
Bug 1280458

Summary: [abrt] evince: gs_lcms2_malloc(): evince killed by SIGSEGV
Product: Red Hat Enterprise Linux 7
Reporter: Jeff Bastian <jbastian>
Component: ghostscript
Assignee: David Kaferad // Dee'Kej <deekej>
Status: CLOSED DUPLICATE
QA Contact: QE Internationalization Bugs <qe-i18n-bugs>
Severity: medium
Docs Contact:
Priority: medium
Version: 7.2
Target Milestone: rc
Target Release: ---
Hardware: x86_64
OS: Unspecified
URL: http://faf-report.itos.redhat.com/reports/bthash/25708118d9cc01c38a770b961478ca9772dd3c5a
Whiteboard: abrt_hash:c203a92d11d80ddc22c7fe1dfed79be2e832f3c2
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-05-25 11:36:24 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Attachments:
Description (Flags)
File: backtrace (none)
File: cgroup (none)
File: core_backtrace (none)
File: dso_list (none)
File: environ (none)
File: exploitable (none)
File: limits (none)
File: machineid (none)
File: maps (none)
File: open_fds (none)
File: proc_pid_status (none)
File: var_log_messages (none)

Description Jeff Bastian 2015-11-11 19:13:46 UTC
Description of problem:
I just started evince and it crashed

Version-Release number of selected component:
evince-3.14.2-5.el7

Additional info:
reporter:       libreport-2.1.11
backtrace_rating: 4
cmdline:        evince
crash_function: gs_lcms2_malloc
executable:     /usr/bin/evince
global_pid:     25606
kernel:         3.10.0-326.el7.x86_64
runlevel:       N 5
type:           CCpp
uid:            12257

Truncated backtrace:
Thread no. 1 (10 frames)
 #0 gs_lcms2_malloc at base/gsicc_lcms2.c:48
 #1 _cmsMallocZeroDefaultFn at cmserr.c:97
 #2 cmsCreateProfilePlaceholder at cmsio0.c:460
 #3 cmsOpenProfileFromMemTHR at cmsio0.c:1092
 #4 GfxICCBasedColorSpace::parse at GfxState.cc:1919
 #5 GfxColorSpace::parse at GfxState.cc:322
 #6 Gfx::doImage at Gfx.cc:4404
 #7 Gfx::opXObject at Gfx.cc:4180
 #8 Gfx::go at Gfx.cc:763
 #9 Gfx::display at Gfx.cc:729

Comment 1 Jeff Bastian 2015-11-11 19:13:48 UTC
Created attachment 1092839 [details]
File: backtrace

Comment 2 Jeff Bastian 2015-11-11 19:13:49 UTC
Created attachment 1092840 [details]
File: cgroup

Comment 3 Jeff Bastian 2015-11-11 19:13:51 UTC
Created attachment 1092841 [details]
File: core_backtrace

Comment 4 Jeff Bastian 2015-11-11 19:13:52 UTC
Created attachment 1092842 [details]
File: dso_list

Comment 5 Jeff Bastian 2015-11-11 19:13:52 UTC
Created attachment 1092843 [details]
File: environ

Comment 6 Jeff Bastian 2015-11-11 19:13:53 UTC
Created attachment 1092844 [details]
File: exploitable

Comment 7 Jeff Bastian 2015-11-11 19:13:54 UTC
Created attachment 1092845 [details]
File: limits

Comment 8 Jeff Bastian 2015-11-11 19:13:55 UTC
Created attachment 1092846 [details]
File: machineid

Comment 9 Jeff Bastian 2015-11-11 19:13:56 UTC
Created attachment 1092847 [details]
File: maps

Comment 10 Jeff Bastian 2015-11-11 19:13:57 UTC
Created attachment 1092848 [details]
File: open_fds

Comment 11 Jeff Bastian 2015-11-11 19:13:58 UTC
Created attachment 1092849 [details]
File: proc_pid_status

Comment 12 Jeff Bastian 2015-11-11 19:13:59 UTC
Created attachment 1092850 [details]
File: var_log_messages

Comment 14 Marek Kašík 2016-01-18 17:21:46 UTC
This is a bug in ghostscript.
I cannot reproduce this, but looking at the backtrace and related packages reveals:

poppler calls cmsOpenProfileFromMem(profBuf,length), which calls cmsOpenProfileFromMemTHR(NULL, MemPtr, dwSize).

This way we get into a situation where we call ghostscript's "gs_lcms2_malloc (id=0x0, size=3752)".

Current ghostscript handles this better because it doesn't use the given pointer directly but calls cmsGetContextUserData() on it, which handles the NULL there.
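
The pattern described in comment 14, as an added C example that is not part of the bug report and is not ghostscript or lcms2 source: an allocator callback that dereferences the context id it is handed, beside one that resolves its state through a lookup that tolerates NULL. All type and function names are hypothetical, and the fallback-to-default behaviour of the lookup is an assumption made for this model.

```c
#include <stddef.h>
#include <stdlib.h>

/* Hypothetical stand-in for the application's allocator state. */
typedef struct { size_t bytes_allocated; } app_memory;

/* Hypothetical stand-in for a library context that carries user data. */
typedef struct { void *user_data; } lib_context;

static app_memory default_memory;                       /* state used when no context is given */
static lib_context default_context = { &default_memory };

/* Models the lookup step: a NULL context resolves to a default context
   instead of being dereferenced (assumption for this example). */
static void *context_user_data(lib_context *ctx) {
    return (ctx != NULL ? ctx : &default_context)->user_data;
}

/* Crashing pattern: the id is treated as the allocator state itself.
   A caller that passes NULL (id=0x0 in the report) faults on mem->bytes_allocated. */
void *alloc_direct(void *id, size_t size) {
    app_memory *mem = (app_memory *)id;
    mem->bytes_allocated += size;
    return malloc(size);
}

/* Hardened pattern: resolve the state through the lookup, then check the
   result before use, so neither a NULL id nor missing user data faults. */
void *alloc_via_lookup(lib_context *id, size_t size) {
    app_memory *mem = (app_memory *)context_user_data(id);
    if (mem == NULL)
        return NULL;                                    /* fail the allocation, do not crash */
    mem->bytes_allocated += size;
    return malloc(size);
}

int main(void) {
    /* Same arguments as the crashing call in the report: NULL id, 3752 bytes. */
    void *p = alloc_via_lookup(NULL, 3752);
    int ok = (p != NULL);
    free(p);
    return ok ? 0 : 1;
}
```
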

Comment 15 David Kaferad // Dee'Kej 2016-05-25 11:36:24 UTC
Looking at the backtrace and Marek's comment #14, this is a duplicate of BZ #959351.

*** This bug has been marked as a duplicate of bug 959351 ***