Bug 694275 - ps2pdf causes crash with __fortify_fail ***buffer overflow detected***
Summary: ps2pdf causes crash with __fortify_fail ***buffer overflow detected***
Status: RESOLVED WORKSFORME
Alias: None
Product: Ghostscript
Classification: Unclassified
Component: PDF Writer
Version: 9.07
Hardware: PC Linux
Importance: P4 normal
Assignee: Ken Sharp
Reported: 2013-05-28 15:03 UTC by Till Kamppeter
Modified: 2014-02-17 04:41 UTC
Word Size: 32


Attachments
toc.preview-lp1184386.eps (130.78 KB, image/x-eps)
2013-05-28 15:03 UTC, Till Kamppeter
xxx-lp1184386.ps (72 bytes, application/postscript)
2013-05-28 15:04 UTC, Till Kamppeter

Description Till Kamppeter 2013-05-28 15:03:12 UTC
Created attachment 9909
toc.preview-lp1184386.eps

Original bug report at Ubuntu:

https://bugs.launchpad.net/ubuntu/+source/ghostscript/+bug/1184386

The crash occurs when converting the attached files to PDF with the ps2pdf utility only on 32-bit systems with Ghostscript 9.07. It does not happen with 9.06 and it also does not happen on 64-bit.

The second attached file is a much shorter file to cause the crash.

Original report:

---------
When running
ps2pdf toc.preview.eps
I get
*** buffer overflow detected ***: /usr/bin/gs terminated
======= Backtrace: =========
/lib/i386-linux-gnu/libc.so.6(__fortify_fail+0x63)[0xb6d20bc3]
/lib/i386-linux-gnu/libc.so.6(+0x10593a)[0xb6d1f93a]
/lib/i386-linux-gnu/libc.so.6(+0x105008)[0xb6d1f008]
/lib/i386-linux-gnu/libc.so.6(_IO_default_xsputn+0x8c)[0xb6c8de5c]
/lib/i386-linux-gnu/libc.so.6(_IO_vfprintf+0x5e1)[0xb6c5eec1]
/lib/i386-linux-gnu/libc.so.6(__vsprintf_chk+0xc9)[0xb6d1f0d9]
/lib/i386-linux-gnu/libc.so.6(__sprintf_chk+0x2f)[0xb6d1efef]
/usr/lib/libgs.so.9(+0x25f12d)[0xb702c12d]
/usr/lib/libgs.so.9(gs_closedevice+0x21)[0xb713a1e1]
/usr/lib/libgs.so.9(gs_main_finit+0x19d)[0xb6ebb85d]
/usr/lib/libgs.so.9(gs_to_exit_with_code+0x33)[0xb6ebbc73]
/usr/lib/libgs.so.9(gs_to_exit+0x2b)[0xb6ebbcab]
/usr/lib/libgs.so.9(gsapi_exit+0x29)[0xb6ebf329]
/usr/bin/gs(main+0xb9)[0x8048799]
/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf5)[0xb6c33935]
/usr/bin/gs[0x8048809]
======= Memory map: ========
Aborted (core dumped)
I append the file in question. It can't be all that long since this problem occurs, so it may have surfaced by some library upgrade rather than a Ghostscript update. Nevertheless, the problem would seem to be in the Ghostscript code, judging from the messages.

Since a buffer overflow in Ghostscript, as part of the printer system, may be exploited at privileged levels, I am marking this a security vulnerability.

The file is processed in the normal course of producing the LilyPond documentation tree, so it is not all that outlandish, and it caused no problem until recently. My current system is a fully updated Raring Ringtail.
---------

Further comments:

---------
Downgrading to ghostscript 9.06 (last version from Quantal) along with dependencies and putting it on hold did the trick for me:
hi ghostscript 9.06~dfsg-0ubuntu4 i386
ii ghostscript-x 9.06~dfsg-0ubuntu4 i386
ii libgs9 9.06~dfsg-0ubuntu4 i386
ii libgs9-common 9.06~dfsg-0ubuntu4 all
---------

---------
An independent tester has corroborated that the problem occurs for a default Raring Ringtail installation with the i386 package. Several testers have reported that the amd64 package is not affected. Downgrading to 9.06 solves the problem.
---------

---------
Here is a much smaller file triggering the core dump. Run ps2pdf on it. My guess is that it tries to print an error message but the formatting of the error message is done to insufficient or unallocated memory.
---------
Comment 1 Till Kamppeter 2013-05-28 15:04:30 UTC
Created attachment 9910
xxx-lp1184386.ps

Very small file which also triggers this bug.
Comment 2 Ken Sharp 2013-05-28 15:10:56 UTC
Unless this previously exited with an error, or it can be reproduced with some other device, this doesn't seem like it's a PostScript interpreter problem.

There were many changes made to support 64-bit file offsets in 9.07 so I suspect the problem is more likely to lie there than anywhere else. There have also been some fixes in this area, would it be possible to get the original reporter to try the current code rather than the 9.07 release?

I see the minimal file is a Link annotation, thanks for the much reduced file Till, I'll look at it now.
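
Added example, not part of the thread and not Ghostscript code: the abort in the backtrace is raised by `__sprintf_chk`, the `_FORTIFY_SOURCE` replacement for `sprintf` that knows the destination size. Taking Comment 2's suspicion about the 64-bit offset changes as an assumption (the thread never establishes the cause), this sketch shows how a buffer sized for a 32-bit decimal offset is outgrown by a 64-bit one, and how bounded formatting reports that as an error; `OFFSET_BUF_32`, `offset_bytes_needed` and `format_offset` are hypothetical names.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical buffer size: room for the largest 32-bit unsigned decimal
 * (4294967295, 10 digits) plus the terminating NUL. */
#define OFFSET_BUF_32 11

/* Bytes (including the NUL) needed to print `off` in decimal.
 * snprintf with a zero size only measures; it writes nothing. */
static size_t offset_bytes_needed(int64_t off)
{
    int n = snprintf(NULL, 0, "%" PRId64, off);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* Bounded formatter: returns 0 on success, -1 if the text does not fit.
 * An unchecked sprintf(dst, ...) at this point is the kind of call that
 * _FORTIFY_SOURCE compiles to __sprintf_chk, which aborts the process
 * ("buffer overflow detected") rather than write past dst. */
static int format_offset(char *dst, size_t dst_size, int64_t off)
{
    int n = snprintf(dst, dst_size, "%" PRId64, off);
    if (n < 0 || (size_t)n >= dst_size) {
        if (dst_size > 0)
            dst[0] = '\0';      /* never leave a truncated number behind */
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample offsets: the last 32-bit value, the first value
     * needing 11 digits, and the largest 64-bit value. */
    const int64_t samples[] = { 4294967295LL, 10000000000LL, INT64_MAX };
    char buf[OFFSET_BUF_32];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = format_offset(buf, sizeof buf, samples[i]);
        printf("offset %" PRId64 ": needs %zu bytes, buffer has %zu -> %s\n",
               samples[i], offset_bytes_needed(samples[i]), sizeof buf,
               rc == 0 ? buf : "rejected");
    }
    return 0;
}
```
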
Comment 3 Ken Sharp 2013-05-28 15:42:18 UTC
I can't reproduce this on my 32-bit Linux VM using either the 9.07 released code or the current HEAD, using either of the supplied test files.

My suspicion would be that this is memory corruption, in which case changing the source will radically alter the memory layout and may result in quite different effects. This would also explain why the 64-bit version does not crash. (A different version of Ghostscript would also have different memory layout of course)

I'll ask other people here to try and reproduce the crash, can the original reporter (or Till) try a vanilla 9.07 release of Ghostscript and see if that crashes please?
Comment 4 Chris Liddell (chrisl) 2013-05-28 16:35:36 UTC
Current master does not exhibit any problems, so it looks like this has been fixed.