351.

*** This bug has been marked as a duplicate of bug 959351 ***