Bug 690338 - SIGSEGV in gs_interpret() when using CUPS Raster driver of Gutenprint
Summary: SIGSEGV in gs_interpret() when using CUPS Raster driver of Gutenprint
Status: RESOLVED FIXED
Alias: None
Product: Ghostscript
Classification: Unclassified
Component: CUPS driver (show other bugs)
Version: 8.64
Hardware: PC Linux
: P4 major
Assignee: Alex Cherepanov
URL: https://bugs.launchpad.net/ubuntu/+so...
Keywords:
Depends on:
Blocks:
 
Reported: 2009-03-19 04:51 UTC by Till Kamppeter
Modified: 2010-04-25 21:54 UTC (History)
0 users

See Also:
Customer:
Word Size: ---


Attachments
pdf-testpage-a4.pdf (11.89 KB, application/pdf)
2009-03-19 13:16 UTC, Till Kamppeter
Details
testpage-a4.ps (149.20 KB, application/postscript)
2009-03-24 15:58 UTC, Till Kamppeter
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Till Kamppeter 2009-03-19 04:51:58 UTC
See the Ubuntu bug report referred to in the URL field.

If Ghostscript is used with the CUPS Raster interface of the Gutenprint driver
(version 5.2.3), as segfault in gs_interpret() occurs.

See the Ubuntu bug report for Ghostscript command lines and stack traces.
Comment 1 Ralph Giles 2009-03-19 11:15:16 UTC
I had a look at the original launchpad bug. I can't reproduce with trunk or
jaunty's binary (8.64.dfsg.1-0ubuntu2). Assuming it's one of the system test
pages, I tried:

cat /usr/share/cups/data/testprint.ps | debugobj/gs -dQUIET -dPARANOIDSAFER
-dNOPAUSE -dBATCH -sDEVICE=cups -sstdout=%stderr -sOutputFile=%stdout
-I/usr/share/cups/fonts -sMediaType=Plain -r720x360 -dDEVICEWIDTHPOINTS=595
-dDEVICEHEIGHTPOINTS=842 -dcupsBitsPerColor=8 -dcupsColorOrder=0
-dcupsColorSpace=1 -dcupsRowFeed=5 -scupsPageSizeName=A4 -c -f -_ | md5sum

cat /usr/share/system-config-printer/testpage-a4.ps | debugobj/gs -dQUIET
-dPARANOIDSAFER -dNOPAUSE -dBATCH -sDEVICE=cups -sstdout=%stderr
-sOutputFile=%stdout -I/usr/share/cups/fonts -sMediaType=Plain -r720x360
-dDEVICEWIDTHPOINTS=595 -dDEVICEHEIGHTPOINTS=842 -dcupsBitsPerColor=8
-dcupsColorOrder=0 -dcupsColorSpace=1 -dcupsRowFeed=5 -scupsPageSizeName=A4 -c
-f -_ | md5sum

cat /usr/share/system-config-printer/testpage-letter.ps | debugobj/gs -dQUIET
-dPARANOIDSAFER -dNOPAUSE -dBATCH -sDEVICE=cups -sstdout=%stderr
-sOutputFile=%stdout -I/usr/share/cups/fonts -sMediaType=Plain -r720x360
-dDEVICEWIDTHPOINTS=595 -dDEVICEHEIGHTPOINTS=842 -dcupsBitsPerColor=8
-dcupsColorOrder=0 -dcupsColorSpace=1 -dcupsRowFeed=5 -scupsPageSizeName=A4 -c
-f -_ | md5sum

and with /usr/bin/gs. Command line based on the launchpad report. No segfaults.
This is on x86_64 though.

We're not going to be able to do anything without a reproducible command-line
and file.
Comment 2 Till Kamppeter 2009-03-19 12:51:18 UTC
I succeeded to reproduce the bug on 64-bit with the following command line:

cat /usr/share/system-config-printer/testpage-a4.ps |
/usr/lib/cups/filter/pstopdf 1 1 1 1 '' | gs -dPARANOIDSAFER -dNOPAUSE -dBATCH
-sDEVICE=cups -sstdout=%stderr -sOutputFile=%stdout -I/usr/share/cups/fonts
-sMediaType=Plain -r720x360 -dDEVICEWIDTHPOINTS=595 -dDEVICEHEIGHTPOINTS=842
-dcupsBitsPerColor=8 -dcupsColorOrder=0 -dcupsColorSpace=1 -dcupsRowFeed=5
-scupsPageSizeName=A4 -c -f -_ > output

I get a segfault and the file "output" stays empty.

See also the Ubuntu bug report mentioned above and in addition this bug report
containing the backtrace info produced by my command line:

https://bugs.launchpad.net/ubuntu/+source/ghostscript/+bug/345576
Comment 3 Till Kamppeter 2009-03-19 13:16:23 UTC
Created attachment 4852 [details]
pdf-testpage-a4.pdf

PDF input file which causes the crash. Created by

cat /usr/share/system-config-printer/testpage-a4.ps |
/usr/lib/cups/filter/pstopdf 1 1 1 1 '' > pdf-testpage-a4.pdf

on Ubuntu Jaunty.

Using this file, the following Ghostscript command line causes the crash:

cat pdf-testpage-a4.pdf | gs -dPARANOIDSAFER -dNOPAUSE -dBATCH -sDEVICE=cups
-sstdout=%stderr -sOutputFile=%stdout -I/usr/share/cups/fonts -sMediaType=Plain
-r720x360 -dDEVICEWIDTHPOINTS=595 -dDEVICEHEIGHTPOINTS=842 -dcupsBitsPerColor=8
-dcupsColorOrder=0 -dcupsColorSpace=1 -dcupsRowFeed=5 -scupsPageSizeName=A4 -c
-f -_ > x
Comment 4 Till Kamppeter 2009-03-19 13:29:27 UTC
Simpler command line which still segfaults. It contains only the color space
parameters for the "cups" device.

gs -sDEVICE=cups -sOutputFile=x -dcupsBitsPerColor=8 -dcupsColorOrder=0
-dcupsColorSpace=1 -dcupsRowFeed=5 pdf-testpage-a4.pdf
Comment 5 Ralph Giles 2009-03-19 14:01:32 UTC
The following is sufficient to reproduce for me:

debugobj/gs -sDEVICE=cups -o /dev/null -dcupsColorSpace=1 pdf-testpage-a4.pdf

valgrind reports some unitialized value decisions in the garbage collector
before the final attempt to execute a null transform proc. Running with -dNOGC
the segfault still happens, but the gc report is replaced by several hundred
unitialized value warnings in errprintf called from cups_put_params.

Since the file runs ok with other devices, the cups parameter handling
clobbering memory seems a likely place to look.
Comment 6 Till Kamppeter 2009-03-20 12:09:13 UTC
https://bugs.launchpad.net/bugs/343171 seems to be the same problem.
Comment 7 Till Kamppeter 2009-03-24 15:01:34 UTC
Problem seems to be that there is no get_color_comp_index() function in
cups/gdevcups.c.
Comment 8 Till Kamppeter 2009-03-24 15:54:50 UTC
Input data format (PDF or PostScript) does not matter.

gs -sDEVICE=cups -o /dev/null -dcupsColorSpace=1
/usr/share/system-config-printer/testpage-a4.ps

crashes as well.
Comment 9 Till Kamppeter 2009-03-24 15:58:31 UTC
Created attachment 4864 [details]
testpage-a4.ps

Example PostScript file of the previous comment.
Comment 10 Till Kamppeter 2009-03-25 06:00:38 UTC
Fixed in SVN repository, rev 9595.
Comment 11 Till Kamppeter 2010-04-25 21:54:10 UTC
rev 9595 was only a bad workaround, leading to color corruption with other files. The real fix is rev 11120 in the SVN repository.