rpm -qf `which gs` ghostscript-8.15.3-4.fc6 gs -dEPSFitPage -dNOPAUSE -dBATCH -sDEVICE=pdfwrite -sOutputFile=/tmp/y.ps /tmp/86.pdf ESP Ghostscript 815.03 (2006-08-25) Copyright (C) 2004 artofcode LLC, Benicia, CA. All rights reserved. This software comes with NO WARRANTY: see the file PUBLIC for details. Processing pages 1 through 1. Page 1 **** Warning: stream operator not terminated by valid EOL. **** Warning: stream operator not terminated by valid EOL. **** Warning: File has insufficient data for an image. Segmentation fault
Created attachment 148314 [details] .pdf file on which ghostscript dumps core
Confirmed with backtrace: #0 i_free_object (mem=0x6028d8, ptr=0x90a098, cname=0x32f08f24a0 "CFD lprev(close)") at src/gsalloc.c:770 770 finalize = pstype->finalize; #1 0x00000032f06f0f1c in s_CFD_release (st=0x909540) at src/scfd.c:86 86 gs_free_object(st->memory, ss->lprev, "CFD lprev(close)"); #2 0x00000032f0716e01 in sclose (s=0x909640) at src/stream.c:414 414 (*release) (st); #3 0x00000032f071f9ee in zclosefile (i_ctx_p=0x637da0) at src/zfileio.c:52 52 int status = sclose(s); #4 0x00000032f070d056 in gs_interpret (pi_ctx_p=0x32f0d74230, pref=<value optimized out>, user_errors=1, pexit_code=0x7fff980f88dc, perror_object=0x7fff980f88c0) at src/interp.c:1492 1492 switch (code = call_operator(op_index_proc(index), i_ctx_p)) { #5 0x00000032f07035b2 in gs_main_interpret (minst=0x32f0d73fc0, pref=0x90a098, user_errors=1, pexit_code=0x7fff980f88dc, perror_object=0x7fff980f88c0) at src/imain.c:297 297 code = gs_interpret(&minst->i_ctx_p, &refnul, #6 0x00000032f07037de in gs_main_run_string_end (minst=0x6028d8, user_errors=-13251, pexit_code=0x2c, perror_object=0x0) at src/imain.c:600 600 return gs_main_interpret(minst, &rstr, user_errors, pexit_code, #7 0x00000032f0704710 in run_string (minst=0x6028d8, str=0x90a098 '�' <repeats 28 times>, "\017���\a���\017���\037������������", '�' <repeats 14 times>, "�\177���������������\017���\217\200", options=2) at src/imainarg.c:778 778 &exit_code, &error_object); #8 0x00000032f0704e15 in runarg (minst=0x32f0d73fc0, pre=0x32f0910c35 "", arg=0x63d060 "86.pdf", post=0x32f08f47a8 ".runfile", options=<value optimized out>) at src/imainarg.c:768 768 code = run_string(minst, line, options); #9 0x00000032f0704fd8 in argproc (minst=0x32f0d73fc0, arg=<value optimized out>) at src/imainarg.c:703 703 return runarg(minst, "", filearg, ".runfile", runInit | runFlush); #10 0x00000032f0706620 in gs_main_init_with_args (minst=0x32f0d73fc0, argc=7, argv=<value optimized out>) at src/imainarg.c:216 216 code = argproc(minst, arg); #11 0x00000000004009e1 in main (argc=7, argv=0x7fff980f98d8) at src/dxmainc.c:88 88 code = gsapi_init_with_args(instance, argc, argv);
FYI...this crashes ghostscript all the way upto today's svn from the trunk (8.56) with the same error messages coming from 8.15.3: ================================================ GPL Ghostscript SVN PRE-RELEASE 8.56 (2006-05-20) Copyright (C) 2006 artofcode LLC, Benicia, CA. All rights reserved. This software comes with NO WARRANTY: see the file PUBLIC for details. Processing pages 1 through 1. Page 1 **** Warning: stream operator not terminated by valid EOL. **** Warning: stream operator not terminated by valid EOL. **** Warning: File has insufficient data for an image. Segmentation fault ================================================================== The file seems to be CCITTFax stream, which is incomplete (see error messages from xpdf). Also, AdobeReader is showing an empty page. I agree that a crash is always a software bug the document seems to be horribly wrong to begin with. Is this a kind of document you will consistenly produce?
This document is one page from a historic book I bought in electronic format. It is quite possible that this specific file has invalid .pdf, other pages are OK. evince shows me half page, then just blanks and give warnings about invalid pdf. The importance of this bug is the security of ghostscript itself. Usually similar crashes indicate possible buffer overflow or similar high risk security vulnerability. Because ghostscript is widely used for printing untrusted .pdf and .ps this is important for security reason.
I can see this in F8 (ghostscript-8.60-5.fc8) too.
Still happens with Fedora 8 (ghostscript-8.61-5.fc8).
this bug is still present in ghostscript-8.61-6.fc8
Created attachment 310029 [details] gs-scfd.patch Seems to be a buffer underrun in cf_decode_2d(), src/scfd.c:693 (the invert_data call). This patch works around the problem, but isn't a real fix.
Reported upstream.
Work-around applied in CVS.
ghostscript-8.62-4.fc9 has been submitted as an update for Fedora 9
ghostscript-8.62-4.fc9 has been pushed to the Fedora 9 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update ghostscript'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F9/FEDORA-2008-5699
ghostscript-8.62-4.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.