Bug#619306: ghostscript segfaults on some eps file



Package: ghostscript
Version: 9.01~dfsg-2
Severity: important

Running gs on the attached file ends with a segfault.

% gs -dSAFER arch-SPOT.eps
GPL Ghostscript 9.01 (2011-02-07)
Copyright (C) 2010 Artifex Software, Inc.  All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
zsh: segmentation fault  gs -dSAFER arch-SPOT.eps

Here is the output of valgrind and gdb.

% valgrind gs -q -dSAFER arch-SPOT.eps
==356== Memcheck, a memory error detector
==356== Copyright (C) 2002-2010, and GNU GPL'd, by Julian Seward et al.
==356== Using Valgrind-3.6.0.SVN-Debian and LibVEX; rerun with -h for copyright info
==356== Command: gs -q -dSAFER arch-SPOT.eps
==356==
==356== Conditional jump or move depends on uninitialised value(s)
==356==    at 0x4FD6C11: ??? (in /usr/lib/libgs.so.9.01)
==356==    by 0x4FD72FE: gs_gc_reclaim (in /usr/lib/libgs.so.9.01)
==356==    by 0x5039F93: ??? (in /usr/lib/libgs.so.9.01)
==356==    by 0x4FA5E03: ??? (in /usr/lib/libgs.so.9.01)
==356==    by 0x4FA1730: interp_reclaim (in /usr/lib/libgs.so.9.01)
==356==    by 0x4FA2B3E: ??? (in /usr/lib/libgs.so.9.01)
==356==    by 0x4FA383A: gs_interpret (in /usr/lib/libgs.so.9.01)
==356==    by 0x4F987B4: gs_main_run_string_end (in /usr/lib/libgs.so.9.01)
==356==    by 0x4F9993D: ??? (in /usr/lib/libgs.so.9.01)
==356==    by 0x4F9A129: ??? (in /usr/lib/libgs.so.9.01)
==356==    by 0x4F9B69F: gs_main_init_with_args (in /usr/lib/libgs.so.9.01)
==356==    by 0x400AEB: main (in /usr/bin/gs)
==356==
==356== Conditional jump or move depends on uninitialised value(s)
==356==    at 0x4FD73EA: gs_gc_reclaim (in /usr/lib/libgs.so.9.01)
==356==    by 0x5039F93: ??? (in /usr/lib/libgs.so.9.01)
==356==    by 0x4FA5E03: ??? (in /usr/lib/libgs.so.9.01)
==356==    by 0x4FA1730: interp_reclaim (in /usr/lib/libgs.so.9.01)
==356==    by 0x4FA2B3E: ??? (in /usr/lib/libgs.so.9.01)
==356==    by 0x4FA383A: gs_interpret (in /usr/lib/libgs.so.9.01)
==356==    by 0x4F987B4: gs_main_run_string_end (in /usr/lib/libgs.so.9.01)
==356==    by 0x4F9993D: ??? (in /usr/lib/libgs.so.9.01)
==356==    by 0x4F9A129: ??? (in /usr/lib/libgs.so.9.01)
==356==    by 0x4F9B69F: gs_main_init_with_args (in /usr/lib/libgs.so.9.01)
==356==    by 0x400AEB: main (in /usr/bin/gs)
==356==
==356== Conditional jump or move depends on uninitialised value(s)
==356==    at 0x4FD73EF: gs_gc_reclaim (in /usr/lib/libgs.so.9.01)
==356==    by 0x5039F93: ??? (in /usr/lib/libgs.so.9.01)
==356==    by 0x4FA5E03: ??? (in /usr/lib/libgs.so.9.01)
==356==    by 0x4FA1730: interp_reclaim (in /usr/lib/libgs.so.9.01)
==356==    by 0x4FA2B3E: ??? (in /usr/lib/libgs.so.9.01)
==356==    by 0x4FA383A: gs_interpret (in /usr/lib/libgs.so.9.01)
==356==    by 0x4F987B4: gs_main_run_string_end (in /usr/lib/libgs.so.9.01)
==356==    by 0x4F9993D: ??? (in /usr/lib/libgs.so.9.01)
==356==    by 0x4F9A129: ??? (in /usr/lib/libgs.so.9.01)
==356==    by 0x4F9B69F: gs_main_init_with_args (in /usr/lib/libgs.so.9.01)
==356==    by 0x400AEB: main (in /usr/bin/gs)
==356==
==356== Jump to the invalid address stated on the next line
==356==    at 0x0: ???
==356==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==356==
==356==
==356== Process terminating with default action of signal 11 (SIGSEGV)
==356==  Bad permissions for mapped region at address 0x0
==356==    at 0x0: ???
==356==
==356== HEAP SUMMARY:
==356==     in use at exit: 10,781,132 bytes in 1,094 blocks
==356==   total heap usage: 2,766 allocs, 1,672 frees, 24,340,180 bytes allocated
==356==
==356== LEAK SUMMARY:
==356==    definitely lost: 264 bytes in 3 blocks
==356==    indirectly lost: 176 bytes in 4 blocks
==356==      possibly lost: 10,687,578 bytes in 733 blocks
==356==    still reachable: 93,114 bytes in 354 blocks
==356==         suppressed: 0 bytes in 0 blocks
==356== Rerun with --leak-check=full to see details of leaked memory
==356==
==356== For counts of detected and suppressed errors, rerun with: -v
==356== Use --track-origins=yes to see where uninitialised values come from
==356== ERROR SUMMARY: 93 errors from 4 contexts (suppressed: 40 from 9)
zsh: segmentation fault  valgrind gs -q -dSAFER arch-SPOT.eps

% gdb -q --args gs -q -dSAFER arch-SPOT.eps
Reading symbols from /usr/bin/gs...(no debugging symbols found)...done.
(gdb) run
Starting program: /usr/bin/gs -q -dSAFER arch-SPOT.eps
[Thread debugging using libthread_db enabled]

Program received signal SIGSEGV, Segmentation fault.
0x0000000000000000 in ?? ()
(gdb) bt
#0  0x0000000000000000 in ?? ()
#1  0x00007ffff6593bce in cmsEvalLUT () from /usr/lib/liblcms.so.1
#2  0x00007ffff659c0a6 in ?? () from /usr/lib/liblcms.so.1
#3  0x00007ffff6588071 in _cmsComputePrelinearizationTablesFromXFORM ()
   from /usr/lib/liblcms.so.1
#4  0x00007ffff659e8d7 in _cmsPrecalculateDeviceLink ()
   from /usr/lib/liblcms.so.1
#5  0x00007ffff659cc7a in cmsCreateProofingTransform ()
   from /usr/lib/liblcms.so.1
#6  0x00007ffff659d35b in cmsCreateTransform () from /usr/lib/liblcms.so.1
#7  0x00007ffff74019ca in gsicc_get_link_profile () from /usr/lib/libgs.so.9
#8  0x00007ffff73fe817 in ?? () from /usr/lib/libgs.so.9
#9  0x00007ffff7341dba in gx_remap_CIEA () from /usr/lib/libgs.so.9
#10 0x00007ffff759fa1c in gx_remap_color () from /usr/lib/libgs.so.9
#11 0x00007ffff758fb68 in gs_text_begin () from /usr/lib/libgs.so.9
#12 0x00007ffff758ff10 in gs_xyshow_begin () from /usr/lib/libgs.so.9
#13 0x00007ffff730a987 in ?? () from /usr/lib/libgs.so.9
#14 0x00007ffff737177d in ?? () from /usr/lib/libgs.so.9
#15 0x00007ffff737283b in gs_interpret () from /usr/lib/libgs.so.9
#16 0x00007ffff73677b5 in gs_main_run_string_end () from /usr/lib/libgs.so.9
#17 0x00007ffff736893e in ?? () from /usr/lib/libgs.so.9
#18 0x00007ffff736912a in ?? () from /usr/lib/libgs.so.9
#19 0x00007ffff736a6a0 in gs_main_init_with_args () from /usr/lib/libgs.so.9
#20 0x0000000000400aec in main ()
(gdb)



-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages ghostscript depends on:
ii  debconf [de 1.5.38                       Debian configuration management sy
ii  debianutils 3.4.4                        Miscellaneous utilities specific t
ii  gsfonts     1:8.11+urwcyr1.0.7~pre44-4.2 Fonts for the Ghostscript interpre
ii  libc6       2.11.2-13                    Embedded GNU C Library: Shared lib
ii  libgs9      9.01~dfsg-2                  interpreter for the PostScript lan

ghostscript recommends no packages.

Versions of packages ghostscript suggests:
ii  ghostscript-cups             9.01~dfsg-2 interpreter for the PostScript lan
ii  ghostscript-x                9.01~dfsg-2 interpreter for the PostScript lan
pn  hpijs                        <none>      (no description available)

-- no debconf information

Attachment: arch-SPOT.eps
Description: PostScript document

