Bug 229174 - ghostscript dumps core when processing .pdf file
Summary: ghostscript dumps core when processing .pdf file
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: ghostscript
Version: 8
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Tim Waugh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: F8Target CVE-2007-6725
 
Reported: 2007-02-19 09:02 UTC by Need Real Name
Modified: 2009-04-01 18:58 UTC (History)

Fixed In Version: 8.62-4.fc9
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-07-01 05:30:46 UTC
Type: ---
Embargoed:


Attachments
.pdf file on which ghostscript dumps core (40.69 KB, application/pdf)
2007-02-19 09:02 UTC, Need Real Name
gs-scfd.patch (419 bytes, patch)
2008-06-23 13:42 UTC, Tim Waugh


Links
System: Ghostscript, ID: 689917, Private: 0, Priority: None, Status: None, Summary: None, Last Updated: Never

Description Need Real Name 2007-02-19 09:02:08 UTC
rpm -qf `which gs`
ghostscript-8.15.3-4.fc6

gs -dEPSFitPage -dNOPAUSE -dBATCH -sDEVICE=pdfwrite -sOutputFile=/tmp/y.ps /tmp/86.pdf
ESP Ghostscript 815.03 (2006-08-25)
Copyright (C) 2004 artofcode LLC, Benicia, CA.  All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
Processing pages 1 through 1.
Page 1
   **** Warning: stream operator not terminated by valid EOL.
   **** Warning: stream operator not terminated by valid EOL.

   **** Warning: File has insufficient data for an image.
Segmentation fault

Comment 1 Need Real Name 2007-02-19 09:02:09 UTC
Created attachment 148314 [details]
.pdf file on which ghostscript dumps core

Comment 2 Tim Waugh 2007-02-19 09:43:27 UTC
Confirmed with backtrace:

#0  i_free_object (mem=0x6028d8, ptr=0x90a098, 
    cname=0x32f08f24a0 "CFD lprev(close)") at src/gsalloc.c:770
770         finalize = pstype->finalize;
#1  0x00000032f06f0f1c in s_CFD_release (st=0x909540) at src/scfd.c:86
86          gs_free_object(st->memory, ss->lprev, "CFD lprev(close)");
#2  0x00000032f0716e01 in sclose (s=0x909640) at src/stream.c:414
414                 (*release) (st);
#3  0x00000032f071f9ee in zclosefile (i_ctx_p=0x637da0) at src/zfileio.c:52
52              int status = sclose(s);
#4  0x00000032f070d056 in gs_interpret (pi_ctx_p=0x32f0d74230, 
    pref=<value optimized out>, user_errors=1, pexit_code=0x7fff980f88dc, 
    perror_object=0x7fff980f88c0) at src/interp.c:1492
1492                            switch (code =
call_operator(op_index_proc(index), i_ctx_p)) {
#5  0x00000032f07035b2 in gs_main_interpret (minst=0x32f0d73fc0, 
    pref=0x90a098, user_errors=1, pexit_code=0x7fff980f88dc, 
    perror_object=0x7fff980f88c0) at src/imain.c:297
297             code = gs_interpret(&minst->i_ctx_p, &refnul, 
#6  0x00000032f07037de in gs_main_run_string_end (minst=0x6028d8, 
    user_errors=-13251, pexit_code=0x2c, perror_object=0x0) at src/imain.c:600
600         return gs_main_interpret(minst, &rstr, user_errors, pexit_code,
#7  0x00000032f0704710 in run_string (minst=0x6028d8, 
    str=0x90a098 '�' <repeats 28 times>, "\017���\a���\017���\037������������",
'�' <repeats 14 times>, "�\177���������������\017���\217\200", options=2)
    at src/imainarg.c:778
778                                       &exit_code, &error_object);
#8  0x00000032f0704e15 in runarg (minst=0x32f0d73fc0, pre=0x32f0910c35 "", 
    arg=0x63d060 "86.pdf", post=0x32f08f47a8 ".runfile", 
    options=<value optimized out>) at src/imainarg.c:768
768         code = run_string(minst, line, options);
#9  0x00000032f0704fd8 in argproc (minst=0x32f0d73fc0, 
    arg=<value optimized out>) at src/imainarg.c:703
703             return runarg(minst, "", filearg, ".runfile", runInit | runFlush);
#10 0x00000032f0706620 in gs_main_init_with_args (minst=0x32f0d73fc0, argc=7, 
    argv=<value optimized out>) at src/imainarg.c:216
216                     code = argproc(minst, arg);
#11 0x00000000004009e1 in main (argc=7, argv=0x7fff980f98d8)
    at src/dxmainc.c:88
88              code = gsapi_init_with_args(instance, argc, argv);


Comment 3 Sammy 2007-02-20 17:32:02 UTC
FYI...this crashes ghostscript all the way up to today's svn from the trunk
(8.56) with the same error messages coming from 8.15.3:
================================================
GPL Ghostscript SVN PRE-RELEASE 8.56 (2006-05-20)
Copyright (C) 2006 artofcode LLC, Benicia, CA.  All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
Processing pages 1 through 1.
Page 1
   **** Warning: stream operator not terminated by valid EOL.
   **** Warning: stream operator not terminated by valid EOL.

   **** Warning: File has insufficient data for an image.
Segmentation fault
==================================================================

The file seems to be a CCITTFax stream, which is incomplete (see error
messages from xpdf). Also, AdobeReader is showing an empty page.
I agree that a crash is always a software bug, but the document seems to
be horribly wrong to begin with. Is this a kind of document you will
consistently produce?

Comment 4 Need Real Name 2007-02-20 17:49:33 UTC
This document is one page from a historic book I bought in electronic format.
It is quite possible that this specific file has an invalid .pdf; other pages are OK.
evince shows me half a page, then just blanks, and gives warnings about an invalid pdf.

The importance of this bug is the security of ghostscript itself.
Usually similar crashes indicate a possible buffer overflow
or a similar high-risk security vulnerability.
Because ghostscript is widely used for printing untrusted .pdf and .ps,
this is important for security reasons.

Comment 5 Jan Hutař 2007-10-29 20:54:16 UTC
I can see this in F8 (ghostscript-8.60-5.fc8) too.

Comment 8 Tim Waugh 2008-01-14 12:24:32 UTC
Still happens with Fedora 8 (ghostscript-8.61-5.fc8).

Comment 9 petrosyan 2008-02-18 03:09:59 UTC
This bug is still present in ghostscript-8.61-6.fc8

Comment 10 Tim Waugh 2008-06-23 13:42:59 UTC
Created attachment 310029 [details]
gs-scfd.patch

Seems to be a buffer underrun in cf_decode_2d(), src/scfd.c:693 (the
invert_data call).  This patch works around the problem, but isn't a real fix.

Comment 11 Tim Waugh 2008-06-23 13:55:55 UTC
Reported upstream.

Comment 12 Tim Waugh 2008-06-23 14:14:19 UTC
Work-around applied in CVS.

Comment 13 Fedora Update System 2008-06-23 19:14:45 UTC
ghostscript-8.62-4.fc9 has been submitted as an update for Fedora 9

Comment 14 Fedora Update System 2008-06-25 02:55:14 UTC
ghostscript-8.62-4.fc9 has been pushed to the Fedora 9 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update ghostscript'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F9/FEDORA-2008-5699

Comment 15 Fedora Update System 2008-07-01 05:30:41 UTC
ghostscript-8.62-4.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

