Bug 229174

Summary: ghostscript dumps core when processing .pdf file
Product: [Fedora] Fedora Reporter: Need Real Name <mal>
Component: ghostscriptAssignee: Tim Waugh <twaugh>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: 8CC: jhutar
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: 8.62-4.fc9 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-07-01 05:30:46 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 235704, 493442    
Attachments:
Description Flags
.pdf file on which ghostscript dumps core
none
gs-scfd.patch none

Description Need Real Name 2007-02-19 09:02:08 UTC
rpm -qf `which gs`
ghostscript-8.15.3-4.fc6

 gs -dEPSFitPage -dNOPAUSE -dBATCH -sDEVICE=pdfwrite -sOutputFile=/tmp/y.ps
/tmp/86.pdf
ESP Ghostscript 815.03 (2006-08-25)
Copyright (C) 2004 artofcode LLC, Benicia, CA.  All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
Processing pages 1 through 1.
Page 1
   **** Warning: stream operator not terminated by valid EOL.
   **** Warning: stream operator not terminated by valid EOL.

   **** Warning: File has insufficient data for an image.
Segmentation fault

Comment 1 Need Real Name 2007-02-19 09:02:09 UTC
Created attachment 148314 [details]
.pdf file on which ghostscript dumps core

Comment 2 Tim Waugh 2007-02-19 09:43:27 UTC
Confirmed with backtrace:

#0  i_free_object (mem=0x6028d8, ptr=0x90a098, 
    cname=0x32f08f24a0 "CFD lprev(close)") at src/gsalloc.c:770
770         finalize = pstype->finalize;
#1  0x00000032f06f0f1c in s_CFD_release (st=0x909540) at src/scfd.c:86
86          gs_free_object(st->memory, ss->lprev, "CFD lprev(close)");
#2  0x00000032f0716e01 in sclose (s=0x909640) at src/stream.c:414
414                 (*release) (st);
#3  0x00000032f071f9ee in zclosefile (i_ctx_p=0x637da0) at src/zfileio.c:52
52              int status = sclose(s);
#4  0x00000032f070d056 in gs_interpret (pi_ctx_p=0x32f0d74230, 
    pref=<value optimized out>, user_errors=1, pexit_code=0x7fff980f88dc, 
    perror_object=0x7fff980f88c0) at src/interp.c:1492
1492                            switch (code =
call_operator(op_index_proc(index), i_ctx_p)) {
#5  0x00000032f07035b2 in gs_main_interpret (minst=0x32f0d73fc0, 
    pref=0x90a098, user_errors=1, pexit_code=0x7fff980f88dc, 
    perror_object=0x7fff980f88c0) at src/imain.c:297
297             code = gs_interpret(&minst->i_ctx_p, &refnul, 
#6  0x00000032f07037de in gs_main_run_string_end (minst=0x6028d8, 
    user_errors=-13251, pexit_code=0x2c, perror_object=0x0) at src/imain.c:600
600         return gs_main_interpret(minst, &rstr, user_errors, pexit_code,
#7  0x00000032f0704710 in run_string (minst=0x6028d8, 
    str=0x90a098 '�' <repeats 28 times>, "\017���\a���\017���\037������������",
'�' <repeats 14 times>, "�\177���������������\017���\217\200", options=2)
    at src/imainarg.c:778
778                                       &exit_code, &error_object);
#8  0x00000032f0704e15 in runarg (minst=0x32f0d73fc0, pre=0x32f0910c35 "", 
    arg=0x63d060 "86.pdf", post=0x32f08f47a8 ".runfile", 
    options=<value optimized out>) at src/imainarg.c:768
768         code = run_string(minst, line, options);
#9  0x00000032f0704fd8 in argproc (minst=0x32f0d73fc0, 
    arg=<value optimized out>) at src/imainarg.c:703
703             return runarg(minst, "", filearg, ".runfile", runInit | runFlush);
#10 0x00000032f0706620 in gs_main_init_with_args (minst=0x32f0d73fc0, argc=7, 
    argv=<value optimized out>) at src/imainarg.c:216
216                     code = argproc(minst, arg);
#11 0x00000000004009e1 in main (argc=7, argv=0x7fff980f98d8)
    at src/dxmainc.c:88
88              code = gsapi_init_with_args(instance, argc, argv);


Comment 3 Sammy 2007-02-20 17:32:02 UTC
FYI...this crashes ghostscript all the way upto today's svn from the trunk
(8.56) with the same error messages coming from 8.15.3:
================================================
GPL Ghostscript SVN PRE-RELEASE 8.56 (2006-05-20)
Copyright (C) 2006 artofcode LLC, Benicia, CA.  All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
Processing pages 1 through 1.
Page 1
   **** Warning: stream operator not terminated by valid EOL.
   **** Warning: stream operator not terminated by valid EOL.

   **** Warning: File has insufficient data for an image.
Segmentation fault
==================================================================

The file seems to be CCITTFax stream, which is incomplete (see error
messages from xpdf). Also, AdobeReader is showing an empty page.
I agree that a crash is always a software bug the document seems to
be horribly wrong to begin with. Is this a kind of document you will
consistenly produce?

Comment 4 Need Real Name 2007-02-20 17:49:33 UTC
This document is one page from a historic book I bought in electronic format. 
It is quite possible that this specific file has invalid .pdf, other pages are OK.
evince shows me half page, then just blanks and give warnings about invalid pdf.

The importance of this bug is the security of ghostscript itself.
Usually similar crashes indicate possible buffer overflow 
or similar high risk security vulnerability.
Because ghostscript is widely used for printing untrusted .pdf and .ps
this is important for security reason.

Comment 5 Jan Hutař 2007-10-29 20:54:16 UTC
I can see this in F8 (ghostscript-8.60-5.fc8) too.

Comment 8 Tim Waugh 2008-01-14 12:24:32 UTC
Still happens with Fedora 8 (ghostscript-8.61-5.fc8).

Comment 9 petrosyan 2008-02-18 03:09:59 UTC
this bug is still present in ghostscript-8.61-6.fc8

Comment 10 Tim Waugh 2008-06-23 13:42:59 UTC
Created attachment 310029 [details]
gs-scfd.patch

Seems to be a buffer underrun in cf_decode_2d(), src/scfd.c:693 (the
invert_data call).  This patch works around the problem, but isn't a real fix.

Comment 11 Tim Waugh 2008-06-23 13:55:55 UTC
Reported upstream.

Comment 12 Tim Waugh 2008-06-23 14:14:19 UTC
Work-around applied in CVS.

Comment 13 Fedora Update System 2008-06-23 19:14:45 UTC
ghostscript-8.62-4.fc9 has been submitted as an update for Fedora 9

Comment 14 Fedora Update System 2008-06-25 02:55:14 UTC
ghostscript-8.62-4.fc9 has been pushed to the Fedora 9 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update ghostscript'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F9/FEDORA-2008-5699

Comment 15 Fedora Update System 2008-07-01 05:30:41 UTC
ghostscript-8.62-4.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.