crash while processing pdf with long path

Bug #1065845 reported by Basil Semuonov on 2012-10-12
This bug affects 1 person
Affects Status Importance Assigned to Milestone
GS-GPL
Confirmed
Medium
ghostscript (Ubuntu)
Medium
Unassigned

Bug Description

gs crashes while processing pdf by its full path.

versions 8.71, 9.05 and 9.06 (pre-release freeze) are affected by this bug.

Expected: split first slide from pdf.

Example:
ghostscript -sDEVICE=pdfwrite -dNOPAUSE -dQUIET -dBATCH -dFirstPage=1 -dLastPage=1 -sOutputFile=/var/onlinestudios/recording/process/presentation/0bc06fff1cb99393f3e306002e9e544ff8510040-1349810405174/temp/0bc06fff1cb99393f3e306002e9e544ff8510040-1349810405174/presentation/MeeGo_1_2_Harmattan_Applications_Nokia_Store_Entry_Requirements_v1_1_en/slide-1.pdf /etc/onlinestudios/nopdfmark.ps /var/onlinestudios/recording/process/presentation/0bc06fff1cb99393f3e306002e9e544ff8510040-1349810405174/temp/0bc06fff1cb99393f3e306002e9e544ff8510040-1349810405174/presentation/MeeGo_1_2_Harmattan_Applications_Nokia_Store_Entry_Requirements_v1_1_en/MeeGo_1_2_Harmattan_Applications_Nokia_Store_Entry_Requirements_v1_1_en.pdf

crashes with "Unrecoverable error: rangecheck in .putdeviceprops"

And this works as expected:
ghostscript -sDEVICE=pdfwrite -dNOPAUSE -dQUIET -dBATCH -dFirstPage=1 -dLastPage=1 -sOutputFile=./presentation/0bc06fff1cb99393f3e306002e9e544ff8510040-1349810405174/temp/0bc06fff1cb99393f3e306002e9e544ff8510040-1349810405174/presentation/MeeGo_1_2_Harmattan_Applications_Nokia_Store_Entry_Requirements_v1_1_en/slide-1.pdf /etc/onlinestudios/nopdfmark.ps ./presentation/0bc06fff1cb99393f3e306002e9e544ff8510040-1349810405174/temp/0bc06fff1cb99393f3e306002e9e544ff8510040-1349810405174/presentation/MeeGo_1_2_Harmattan_Applications_Nokia_Store_Entry_Requirements_v1_1_en/MeeGo_1_2_Harmattan_Applications_Nokia_Store_Entry_Requirements_v1_1_en.pdf

Note: in the second case the long paths became shorter and the current dir is /var/onlinestudios/recording/process.

My file nopdfmark.ps consists of the following lines:
%!
/pdfmark {cleartomark} bind def

Additional information:

lsb_release -rd
Description: Ubuntu 12.04.1 LTS
Release: 12.04

apt-cache policy ghostscript
ghostscript:
  Installed: 9.06~dfsg-0ubuntu3
  Candidate: 9.06~dfsg-0ubuntu3
  Version table:
 *** 9.06~dfsg-0ubuntu3 0
        100 /var/lib/dpkg/status
     9.05~dfsg-0ubuntu4.2 0
        500 http://archive.ubuntu.com/ubuntu/ precise-updates/main amd64 Packages
     9.05~dfsg-0ubuntu4 0
        500 http://archive.ubuntu.com/ubuntu/ precise/main amd64 Packages
     8.71.dfsg.1-0ubuntu5.5 0
        500 http://us.archive.ubuntu.com/ubuntu/ lucid-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu/ lucid-security/main amd64 Packages
     8.71.dfsg.1-0ubuntu5 0
        500 http://us.archive.ubuntu.com/ubuntu/ lucid/main amd64 Packages

ghostscript version info:
GPL Ghostscript 9.06 (2012-08-08)
Copyright (C) 2012 Artifex Software, Inc. All rights reserved.

Input formats: PostScript PostScriptLevel1 PostScriptLevel2 PostScriptLevel3 PDF
Default output device: bbox
Available devices:
   alc1900 alc2000 alc4000 alc4100 alc8500 alc8600 alc9100 ap3250 appledmp
   atx23 atx24 atx38 bbox bit bitcmyk bitrgb bitrgbtags bj10e bj10v bj10vh
   bj200 bjc600 bjc800 bjc880j bjccmyk bjccolor bjcgray bjcmono bmp16 bmp16m
   bmp256 bmp32b bmpgray bmpmono bmpsep1 bmpsep8 ccr cdeskjet cdj1600 cdj500
   cdj550 cdj670 cdj850 cdj880 cdj890 cdj970 cdjcolor cdjmono cdnj500 cfax
   chp2200 cif cljet5 cljet5c cljet5pr coslw2p coslwxl cp50 cups declj250
   deskjet devicen dfaxhigh dfaxlow display dj505j djet500 djet500c dl2100
   dnj650c epl2050 epl2050p epl2120 epl2500 epl2750 epl5800 epl5900 epl6100
   epl6200 eplcolor eplmono eps9high eps9mid epson epsonc epswrite escp
   escpage faxg3 faxg32d faxg4 fmlbp fmpr fs600 gdi hl1240 hl1250 hl7x0
   hpdj1120c hpdj310 hpdj320 hpdj340 hpdj400 hpdj500 hpdj500c hpdj510
   hpdj520 hpdj540 hpdj550c hpdj560c hpdj600 hpdj660c hpdj670c hpdj680c
   hpdj690c hpdj850c hpdj855c hpdj870c hpdj890c hpdjplus hpdjportable ibmpro
   ijs imagen inferno inkcov iwhi iwlo iwlq jetp3852 jj100 jpeg jpegcmyk
   jpeggray la50 la70 la75 la75plus laserjet lbp310 lbp320 lbp8 lex2050
   lex3200 lex5700 lex7000 lips2p lips3 lips4 lips4v lj250 lj3100sw lj4dith
   lj4dithp lj5gray lj5mono ljet2p ljet3 ljet3d ljet4 ljet4d ljet4pjl
   ljetplus ln03 lp1800 lp1900 lp2000 lp2200 lp2400 lp2500 lp2563 lp3000c
   lp7500 lp7700 lp7900 lp8000 lp8000c lp8100 lp8200c lp8300c lp8300f
   lp8400f lp8500c lp8600 lp8600f lp8700 lp8800c lp8900 lp9000b lp9000c
   lp9100 lp9200b lp9200c lp9300 lp9400 lp9500c lp9600 lp9600s lp9800c
   lps4500 lps6500 lq850 lxm3200 lxm5700m m8510 mag16 mag256 md1xMono md2k
   md50Eco md50Mono md5k mgr4 mgr8 mgrgray2 mgrgray4 mgrgray8 mgrmono miff24
   mj500c mj6000c mj700v2c mj8000c ml600 necp6 npdl nullpage oce9050 oki182
   oki4w okiibm omni oprp opvp paintjet pam pamcmyk32 pamcmyk4 pbm pbmraw
   pcl3 pcx16 pcx24b pcx256 pcx256 pcx2up pcxcmyk pcxgray pcxmono pdfwrite
   pdfwrite pgm pgmraw pgnm pgnmraw photoex picty180 pj pjetxl pjxl pjxl300
   pkm pkmraw pksm pksmraw plan plan9bm planc plang plank planm png16 png16m
   png256 png48 pngalpha pnggray pngmono pnm pnmraw ppm ppmraw pr1000
   pr1000_4 pr150 pr201 ps2write psdcmyk psdrgb psgray psmono psrgb pswrite
   pxlcolor pxlmono r4081 rinkj rpdl samsunggdi sgirgb sj48 spotcmyk st800
   stcolor sunhmono t4693d2 t4693d4 t4693d8 tek4696 tiff12nc tiff24nc
   tiff32nc tiff48nc tiff64nc tiffcrle tiffg3 tiffg32d tiffg4 tiffgray
   tifflzw tiffpack tiffscaled tiffsep txtwrite uniprint xcf xes
Search path:
   /usr/share/ghostscript/9.06/Resource/Init :
   /usr/share/ghostscript/9.06/lib :
   /usr/share/ghostscript/9.06/Resource/Font :
   /usr/share/ghostscript/fonts : /var/lib/ghostscript/fonts :
   /usr/share/cups/fonts : /usr/share/ghostscript/fonts :
   /usr/local/lib/ghostscript/fonts : /usr/share/fonts
For more information, see /usr/share/doc/ghostscript/Use.htm.
Please report bugs to bugs.ghostscript.com.

Till Kamppeter (till-kamppeter) wrote :
Changed in ghostscript (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
Changed in gs-gpl:
importance: Unknown → Medium
status: Unknown → Confirmed
Basil Semuonov (basil-semuonov) wrote :

The problem is actually in processing the "-sOutputFile" command line parameter.

File ./base/gsparam2.c contains a define:

#define MAX_PARAM_KEY 255

so if the length of the -sOutputFile path > MAX_PARAM_KEY, a security check is performed:
gsparam2.c:73
---
char string_key[MAX_PARAM_KEY + 1];

if (sizeof(string_key) < key.size + 1) {
   code = gs_note_error(gs_error_rangecheck);
   break;
}
---

Seems not a bug, but a strong restriction for input arguments, and "magic" numbers in code.
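
The boundary of the length check quoted in the comment above, shown as an added example that is not part of the original report or of the Ghostscript source. The names counted_str, copy_key, try_length and ERR_RANGECHECK are hypothetical, and the sample strings are constructed:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_PARAM_KEY 255      /* value quoted from gsparam2.c in the comment above */
#define ERR_RANGECHECK (-1)    /* hypothetical stand-in for gs_error_rangecheck */

/* Counted string: bytes plus an explicit length, no NUL terminator (hypothetical type). */
typedef struct { const char *data; size_t size; } counted_str;

/* Copy a counted string into a fixed buffer and NUL-terminate it.
 * Rejects the input when the bytes plus the terminator do not fit.
 * The comparison is written as size >= dst_size, which is the same
 * boundary as "dst_size < size + 1" but cannot wrap when size is the
 * largest value of its type. */
static int copy_key(char *dst, size_t dst_size, counted_str key)
{
    if (key.size >= dst_size)
        return ERR_RANGECHECK;
    memcpy(dst, key.data, key.size);
    dst[key.size] = '\0';
    return 0;
}

/* Run the check against a constructed string of n bytes. */
static int try_length(size_t n)
{
    static char sample[1024];              /* constructed input, not a real path */
    char string_key[MAX_PARAM_KEY + 1];    /* same declaration as the quoted code */
    counted_str key;

    if (n > sizeof(sample))
        return ERR_RANGECHECK;
    memset(sample, 'a', n);
    key.data = sample;
    key.size = n;
    return copy_key(string_key, sizeof(string_key), key);
}

int main(void)
{
    /* 255 bytes fit with the terminator; 256 bytes are rejected. */
    printf("255 bytes: %d\n", try_length(255));
    printf("256 bytes: %d\n", try_length(256));
    return 0;
}
```

The limit counts bytes before the terminator, so a string of exactly MAX_PARAM_KEY bytes is the longest one accepted.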
