Bug 692634 - ghostscript 9.04 crashes on certain postscript files
Summary: ghostscript 9.04 crashes on certain postscript files
Status: RESOLVED FIXED
Alias: None
Product: Ghostscript
Classification: Unclassified
Component: Font API
Version: 9.04
Hardware: PC Linux
Importance: P4 major
Assignee: Chris Liddell (chrisl)
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-10-28 20:06 UTC by Orion Poplawski
Modified: 2011-10-29 15:55 UTC

See Also:
Customer:
Word Size: ---


Attachments
Postscript file that triggers crash - landscape produced by IDL (23.60 KB, application/postscript)
2011-10-28 20:06 UTC, Orion Poplawski

Description Orion Poplawski 2011-10-28 20:06:08 UTC
Created attachment 8048
Postscript file that triggers crash - landscape produced by IDL

This is on Fedora 15, 32 & 64 bit.  ghostscript 9.04 crashes on certain postscript files like the attached.  gs 9.02 works fine.

Version-Release number of selected component (if applicable):
9.04-3

How reproducible:
every time

Steps to Reproduce:
1. gs idl.ps

gdb run:

Can't find (or can't open) font file
/usr/share/ghostscript/9.04/Resource/Font/NimbusSanL-Regu.
Can't find (or can't open) font file NimbusSanL-Regu.
Can't find (or can't open) font file
/usr/share/ghostscript/9.04/Resource/Font/NimbusSanL-Regu.
Can't find (or can't open) font file NimbusSanL-Regu.
Querying operating system for font files...
Loading NimbusSanL-Regu font from
/usr/share/fonts/default/Type1/n019003l.pfb... 2599620 1284189 3455088 1629536
3 done.

Program received signal SIGSEGV, Segmentation fault.
FT_Outline_Decompose (outline=0x14, func_interface=0x6e3ff4, user=0xbfffc8ac)
    at freetype/src/base/ftoutln.c:82
82          for ( n = 0; n < outline->n_contours; n++ )
Missing separate debuginfos, use: debuginfo-install
avahi-libs-0.6.30-3.fc15.i686 glibc-2.14-5.i686 gnutls-2.10.5-1.fc15.i686
keyutils-libs-1.2-7.fc15.i686 libgcrypt-1.4.6-1.fc15.i686
libgpg-error-1.9-2.fc15.i686 libtasn1-2.7-2.fc15.i686
libuuid-2.19.1-1.4.fc15.i686 libxcb-1.7-2.fc15.i686
nss-softokn-freebl-3.12.10-4.fc15.i686
(gdb) bt
#0  FT_Outline_Decompose (outline=0x14, func_interface=0x6e3ff4,
user=0xbfffc8ac)
    at freetype/src/base/ftoutln.c:82
#1  0x0030648a in get_char_outline (a_server=0x8051900, a_path=0xbfffc8f0) at
psi/fapi_ft.c:1373
#2  0x003041d9 in outline_char (i_ctx_p=0x80758a8, I=0x8051900,
penum_s=0x820eed4, 
    path=0x8075ea0, close_path=1, import_shift_v=-24) at psi/zfapi.c:1636
#3  0x0030447b in fapi_finish_render_aux (i_ctx_p=0x80758a8, pbfont=0x8103908,
I=0x8051900)
    at psi/zfapi.c:1891
#4  0x00304f66 in fapi_finish_render (i_ctx_p=0x80758a8) at psi/zfapi.c:1983
#5  0x0030320b in FAPI_do_char (i_ctx_p=0x80758a8, pbfont=0x8103908,
dev=0x80a877c, 
    font_file_path=0x0, bBuildGlyph=0, charstring=0x0) at psi/zfapi.c:2766
#6  0x00303e0b in FAPI_char (i_ctx_p=0x80758a8, bBuildGlyph=0, charstring=0x0)
    at psi/zfapi.c:2790
#7  0x00222674 in interp (pi_ctx_p=0x804a22c, pref=<optimized out>,
perror_object=0xbfffdb64)
    at psi/interp.c:1276
#8  0x0022380f in gs_call_interp (perror_object=0xbfffdb64,
pexit_code=0xbfffdb6c, 
    user_errors=1, pref=0xbfffdab8, pi_ctx_p=0x804a22c) at psi/interp.c:490
#9  gs_interpret (pi_ctx_p=0x804a22c, pref=0xbfffdab8, user_errors=1,
pexit_code=0xbfffdb6c, 
    perror_object=0xbfffdb64) at psi/interp.c:448
#10 0x0021775e in gs_main_interpret (perror_object=0xbfffdb64,
pexit_code=0xbfffdb6c, 
    user_errors=1, pref=0xbfffdab8, minst=0x804a1d8) at psi/imain.c:239
#11 gs_main_run_string_end (minst=0x804a1d8, user_errors=1,
pexit_code=0xbfffdb6c, 
    perror_object=0xbfffdb64) at psi/imain.c:591
#12 0x00217818 in gs_main_run_string_with_length (minst=0x804a1d8, 
    str=0x8253828 "<69646c2e7073>.runfile", length=22, user_errors=1,
pexit_code=0xbfffdb6c, 
    perror_object=0xbfffdb64) at psi/imain.c:549
#13 0x0021786f in gs_main_run_string (minst=0x804a1d8, str=0x8253828
"<69646c2e7073>.runfile", 
    user_errors=1, pexit_code=0xbfffdb6c, perror_object=0xbfffdb64) at
psi/imain.c:531
#14 0x00218dc4 in run_string (minst=0x804a1d8, str=<optimized out>, options=3)
    at psi/imainarg.c:822
#15 0x00218f36 in runarg (minst=0x804a1d8, pre=<optimized out>, arg=0x8051a90
"idl.ps", 
    post=0x59ef1e ".runfile", options=3) at psi/imainarg.c:813
#16 0x00219186 in argproc (arg=0xbfffe8e9 "idl.ps", minst=0x804a1d8) at
psi/imainarg.c:746
#17 argproc (minst=0x804a1d8, arg=0xbfffe8e9 "idl.ps") at psi/imainarg.c:731
#18 0x0021a7e4 in gs_main_init_with_args (minst=0x804a1d8, argc=2,
argv=0xbfffe634)
    at psi/imainarg.c:221
#19 0x0021b89a in gsapi_init_with_args (lib=0x804a118, argc=2, argv=0xbfffe634)
    at psi/iapi.c:172
#20 0x08048715 in main (argc=2, argv=0xbfffe634) at psi/dxmainc.c:84
(gdb) print outline
$1 = (FT_Outline *) 0x14
(gdb) print *outline
Cannot access memory at address 0x14
(gdb) up
#1  0x0030648a in get_char_outline (a_server=0x8051900, a_path=0xbfffc8f0) at
psi/fapi_ft.c:1373
1373        ft_error = FT_Outline_Decompose(&s->outline_glyph->outline,
&TheFtOutlineFuncs, &p);
(gdb) print s->outline_glyph
$2 = (FT_OutlineGlyph) 0x0
(gdb) print s
$3 = (FF_server *) 0x8051900
(gdb) print *s
$4 = {fapi_server = {ig = {d = 0x6e3fe8}, frac_shift = 16, face = {font_id =
799, ctm = {
        xx = 0, xy = 1.60126217e-06, yx = 1.60126217e-06, yy = 0, tx = 434, ty
= 223}, 
      log2_scale = {x = 0, y = 0}, align_to_pixels = 0, HWResolution =
{96.0756531, 
        96.0756531}}, ff = {server_font_data = 0x0, need_decrypt = 0, memory =
0x0, 
      font_file_path = 0x0, subfont = 0, is_type1 = 0, is_cid = 0,
is_outline_font = 0, 
      is_mtx_skipped = 0, is_vertical = 0, client_ctx_p = 0x0, client_font_data
= 0x0, 
      client_font_data2 = 0x0, char_data = 0x809dd02, char_data_len = 3, 
      get_word = 0x2fd6c0 <FAPI_FF_get_word>, get_long = 0x305780
<FAPI_FF_get_long>, 
      get_float = 0x2fcff0 <FAPI_FF_get_float>, get_name = 0x2fe1b0
<FAPI_FF_get_name>, 
      get_proc = 0x2fd4f0 <FAPI_FF_get_proc>, get_gsubr = 0x2fdfe0
<FAPI_FF_get_gsubr>, 
      get_subr = 0x2fdf00 <FAPI_FF_get_subr>, get_raw_subr = 0x2fe0c0
<FAPI_FF_get_raw_subr>, 
      get_glyph = 0x2ff250 <FAPI_FF_get_glyph>, 
      serialize_tt_font = 0x305700 <FAPI_FF_serialize_tt_font>, 
      get_charstring = 0x2fe3c0 <FAPI_FF_get_charstring>, 
      get_charstring_name = 0x2fe2e0 <FAPI_FF_get_charstring_name>}, max_bitmap
= 0, 
    skip_glyph = 1, use_outline = 1, initial_FontMatrix = {xx = 0.00100000005,
xy = 0, yx = 0, 
      yy = 0.00100000005, tx = 0, ty = 0}, ensure_open = 0x307b20
<ensure_open>, 
    get_scaled_font = 0x306e70 <get_scaled_font>, get_decodingID = 0x305d70
<get_decodingID>, 
    get_font_bbox = 0x305d90 <get_font_bbox>, 
    get_font_proportional_feature = 0x305dc0 <get_font_proportional_feature>, 
    can_retrieve_char_by_name = 0x306d60 <can_retrieve_char_by_name>, 
    can_replace_metrics = 0x305dd0 <can_replace_metrics>, 
    get_fontmatrix = 0x305de0 <get_fontmatrix>, get_char_width = 0x306c40
<get_char_width>, 
    get_char_raster_metrics = 0x306bf0 <get_char_raster_metrics>, 
    get_char_raster = 0x305e10 <get_char_raster>, 
    get_char_outline_metrics = 0x306ba0 <get_char_outline_metrics>, 
    get_char_outline = 0x306420 <get_char_outline>, 
    release_char_data = 0x306360 <release_char_data>, 
    release_typeface = 0x3062b0 <release_typeface>, 
    check_cmap_for_GID = 0x306260 <check_cmap_for_GID>}, freetype_library =
0x81f5630, 
  outline_glyph = 0x0, bitmap_glyph = 0x0, mem = 0x804a038, ftmemory =
0x8187658}
(gdb) print a_server
$5 = (FAPI_server *) 0x8051900
(gdb) print *a_server
$6 = {ig = {d = 0x6e3fe8}, frac_shift = 16, face = {font_id = 799, ctm = {xx =
0, 
      xy = 1.60126217e-06, yx = 1.60126217e-06, yy = 0, tx = 434, ty = 223},
log2_scale = {
      x = 0, y = 0}, align_to_pixels = 0, HWResolution = {96.0756531,
96.0756531}}, ff = {
    server_font_data = 0x0, need_decrypt = 0, memory = 0x0, font_file_path =
0x0, subfont = 0, 
    is_type1 = 0, is_cid = 0, is_outline_font = 0, is_mtx_skipped = 0,
is_vertical = 0, 
    client_ctx_p = 0x0, client_font_data = 0x0, client_font_data2 = 0x0,
char_data = 0x809dd02, 
    char_data_len = 3, get_word = 0x2fd6c0 <FAPI_FF_get_word>, 
    get_long = 0x305780 <FAPI_FF_get_long>, get_float = 0x2fcff0
<FAPI_FF_get_float>, 
    get_name = 0x2fe1b0 <FAPI_FF_get_name>, get_proc = 0x2fd4f0
<FAPI_FF_get_proc>, 
    get_gsubr = 0x2fdfe0 <FAPI_FF_get_gsubr>, get_subr = 0x2fdf00
<FAPI_FF_get_subr>, 
    get_raw_subr = 0x2fe0c0 <FAPI_FF_get_raw_subr>, get_glyph = 0x2ff250
<FAPI_FF_get_glyph>, 
    serialize_tt_font = 0x305700 <FAPI_FF_serialize_tt_font>, 
    get_charstring = 0x2fe3c0 <FAPI_FF_get_charstring>, 
    get_charstring_name = 0x2fe2e0 <FAPI_FF_get_charstring_name>}, max_bitmap =
0, 
  skip_glyph = 1, use_outline = 1, initial_FontMatrix = {xx = 0.00100000005, xy
= 0, yx = 0, 
    yy = 0.00100000005, tx = 0, ty = 0}, ensure_open = 0x307b20 <ensure_open>, 
  get_scaled_font = 0x306e70 <get_scaled_font>, get_decodingID = 0x305d70
<get_decodingID>, 
  get_font_bbox = 0x305d90 <get_font_bbox>, 
  get_font_proportional_feature = 0x305dc0 <get_font_proportional_feature>, 
  can_retrieve_char_by_name = 0x306d60 <can_retrieve_char_by_name>, 
  can_replace_metrics = 0x305dd0 <can_replace_metrics>, 
  get_fontmatrix = 0x305de0 <get_fontmatrix>, get_char_width = 0x306c40
<get_char_width>, 
  get_char_raster_metrics = 0x306bf0 <get_char_raster_metrics>, 
  get_char_raster = 0x305e10 <get_char_raster>, 
  get_char_outline_metrics = 0x306ba0 <get_char_outline_metrics>, 
  get_char_outline = 0x306420 <get_char_outline>, 
  release_char_data = 0x306360 <release_char_data>, 
  release_typeface = 0x3062b0 <release_typeface>, 
  check_cmap_for_GID = 0x306260 <check_cmap_for_GID>}
(gdb) print *a_server->outline_glyph
There is no member named outline_glyph.

Note that with 9.02 this line is different:

Loading NimbusSanL-Regu font from
/usr/share/fonts/default/Type1/n019003l.pfb... 2607364 1268057 3436356 1626469
3 done.

And there is:
GPL Ghostscript 9.02: Warning: the Xfonts feature is deprecated and will be
removed in a future release.
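An added illustration of what the gdb session above shows; it is not code from the report, from Ghostscript or from the fix commit. With s->outline_glyph == 0x0, the expression &s->outline_glyph->outline at psi/fapi_ft.c:1373 evaluates to the offset of the outline member inside FT_OutlineGlyphRec, which is 20 (0x14) on the 32-bit build in the trace, so FT_Outline_Decompose faults on its first read of outline->n_contours; the hardened step below checks for a missing glyph before forming that pointer. The struct layouts, the FF_server fields, walk_contours, count_glyph_points and demo are stand-alone stand-ins modelled on the names in the trace, not FreeType's or Ghostscript's headers.

```c
#include <stddef.h>

/* Stand-ins for FreeType's FT_Outline / FT_GlyphRec / FT_OutlineGlyphRec (assumed layout,
 * not FreeType's headers); contours[n] is the index of contour n's last point. */
typedef long FT_Pos;
typedef struct { FT_Pos x, y; } FT_Vector;
typedef struct { short n_contours, n_points; FT_Vector *points; char *tags;
                 short *contours; int flags; } FT_Outline;
typedef struct { void *library; const void *clazz; int format; FT_Vector advance; } FT_GlyphRec;
typedef struct { FT_GlyphRec root; FT_Outline outline; } FT_OutlineGlyphRec, *FT_OutlineGlyph;
/* Only the FF_server fields visible in the "print *s" dump. */
typedef struct { FT_OutlineGlyph outline_glyph; int skip_glyph, use_outline; } FF_server;

/* The faulting address in the trace: with outline_glyph == NULL, &glyph->outline is just
 * this offset (20 == 0x14 on i686, 40 on x86_64 with the layout above). */
size_t null_glyph_outline_offset(void) { return offsetof(FT_OutlineGlyphRec, outline); }

/* Constructed stand-in for the loop at ftoutln.c:82; it dereferences `outline` at once. */
static int walk_contours(const FT_Outline *outline) {
    int first = 0, total = 0;
    for (short n = 0; n < outline->n_contours; n++) {
        int last = outline->contours[n];
        total += last - first + 1;
        first = last + 1;
    }
    return total;
}

/* Hardened version of the get_char_outline step: never form &outline_glyph->outline
 * before checking that a glyph was loaded. Returns -1 (an error) instead of segfaulting. */
int count_glyph_points(const FF_server *s, int *total_points) {
    if (s == NULL || s->outline_glyph == NULL)
        return -1;
    *total_points = walk_contours(&s->outline_glyph->outline);
    return 0;
}

/* Constructed sample glyph: two contours covering points 0..3 and 4..7. */
static short sample_contours[2] = { 3, 7 };
static FT_OutlineGlyphRec sample_glyph = {
    .outline = { .n_contours = 2, .n_points = 8, .contours = sample_contours } };

/* loaded == 0 reproduces the state in the dump: skip_glyph = 1, use_outline = 1, glyph NULL.
 * Returns 0 and the point count on success, -1 when the glyph is missing. */
int demo(int loaded, int *total_points) {
    FF_server s = { .outline_glyph = loaded ? &sample_glyph : NULL,
                    .skip_glyph = !loaded, .use_outline = 1 };
    return count_glyph_points(&s, total_points);
}
```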
Comment 1 Chris Liddell (chrisl) 2011-10-28 20:18:38 UTC
Ghostscript 9.04 renders the file just fine for me.

Are you using GS as we ship it, or are you using the Fedora package?
Comment 2 Orion Poplawski 2011-10-28 20:28:28 UTC
Fedora package, but it also segfaults for me with the gs binary from your site.  So perhaps an issue in one of the Fedora libraries?
Comment 3 Chris Liddell (chrisl) 2011-10-28 20:39:20 UTC
It could be library related, yes, although I'm struggling to see which of the libraries that the binary from our site would use could cause such a crash.

Would you be able to download the GS source, build and test it? You won't need to install it: do the default build, and you can run the executable from the ghostscript-9.04/bin directory.

I don't currently have a Fedora install - I use Ubuntu... but if it comes to it, I'll install it in a VM.
Comment 4 Orion Poplawski 2011-10-28 20:56:43 UTC
The binary from your site still uses a lot of system libraries:

$ ldd gs-904-linux_x86 
        linux-gate.so.1 =>  (0x00770000)
        libXt.so.6 => /usr/lib/libXt.so.6 (0x44d55000)
        libSM.so.6 => /usr/lib/libSM.so.6 (0x44c5f000)
        libICE.so.6 => /usr/lib/libICE.so.6 (0x4d24d000)
        libXext.so.6 => /usr/lib/libXext.so.6 (0x4d272000)
        libX11.so.6 => /usr/lib/libX11.so.6 (0x4cffd000)
        libdl.so.2 => /lib/libdl.so.2 (0x4cf4f000)
        libm.so.6 => /lib/libm.so.6 (0x4cf22000)
        libfontconfig.so.1 => /usr/lib/libfontconfig.so.1 (0x44d08000)
        libpthread.so.0 => /lib/libpthread.so.0 (0x4cf56000)
        libc.so.6 => /lib/libc.so.6 (0x4cd75000)
        libuuid.so.1 => /lib/libuuid.so.1 (0x44c57000)
        libxcb.so.1 => /usr/lib/libxcb.so.1 (0x4cfd8000)
        libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x4cf73000)
        /lib/ld-linux.so.2 (0x4cd50000)
        libfreetype.so.6 => /usr/lib/libfreetype.so.6 (0x44c69000)
        libexpat.so.1 => /lib/libexpat.so.1 (0x4d3d5000)
        libXau.so.6 => /usr/lib/libXau.so.6 (0x4cff8000)

Same result with binary from local compile:

[orion@orca ghostscript-9.04]$ bin/gs ~/idl.ps
GPL Ghostscript 9.04 (2011-08-05)
Copyright (C) 2011 Artifex Software, Inc.  All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
Loading NimbusSanL-Regu font from %rom%Resource/Font/NimbusSanL-Regu... 2579524 1241105 2886692 1589409 3 done.
Segmentation fault (core dumped)
Comment 5 Chris Liddell (chrisl) 2011-10-28 21:09:08 UTC
It's pretty impractical to build a static linked binary these days, so we do end up risking ABI changes.

But, for example, the library that seems most likely to be problematic would be Freetype, but the binary from our site is linked to the Freetype *we* ship with our source.

I'm getting Fedora 15 now, but I may not have time to investigate until Monday.
Comment 6 Orion Poplawski 2011-10-28 21:14:42 UTC
/usr/lib/freetype shows up in the ldd list for the ghostscript-supplied binary, so it seems it is using the system freetype.

Thanks for looking at it.  I've been working around it by downgrading to 9.02 so not critical.
Comment 7 Orion Poplawski 2011-10-28 21:20:28 UTC
If I build with --disable-freetype it displays fine, so definitely a freetype issue.
Comment 8 Chris Liddell (chrisl) 2011-10-28 23:06:34 UTC
Okay, I can see the problem, and I think I have a fix. I'm confused by a couple of things: a) I didn't think the two circumstances that are occurring here could happen together (hence the code not covering this), and b) why I don't see the issue on Ubuntu.

I *do* need to test this fix properly before I commit/publish it - but it's late, and I'm too tired to do it right now. I should have a better idea in the next day or so.
Comment 9 Chris Liddell (chrisl) 2011-10-29 15:55:10 UTC
Fixed in:

http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d8089a