Bug#619306: ghostscript segfaults on some eps file
tags 619306 + confirmed
quit
Hi,
Alexandre Duret-Lutz wrote:
> Running gs on the attached file ends with a segfault.
>
> % gs -dSAFER arch-SPOT.eps
I can't reproduce this with upstream gs (I'm probably using the wrong
build-time parameters) but I can easily reproduce it with the ghostscript
Debian package. Backtrace:
Program received signal SIGSEGV, Segmentation fault.
0x0000000000000000 in ?? ()
(gdb) bt
#0 0x0000000000000000 in ?? ()
#1 0x00007ffff7fc4206 in cmsEvalLUT (Lut=0x887920, In=<value optimized out>, Out=0x7fffffffc970)
at cmslut.c:512
#2 0x00007ffff7fcb741 in NormalXFORM (p=0x887770, in=<value optimized out>, out=<value optimized out>, Size=1)
at cmsxform.c:210
#3 0x00007ffff7fbab71 in _cmsComputePrelinearizationTablesFromXFORM (h=0x7fffffffcb10, nTransforms=1,
Grid=0x8895c0) at cmsgmt.c:1121
#4 0x00007ffff7fce217 in _cmsPrecalculateDeviceLink (h=0x887770, dwFlags=<value optimized out>)
at cmssamp.c:271
#5 0x00007ffff7fcc8bd in cmsCreateProofingTransform (InputProfile=<value optimized out>, InputFormat=196618,
OutputProfile=0x580660, OutputFormat=262170, ProofingProfile=<value optimized out>, nIntent=1,
ProofingIntent=3, dwFlags=9216) at cmsxform.c:1537
#6 0x00007ffff7fccfbb in cmsCreateTransform (Input=<value optimized out>, InputFormat=<value optimized out>,
Output=<value optimized out>, OutputFormat=<value optimized out>, Intent=<value optimized out>,
dwFlags=<value optimized out>) at cmsxform.c:1618
#7 0x00007ffff75eb3d7 in gsicc_get_link_profile (pis=<value optimized out>, dev=<value optimized out>,
gs_input_profile=0x885bf0, gs_output_profile=0x5b1c10, rendering_params=0x7fffffffccf0, memory=0x4028c8,
include_softproof=0) at ./base/gsicc_cache.c:592
#8 0x00007ffff75e82f7 in gx_remap_ICC (pcc=0x6d1b00, pcs=0x445ba8, pdc=0x770db0, pis=0x428d58, dev=0x4903b8,
select=gs_color_select_texture) at ./base/gsicc.c:347
#9 0x00007ffff7529b8a in gx_remap_CIEA (pc=0x6d1b00, pcs=0x445af8, pdc=0x770db0, pis=0x428d58, dev=0x4903b8,
select=gs_color_select_texture) at ./base/gsciemap.c:665
#10 0x00007ffff77862bc in gx_remap_color (pgs=0x428d58) at ./base/gxcmap.c:553
#11 0x00007ffff7778cb8 in gs_text_begin (pgs=0x428d58, text=0x7fffffffce60, mem=0x4028c8, ppte=0x7fffffffcf48)
at ./base/gstext.c:262
#12 0x00007ffff7779015 in gs_xyshow_begin (pgs=0x428d58, str=<value optimized out>, size=<value optimized out>,
x_widths=0x882b08, y_widths=0x0, widths_size=6, mem=0x4028c8, ppte=0x7fffffffcf48) at ./base/gstext.c:413
#13 0x00007ffff74f1777 in moveshow (i_ctx_p=0x444d50, have_x=1, have_y=0) at ./psi/zcharx.c:113
#14 0x00007ffff75592eb in interp (pi_ctx_p=0x402388, pref=<value optimized out>, perror_object=0x7fffffffde20)
at ./psi/interp.c:1263
In other words, the Device2PCS->CLut16params.Interp3D callback passed
to cmsEvalLUT is null. In fact, the entire CLut16params struct
consists of zeroes. The relevant Device2PCS structure has few nonzero
fields:
    .wFlags = 584,
    .InputChan = 3,
    .OutputChan = 3,
    .OutputEntries = 2,
    .L2 = {0x72ea80, 0x72efc0, 0x729e70, 0, ...},
    .Out16params = {
        .nSamples = 2,
        .nInputs = 1,
        .nOutputs = 1,
        .Domain = 1,
    },
    .Mat4 = {
        .v = {
            [0] = {.n = {14870, 11683, 5040},},
            [1] = {.n = {7908, 22229, 2630},},
            [2] = {.n = {467, 2684, 23883},},
        }
    },
    .L4 = {0x78ebc0, 0x78efd0, 0x78f3e0, 0, ...},
    .L4params = {
        .nSamples = 512,
        .nInputs = 1,
        .nOutputs = 1,
        .Domain = 511,
    },
    .L4Entries = 512
That structure is filled by cmsReadICCLut, which calls
ReadLUT_A2B(Icc, NewLUT, offset, sig) to fill it. What this all means
is beyond my expertise. Hints?
$ dpkg-query -W liblcms1
liblcms1 1.18.dfsg-1.2
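
Added illustration, not code from lcms, Ghostscript or the message above: a simplified C model of the failure mode in the backtrace (a zero-filled interpolation-parameter block whose callback is called unconditionally), next to a dispatch that validates the block first. All type, field and function names are hypothetical, and the grid values are constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* Simplified model with hypothetical names; not lcms's real definitions. */
typedef struct interp_params {
    int n_samples, n_inputs, n_outputs;
    void (*interp3d)(const uint16_t *in, uint16_t *out,
                     const uint16_t *grid, const struct interp_params *p);
} interp_params;

typedef struct {
    int in_chan, out_chan;
    const uint16_t *grid;       /* 3D grid data, NULL if absent */
    interp_params grid_params;  /* all zeroes if never initialised */
} lut_model;

/* Stand-in interpolator: copies the first grid node to the output. */
static void first_node(const uint16_t *in, uint16_t *out,
                       const uint16_t *grid, const interp_params *p)
{
    (void)in;
    for (int i = 0; i < p->n_outputs; i++) out[i] = grid[i];
}

/* Unchecked dispatch as in frame #1: zeroed grid_params means a call to 0. */
void eval_unchecked(const lut_model *l, const uint16_t *in, uint16_t *out)
{
    l->grid_params.interp3d(in, out, l->grid, &l->grid_params);
}

/* Checked dispatch: 0 on success, -1 if the grid stage is unusable. */
int eval_checked(const lut_model *l, const uint16_t *in, uint16_t *out)
{
    const interp_params *p = &l->grid_params;
    if (!p->interp3d || !l->grid || p->n_samples < 2 ||
        p->n_inputs != l->in_chan || p->n_outputs != l->out_chan)
        return -1;
    p->interp3d(in, out, l->grid, p);
    return 0;
}

/* Constructed 3-in/3-out LUT; zeroed != 0 leaves grid_params all zero. */
int demo(int zeroed, uint16_t out[3])
{
    static const uint16_t grid[2 * 2 * 2 * 3] = { 11, 22, 33 };
    const uint16_t in[3] = { 0, 0, 0 };
    lut_model l = { 3, 3, grid, { 0, 0, 0, NULL } };
    if (!zeroed) l.grid_params = (interp_params){ 2, 3, 3, first_node };
    return eval_checked(&l, in, out);
}
```

With the zeroed block the checked dispatch returns an error and leaves the output untouched, which turns the jump to address 0 into a condition the caller can report.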