The PDF document found here: https://bugzilla.redhat.com/show_bug.cgi?id=229174#c1 crashes ghostscript-8.62, and HEAD, like this:

GPL Ghostscript 8.62 (2008-02-29)
Copyright (C) 2008 Artifex Software, Inc. All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
Processing pages 1 through 1.
Page 1
**** Warning: stream operator not terminated by valid EOL.
**** Warning: stream operator not terminated by valid EOL.
**** Warning: File has insufficient data for an image.
Segmentation fault (core dumped)

I have tracked this down to a buffer underrun in src/scfd.c. A single bit of the obj_header_t structure for the ss->lbuf object gets inverted.
Created attachment 4143 [details]
gs-scfd.patch

This patch works around the problem and shows where the buffer underrun occurs. I have not discovered the real cause of the bug.
Assigning to Ralph as the current owner of filter issues.
Created attachment 4245 [details] 689917.pdf -- local copy of the sample file.
*** Bug 688075 has been marked as a duplicate of this bug. ***
I've applied the patch as a workaround for the 8.63 release. Thanks Tim. I suspect the problem is invalid data; libpoppler shows the image but there are some corrupt lines about halfway down the page. With the patch we just show a blank page. Attempting to resync and continue decoding would be better.
Alex, the change the cluster regression reports in 23-32.PS is on the second page. The limitcheck error from the test:

/f { (123) } 0 () /SubFileDecode filter def f token

prints a different pointer from the stack, --@0x497bf0-- instead of --@0x497bc0--. This affects the checksum as well. I don't see how this is related. What is the pointer value referring to?
The hex value represents an operator. Ken suggests this might be static data, since he's seen similar variations in his testing based on how the code is compiled. I'd still like to understand it though, both because it's an interpreter change in freeze and because it seems to be a common instability in the regression suite.
When an operator has no name gs prints its address. This address changes sometimes when C code is modified. We can fix this bug by giving a name to the operator. This bug is known from the beginning of CET testing.
Created attachment 4249 [details]
A patch for indeterminism in 23-32.ps

Give a name to a continuation operator that was printed by 23-32.ps test file as an address, which changed between builds. Reduce the number of false positives in regression testing.
The patch from comment #9 (for indeterminism in 23-32.ps) was committed as rev. 8927 on 2008-08-03.
Created attachment 4884 [details]
ghostscript-scfd.patch

I wonder if this is the real fix. At this point, rows_left is -1, yet we still carry on. The reason we were writing outside the buffer was that wpos was -1 when invert_data() was invoked. I can't help thinking the root cause is a missing or incomplete validity check somewhere, and perhaps this is it. Any ideas?
Created attachment 4886 [details]
ghostscript-scfd-invert_data.patch

Here is a different patch to make the invert_data macro more robust. The idea is that when qbit==0 we don't want to change any bits in the current byte; in fact q might be pointing to the byte immediately before the buffer. This patch advances q in that situation, and resets qbit to 8. Comparing with skip_data this seems to be what is needed to avoid accessing memory outside the buffer. This gives a mostly white page with the sample input file, but the diagnostic messages seem to indicate other problems with that file anyway so perhaps that is expected.
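An added illustration, not Ghostscript's own scfd.c code, of the failure mode the two patches above describe: a hypothetical bit-run writer whose position may start one byte before the output buffer. It advances when qbit == 0 before touching any byte and rejects runs that would leave the buffer, which is the check a fuzzed or truncated fax stream needs.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of the decoder state discussed above: `q` indexes the
 * byte being filled, `qbit` counts the still-unused bits in buf[q]
 * (8 = untouched, 0 = exhausted).  q == -1 with qbit == 0 models "q points
 * to the byte immediately before the buffer". */
typedef struct {
    uint8_t *buf;
    size_t len;   /* buffer size in bytes */
    long q;       /* index of byte being written; may be -1 initially */
    int qbit;     /* unused bits remaining in buf[q] */
} bitwriter;

/* Invert `rlen` bits starting at the current position.
 * Returns 0 on success, -1 if the run would leave [0, len). */
static int invert_run(bitwriter *w, int rlen)
{
    while (rlen > 0) {
        if (w->qbit == 0) {          /* byte exhausted: advance first */
            w->q++;
            w->qbit = 8;
        }
        if (w->q < 0 || (size_t)w->q >= w->len)
            return -1;               /* refuse to touch memory outside buf */
        int n = rlen < w->qbit ? rlen : w->qbit;
        /* n bits ending at position qbit, counted from the MSB */
        uint8_t mask = (uint8_t)(((1u << n) - 1) << (w->qbit - n));
        w->buf[w->q] ^= mask;
        w->qbit -= n;
        rlen -= n;
    }
    return 0;
}

/* Constructed scenario: 2-byte buffer, writer parked one byte before it. */
static int demo_first_run(void)
{
    uint8_t buf[2] = {0, 0};
    bitwriter w = { buf, sizeof buf, -1, 0 };
    if (invert_run(&w, 12) != 0) return -1;
    return (buf[0] << 8) | buf[1];   /* 0xFFF0 */
}

/* A second run of 5 bits would need 17 bits in a 16-bit buffer. */
static int demo_overrun(void)
{
    uint8_t buf[2] = {0, 0};
    bitwriter w = { buf, sizeof buf, -1, 0 };
    invert_run(&w, 12);
    return invert_run(&w, 5);        /* -1 */
}

int main(void)
{
    printf("first run: 0x%04X, overrun: %d\n", demo_first_run(), demo_overrun());
    return 0;
}
```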
Grabbing Ralph's bugs.
The file no longer causes a segfault; gs svn head shows half a page of text+graphics, acroread linux 9 shows none, and xpdf and evince show some visual artifacts around the point where gs stops, and some warning/error messages, but show a full page of text+graphics.
Re-assigning bugs which still have work to do.
Ghostscript no longer crashes on the sample file.