gs is segfaulting when I try to convert a pdf to png. gs works fine for other pdfs.
Created attachment 3859
the pdf causing the problem

$ /usr/bin/gs -sDEVICE=ppmraw -sOutputFile=test.ppm 06-02-OE-1MN-OE_061MN012-01-4C.pdf
GPL Ghostscript 8.62 (2008-02-29)
Copyright (C) 2008 Artifex Software, Inc. All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
Processing pages 1 through 1.
Page 1
Segmentation fault
A different pdf viewer, evince, complains:

Error (53449): No current point in closepath

ltrace shows (last few lines):

strlen("Extend") = 6
memcmp(0x83f400f, 0x88c2808, 6, 0x877b434, 0xbf845b98) = 0
memcpy(0x8b3bf6c, "pm\246\b", 96) = 0x8b3bf6c
memcpy(0xbf844cd8, "", 1012) = 0xbf844cd8
memcpy(0x8b272b4, "\001", 84) = 0x8b272b4
memcpy(0x8b3c9c4, "\001", 196) = 0x8b3c9c4
memcpy(0x8b3c290, "4\264w\b\\\367x\b", 1832) = 0x8b3c290
memcpy(0x8b3d538, "|\004", 232) = 0x8b3d538
memcpy(0x8b3ca94, "", 1012) = 0x8b3ca94
memcpy(0x8b3ce94, "\200@I\b", 1688) = 0x8b3ce94
memcpy(0xbf845394, "P\302\263\b(\\\204\277#\002\020\b\314/y\b(\\\204\2774\264w\b\301\013\017\b\027X\271\267"..., 1012) = 0xbf845394
--- SIGSEGV (Segmentation fault) ---
+++ killed by SIGSEGV +++

strace:

read(3, "^$\312):\337QP\35<\6\337+\320\373\202\261\'\315\235\310g\353n\277\376\323\377Q\307\353\373"..., 4096) = 4096
_llseek(3, 167936, [167936], SEEK_SET) = 0
read(3, "4\25\315\232&~H\207\231\276y\32\351\330\221\177\310\336\272\242\"\362\7kOY:\221\326\347(r"..., 4096) = 4096
_llseek(3, 53248, [53248], SEEK_SET) = 0
read(3, "^$\312):\337QP\35<\6\337+\320\373\202\261\'\315\235\310g\353n\277\376\323\377Q\307\353\373"..., 4096) = 4096
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++
and when calling this using convert (which calls gs), dmesg shows: convert[18999]: segfault at b46d365a eip b78171d4 esp bfd311a0 error 4
/usr/include/asm-generic/errno-base.h says error 4 is: "Interrupted system call"
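Decoding the dmesg line quoted above, as an added example that is not part of the original report: on x86 the number after "error" in a kernel segfault line is the page-fault error code, a bitmask printed in hex, and the parser below splits the line into its fields and names the bits. The function names and the second sample line are constructed for illustration.

```python
import re

# Kernel user-mode segfault message. The register names differ by kernel
# age and architecture (eip/esp in the report; rip/rsp or ip/sp elsewhere).
SEGFAULT_RE = re.compile(
    r"(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"[er]?ip (?P<ip>[0-9a-f]+) [er]?sp (?P<sp>[0-9a-f]+) "
    r"error (?P<err>[0-9a-f]+)"
)

# x86 page-fault error code: (mask, meaning when set, meaning when clear)
PF_BITS = [
    (0x01, "protection violation", "page not present"),
    (0x02, "write access", "read access"),
    (0x04, "user mode", "kernel mode"),
    (0x08, "reserved bit set in page table entry", None),
    (0x10, "instruction fetch", None),
]


def decode_error(code):
    """Return the list of conditions encoded in a page-fault error code."""
    out = []
    for mask, when_set, when_clear in PF_BITS:
        text = when_set if code & mask else when_clear
        if text:
            out.append(text)
    return out


def parse_segfault(line):
    """Parse one dmesg line; return None if it is not a segfault report."""
    m = SEGFAULT_RE.search(line)
    if m is None:
        return None
    err = int(m.group("err"), 16)  # the kernel prints this field in hex
    return {
        "comm": m.group("comm"), "pid": int(m.group("pid")),
        "fault_addr": int(m.group("addr"), 16),
        "ip": int(m.group("ip"), 16), "sp": int(m.group("sp"), 16),
        "error": err, "meaning": decode_error(err),
    }


if __name__ == "__main__":
    reported = "convert[18999]: segfault at b46d365a eip b78171d4 esp bfd311a0 error 4"
    # Constructed sample in the later ip/sp wording, with a timestamp prefix.
    constructed = "[ 812.4] demo[4242]: segfault at 10 ip 00007f00deadb000 sp 00007ffc00001000 error 7 in libdemo.so"
    for line in (reported, constructed):
        print(parse_segfault(line))
```

For the reported line this yields a user-mode read of a page that is not present, at fault address 0xb46d365a.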
Ghostscript 8.62 gets the segfault when executing the PDF 'sh' operator. The relevant -dPDFDEBUG log shows:

===========================================================
h 8.37 -16.079 m W n q 0 g 1 0 0 1 8.37034 -16.0789299 cm BX /SH1 sh
===========================================================

The call stack shows:

gx_path_new(gx_path_s * ppath=0x0006e694) Line 433 + 0x13 bytes
gx_cpath_from_rectangle(gx_clip_path_s * pcpath=0x0006e694, gs_fixed_rect_s * pbox=0x0006e75c) Line 520 + 0x9 bytes
gx_default_fill_path(gx_device_s * pdev=0x012900a8, const gs_imager_state_s * pis=0x01198fb0, gx_path_s * ppath=0x00000000, const gx_fill_params_s * params=0x0006e7ec, const gx_device_color_s * pdevc=0x0006e8dc, const gx_clip_path_s * pcpath=0x0219ecf8) Line 617 + 0x10 bytes
gx_forward_fill_path(gx_device_s * dev=0x021700a8, const gs_imager_state_s * pis=0x01198fb0, gx_path_s * ppath=0x00000000, const gx_fill_params_s * params=0x0006e7ec, const gx_device_color_s * pdcolor=0x0006e8dc, const gx_clip_path_s * pcpath=0x0219ecf8) Line 395 + 0x1b byteS
gx_fill_path(gx_path_s * ppath=0x00000000, gx_device_color_s * pdevc=0x0006e8dc, gs_state_s * pgs=0x01198fb0, int rule=-1, long adjust_x=64, long adjust_y=64) Line 50 + 0x23 bytes
gs_shfill(gs_state_s * pgs=0x01198fb0, const gs_shading_s * psh=0x0219f440) Line 112 + 0x28 bytes C !zshfill(gs_context_state_s * i_ctx_p=0x011a9740) Line 78 + 0x15 bytes

The problem occurs because the 'ppath->segments' has value 0x00000041 which fails when gx_path_is_shared dereferences this non-zero value.

Assigning to Igor since shaded filling is his bailiwick.
P2 for crashes.
Patch to HEAD : http://ghostscript.com/pipermail/gs-cvs/2008-March/008183.html
*** Bug 689750 has been marked as a duplicate of this bug. ***