[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#619306: ghostscript segfaults on some eps file

Jonathan Nieder wrote:
> Håkon A. Hjortland wrote:

>> Downgrading liblcms1 from 1.18.dfsg-1.2ubuntu1 to 1.16-7ubuntu1 also
>> fixes the segfaults for both arch-SPOT.eps and transmitter.pdf.
> Ah, thanks for this (and for pinpointing which pointers are NULL)!
> I'll bisect.

Ok, so I was looking for an upstream repository to sift through but I
don't think there is one for lcms1.  Results for "gs -dSAFER
arch-SPOT.eps" using packages from snapshot.debian.org:

 liblcms1 1.16-7	ok
 liblcms1 1.17-2	ok
 liblcms1 1.17.dfsg-1	ok
 liblcms1 1.17.dfsg-1+lenny1	segfault
 liblcms1 1.17.dfsg-1+lenny2	segfault
 liblcms1 1.18.dfsg-1	segfault

Either ghostscript 9 is abusing lcms1 (quite possible --- ghostscript
is just starting to use littlecms and there is doubtless a learning
curve involved) or there was an undeclared ABI break.

Based on lcms-user mailing list archives around that time, the patch
from 1.17.dfsg-1+lenny1[1] is not the patch to look at and it is
better to look at what 1.18 did:

| With this patch lcms does not work at all. Please upgrade to 1.18 and 
| let's forgot all this nasty stuff.

When ghostscript renders arch-SPOT.eps, Device2PCS->CLut16params (as
filled by cmsReadICCLut) is all-zeroes with modern liblcms1 and in
particular the pointer to its Interp3D method is NULL when cmsEvalLUT
calls it.  Håkon did the brave thing and tried omitting the Interp3D
call, and it seemed to work okay.

So it's all a little puzzling.  Hints welcome.

Still, hope that helps,

[1] Changelog for 1.17.dfsg-1+lenny1:

  * Non-maintainer upload by the security team
  * Include upstream fixes for integer overflows, possible memory leaks
    and a buffer overflow
    Fixes: CVE-2009-0723 CVE-2009-0581 CVE-2009-0733

DSA: http://www.debian.org/security/2009/dsa-1745

Reply to: