Crash when open minimal PS file
Submitted by Germán Poo-Caamaño
Assigned to Carlos Campos @carlosgc
Description
This bug was report in evince. The minimal test is very simple:
%!PS-Adobe-3.0
<</Orientation 1>
> setpagedevice
%%EOF
The reporter seems to figure out the problem:
"The problem is, that libspectre is used to determine the page orientation.
Libspectre only parses the DSC comments of the PS file but not something like
„<</Orientation 1>
> setpagedevice“. That means, an orientation is return which
does not match the ghostscript page image output. This causes evince to
illegally access memory, because the page width and height are toggled. The
minimal example will be displayed sometimes and one will see a random (mostly
black) rectangle that represents the illegally accessed memory.
A solution would be either to patch libspectre in order to get the page
orientation from ghostscript or to let evince rotate the page image itself,
like in okular. The first solution would be more elegant, but it needs changes
in libspectre API calls (no backward compatibility).
The follwing ghostscript/postscript command will display the orientation:
(orientation=) print currentpagedevice /Orientation known {currentpagedevice /Orientation get ==} if
It has to be send by spectre_gs_send_string."
The stacktrace I got (sorry, some debugging symbols missing):
Thread 5 (Thread 0xa66f0b40 (LWP 10149)):
#0 __pthread_self () at pthread_self.c:28
#1 0xa566d9cf in gp_monitor_enter () from /usr/lib/libgs.so.9
#2 0xa57ab338 in ?? () from /usr/lib/libgs.so.9
#3 0xa57adc9e in gs_raw_alloc_struct_immovable () from /usr/lib/libgs.so.9
#4 0xa578f7f1 in ?? () from /usr/lib/libgs.so.9
#5 0xa579053d in ?? () from /usr/lib/libgs.so.9
#6 0xa5545c3f in gx_unshare_cie_caches () from /usr/lib/libgs.so.9
#7 0xa55460cb in gs_cie_cs_complete () from /usr/lib/libgs.so.9
#8 0xa5547b30 in gs_setcolorrendering () from /usr/lib/libgs.so.9
#9 0xa5544b47 in ?? () from /usr/lib/libgs.so.9
#10 0xa558019b in ?? () from /usr/lib/libgs.so.9
#11 0xa558100f in gs_interpret () from /usr/lib/libgs.so.9
#12 0xa55752aa in ?? () from /usr/lib/libgs.so.9
#13 0xa5575683 in gs_main_init2aux () from /usr/lib/libgs.so.9
#14 0xa5576132 in gs_main_init2 () from /usr/lib/libgs.so.9
#15 0xa557837c in gs_main_init_with_args () from /usr/lib/libgs.so.9
#16 0xa55791e9 in gsapi_init_with_args () from /usr/lib/libgs.so.9
#17 0xa5eb138d in spectre_gs_run () from /usr/lib/libspectre.so.1
#18 0xa5eb222d in spectre_device_render () from /usr/lib/libspectre.so.1
#19 0xa5eb27c4 in spectre_page_render () from /usr/lib/libspectre.so.1
#20 0xa5eec442 in ps_document_render (document=0x82d8ea0, rc=0xa5d00e00) at ev-spectre.c:311
#21 0xb7f6da87 in ev_document_render (document=0x82d8ea0, rc=0xa5d00e00) at ev-document.c:678
#22 0xb7f6dad5 in _ev_document_get_thumbnail (rc=<optimized out>, document=<optimized out>) at ev-document.c:688
#23 ev_document_get_thumbnail (document=0x82d8ea0, rc=0xa5d00e00) at ev-document.c:711
#24 0xb7f2853a in ev_job_thumbnail_run (job=0x841b548) at ev-jobs.c:847
#25 0xb7f2734f in ev_job_run (job=0x841b548) at ev-jobs.c:215
#26 0xb7f2a533 in ev_job_thread (job=0x841b548) at ev-job-scheduler.c:184
#27 ev_job_thread_proxy (data=0x0) at ev-job-scheduler.c:217
#28 0xb75950f3 in g_thread_proxy (data=0x8370e90) at gthread.c:798
#29 0xb7efcd4c in start_thread (arg=0xa66f0b40) at pthread_create.c:308
#30 0xb7441dde in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:130