Bug 1669611 - ghostscript: Regression: SEGV in names_ref on converting faulty PS to PDF
Summary: ghostscript: Regression: SEGV in names_ref on converting faulty PS to PDF
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ghostscript
Version: 7.7
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: low
Target Milestone: rc
Target Release: ---
Assignee: Martin Osvald 🛹
QA Contact: Petr Sklenar
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-01-25 19:12 UTC by Cedric Buissart
Modified: 2019-08-06 13:13 UTC (History)

Fixed In Version: ghostscript-9.25-2.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-08-06 13:13:05 UTC
Target Upstream Version:
Embargoed:


Attachments
a faulty PS file that crashes pdfwrite (87 bytes, text/plain)
2019-01-25 19:12 UTC, Cedric Buissart


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:2281 0 None None None 2019-08-06 13:13:18 UTC

Description Cedric Buissart 2019-01-25 19:12:19 UTC
Created attachment 1523575
a faulty PS file that crashes pdfwrite

Description of problem:

null pointer dereference in names_ref

Version-Release number of selected component (if applicable):


How reproducible: 100%


Steps to Reproduce:
1. convert the faulty ps to pdf .... or die trying

$ gs  -P- -dSAFER -q -P- -dNOPAUSE -dBATCH -sDEVICE=pdfwrite -sstdout=%stderr "-sOutputFile=out.pdf" -P- -dSAFER -c .setpdfwrite -f faulty.ps

Actual results:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff3ca98e2 in names_ref (nt=0x609a00000458, ptr=0x0, size=7, pref=0x608600250320, enterflag=1) at psi/iname.c:179
179             NAME_HASH(hash, hash_permutation, ptr, size);

(gdb) bt
#0  0x00007ffff3ca98e2 in names_ref (nt=0x609a00000458, ptr=0x0, size=7, pref=0x608600250320, enterflag=1) at psi/iname.c:179
#1  0x00007ffff3bfdd89 in ref_param_write_typed_array (plist=plist@entry=0x7fffffffc000, pkey=pkey@entry=0x7ffff444e261 "NeverEmbed", pvalue=pvalue@entry=0x7fffffffbd40, count=14, 
    make=make@entry=0x7ffff3bfbe50 <ref_param_make_name>) at psi/iparam.c:154
#2  0x00007ffff3bff063 in ref_param_write_typed (plist=0x7fffffffc000, pkey=0x7ffff444e261 "NeverEmbed", pvalue=0x7fffffffbd40) at psi/iparam.c:254
#3  0x00007ffff422aecb in param_write_name_array (plist=plist@entry=0x7fffffffc000, pkey=pkey@entry=0x7ffff444e261 "NeverEmbed", pvalue=pvalue@entry=0x609000001768) at base/gsparam.c:440
#4  0x00007ffff3ef1eb0 in psdf_get_embed_param (psa=0x609000001768, allpname=0x7ffff444e260 ".NeverEmbed", plist=0x7fffffffc000) at base/gdevpsdp.c:369
#5  gdev_psdf_get_params (dev=dev@entry=0x609000000258, plist=plist@entry=0x7fffffffc000) at base/gdevpsdp.c:466
#6  0x00007ffff3f8c572 in gdev_pdf_get_params (dev=0x609000000258, plist=0x7fffffffc000) at base/gdevpdfp.c:218
#7  0x00007ffff41fd4d0 in gs_get_device_or_hw_params (orig_dev=orig_dev@entry=0x609000000258, plist=plist@entry=0x7fffffffc000, is_hardware=is_hardware@entry=0) at base/gsdparam.c:60
#8  0x00007ffff3c8cc5b in zget_device_params (i_ctx_p=0x608600005d68, is_hardware=0) at psi/zdevice.c:275
#9  0x00007ffff3bf8ef5 in interp (perror_object=<optimized out>, pref=<optimized out>, pi_ctx_p=<optimized out>) at psi/interp.c:1610
#10 gs_call_interp (pi_ctx_p=pi_ctx_p@entry=0x60220001fd88, pref=pref@entry=0x7fffffffd040, user_errors=user_errors@entry=1, pexit_code=pexit_code@entry=0x7fffffffd0c0, 
    perror_object=<optimized out>) at psi/interp.c:509
#11 0x00007ffff3bfafb6 in gs_interpret (pi_ctx_p=pi_ctx_p@entry=0x60220001fd88, pref=0x7fffffffd040, user_errors=user_errors@entry=-12032, pexit_code=<optimized out>, 
    perror_object=<optimized out>) at psi/interp.c:467
#12 0x00007ffff3bda29d in gs_main_interpret (perror_object=<optimized out>, pexit_code=<optimized out>, user_errors=-12032, pref=0x7fffffffd040, minst=0x60220001fcf0) at psi/imain.c:241
#13 gs_main_run_string_end (minst=minst@entry=0x60220001fcf0, user_errors=<optimized out>, pexit_code=pexit_code@entry=0x7fffffffd0c0, perror_object=perror_object@entry=0x7fffffffd100)
    at psi/imain.c:615
#14 0x00007ffff3bda37e in gs_main_run_string_with_length (minst=minst@entry=0x60220001fcf0, str=<optimized out>, length=<optimized out>, user_errors=<optimized out>, 
    pexit_code=pexit_code@entry=0x7fffffffd0c0, perror_object=perror_object@entry=0x7fffffffd100) at psi/imain.c:573
#15 0x00007ffff3bda3bd in gs_main_run_string (minst=minst@entry=0x60220001fcf0, str=<optimized out>, user_errors=<optimized out>, pexit_code=pexit_code@entry=0x7fffffffd0c0, 
    perror_object=perror_object@entry=0x7fffffffd100) at psi/imain.c:555
#16 0x00007ffff3bdda60 in run_string (minst=minst@entry=0x60220001fcf0, str=str@entry=0x601000007250 "<2e2e2f726570726f64732f6675636b2e7073>.runfile", options=options@entry=3)
    at psi/imainarg.c:865
#17 0x00007ffff3bddde8 in runarg (minst=0x60220001fcf0, pre=<optimized out>, arg=<optimized out>, post=<optimized out>, options=3) at psi/imainarg.c:855
#18 0x00007ffff3be21fb in gs_main_init_with_args (minst=0x60220001fcf0, argc=argc@entry=16, argv=argv@entry=0x7fffffffdeb8) at psi/imainarg.c:226
#19 0x00007ffff3be46bb in gsapi_init_with_args (lib=<optimized out>, argc=argc@entry=16, argv=argv@entry=0x7fffffffdeb8) at psi/iapi.c:180
#20 0x0000000000400b3e in main (argc=16, argv=0x7fffffffdeb8) at psi/dxmainc.c:86


Expected results:


Additional info:
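
Added triage example (not part of the original report and not Ghostscript code): a small parser for gdb backtraces like the one above that flags frames receiving a NULL pointer together with a non-zero size, which is what frame #0 shows (ptr=0x0, size=7). The function names and the list of size-like argument names are assumptions of this example; the sample frames are copied from this report.

```python
import re

# Frames #0, #1 and #5 copied from the backtrace in this report
# (frame #1 keeps the line wrap gdb produced).
SAMPLE_BT = """\
#0  0x00007ffff3ca98e2 in names_ref (nt=0x609a00000458, ptr=0x0, size=7, pref=0x608600250320, enterflag=1) at psi/iname.c:179
#1  0x00007ffff3bfdd89 in ref_param_write_typed_array (plist=plist@entry=0x7fffffffc000, pkey=pkey@entry=0x7ffff444e261 "NeverEmbed", pvalue=pvalue@entry=0x7fffffffbd40, count=14,
    make=make@entry=0x7ffff3bfbe50 <ref_param_make_name>) at psi/iparam.c:154
#5  gdev_psdf_get_params (dev=dev@entry=0x609000000258, plist=plist@entry=0x7fffffffc000) at base/gdevpsdp.c:466
"""

# "#N  [0xADDR in ]func (args) at file:line"; inlined frames have no address.
FRAME_RE = re.compile(
    r"^#(?P<num>\d+)\s+(?:0x[0-9a-f]+ in )?(?P<func>\w+) \((?P<args>.*)\) at (?P<loc>\S+:\d+)$")
# name=value, skipping gdb's "name@entry=" prefix; value is hex, decimal or <...>.
ARG_RE = re.compile(r"(\w+)=(?:\w+@entry=)?(<[^>]*>|0x[0-9a-f]+|-?\d+)")
SIZE_ARGS = ("size", "len", "length", "count")  # assumed naming convention


def parse_frames(bt):
    """Join wrapped continuation lines, then parse each frame into a dict."""
    joined = []
    for line in bt.splitlines():
        if line.startswith("#"):
            joined.append(line.strip())
        elif line.strip() and joined:
            joined[-1] += " " + line.strip()
    frames = []
    for line in joined:
        m = FRAME_RE.match(line)
        if m:
            frames.append({"num": int(m["num"]), "func": m["func"],
                           "loc": m["loc"], "args": dict(ARG_RE.findall(m["args"]))})
    return frames


def null_with_length(frames):
    """Return frames where a pointer argument is 0x0 while a size-like argument is > 0."""
    hits = []
    for f in frames:
        nulls = [k for k, v in f["args"].items() if v == "0x0"]
        sizes = {k: int(v) for k, v in f["args"].items()
                 if k in SIZE_ARGS and v.lstrip("-").isdigit()}
        if nulls and any(n > 0 for n in sizes.values()):
            hits.append((f["num"], f["func"], f["loc"], nulls, sizes))
    return hits


if __name__ == "__main__":
    for hit in null_with_length(parse_frames(SAMPLE_BT)):
        print(hit)
```
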

Comment 2 Martin Osvald 🛹 2019-01-26 08:17:51 UTC
This doesn't crash on ghostscript-9.07-31.el7_6.3 but starts to crash with ghostscript-9.07-31.el7_6.6; therefore, I am setting the Regression keyword.

Comment 15 errata-xmlrpc 2019-08-06 13:13:05 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:2281

