Bug 700313 - Segfault with -sDEVICE=pngalpha since cbdc5405
Summary: Segfault with -sDEVICE=pngalpha since cbdc5405
Status: RESOLVED DUPLICATE of bug 700315
Alias: None
Product: Ghostscript
Classification: Unclassified
Component: Regression (show other bugs)
Version: master
Hardware: PC All
: P4 normal
Assignee: Default assignee
QA Contact: Bug traffic
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-12-03 15:45 UTC by Patric Mueller
Modified: 2018-12-04 21:10 UTC (History)
1 user (show)

See Also:
Customer:
Word Size: ---


Attachments
Example PDF producing the segmentation fault (64.28 KB, application/pdf)
2018-12-03 15:45 UTC, Patric Mueller
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Patric Mueller 2018-12-03 15:45:46 UTC
Created attachment 16468 [details]
Example PDF producing the segmentation fault

I have a reproducible segmentation fault that showed up after upgrading from 9.25 to 9.26.

The attached pdf crashes both on OSX and a Linux Ubuntu installation when called with
 gs -dBATCH -dNOPAUSE -dNOPROMPT '-sDEVICE=pngalpha' -dFirstPage=1 -dLastPage=1 -sOutputFile=output.png crash.pdf

I've generated this pdf with ImageMagick 6.9.9-40 Q16 with the following command line calls:
 convert -size 100x100 canvas:khaki tmp.pdf
 convert tmp.pdf crash.pdf

Note that tmp.pdf doesn't crash, only the converted crash.pdf.

Git bisecting took me to cbdc54055b7db024951daf3dcb3cafe0af458e47 as the commit that caused this bug.
Comment 1 Ken Sharp 2018-12-04 00:45:48 UTC

*** This bug has been marked as a duplicate of bug 699815 ***
Comment 2 Patric Mueller 2018-12-04 08:13:02 UTC
I don't think this is a duplicate of 699815. I get this crash on master on commit 86ed59a3b47bc4b57fbd9c76681558c300d1471b.

The backtrace of the crash is this:

Core was generated by `./bin/gs -dBATCH -dNOPAUSE -dNOPROMPT -sDEVICE=pngalpha -dFirstPage=1 -dLastPag'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00000000008dee24 in pngalpha_put_image (pdev=0x29909a8, mdev=0x26a5548, buffers=0x7fffa0f59b50, num_chan=3, xstart=0, ystart=0, width=100, height=100, row_stride=100,
    alpha_plane_index=3, tag_plane_index=0) at ./devices/gdevpng.c:904
904	            buffer_prn[des_position++] =  buffers[0][src_position];
(gdb) bt
#0  0x00000000008dee24 in pngalpha_put_image (pdev=0x29909a8, mdev=0x26a5548, buffers=0x7fffa0f59b50, num_chan=3, xstart=0, ystart=0, width=100, height=100, row_stride=100,
    alpha_plane_index=3, tag_plane_index=0) at ./devices/gdevpng.c:904
#1  0x00000000006977b2 in default_subclass_put_image (dev=0x26a5548, mdev=0x26a5548, buffers=0x7fffa0f59b50, num_chan=3, x=0, y=0, width=100, height=100, row_stride=100,
    alpha_plane_index=3, tag_plane_index=0) at ./base/gdevsclass.c:800
#2  0x00000000006895f0 in flp_put_image (dev=0x26a5548, mdev=0x26a5548, buffers=0x7fffa0f59b50, num_chan=3, x=0, y=0, width=100, height=100, row_stride=100, alpha_plane_index=3,
    tag_plane_index=0) at ./base/gdevflp.c:1145
#3  0x00000000005583e6 in pdf14_put_image (dev=0x2664aa8, pgs=0x7fffa0f5a1c0, target=0x26a5548) at ./base/gdevp14.c:1948
#4  0x000000000055cfc0 in gx_update_pdf14_compositor (pdev=0x2664aa8, pgs=0x2643168, pdf14pct=0x293ead8, mem=0x2610af8) at ./base/gdevp14.c:3736
#5  0x000000000055d343 in pdf14_create_compositor (dev=0x2664aa8, pcdev=0x7fffa0f5aa78, pct=0x293ead8, pgs=0x2643168, mem=0x2610af8, cdev=0x0) at ./base/gdevp14.c:3840
#6  0x000000000056563c in send_pdf14trans (pgs=0x2643168, dev=0x2664aa8, pcdev=0x7fffa0f5aa78, pparams=0x7fffa0f5aab0, mem=0x2610af8) at ./base/gdevp14.c:6597
#7  0x00000000005471a5 in gs_gstate_update_pdf14trans (pgs=0x2643168, pparams=0x7fffa0f5aab0) at ./base/gstrans.c:168
#8  0x00000000005485be in gs_pop_pdf14trans_device (pgs=0x2643168, is_pattern=0) at ./base/gstrans.c:807
#9  0x0000000000b43dcd in zpoppdf14devicefilter (i_ctx_p=0x265f590) at ./psi/ztrans.c:539
#10 0x0000000000ac7b17 in interp (pi_ctx_p=0x2610760, pref=0x7fffa0f5b700, perror_object=0x7fffa0f5ba50) at ./psi/interp.c:1256
#11 0x0000000000ac5c1f in gs_call_interp (pi_ctx_p=0x2610760, pref=0x7fffa0f5b960, user_errors=1, pexit_code=0x7fffa0f5ba48, perror_object=0x7fffa0f5ba50) at ./psi/interp.c:516
#12 0x0000000000ac59f4 in gs_interpret (pi_ctx_p=0x2610760, pref=0x7fffa0f5b960, user_errors=1, pexit_code=0x7fffa0f5ba48, perror_object=0x7fffa0f5ba50) at ./psi/interp.c:473
#13 0x0000000000ab77b4 in gs_main_interpret (minst=0x26106c0, pref=0x7fffa0f5b960, user_errors=1, pexit_code=0x7fffa0f5ba48, perror_object=0x7fffa0f5ba50) at ./psi/imain.c:235
#14 0x0000000000ab8940 in gs_main_run_string_end (minst=0x26106c0, user_errors=1, pexit_code=0x7fffa0f5ba48, perror_object=0x7fffa0f5ba50) at ./psi/imain.c:658
#15 0x0000000000ab87a5 in gs_main_run_string_with_length (minst=0x26106c0, str=0x272c660 "<2e2f63726173682e706466>.runfile", length=32, user_errors=1, pexit_code=0x7fffa0f5ba48,
    perror_object=0x7fffa0f5ba50) at ./psi/imain.c:610
#16 0x0000000000ab8717 in gs_main_run_string (minst=0x26106c0, str=0x272c660 "<2e2f63726173682e706466>.runfile", user_errors=1, pexit_code=0x7fffa0f5ba48, perror_object=0x7fffa0f5ba50)
    at ./psi/imain.c:591
#17 0x0000000000abc93c in run_string (minst=0x26106c0, str=0x272c660 "<2e2f63726173682e706466>.runfile", options=3) at ./psi/imainarg.c:1034
#18 0x0000000000abc8aa in runarg (minst=0x26106c0, pre=0x187c583 "", arg=0x7fffa0f5bbb8 "./crash.pdf", post=0x187c73d ".runfile", options=3) at ./psi/imainarg.c:1024
#19 0x0000000000abc539 in argproc (minst=0x26106c0, arg=0x7fffa0f5bbb8 "./crash.pdf") at ./psi/imainarg.c:957
#20 0x0000000000aba41f in gs_main_init_with_args (minst=0x26106c0, argc=9, argv=0x7fffa0f5c6a8) at ./psi/imainarg.c:233
#21 0x0000000000466c9e in main (argc=9, argv=0x7fffa0f5c6a8) at ./psi/gs.c:95
Comment 3 anis.moubarik 2018-12-04 09:45:37 UTC
I reproduced this bug with version 9.26 on macOS 10.12.6 and Ubuntu 16.04.5 LTS.
jpeg device works fine, so my workaround for this is just to not use pngalpha device. If you're using ImageMagick, you can change the device in delegates.xml ps:alpha section.
Comment 4 Ken Sharp 2018-12-04 21:10:10 UTC
(In reply to Patric Mueller from comment #2)
> I don't think this is a duplicate of 699815. I get this crash on master on
> commit 86ed59a3b47bc4b57fbd9c76681558c300d1471b.

Sorry, wrong number, should have been 700315

*** This bug has been marked as a duplicate of bug 700315 ***