Bug 695333 - tiffsep segfault within resolution range
Summary: tiffsep segfault within resolution range
Status: RESOLVED FIXED
Alias: None
Product: Ghostscript
Classification: Unclassified
Component: General (show other bugs)
Version: master
Hardware: PC Linux
: P2 major
Assignee: Ray Johnston
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-06-25 13:29 UTC by Jason Giglio
Modified: 2017-07-28 12:25 UTC (History)
1 user (show)

See Also:
Customer:
Word Size: ---

Attachments
333.pdf (166.50 KB, application/pdf)
2017-07-28 12:23 UTC, Ray Johnston 		Details
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Jason Giglio 2014-06-25 13:29:30 UTC 
Created attachment 11021 [details]
file that demonstrates the problem

We have a new resolution dependent segfault file.  This one renders below 113 dpi or above 184 but crashes at resolutions in that range.

gsc -dBATCH -dNOPAUSE -dUseCropBox -sDEVICE=tiffsep -sOutputFile=/tmp/output -r144 -f 13440059402.pdf

lseek(5, 311296, SEEK_SET)              = 311296
read(5, "\n3.15 5.117 l\n1.119 5.117 l\n1.11"..., 4096) = 4096
lseek(5, 1388544, SEEK_SET)             = 1388544
read(5, "0 0.0 1.0 0.0 1.0]>>stream\r\n{ 6 "..., 4096) = 4096
read(5, "1.0 0.0 1.0 0.0 1.0]/Decode[0.0 "..., 4096) = 4096
lseek(5, 311296, SEEK_SET)              = 311296
read(5, "\n3.15 5.117 l\n1.119 5.117 l\n1.11"..., 4096) = 4096
read(5, "6.93 -6.831 re\nf\nEMC\n/CREO_o868 "..., 4096) = 4096
read(5, ".262 6.931 -6.832 re\nf\nEMC\n/CREO"..., 4096) = 4096
read(5, " c\n-53.361 -2.674 -54.747 -2.971"..., 4096) = 4096
read(5, "-72.766 -25.245 c\n-73.459 -26.13"..., 4096) = 4096
read(5, "55.836 78.31 -55.242 c\n79.694 -5"..., 4096) = 4096
read(5, "4 144.837 -58.806 c\n146.223 -57."..., 4096) = 4096
read(5, "/Im2 Do\nEMC\n/Pattern cs\n/Pat14 s"..., 4096) = 4096
lseek(5, 1388544, SEEK_SET)             = 1388544
read(5, "0 0.0 1.0 0.0 1.0]>>stream\r\n{ 6 "..., 4096) = 4096
read(5, "1.0 0.0 1.0 0.0 1.0]/Decode[0.0 "..., 4096) = 4096
lseek(5, 335872, SEEK_SET)              = 335872
read(5, "4 144.837 -58.806 c\n146.223 -57."..., 4096) = 4096
write(3, "\337\4\6\n\0\0\0\0\0\0\0\20\377\377\340\0J\307\377F\350\0\f\220\0\31?\371g\375G\351"..., 132) = 132
write(3, "\337\1\2\1\20\0\0\0\0\0\0\337\1\2\0\337\1\3\7\20\0\0\0\0\0", 25) = 25
write(3, "\325 \6\1\3310\0\0\320\5\303\4\332\337\4\6\20\0\0\0\0\0\0\0M\377\377\336\17\237\272c"..., 4096) = 4096
write(3, " ?\367P\5!\347?\367H\2\314?\367P\5!\0+\207\3753\347\0\"\317\3754\0+\217\373"..., 4096) = 4096
write(3, "4\0+\207\376#\0+\217\376\232\347\0+\207\376#\0+\207\377\211\0004?\377\210\357\340\5\20p"..., 165) = 165
lseek(5, 14696448, SEEK_SET)            = 14696448
read(5, "@\207\334T/\242^\\\300\367?X\253\217\320;\217\267\\\375\210\357)\315;\347\373W\3277\335\353"..., 4096) = 4096
read(5, "\376\213\317a-0\310\363\220\35\34,\350@\226#?\314Q\364\16\6qP\317C\226\n\310\276\v\271"..., 4096) = 4096
read(5, "\353\350B\337\355\270\312~\216\16w\351\v\216\"ut\7:\206[\255\254\303\204e\373H\7\233]\307"..., 4096) = 4096
read(5, "g\214\232w\\\371\24\251y\245cf\324\235\16\323j\352\250:\362\321\274\247\324\252\306_\334\301\337\344"..., 4096) = 4096
read(5, "N\232\245\325\376\304\344\370hXN0\24\362\t\16Q^\202C\231\223\302\250\235\210\26\313Q+j\315"..., 4096) = 4096
lseek(5, 335872, SEEK_SET)              = 335872
read(5, "4 144.837 -58.806 c\n146.223 -57."..., 4096) = 4096
lseek(5, 1384448, SEEK_SET)             = 1384448
read(5, "\240\301\232.kx\3407\"\260\256\200Xg\301\271\264D\365?\247\320\233s\252\330\316\330L\325\200j"..., 4096) = 4096
lseek(5, 335872, SEEK_SET)              = 335872
read(5, "4 144.837 -58.806 c\n146.223 -57."..., 4096) = 4096
write(3, "\325 \6\1\3310\0\0\320\5\303\4\332\337\4\6\20\0\0\0\0\0\0\0M\377\377\336\17\237\272c"..., 2372) = 2372
write(3, "\337\1\2\1\177\0\0\0\0\0\0\337\1\3\7\20\1\0\0\0\0", 21) = 21
write(3, "\337\4\6\20\0\0\0\0\0\0\0M\377\377\336\17\237\272c{\321\206\0010\10\1\337\4\6\20\0\0"..., 12288) = 12288
lseek(5, 14696448, SEEK_SET)            = 14696448
read(5, "@\207\334T/\242^\\\300\367?X\253\217\320;\217\267\\\375\210\357)\315;\347\373W\3277\335\353"..., 4096) = 4096
brk(0x3409000)                          = 0x3409000
lseek(5, 1388544, SEEK_SET)             = 1388544
read(5, "0 0.0 1.0 0.0 1.0]>>stream\r\n{ 6 "..., 4096) = 4096
lseek(5, 14696448, SEEK_SET)            = 14696448
read(5, "@\207\334T/\242^\\\300\367?X\253\217\320;\217\267\\\375\210\357)\315;\347\373W\3277\335\353"..., 4096) = 4096
read(5, "\376\213\317a-0\310\363\220\35\34,\350@\226#?\314Q\364\16\6qP\317C\226\n\310\276\v\271"..., 4096) = 4096
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++
Segmentation fault
Comment 1 Jason Giglio 2014-06-25 13:32:58 UTC 
64-bit debian squeeze
Comment 2 Henry Stiles 2014-06-27 15:19:09 UTC 
The immediate cause of the crash is pdf14clistcmykspot does not have a copy_planes procedure.  The crash is in clip_copy_planes:

            return dev_proc(tdev, copy_planes)
                (tdev, data, sourcex, raster, id, x, y, w, h, plane_height);

It appears at other resolutions the code is not going through the clipping, in tile_fill_init:

   if (m_tile == 0) {          /* no clipping */
        ptfs->cdev = NULL;
        ptfs->pcdev = dev;
 
when the resolution is not within range.  Very odd.  Best for Ray to have a look at this one but he's on vacation so it might be a bit.  I'm going to make it P2, it is a crash and looks like a problem a customer could trip over.
Comment 3 Ray Johnston 2017-07-28 12:23:19 UTC 
Created attachment 14028 [details]
333.pdf

Much reduced file that still caused the problem (psdcmyk -r144)
Comment 4 Ray Johnston 2017-07-28 12:25:31 UTC 
Fixed with commit 8321323b7c31828d79c0aa1b5c0312f156a53192

Not just the tiffsep device named in the bug, but the psdcmyk device would
also fail if the clist was used.

Fix by adding a pdf14_clist_copy_planes proc that forwards to the underlying
clist device. NB: The pdf14 rendering device already had a copy_planes device
which is used in page mode or during clist playback.