Bug 690338

Summary: SIGSEGV in gs_interpret() when using CUPS Raster driver of Gutenprint
Product: Ghostscript Reporter: Till Kamppeter <till.kamppeter>
Component: CUPS driverAssignee: Alex Cherepanov <alex>
Status: RESOLVED FIXED    
Severity: major    
Priority: P4    
Version: 8.64   
Hardware: PC   
OS: Linux   
URL: https://bugs.launchpad.net/ubuntu/+source/ghostscript/+bug/333429
Customer: Word Size: ---
Attachments: pdf-testpage-a4.pdf
testpage-a4.ps

Description Till Kamppeter 2009-03-19 04:51:58 UTC 
See the Ubuntu bug report referred to in the URL field.

If Ghostscript is used with the CUPS Raster interface of the Gutenprint driver
(version 5.2.3), as segfault in gs_interpret() occurs.

See the Ubuntu bug report for Ghostscript command lines and stack traces.
Comment 1 Ralph Giles 2009-03-19 11:15:16 UTC 
I had a look at the original launchpad bug. I can't reproduce with trunk or
jaunty's binary (8.64.dfsg.1-0ubuntu2). Assuming it's one of the system test
pages, I tried:

cat /usr/share/cups/data/testprint.ps | debugobj/gs -dQUIET -dPARANOIDSAFER
-dNOPAUSE -dBATCH -sDEVICE=cups -sstdout=%stderr -sOutputFile=%stdout
-I/usr/share/cups/fonts -sMediaType=Plain -r720x360 -dDEVICEWIDTHPOINTS=595
-dDEVICEHEIGHTPOINTS=842 -dcupsBitsPerColor=8 -dcupsColorOrder=0
-dcupsColorSpace=1 -dcupsRowFeed=5 -scupsPageSizeName=A4 -c -f -_ | md5sum

cat /usr/share/system-config-printer/testpage-a4.ps | debugobj/gs -dQUIET
-dPARANOIDSAFER -dNOPAUSE -dBATCH -sDEVICE=cups -sstdout=%stderr
-sOutputFile=%stdout -I/usr/share/cups/fonts -sMediaType=Plain -r720x360
-dDEVICEWIDTHPOINTS=595 -dDEVICEHEIGHTPOINTS=842 -dcupsBitsPerColor=8
-dcupsColorOrder=0 -dcupsColorSpace=1 -dcupsRowFeed=5 -scupsPageSizeName=A4 -c
-f -_ | md5sum

cat /usr/share/system-config-printer/testpage-letter.ps | debugobj/gs -dQUIET
-dPARANOIDSAFER -dNOPAUSE -dBATCH -sDEVICE=cups -sstdout=%stderr
-sOutputFile=%stdout -I/usr/share/cups/fonts -sMediaType=Plain -r720x360
-dDEVICEWIDTHPOINTS=595 -dDEVICEHEIGHTPOINTS=842 -dcupsBitsPerColor=8
-dcupsColorOrder=0 -dcupsColorSpace=1 -dcupsRowFeed=5 -scupsPageSizeName=A4 -c
-f -_ | md5sum

and with /usr/bin/gs. Command line based on the launchpad report. No segfaults.
This is on x86_64 though.

We're not going to be able to do anything without a reproducible command-line
and file.
Comment 2 Till Kamppeter 2009-03-19 12:51:18 UTC 
I succeeded to reproduce the bug on 64-bit with the following command line:

cat /usr/share/system-config-printer/testpage-a4.ps |
/usr/lib/cups/filter/pstopdf 1 1 1 1 '' | gs -dPARANOIDSAFER -dNOPAUSE -dBATCH
-sDEVICE=cups -sstdout=%stderr -sOutputFile=%stdout -I/usr/share/cups/fonts
-sMediaType=Plain -r720x360 -dDEVICEWIDTHPOINTS=595 -dDEVICEHEIGHTPOINTS=842
-dcupsBitsPerColor=8 -dcupsColorOrder=0 -dcupsColorSpace=1 -dcupsRowFeed=5
-scupsPageSizeName=A4 -c -f -_ > output

I get a segfault and the file "output" stays empty.

See also the Ubuntu bug report mentioned above and in addition this bug report
containing the backtrace info produced by my command line:

https://bugs.launchpad.net/ubuntu/+source/ghostscript/+bug/345576
Comment 3 Till Kamppeter 2009-03-19 13:16:23 UTC 
Created attachment 4852 [details]
pdf-testpage-a4.pdf

PDF input file which causes the crash. Created by

cat /usr/share/system-config-printer/testpage-a4.ps |
/usr/lib/cups/filter/pstopdf 1 1 1 1 '' > pdf-testpage-a4.pdf

on Ubuntu Jaunty.

Using this file, the following Ghostscript command line causes the crash:

cat pdf-testpage-a4.pdf | gs -dPARANOIDSAFER -dNOPAUSE -dBATCH -sDEVICE=cups
-sstdout=%stderr -sOutputFile=%stdout -I/usr/share/cups/fonts -sMediaType=Plain
-r720x360 -dDEVICEWIDTHPOINTS=595 -dDEVICEHEIGHTPOINTS=842 -dcupsBitsPerColor=8
-dcupsColorOrder=0 -dcupsColorSpace=1 -dcupsRowFeed=5 -scupsPageSizeName=A4 -c
-f -_ > x
Comment 4 Till Kamppeter 2009-03-19 13:29:27 UTC 
Simpler command line which still segfaults. It contains only the color space
parameters for the "cups" device.

gs -sDEVICE=cups -sOutputFile=x -dcupsBitsPerColor=8 -dcupsColorOrder=0
-dcupsColorSpace=1 -dcupsRowFeed=5 pdf-testpage-a4.pdf
Comment 5 Ralph Giles 2009-03-19 14:01:32 UTC 
The following is sufficient to reproduce for me:

debugobj/gs -sDEVICE=cups -o /dev/null -dcupsColorSpace=1 pdf-testpage-a4.pdf

valgrind reports some unitialized value decisions in the garbage collector
before the final attempt to execute a null transform proc. Running with -dNOGC
the segfault still happens, but the gc report is replaced by several hundred
unitialized value warnings in errprintf called from cups_put_params.

Since the file runs ok with other devices, the cups parameter handling
clobbering memory seems a likely place to look.
Comment 6 Till Kamppeter 2009-03-20 12:09:13 UTC 
https://bugs.launchpad.net/bugs/343171 seems to be the same problem.
Comment 7 Till Kamppeter 2009-03-24 15:01:34 UTC 
Problem seems to be that there is no get_color_comp_index() function in
cups/gdevcups.c.
Comment 8 Till Kamppeter 2009-03-24 15:54:50 UTC 
Input data format (PDF or PostScript) does not matter.

gs -sDEVICE=cups -o /dev/null -dcupsColorSpace=1
/usr/share/system-config-printer/testpage-a4.ps

crashes as well.
Comment 9 Till Kamppeter 2009-03-24 15:58:31 UTC 
Created attachment 4864 [details]
testpage-a4.ps

Example PostScript file of the previous comment.
Comment 10 Till Kamppeter 2009-03-25 06:00:38 UTC 
Fixed in SVN repository, rev 9595.
Comment 11 Till Kamppeter 2010-04-25 21:54:10 UTC 
rev 9595 was only a bad workaround, leading to color corruption with other files. The real fix is rev 11120 in the SVN repository.