Bug#619306: ghostscript segfaults on some eps file
Jonathan Nieder wrote:
> Håkon A. Hjortland wrote:
>> Downgrading liblcms1 from 1.18.dfsg-1.2ubuntu1 to 1.16-7ubuntu1 also
>> fixes the segfaults for both arch-SPOT.eps and transmitter.pdf.
> Ah, thanks for this (and for pinpointing which pointers are NULL)!
> I'll bisect.
Ok, so I was looking for an upstream repository to sift through but I
don't think there is one for lcms1. Results for "gs -dSAFER
arch-SPOT.eps" using packages from snapshot.debian.org:
liblcms1 1.16-7 ok
liblcms1 1.17-2 ok
liblcms1 1.17.dfsg-1 ok
liblcms1 1.17.dfsg-1+lenny1 segfault
liblcms1 1.17.dfsg-1+lenny2 segfault
liblcms1 1.18.dfsg-1 segfault
Either ghostscript 9 is abusing lcms1 (quite possible --- ghostscript
is just starting to use littlecms and there is doubtless a learning
curve involved) or there was an undeclared ABI break.
Based on lcms-user mailing list archives around that time, the patch
from 1.17.dfsg-1+lenny1 is not the patch to look at and it is
better to look at what 1.18 did:
| With this patch lcms does not work at all. Please upgrade to 1.18 and
| let's forget all this nasty stuff.
When ghostscript renders arch-SPOT.eps, Device2PCS->CLut16params (as
filled by cmsReadICCLut) is all-zeroes with modern liblcms1 and in
particular the pointer to its Interp3D method is NULL when cmsEvalLUT
calls it. Håkon did the brave thing and tried omitting the Interp3D
call, and it seemed to work okay.
So it's all a little puzzling. Hints welcome.
Still, hope that helps,

Changelog for 1.17.dfsg-1+lenny1:
* Non-maintainer upload by the security team
* Include upstream fixes for integer overflows, possible memory leaks
and a buffer overflow
Fixes: CVE-2009-0723 CVE-2009-0581 CVE-2009-0733
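An added illustration of the crash mode described above (not code from ghostscript, lcms or this thread): a hypothetical C model of a CLut16params-style descriptor whose Interp3D callback is left NULL by a zeroed read, with an evaluation routine that refuses the call and reports an error instead of segfaulting. The struct layout, the nearest-node lookup, the 2x2x2 grid and all function names are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical stand-in for an lcms1-style 16-bit CLUT descriptor (not
 * lcms code): field names follow the bug report, the layout does not. */
typedef struct CLut16Params {
    unsigned nInputs, nOutputs, nSamples;       /* nSamples^nInputs grid nodes */
    const unsigned short *Table;                /* nOutputs values per node */
    void (*Interp3D)(const unsigned short in[3], unsigned short out[],
                     const struct CLut16Params *p);
} CLut16Params;
/* Nearest-node lookup standing in for the real trilinear interpolator. */
static void nearest3D(const unsigned short in[3], unsigned short out[],
                      const CLut16Params *p)
{
    unsigned idx = 0, k;
    for (k = 0; k < 3; k++)
        idx = idx * p->nSamples + (in[k] * (p->nSamples - 1) + 0x7FFFu) / 0xFFFFu;
    for (k = 0; k < p->nOutputs; k++)
        out[k] = p->Table[idx * p->nOutputs + k];
}
/* A reader that validated the tag and installed the interpolator. */
void read_lut_good(CLut16Params *p, const unsigned short *tbl, unsigned samples)
{
    p->nInputs = 3; p->nOutputs = 1; p->nSamples = samples;
    p->Table = tbl; p->Interp3D = nearest3D;
}
/* The state seen in the report: params all-zero, so Interp3D is NULL. */
void read_lut_broken(CLut16Params *p) { memset(p, 0, sizeof *p); }
/* Guarded evaluation: -1 and a diagnostic instead of a NULL call; 0 on success. */
int eval_lut(const CLut16Params *p, const unsigned short in[3], unsigned short out[])
{
    if (p->Interp3D == NULL || p->Table == NULL || p->nSamples < 2) {
        fprintf(stderr, "CLut16params uninitialised; refusing to interpolate\n");
        return -1;
    }
    p->Interp3D(in, out, p);
    return 0;
}
/* Constructed 2x2x2 grid; returns the looked-up value or -1 if the guard fired. */
int demo_lookup(int broken)
{
    static const unsigned short tbl[8] = {0,1000,2000,3000,4000,5000,6000,7000};
    const unsigned short in[3] = {0xFFFF, 0, 0xFFFF};
    unsigned short out[1] = {0};
    CLut16Params p;
    if (broken) read_lut_broken(&p); else read_lut_good(&p, tbl, 2);
    return eval_lut(&p, in, out) == 0 ? (int)out[0] : -1;
}
```

The guard only converts the crash into a clean failure; it does not say whether the zeroed descriptor came from a caller-side misuse or an undeclared ABI change, which is the open question in the thread.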