Bug 698615 - Another PDF file that causes pdfwrite crash (segmentation fault)
Status: RESOLVED FIXED
Alias: None
Product: Ghostscript
Classification: Unclassified
Component: PDF Writer
Version: 9.21
Hardware: PC Linux
Importance: P1 normal
Assignee: Ray Johnston
Reported: 2017-10-02 05:55 UTC by andreptb
Modified: 2017-10-03 07:38 UTC


Attachments
Zip containing the PDF document that produces the segfault, the core dump data and gs log output (6.10 MB, application/zip)
2017-10-02 05:55 UTC, andreptb

Description andreptb 2017-10-02 05:55:43 UTC
Created attachment 14355
Zip containing the PDF document that produces the segfault, the core dump data and gs log output

I'm trying to rewrite a PDF applying a few pdfwrite tweaks such as image/font compression, annotations removal and so on. Already used this technique with hundreds of millions of documents without a failure that I couldn't work around. This is the first one I got with "segmentation fault", so I'm reporting as a bug.

Though I tried running the command with multiple pdfwrite parameters, all produce the same result (segmentation fault). Below are the binary used, the command and the segfault data.

Also, I would like to thank you guys for the great work on this project!

Binary used:

https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs921/ghostscript-9.21-linux-x86_64.tgz

Command:

gs -dSAFER -dNOPAUSE -sDEVICE=pdfwrite -sOutputFile=output.pdf -f document.pdf

Coredump info:

PID: 8379 (gs)
UID: 1000 (andre)
GID: 1000 (andre)
Signal: 11 (SEGV)
Timestamp: Mon 2017-10-02 09:42:26 -03 (6min ago)
Command Line: gs -dDEBUG -dSAFER -dNOPAUSE -sDEVICE=pdfwrite -sOutputFile=output.pdf -f DocSigFault9Pages.pdf
Executable: /usr/bin/gsc
Control Group: /user.slice/user-1000.slice/session-c1.scope
Unit: session-c1.scope
Slice: user-1000.slice
Session: c1
Owner UID: 1000 (andre)
Boot ID: 17d2de35c6884957801d985b5c583b9c
Machine ID: bd0f83a5be9a4b278aef7d3a142ded0c
Hostname: soft021-021
Storage: /var/lib/systemd/coredump/core.gs.1000.17d2de35c6884957801d985b5c583b9c.8379.1506948146000000.lz4
Message: Process 8379 (gs) of user 1000 dumped core.

Stack trace of thread 8379:
#0 0x00007fcdf403aa8e n/a (libgs.so.9)
#1 0x00007fcdf403ebf7 n/a (libgs.so.9)
#2 0x00007fcdf403abc7 n/a (libgs.so.9)
#3 0x00007fcdf403c02b gs_gc_reclaim (libgs.so.9)
#4 0x00007fcdf4066b14 n/a (libgs.so.9)
#5 0x00007fcdf400a359 n/a (libgs.so.9)
#6 0x00007fcdf4005ff7 interp_reclaim (libgs.so.9)
#7 0x00007fcdf400737e n/a (libgs.so.9)
#8 0x00007fcdf4007f35 gs_interpret (libgs.so.9)
#9 0x00007fcdf3ffbaaa gs_main_run_string_end (libgs.so.9)
#10 0x00007fcdf3ffd56a n/a (libgs.so.9)
#11 0x00007fcdf3ffd6e4 n/a (libgs.so.9)
#12 0x00007fcdf3fff4b8 gs_main_init_with_args (libgs.so.9)
#13 0x000055af622d69f4 n/a (gsc)
#14 0x00007fcdf3868f6a __libc_start_main (libc.so.6)
#15 0x000055af622d6a8a n/a (gsc)
Comment 1 Ken Sharp 2017-10-02 06:22:59 UTC
This appears to be some kind of memory corruption error. It doesn't exhibit on 32-bit builds, and if I run the 64-bit build in a debugger the problem doesn't exhibit either. If I run just the final page (where the error occurs for me) then the problem doesn't exhibit; in fact, if I run anything except all 9 pages the problem doesn't exhibit.

This may take some time to resolve.
Comment 2 Ray Johnston 2017-10-02 09:56:48 UTC
On Windows, with a debug build, using the command line:
  debugbin/gswin64c -sDEVICE=pdfwrite -o x.pdf Bug698615.pdf
I see normal output:
GPL Ghostscript GIT PRERELEASE 9.23 (2017-09-12)
Copyright (C) 2017 Artifex Software, Inc.  All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
Processing pages 1 through 9.
Page 1
Loading NimbusSans-Regular font from %rom%Resource/Font/NimbusSans-Regular... 7262384 5933683 2928548 1514088 3 done.
Page 2
Page 3
Page 4
Page 5
Page 6
Page 7
Page 8
Page 9
GPL Ghostscript GIT PRERELEASE 9.23: c:\artifex\cgit\ghostpdl\psi\ilocate.c(377): Clump parsing error, 0x47099ad8 != 0x470923a0
GPL Ghostscript GIT PRERELEASE 9.23: c:\artifex\cgit\ghostpdl\psi\igc.c(622): Clump parsing error, 0x47099ad8 != 0x470923a0
GPL Ghostscript GIT PRERELEASE 9.23: c:\artifex\cgit\ghostpdl\psi\igc.c(1208): Clump parsing error, 0x47099ad8 != 0x470923a0
GPL Ghostscript GIT PRERELEASE 9.23: c:\artifex\cgit\ghostpdl\psi\igc.c(1251): Clump parsing error, 0x47099ad8 != 0x470923a0
GPL Ghostscript GIT PRERELEASE 9.23: c:\artifex\cgit\ghostpdl\psi\igc.c(1353): Clump parsing error, 0x47099ad8 != 0x470923a0

Running with:
   debugbin/gswin64c -Z@\$\? -sDEVICE=pdfwrite -o x.pdf Bug698615.pdf
I get:
GPL Ghostscript GIT PRERELEASE 9.23 (2017-09-12)
Copyright (C) 2017 Artifex Software, Inc.  All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
Processing pages 1 through 9.
Page 1
Loading NimbusSans-Regular font from %rom%Resource/Font/NimbusSans-Regular... 7262384 5933683 2928548 1514112 3 done.
Page 2
Page 3
Page 4
Page 5
Page 6
GPL Ghostscript GIT PRERELEASE 9.23: c:\artifex\cgit\ghostpdl\psi\ilocate.c(607): Bad object 0x9069a048(2711724449),
 ssize = 352, in clump 0x903fca80!
while validating clump 0x903fca80 (0x90698de0..0x9069a1a8, 0x9069a707..0x9069ae60..0x9069b4ac)
GPL Ghostscript GIT PRERELEASE 9.23: c:\artifex\cgit\ghostpdl\psi\ilocate.c(258): while validating memory 0x8e7172d8, space 8, level 0

I'll take a look at it while kens is concentrating on a different issue, then
if it looks like it is in the guts of pdfwrite, I'll send it back to ken.
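Added example (not part of the bug thread or the Ghostscript source): a small Python triage script for output like the two runs quoted in Comment 2. It records the last page announced before the first memory diagnostic and groups identical messages by the source site that reported them; the name `triage` and the shortened sample excerpts are this example's own.

```python
import re

# Diagnostic lines look like: "GPL Ghostscript <version>: <source>(<line>): <message>"
DIAG = re.compile(r"^GPL Ghostscript [^:]*: (?P<src>.+?)\((?P<line>\d+)\): (?P<msg>.*)$")
PAGE = re.compile(r"^Page (\d+)$")

# Excerpts of the two runs quoted in Comment 2 (shortened for the example).
PLAIN_RUN = r"""Page 8
Page 9
GPL Ghostscript GIT PRERELEASE 9.23: c:\artifex\cgit\ghostpdl\psi\ilocate.c(377): Clump parsing error, 0x47099ad8 != 0x470923a0
GPL Ghostscript GIT PRERELEASE 9.23: c:\artifex\cgit\ghostpdl\psi\igc.c(622): Clump parsing error, 0x47099ad8 != 0x470923a0
GPL Ghostscript GIT PRERELEASE 9.23: c:\artifex\cgit\ghostpdl\psi\igc.c(1208): Clump parsing error, 0x47099ad8 != 0x470923a0
"""
VALIDATING_RUN = r"""Page 5
Page 6
GPL Ghostscript GIT PRERELEASE 9.23: c:\artifex\cgit\ghostpdl\psi\ilocate.c(607): Bad object 0x9069a048(2711724449),
 ssize = 352, in clump 0x903fca80!
GPL Ghostscript GIT PRERELEASE 9.23: c:\artifex\cgit\ghostpdl\psi\ilocate.c(258): while validating memory 0x8e7172d8, space 8, level 0
"""


def triage(output):
    """Return (page, findings): the last page announced before the first
    diagnostic, and each distinct message mapped to its reporting sites."""
    page, first_bad, findings = None, None, {}
    for raw in output.splitlines():
        line = raw.strip()
        m = PAGE.match(line)
        if m:
            page = int(m.group(1))
            continue
        m = DIAG.match(line)
        if not m:
            continue  # banner, font loading, or a wrapped continuation line
        if not findings:
            first_bad = page  # first diagnostic seen in this run
        # Keep only the file name; build paths may use either separator.
        site = "%s:%s" % (re.split(r"[\\/]", m.group("src"))[-1], m.group("line"))
        findings.setdefault(m.group("msg"), []).append(site)
    return first_bad, findings


if __name__ == "__main__":
    for name, run in (("plain", PLAIN_RUN), ("validating", VALIDATING_RUN)):
        page, findings = triage(run)
        print(name, "-> first diagnostic while on page", page)
        for msg, sites in findings.items():
            print("   ", msg, "@", ", ".join(sites))
```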
Comment 3 Ray Johnston 2017-10-02 10:02:56 UTC
P1 as a segfault. Note that a release build on Windows also segfaults.
Comment 4 Chris Liddell (chrisl) 2017-10-03 03:33:52 UTC
This fixes a memory corruption issue with this file on Linux; it may be the source of the root problem:

http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=71e8599455
Comment 5 Ray Johnston 2017-10-03 07:38:01 UTC
Fixed by Chris' commit 71e8599455a7befc7a14f6cd1353c9231fb93d48