Bug 691586

Summary: Ghostscript segfaults when rendering a certain PDF file with the CUPS Raster device in Page Mode
Product: Ghostscript    Reporter: Till Kamppeter <till.kamppeter>
Component: PDF Interpreter    Assignee: Alex Cherepanov <alex>
Status: RESOLVED FIXED
Severity: major    CC: andyrtr, chris.liddell, christinedelight.top85, henry.stiles, jackie.rosen, michael.vrhel
Priority: P4
Version: master
Hardware: PC
OS: Linux
Customer:    Word Size: ---
Attachments: cv_libertine-evince.pdf
rx500.ppd
out.raster
log

Description Till Kamppeter 2010-09-02 09:37:54 UTC
The attached PDF file segfaults Ghostscript with the following command line:

cat ../testfiles/cv_libertine-evince.pdf | RIP_MAX_CACHE=256M PPD=rx500.ppd LD_PRELOAD=sobin/libgs.so.9.01 GS_LIB=Resource/Init:lib debugobj/gs -dNOPAUSE -dBATCH -sDEVICE=cups -r720x360 -dcupsBitsPerColor=8 -dcupsColorSpace=0 -_ > out.raster 2>log

Note that I did not install Ghostscript (but an installed GS 8.71 fails the same way). Also, both sobin/gsc (from "make so") and debugobj/gs (from "make debug") segfault. The segfault does not happen if "PPD=..." is not supplied, if "RIP_MAX_CACHE=..." is not supplied, or if a small cache is set, for example "RIP_MAX_CACHE=8M". It looks like the problem occurs in page mode (large cache) and not in banding mode (small cache). It also happens with all -dcupsColorSpace=X for X = 0, 1, 2, 3, so it seems independent of the color space, but it only happens with -dcupsBitsPerColor=8 and -dcupsBitsPerColor=16.

PDF file, PPD file, out.raster, and log are attached.

System is x86_64.

Here is also the gdb output:

till@till:~/ghostscript/gpl/gs-test$ gdb -c core debugobj/gs
GNU gdb (GDB) 7.1-ubuntu
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/till/ghostscript/gpl/gs-test/debugobj/gs...done.
Core was generated by `debugobj/gs -dQUIET -dPARANOIDSAFER -dNOPAUSE -dBATCH -sDEVICE=cups -sstdout=%s'.
Program terminated with signal 11, Segmentation fault.
#0  0x0000000000a3b028 in mapped8_copyN1 (
    dest=0x3e2 <Address 0x3e2 out of bounds>, line=0x2e690d8 "", 
    first_bit=128, sraster=16, draster=5960, w=120, h=56, b1=0 '\000')
    at ./base/gdevm8.c:126
126		*pptr = b1;
(gdb) bt
#0  0x0000000000a3b028 in mapped8_copyN1 (
    dest=0x3e2 <Address 0x3e2 out of bounds>, line=0x2e690d8 "", 
    first_bit=128, sraster=16, draster=5960, w=120, h=56, b1=0 '\000')
    at ./base/gdevm8.c:126
#1  0x0000000000a3aed7 in mem_mapped8_copy_mono (dev=0x7fe8ee03e068, 
    base=0x2e690d8 "", sourcex=0, sraster=16, id=0, x=995, y=463, w=120, h=57, 
    zero=18446744073709551615, one=0) at ./base/gdevm8.c:83
#2  0x00000000009c384d in gx_image_cached_char (penum=0x2c17698, cc=0x2e69070)
    at ./base/gxccache.c:409
#3  0x00000000009c9350 in show_update (penum=0x2c17698) at ./base/gxchar.c:839
#4  0x00000000009c9022 in continue_show_update (penum=0x2c17698)
    at ./base/gxchar.c:750
#5  0x00000000009c9008 in gx_show_text_process (pte=0x2c17698)
    at ./base/gxchar.c:739
#6  0x00000000009bef05 in gs_text_process (pte=0x2c17698)
    at ./base/gstext.c:546
#7  0x000000000054efac in op_show_continue (i_ctx_p=0x2955dc0)
    at ./psi/zchar.c:524
#8  0x000000000051b5bd in call_operator (op_proc=0x54ef5c <op_show_continue>, 
    i_ctx_p=0x2955dc0) at ./psi/interp.c:94
#9  0x000000000051dabf in interp (pi_ctx_p=0x2913298, pref=0x7fff4aaff330, 
    perror_object=0x7fff4aaff5a0) at ./psi/interp.c:1150
#10 0x000000000051bd23 in gs_call_interp (pi_ctx_p=0x2913298, 
    pref=0x7fff4aaff4a0, user_errors=1, pexit_code=0x7fff4aaff5bc, 
    perror_object=0x7fff4aaff5a0) at ./psi/interp.c:484
#11 0x000000000051bb35 in gs_interpret (pi_ctx_p=0x2913298, 
    pref=0x7fff4aaff4a0, user_errors=1, pexit_code=0x7fff4aaff5bc, 
    perror_object=0x7fff4aaff5a0) at ./psi/interp.c:442
#12 0x000000000050eabb in gs_main_interpret (minst=0x2913200, 
    pref=0x7fff4aaff4a0, user_errors=1, pexit_code=0x7fff4aaff5bc, 
    perror_object=0x7fff4aaff5a0) at ./psi/imain.c:240
#13 0x000000000050f75e in gs_main_run_string_end (minst=0x2913200, 
    user_errors=1, pexit_code=0x7fff4aaff5bc, perror_object=0x7fff4aaff5a0)
    at ./psi/imain.c:556
#14 0x000000000050f60c in gs_main_run_string_with_length (minst=0x2913200, 
    str=0xa53896 ".runstdin", length=9, user_errors=1, 
    pexit_code=0x7fff4aaff5bc, perror_object=0x7fff4aaff5a0)
    at ./psi/imain.c:514
#15 0x000000000050f571 in gs_main_run_string (minst=0x2913200, 
    str=0xa53896 ".runstdin", user_errors=1, pexit_code=0x7fff4aaff5bc, 
    perror_object=0x7fff4aaff5a0) at ./psi/imain.c:496
#16 0x00000000005129cb in run_string (minst=0x2913200, 
    str=0xa53896 ".runstdin", options=2) at ./psi/imainarg.c:814
#17 0x0000000000510fba in swproc (minst=0x2913200, arg=0x7fff4ab026ae "", 
    pal=0x7fff4aaffe60) at ./psi/imainarg.c:282
#18 0x0000000000510bc7 in gs_main_init_with_args (minst=0x2913200, argc=22, 
    argv=0x7fff4ab00968) at ./psi/imainarg.c:200
#19 0x000000000045da05 in main (argc=22, argv=0x7fff4ab00968) at ./psi/gs.c:96
(gdb) quit
till@till:~/ghostscript/gpl/gs-test$
Comment 1 Till Kamppeter 2010-09-02 09:40:45 UTC
Created attachment 6689 [details]
cv_libertine-evince.pdf

PDF file which causes the segfault.
Comment 2 Till Kamppeter 2010-09-02 09:42:00 UTC
Created attachment 6690 [details]
rx500.ppd

PPD file used when the segfault happened.
Comment 3 Till Kamppeter 2010-09-02 09:43:30 UTC
Created attachment 6691 [details]
out.raster

CUPS Raster output of the Ghostscript command line. Only a header gets written before the segfault happens.
Comment 4 Till Kamppeter 2010-09-02 09:44:51 UTC
Created attachment 6692 [details]
log

Debug logging output of the Ghostscript command line.
Comment 5 Till Kamppeter 2010-09-02 10:05:38 UTC
It works perfectly when not hardwiring the buffer size with RIP_MAX_CACHE, so it seems to be another problem of this cache-setting facility.
Comment 6 Till Kamppeter 2010-09-02 11:03:12 UTC
The problem seems to be in page mode. If I do not set RIP_MAX_CACHE but supply "-dMaxBitmap=16000000 -dBufferSpace=16000000" or lower, it works, and if I supply "-dMaxBitmap=32000000 -dBufferSpace=32000000" or higher, it fails. So banding mode seems to be OK and page mode seems to be broken.
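A small regression harness that replays the sweep described in this comment (added here; it is not part of the bug report or of Ghostscript). It renders the attached PDF with the cups device under several fixed MaxBitmap/BufferSpace values and labels each run as ok or segfault, so the threshold between banding and page mode, and the fix, can be checked automatically. The names GS, PDF, PPD and OUT are assumptions; the gs sweep only runs when gs and the PDF are present.

```shell
#!/bin/sh
# Regression harness added for bug 691586 (not the reporter's or Ghostscript's code).
# Assumed inputs: GS (ghostscript binary), PDF (attachment cv_libertine-evince.pdf),
# PPD (attachment rx500.ppd, read by gdevcups via the PPD environment variable).
GS=${GS:-gs}
PDF=${PDF:-cv_libertine-evince.pdf}
PPD=${PPD:-rx500.ppd}; export PPD
OUT=${OUT:-/dev/null}

# Map a shell exit status to a label. A child killed by a signal is reported
# as 128+signo by POSIX shells, so SIGSEGV (11) shows up as 139.
classify_status() {
    case "$1" in
        0)   echo ok ;;
        139) echo segfault ;;
        *)   echo "exit $1" ;;
    esac
}

# run_case LABEL CMD...: run CMD with its output discarded and print
# "LABEL: result". Written so it also works under "set -e".
run_case() {
    label=$1; shift
    ulimit -c 0 2>/dev/null        # do not leave core files behind
    "$@" >/dev/null 2>&1 && status=0 || status=$?
    echo "$label: $(classify_status "$status")"
}

# Render the PDF with the same two parameters the reporter varied to force
# banding mode (small values) or page mode (large values); $1 is the byte count.
gs_render() {
    "$GS" -dQUIET -dNOPAUSE -dBATCH -sDEVICE=cups -r720x360 \
        -dcupsBitsPerColor=8 -dcupsColorSpace=0 \
        -dMaxBitmap="$1" -dBufferSpace="$1" -sOutputFile="$OUT" "$PDF"
}

# Sweep across the values bracketing the threshold reported in comment 6.
if command -v "$GS" >/dev/null 2>&1 && [ -r "$PDF" ]; then
    for space in 8000000 16000000 32000000 64000000; do
        run_case "MaxBitmap=BufferSpace=$space" gs_render "$space"
    done
fi
```

On the unfixed build the 16000000 runs should print ok and the 32000000 and 64000000 runs segfault; after the fix every line should print ok.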
Comment 7 Till Kamppeter 2010-09-02 18:40:01 UTC
Original bug report from Ubuntu:

https://bugs.launchpad.net/bugs/628030
Comment 8 Till Kamppeter 2011-08-01 11:17:15 UTC
Ghostscript is (at least currently) not able to work with hard-limited space parameters. It crashes with a segmentation fault on many input files then. Leaving the setting of these parameters fully automatic, Ghostscript works just fine. As in most distributions (currently all except Debian, Ubuntu, and their derivatives) CUPS imposes a hard limit via the RIP_MAX_CACHE environment variable, the only way to assure reliable working of Ghostscript is to ignore the parameter, leaving the space parameters in automatic mode. For CUPS this should be no regression, as print queues with other Ghostscript drivers (like pxlcolor, ljet4, ...) worked without hard limits all the time and no one complained.

In Ghostscript 9.04 we will deactivate the cups_get_space_params() function in cups/gdevcups.c and will reactivate it as soon as a real fix gets into place.
Comment 9 Chris Liddell (chrisl) 2011-08-04 13:54:00 UTC
Fixed properly in master:
3e07ccf224b0811b017fd41d1fdb24310240294a

and gs904:
e173d22697b5489624783a805311337d053e53fe