#582846 ghostscript: example CJK postscript files cause segfault when gs quit

Package:
ghostscript
Source:
ghostscript
Description:
interpreter for the PostScript language and for PDF
Submitter:
Date:
2024-02-25 03:09:03 UTC
Severity:
normal
Tags:
#582846#5
Date:
2010-05-24 03:25:09 UTC
From:
To:
When quitting ghostscript after processing some of the example CJK PostScript files,
it segfaults.

/usr/share/doc/ghostscript/examples/cjk:

all_ac1.ps.gz
all_ag1.ps.gz
all_aj1.ps.gz
all_aj2.ps.gz
all_ak1.ps.gz
article9.ps
gscjk_ac.ps
gscjk_ag.ps
gscjk_aj.ps
gscjk_ak.ps
iso2022.ps.gz
iso2022v.ps.gz

iso2022.ps.gz and iso2022v.ps.gz make gs segfault on quit.
The others are OK.

% zcat /usr/share/doc/ghostscript/examples/cjk/iso2022.ps.gz > iso2022.ps
% gs iso2022.ps
GPL Ghostscript 8.71 (2010-02-10)
Copyright (C) 2010 Artifex Software, Inc.  All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
------------------------------------------------------------------------
This is a script to test CJK fonts such as CID-keyed fonts.
If you have not done CID-keyed fonts installation and definitions at
/Resource/CMap and CIDFnmap or /Resource/CIDFont of ghostscript, then
this script can't work correctly.
For details, please see README at http://www.gyve.org/gs-cjk/supplement.

If you throw this script into a printer, it requires PostScript 3
printer and CID-keyed fonts specified in this script.
------------------------------------------------------------------------
Loading NimbusMonL-Regu font from /usr/share/fonts/type1/gsfonts/n022003l.pfb... 3909104 2177679 6773592 5444181 1 done.
Loading NimbusMonL-Bold font from /usr/share/fonts/type1/gsfonts/n022004l.pfb... 3952096 2314304 6773592 5460478 1 done.
Loading a TT font from /usr/share/fonts/truetype/ttf-japanese-mincho.ttf to emulate a CID font Japanese-Mincho-Regular ... Done.
Loading a TT font from /usr/share/fonts/truetype/arphic/uming.ttc to emulate a CID font BousungEG-Light-GB ... Done.
Loading a TT font from /usr/share/fonts/truetype/unfonts/UnBatang.ttf to emulate a CID font UnBatang-Regular ... Done.
Can't find (or can't open) font file /usr/share/ghostscript/8.71/Resource/Font/HeiseiMin-W3H-Hojo-H.
Can't find (or can't open) font file HeiseiMin-W3H-Hojo-H.
Querying operating system for font files...
Can't find (or can't open) font file /usr/share/ghostscript/8.71/Resource/Font/HeiseiMin-W3H-Hojo-H.
Can't find (or can't open) font file HeiseiMin-W3H-Hojo-H.
Didn't find this font on the system!
Substituting font Courier for HeiseiMin-W3H-Hojo-H.
Loading a TT font from /usr/share/fonts/truetype/arphic/uming.ttc to emulate a CID font ShanHeiSun-Light ... Done.
Loading a TT font from /usr/share/fonts/truetype/ttf-japanese-gothic.ttf to emulate a CID font Japanese-Gothic-Regular ... Done.
Loading a TT font from /usr/share/fonts/truetype/unfonts/UnDotum.ttf to emulate a CID font UnDotum-Regular ... Done.
Can't find (or can't open) font file /usr/share/ghostscript/8.71/Resource/Font/HeiseiKakuGo-W5H-Hojo-H.
Can't find (or can't open) font file HeiseiKakuGo-W5H-Hojo-H.
Didn't find this font on the system!
Substituting font Courier for HeiseiKakuGo-W5H-Hojo-H.
Loading a TT font from /usr/share/fonts/truetype/arphic/ukai.ttc to emulate a CID font ZenKai-Medium ... Done.
Loading NimbusSanL-Regu font from /usr/share/fonts/type1/gsfonts/n019003l.pfb... 18364328 16950211 7472224 5505865 1 done.
Loading NimbusSanL-Bold font from /usr/share/fonts/type1/gsfonts/n019004l.pfb... 18486056 17067725 8252544 6524718 1 done.

GS>quit
zsh: segmentation fault (core dumped)  gs iso2022.ps
%

I wanted to get a backtrace, so I ran the unstripped binary.

% LD_LIBRARY_PATH=./ghostscript-8.71\~dfsg2/sobin ./ghostscript-8.71\~dfsg2/bin/gs iso2022.ps
	:
zsh: segmentation fault (core dumped)  LD_LIBRARY_PATH=./ghostscript-8.71\~dfsg2/sobin  iso2022.ps
%

% gdb ./ghostscript-8.71\~dfsg2/bin/gs core
	:
Core was generated by `./ghostscript-8.71~dfsg2/bin/gs iso2022.ps'.
Program terminated with signal 11, Segmentation fault.
#0  0x00000000007064ed in i_free_object (mem=0x2a0c848, ptr=0x3132488,
    cname=0x7a04c0 "subst_CID_on_WMode_finalize") at ./base/gsalloc.c:787

warning: Source file is more recent than executable.
787             gs_alloc_fill(ptr, gs_alloc_fill_free, size);
(gdb) bt
#0  0x00000000007064ed in i_free_object (mem=0x2a0c848, ptr=0x3132488,
    cname=0x7a04c0 "subst_CID_on_WMode_finalize") at ./base/gsalloc.c:787
#1  0x000000000049f5e9 in subst_CID_on_WMode_finalize (data=0x3132470)
    at ./base/gsfcid.c:112
#2  0x00000000007064f0 in i_free_object (mem=0x2a0c848, ptr=0x3132470,
    cname=0x79c965 "release_subst_CID_on_WMode") at ./base/gsalloc.c:787
#3  0x0000000000463cf7 in release_subst_CID_on_WMode (data=0x30e9570,
    event=<value optimized out>) at ./psi/zfcid1.c:294
#4  0x000000000072c048 in gs_notify_all (nlist=<value optimized out>,
    event_data=0x0) at ./base/gsnotify.c:103
#5  0x00000000007199f2 in gs_font_finalize (vptr=<value optimized out>)
    at ./base/gsfont.c:165
#6  0x0000000000522cf5 in restore_finalize (mem=<value optimized out>)
    at ./psi/isave.c:950
#7  0x0000000000523e8b in alloc_restore_step_in (dmem=0x2a4ebf8, save=0x3101348)
    at ./psi/isave.c:775
#8  0x0000000000523f7b in alloc_restore_all (dmem=0x2a4ebf8) at ./psi/isave.c:886
#9  0x00000000004d2035 in gs_main_finit (minst=0x2a0c2b0, exit_status=0,
    code=-101) at ./psi/imain.c:796
#10 0x0000000000451975 in main (argc=2, argv=0x7fff99da0838) at ./psi/gs.c:119
(gdb)

#582846#10
Date:
2010-05-24 09:49:44 UTC
From:
To:
Hi dai,

Thanks for filing this bug report!

CJK support requires CJK font packages to be installed (as I understand it).

Which cjk packages did you have installed on the system?


Kind regards,

  - Jonas

#582846#15
Date:
2010-05-24 10:39:46 UTC
From:
To:
Hi,

At Mon, 24 May 2010 11:49:44 +0200,
Jonas Smedegaard wrote:

I confirmed this bug.

I installed:

otf-ipafont-mincho otf-ipafont-gothic ttf-unfonts-core ttf-arphic-uming
ttf-arphic-ukai
gs-cjk-resource
cmap-adobe-japan1 cmap-adobe-japan2 cmap-adobe-korea1 cmap-adobe-cns1 cmap-adobe-gb1

from Sid and got the same error.
I'll investigate the details.

Thanks,

#582846#20
Date:
2010-05-24 11:04:00 UTC
From:
To:
Great that you will work on this!


  - Jonas

#582846#25
Date:
2010-05-25 00:19:14 UTC
From:
To:
Hi,

I installed the fonts below.

gsfonts
gsfonts-other
gsfonts-wadalab-common
gsfonts-wadalab-gothic
gsfonts-wadalab-mincho
gsfonts-x11

gs-cjk-resource

cmap-adobe-cns1
cmap-adobe-gb1
cmap-adobe-japan1
cmap-adobe-japan2
cmap-adobe-korea1

ttf-arphic-ukai
ttf-arphic-uming
ttf-bitstream-vera
ttf-dejavu
ttf-dejavu-core
ttf-dejavu-extra
ttf-freefont
ttf-kiloji
ttf-lyx
ttf-opensymbol
ttf-sazanami-gothic
ttf-sazanami-mincho
ttf-unfonts-core
ttf-vlgothic

xfonts-100dpi
xfonts-base
xfonts-encodings
xfonts-mathml
xfonts-scalable
xfonts-utils

#582846#30
Date:
2010-05-28 17:09:45 UTC
From:
To:
Hi,

I found out where ghostscript crashed.
So I made a random-shot modification and it does not crash.
But I do not know what the original and modified lines mean.

Here is the execution log of a debug-built ghostscript.

dai@qemu-i386:~$ ./src/ghostscript-8.71~dfsg2/debugobj/gs -Z^ -dSAFER -dBATCH -dNOPAUSE iso2022.ps > log 2>&1
Segmentation fault (core dumped)
dai@qemu-i386:~$ grep gs_subst_CID_on_WMode log
Loading a TT font from /usr/share/fonts/truetype/ttf-japanese-mincho.ttf to emulate a CID font Japanese-Mincho-Regular ... Done.[^]gs_subst_CID_on_WMode 0xa1bae80 init = 1
[^]gs_subst_CID_on_WMode 0xa1bae80 ++ => 2
[^]gs_subst_CID_on_WMode 0xa1326a4 init = 1
[^]gs_subst_CID_on_WMode 0xa1326a4 ++ => 2
[^]gs_subst_CID_on_WMode 0xa132538 ++ => 3
[^]gs_subst_CID_on_WMode 0xa132538 ++ => 4
[^]gs_subst_CID_on_WMode 0xa132538 ++ => 5
[^]gs_subst_CID_on_WMode 0xa132538 ++ => 6
Loading a TT [^]gs_subst_CID_on_WMode 0xa132538 ++ => 7
[^]gs_subst_CID_on_WMode 0xa132538 ++ => 8
[^]gs_subst_CID_on_WMode 0xa132538 ++ => 9
[^]gs_subst_CID_on_WMode 0xa132538 ++ => 10
[^]gs_subst_CID_on_WMode 0xa132538 -2 => 8
[^]gs_subst_CID_on_WMode 0xa132538 -2 => 6
[^]gs_subst_CID_on_WMode 0xa132538 -2 => 4
[^]gs_subst_CID_on_WMode 0xa132538 -2 => 2
[^]gs_subst_CID_on_WMode 0xa132538 -2 => 0
[^]gs_subst_CID_on_WMode 0xa132538 => free (release_subst_CID_on_WMode)
dai@qemu-i386:~$

I suspect that -2 is an over-subtraction, but I have no reason for it.
So I modified release_subst_CID_on_WMode in ghostscript-8.71~dfsg/psi/zfcid1.c.

diff -urNp ghostscript-8.71~dfsg2/psi/zfcid1.c.orig ghostscript-8.71~dfsg2/psi/zfcid1.c
--- ghostscript-8.71~dfsg2/psi/zfcid1.c.orig    2009-12-06 04:21:42.000000000 +0900
+++ ghostscript-8.71~dfsg2/psi/zfcid1.c 2010-05-28 18:03:53.000000000 +0900
@@ -291,7 +291,7 @@ release_subst_CID_on_WMode(void *data, v

     gs_font_notify_unregister((gs_font *)pfcid, release_subst_CID_on_WMode, data);
     pfcid->subst_CID_on_WMode = NULL;
-    rc_adjust(subst, -2, "release_subst_CID_on_WMode");
+    rc_adjust(subst, -1, "release_subst_CID_on_WMode");
     return 0;
 }
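Review bot: the change from -2 to -1 in release_subst_CID_on_WMode is a symmetry guess, and the two traces on this page do not settle which value is right. In the original log every registration adds 1 and five -2 releases take the same object from 10 to 0, so it is freed while the remaining holders still point at it, which matches the crash inside subst_CID_on_WMode_finalize called from i_free_object. In the modified log that object ends at 5 and is never released, so -1 may trade a premature free for a leak. Before sending this upstream, enumerate every rc_increment/rc_adjust on subst for one font: if gs_font_notify_register and the pfcid->subst_CID_on_WMode assignment each take their own reference, -2 is intended here and the imbalance is on the increment side; if only one reference is taken per registration, -1 is correct. Either way the justification belongs in the commit message, not just the changed literal.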

Then here is the modified ghostscript's execution log.

dai@qemu-i386:~$ ./src/ghostscript-8.71~dfsg2/debugobj/gs -Z^ -dSAFER -dBATCH -dNOPAUSE iso2022.ps > log 2>&1
dai@qemu-i386:~$ grep gs_subst_CID_on_WMode log
Loading a TT font from /usr/share/fonts/truetype/ttf-japanese-mincho.ttf to emulate a CID font Japanese-Mincho-Regular ... Done.[^]gs_subst_CID_on_WMode 0x8ff7e80 init = 1
[^]gs_subst_CID_on_WMode 0x8ff7e80 ++ => 2
[^]gs_subst_CID_on_WMode 0x8f6f6a4 init = 1
[^]gs_subst_CID_on_WMode 0x8f6f6a4 ++ => 2
[^]gs_subst_CID_on_WMode 0x8f6f538 ++ => 3
[^]gs_subst_CID_on_WMode 0x8f6f538 ++ => 4
[^]gs_subst_CID_on_WMode 0x8f6f538 ++ => 5
[^]gs_subst_CID_on_WMode 0x8f6f538 ++ => 6
Loading a TT [^]gs_subst_CID_on_WMode 0x8f6f538 ++ => 7
[^]gs_subst_CID_on_WMode 0x8f6f538 ++ => 8
[^]gs_subst_CID_on_WMode 0x8f6f538 ++ => 9
[^]gs_subst_CID_on_WMode 0x8f6f538 ++ => 10
[^]gs_subst_CID_on_WMode 0x8f6f538 -1 => 9
[^]gs_subst_CID_on_WMode 0x8f6f538 -1 => 8
[^]gs_subst_CID_on_WMode 0x8f6f538 -1 => 7
[^]gs_subst_CID_on_WMode 0x8f6f538 -1 => 6
[^]gs_subst_CID_on_WMode 0x8f6f538 -1 => 5
[^]gs_subst_CID_on_WMode 0x8ff7e80 -1 => 1
dai@qemu-i386:~$

It does not crash.
But I do not know whether it is correct, or
why the original code is -2 rather than -1.

This code was introduced about 1.5 years ago.

http://bugs.ghostscript.com/show_bug.cgi?id=689304
http://ghostscript.com/pipermail/gs-cvs/2008-November/008789.html

Should I report this bug upstream?
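
The arithmetic in the two traces above can be checked in isolation. The following is an added example, not Ghostscript's code and not the reporter's patch: it models a reference-counted object that starts at 1, gains 1 per holder, and loses a fixed delta per release, with the object released when the count reaches 0. The type `rc_obj`, the helper names and the `simulate_*` drivers are hypothetical; only the counting pattern is taken from the thread. Whether -1 is the correct delta for Ghostscript depends on how many references each registration actually takes, which this thread does not settle, so the example also includes a checked variant that refuses to drive the count below zero.

```c
/* Added example, not code from Ghostscript or the bug reporter.
 * Models the refcount arithmetic visible in the report's trace:
 * init = 1, ++ per extra holder, a fixed delta per release, release at 0.
 * Names below are hypothetical; only the pattern is taken from the thread. */
#include <stdio.h>

typedef struct rc_obj {
    long ref_count;
    int released;      /* set instead of calling free(), so tests can inspect it */
    char name[32];
} rc_obj;

/* Stand-in for the release step: mark rather than free, so the demo stays
 * memory-safe even when the count goes wrong. */
static void rc_release(rc_obj *o)
{
    o->released = 1;
}

/* Unchecked adjust in the style of the report: add delta, release at <= 0.
 * Returns the new count. */
static long rc_adjust_unchecked(rc_obj *o, long delta, const char *cname)
{
    o->ref_count += delta;
    printf("%s %s %+ld => %ld\n", cname, o->name, delta, o->ref_count);
    if (o->ref_count <= 0 && !o->released)
        rc_release(o);
    return o->ref_count;
}

/* Checked adjust: a decrement that would take the count below zero is an
 * accounting bug, so refuse it and report it instead of releasing.
 * Returns 0 on success, -1 on underflow (count left unchanged). */
static int rc_adjust_checked(rc_obj *o, long delta, const char *cname)
{
    if (o->ref_count + delta < 0) {
        fprintf(stderr, "%s: refcount underflow on %s (%ld %+ld)\n",
                cname, o->name, o->ref_count, delta);
        return -1;
    }
    o->ref_count += delta;
    if (o->ref_count == 0 && !o->released)
        rc_release(o);
    return 0;
}

/* Register `holders` users of one object (init = 1, then ++ per extra holder),
 * then unregister them one at a time, each adjusting by release_delta.
 * Returns the number of holders still registered when the object was released:
 *   0  -> released at the last unregister, as intended;
 *  >0  -> premature release; the remaining holders now point at a released
 *         object, which is what the finalizer crash in the report looks like;
 *  -1  -> never released (a leak). */
static int simulate_unchecked(int holders, long release_delta)
{
    rc_obj o = { 1, 0, "subst" };
    int i;
    for (i = 1; i < holders; i++)
        rc_adjust_unchecked(&o, +1, "register");
    for (i = 0; i < holders; i++) {
        rc_adjust_unchecked(&o, release_delta, "unregister");
        if (o.released)
            return holders - (i + 1);
    }
    return -1;
}

/* Same scenario with the checked adjust.
 * Returns 1 if an underflow was detected, 0 if every adjust was accepted. */
static int simulate_checked(int holders, long release_delta)
{
    rc_obj o = { 1, 0, "subst" };
    int i;
    for (i = 1; i < holders; i++)
        rc_adjust_checked(&o, +1, "register");
    for (i = 0; i < holders; i++)
        if (rc_adjust_checked(&o, release_delta, "unregister") < 0)
            return 1;
    return 0;
}

int main(void)
{
    printf("10 holders, -2 per release: %d holders left at release\n",
           simulate_unchecked(10, -2));
    printf("10 holders, -1 per release: %d holders left at release\n",
           simulate_unchecked(10, -1));
    printf("5 holders, -2 per release, checked: underflow=%d\n",
           simulate_checked(5, -2));
    return 0;
}
```

With ten holders and a -2 release the object is released while five holders remain, which is the shape of the original log; with -1 it is released exactly when the last holder lets go. The checked variant is a cheap guard to carry in a debug build, but it only catches the count going negative: with an even number of holders and a -2 release the count passes through 0 and the premature release happens before any underflow is seen, so the guard complements rather than replaces a review of the increment sites.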

#582846#35
Date:
2012-07-23 15:08:45 UTC
From:
To:
tags 582846 +moreinfo
thanks

Dear VDR dai,

Could you try to reproduce this bug with a newer ghostscript?

I could not reproduce it with 9.05~dfsg-6.

thanks

#582846#42
Date:
2012-07-24 09:36:20 UTC
From:
To:
submitter 582846 !
thanks
I think it depends on the installed fonts.

% ghostscript iso2022.ps
GPL Ghostscript 9.05 (2012-02-08)
Copyright (C) 2010 Artifex Software, Inc.  All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
------------------------------------------------------------------------
This is a script to test CJK fonts such as CID-keyed fonts.
If you have not done CID-keyed fonts installation and definitions at
/Resource/CMap and CIDFnmap or /Resource/CIDFont of ghostscript, then
this script can't work correctly.
For details, please see README at http://www.gyve.org/gs-cjk/supplement.

If you throw this script into a printer, it requires PostScript 3
printer and CID-keyed fonts specified in this script.
------------------------------------------------------------------------
Loading NimbusMonL-Regu font from /usr/share/fonts/type1/gsfonts/n022003l.pfb... 3732144 2230667 4600464 3242359 1 done.
Loading NimbusMonL-Bold font from /usr/share/fonts/type1/gsfonts/n022004l.pfb... 3775136 2365854 4600464 3262388 1 done.
Loading a TT font from /usr/share/fonts/truetype/fonts-japanese-mincho.ttf to emulate a CID font Japanese-Mincho-Regular ... Done.
Loading a TT font from /usr/share/fonts/truetype/arphic/uming.ttc to emulate a CID font BousungEG-Light-GB ... Done.
Loading a TT font from /usr/share/fonts/truetype/unfonts-core/UnBatang.ttf to emulate a CID font UnBatang-Regular ... Done.
Can't find (or can't open) font file /usr/share/ghostscript/9.05/Resource/Font/HeiseiMin-W3H-Hojo-H.
Can't find (or can't open) font file HeiseiMin-W3H-Hojo-H.
Querying operating system for font files...
Can't find (or can't open) font file /usr/share/ghostscript/9.05/Resource/Font/HeiseiMin-W3H-Hojo-H.
Can't find (or can't open) font file HeiseiMin-W3H-Hojo-H.
Didn't find this font on the system!
Substituting font Courier for HeiseiMin-W3H-Hojo-H.
Loading a TT font from /usr/share/fonts/truetype/arphic/uming.ttc to emulate a CID font ShanHeiSun-Light ... Done.
Loading a TT font from /usr/share/fonts/truetype/fonts-japanese-gothic.ttf to emulate a CID font Japanese-Gothic-Regular ... Done.
Loading a TT font from /usr/share/fonts/truetype/unfonts-core/UnDotum.ttf to emulate a CID font UnDotum-Regular ... Done.
Can't find (or can't open) font file /usr/share/ghostscript/9.05/Resource/Font/HeiseiKakuGo-W5H-Hojo-H.
Can't find (or can't open) font file HeiseiKakuGo-W5H-Hojo-H.
Didn't find this font on the system!
Substituting font Courier for HeiseiKakuGo-W5H-Hojo-H.
Loading a TT font from /usr/share/fonts/truetype/arphic/ukai.ttc to emulate a CID font ZenKai-Medium ... Done.
Loading NimbusSanL-Regu font from /usr/share/fonts/type1/gsfonts/n019003l.pfb... 17815720 16348056 5326264 3286463 1 done.
Loading NimbusSanL-Bold font from /usr/share/fonts/type1/gsfonts/n019004l.pfb... 17876896 16453460 6106584 4278370 1 done.

GS>quit
zsh: segmentation fault (core dumped)  ghostscript iso2022.ps
%

% dpkg --get-selections | grep poppler
libpoppler-glib8:amd64				install
libpoppler19:amd64				install
poppler-data					install
poppler-utils					install
ruby-poppler					install
%

% dpkg --get-selections | grep ^cmap
%

% dpkg --get-selections | grep ^gsfonts
gsfonts						install
gsfonts-other					install
gsfonts-x11					install
%

% dpkg --get-selections | grep ^fonts
fonts-arphic-ukai				install
fonts-arphic-uming				install
fonts-freefont-ttf				install
fonts-ipaexfont-gothic				install
fonts-ipaexfont-mincho				install
fonts-ipafont-gothic				install
fonts-ipafont-mincho				install
fonts-liberation				install
fonts-lyx					install
fonts-opensymbol				install
fonts-unfonts-core				install
fonts-vlgothic					install
%

% dpkg --get-selections | grep ^ttf
ttf-bitstream-vera				install
ttf-dejavu-core					install
ttf-dejavu-extra				install
ttf-marvosym					install
%

% dpkg --get-selections | grep ^xfonts
xfonts-100dpi					install
xfonts-base					install
xfonts-encodings				install
xfonts-mathml					install
xfonts-scalable					install
xfonts-utils					install
%

#582846#49
Date:
2012-07-27 08:16:56 UTC
From:
To:
tags 582846 - moreinfo
tags 582846 + confirmed
thanks

Dear dai,

Could you retry under gdb and get a backtrace (with ghostscript-dbg installed)?

Thanks

Bastien

#582846#58
Date:
2012-07-27 11:25:59 UTC
From:
To:
Hi,

Here is the backtrace.

GS>quit

Program received signal SIGSEGV, Segmentation fault.
i_free_object (mem=<optimized out>, ptr=0x8606c8, cname=<optimized out>)
    at ./base/gsalloc.c:846
846	./base/gsalloc.c: No such file or directory.
(gdb) bt
#0  i_free_object (mem=<optimized out>, ptr=0x8606c8, cname=<optimized out>)
    at ./base/gsalloc.c:846
#1  0x00002aaaaae1f849 in subst_CID_on_WMode_finalize (cmem=<optimized out>,
    data=0x8606b0) at ./base/gsfcid.c:113
#2  0x00002aaaab02ccc8 in i_free_object (mem=0x6028d8, ptr=0x8606b0,
    cname=<optimized out>) at ./base/gsalloc.c:846
#3  0x00002aaaaade5e69 in release_subst_CID_on_WMode (data=<optimized out>,
    event=<optimized out>) at ./psi/zfcid1.c:292
#4  0x00002aaaab0482e8 in gs_notify_all (nlist=<optimized out>, event_data=0x0)
    at ./base/gsnotify.c:103
#5  0x00002aaaab03b9f0 in gs_font_finalize (cmem=<optimized out>,
    vptr=<optimized out>) at ./base/gsfont.c:164
#6  0x00002aaaaae80d79 in restore_finalize (mem=0x603e68) at ./psi/isave.c:933
#7  0x00002aaaaae82133 in alloc_restore_step_in (dmem=0x644fb0, save=0x82dcc8)
    at ./psi/isave.c:758
#8  0x00002aaaaae82239 in alloc_restore_all (dmem=0x644fb0)
    at ./psi/isave.c:869
#9  0x00002aaaaae40f51 in gs_main_finit (minst=0x602340, exit_status=0, code=0)
    at ./psi/imain.c:880
#10 0x00002aaaaae442d3 in gsapi_exit (lib=<optimized out>) at ./psi/iapi.c:263
#11 0x00000000004009e4 in main (argc=<optimized out>, argv=0x7fffffffe908)
    at ./psi/dxmainc.c:88
(gdb)

#582846#63
Date:
2012-08-08 13:05:24 UTC
From:
To:
Till could you try to reproduce this bug on the ubuntu side and forward
upstream?

Thanks

Bastien

#582846#68
Date:
2024-02-25 02:55:55 UTC
From:
To:

I have tested ghostscript 10.02.1 on these two files and encountered no
segfault.