Bug 1280458 - [abrt] evince: gs_lcms2_malloc(): evince killed by SIGSEGV
Status: CLOSED DUPLICATE of bug 959351
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ghostscript
Version: 7.2
Hardware: x86_64 Unspecified
Priority: medium Severity: medium
Target Milestone: rc
Target Release: ---
Assigned To: David Kaspar [Dee'Kej]
QA Contact: QE Internationalization Bugs
URL: http://faf-report.itos.redhat.com/rep...
Whiteboard: abrt_hash:c203a92d11d80ddc22c7fe1dfed...
Reported: 2015-11-11 14:13 EST by Jeff Bastian
Modified: 2016-05-25 07:36 EDT
Doc Type: Bug Fix
Last Closed: 2016-05-25 07:36:24 EDT

Attachments
File: backtrace (42.06 KB, text/plain), 2015-11-11 14:13 EST, Jeff Bastian
File: cgroup (182 bytes, text/plain), 2015-11-11 14:13 EST, Jeff Bastian
File: core_backtrace (24.75 KB, text/plain), 2015-11-11 14:13 EST, Jeff Bastian
File: dso_list (12.94 KB, text/plain), 2015-11-11 14:13 EST, Jeff Bastian
File: environ (2.48 KB, text/plain), 2015-11-11 14:13 EST, Jeff Bastian
File: exploitable (82 bytes, text/plain), 2015-11-11 14:13 EST, Jeff Bastian
File: limits (1.29 KB, text/plain), 2015-11-11 14:13 EST, Jeff Bastian
File: machineid (135 bytes, text/plain), 2015-11-11 14:13 EST, Jeff Bastian
File: maps (64.89 KB, text/plain), 2015-11-11 14:13 EST, Jeff Bastian
File: open_fds (2.73 KB, text/plain), 2015-11-11 14:13 EST, Jeff Bastian
File: proc_pid_status (1.11 KB, text/plain), 2015-11-11 14:13 EST, Jeff Bastian
File: var_log_messages (2.80 KB, text/plain), 2015-11-11 14:13 EST, Jeff Bastian

Description Jeff Bastian 2015-11-11 14:13:46 EST
Description of problem:
I just started evince and it crashed

Version-Release number of selected component:
evince-3.14.2-5.el7

Additional info:
reporter:       libreport-2.1.11
backtrace_rating: 4
cmdline:        evince
crash_function: gs_lcms2_malloc
executable:     /usr/bin/evince
global_pid:     25606
kernel:         3.10.0-326.el7.x86_64
runlevel:       N 5
type:           CCpp
uid:            12257

Truncated backtrace:
Thread no. 1 (10 frames)
 #0 gs_lcms2_malloc at base/gsicc_lcms2.c:48
 #1 _cmsMallocZeroDefaultFn at cmserr.c:97
 #2 cmsCreateProfilePlaceholder at cmsio0.c:460
 #3 cmsOpenProfileFromMemTHR at cmsio0.c:1092
 #4 GfxICCBasedColorSpace::parse at GfxState.cc:1919
 #5 GfxColorSpace::parse at GfxState.cc:322
 #6 Gfx::doImage at Gfx.cc:4404
 #7 Gfx::opXObject at Gfx.cc:4180
 #8 Gfx::go at Gfx.cc:763
 #9 Gfx::display at Gfx.cc:729
Comment 1 Jeff Bastian 2015-11-11 14:13:48 EST
Created attachment 1092839
File: backtrace
Comment 2 Jeff Bastian 2015-11-11 14:13:49 EST
Created attachment 1092840
File: cgroup
Comment 3 Jeff Bastian 2015-11-11 14:13:51 EST
Created attachment 1092841
File: core_backtrace
Comment 4 Jeff Bastian 2015-11-11 14:13:52 EST
Created attachment 1092842
File: dso_list
Comment 5 Jeff Bastian 2015-11-11 14:13:52 EST
Created attachment 1092843
File: environ
Comment 6 Jeff Bastian 2015-11-11 14:13:53 EST
Created attachment 1092844
File: exploitable
Comment 7 Jeff Bastian 2015-11-11 14:13:54 EST
Created attachment 1092845
File: limits
Comment 8 Jeff Bastian 2015-11-11 14:13:55 EST
Created attachment 1092846
File: machineid
Comment 9 Jeff Bastian 2015-11-11 14:13:56 EST
Created attachment 1092847
File: maps
Comment 10 Jeff Bastian 2015-11-11 14:13:57 EST
Created attachment 1092848
File: open_fds
Comment 11 Jeff Bastian 2015-11-11 14:13:58 EST
Created attachment 1092849
File: proc_pid_status
Comment 12 Jeff Bastian 2015-11-11 14:13:59 EST
Created attachment 1092850
File: var_log_messages
Comment 14 Marek Kašík 2016-01-18 12:21:46 EST
This is a bug in ghostscript.
I cannot reproduce this, but looking at the backtrace and related packages reveals:

poppler calls cmsOpenProfileFromMem(profBuf,length) which calls cmsOpenProfileFromMemTHR(NULL, MemPtr, dwSize)

This way we get into a situation where we call ghostscript's "gs_lcms2_malloc (id=0x0, size=3752)"

Current ghostscript handles this better because it doesn't use the given pointer directly but calls cmsGetContextUserData() on it, which handles the NULL there.
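
The failure mode described in comment 14, as an added example that is not part of the original report and is not lcms2 or ghostscript code: an allocator callback that treats the context id as its allocator faults on a NULL id, while one that resolves the allocator through a NULL-tolerant lookup does not. All type and function names are hypothetical stand-ins, and falling back to a default allocator when no user data is found is an assumption.

```c
#include <stddef.h>
#include <stdlib.h>

/* Hypothetical stand-in for the memory manager a plugin expects to receive. */
typedef struct allocator {
    size_t bytes_handed_out;   /* bookkeeping: shows which allocator served a request */
    void *(*alloc)(struct allocator *self, size_t size);
} allocator;

/* Hypothetical stand-in for a colour-management context carrying user data. */
typedef struct color_ctx { void *user_data; } color_ctx;

static void *counting_alloc(allocator *self, size_t size) {
    self->bytes_handed_out += size;
    return calloc(1, size);
}

static allocator fallback = { 0, counting_alloc };

size_t fallback_bytes(void) { return fallback.bytes_handed_out; }
void allocator_init(allocator *a) { a->bytes_handed_out = 0; a->alloc = counting_alloc; }

/* "Before": the context id is used directly as the allocator.
 * A caller that passes id == NULL makes mem->alloc a NULL dereference. */
void *plugin_malloc_direct(void *id, size_t size) {
    allocator *mem = (allocator *)id;
    return mem->alloc(mem, size);
}

/* Lookup that tolerates a NULL context instead of dereferencing it. */
static void *ctx_user_data(const color_ctx *ctx) {
    return ctx != NULL ? ctx->user_data : NULL;
}

/* "After": resolve the allocator through the lookup and check the result. */
void *plugin_malloc_checked(const color_ctx *ctx, size_t size) {
    allocator *mem = ctx_user_data(ctx);
    if (mem == NULL)
        mem = &fallback;   /* assumption: use a default allocator */
    return mem->alloc(mem, size);
}

int main(void) {
    void *p = plugin_malloc_checked(NULL, 3752);   /* NULL id, size from the report */
    int ok = (p != NULL) && fallback_bytes() == 3752;
    free(p);
    return ok ? 0 : 1;
}
```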
Comment 15 David Kaspar [Dee'Kej] 2016-05-25 07:36:24 EDT
Looking at the backtrace and Marek's comment #14, this is a duplicate of BZ #959351.

*** This bug has been marked as a duplicate of bug 959351 ***
