Ghostscript segmentation fault on PDF using -dFirstPage and -dLastPage

Bug #1806517 reported by Laurent Dinclaux on 2018-12-04
56
This bug affects 6 people
Affects Status Importance Assigned to Milestone
GS-GPL
Fix Released
Medium
ghostscript (Ubuntu)
Status tracked in Disco
Trusty
Undecided
Marc Deslauriers
Xenial
Undecided
Marc Deslauriers
Bionic
Undecided
Marc Deslauriers
Cosmic
Undecided
Marc Deslauriers
Disco
Undecided
Unassigned

Bug Description

In order to convert a PDF file in PNG I use the command:

» convert "myfile.pdf[0]" test.png

Which gives this error:

convert-im6.q16: FailedToExecuteCommand `'gs' -sstdout=%stderr -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0 -dGridFitTT=2 '-sDEVICE=pngalpha' -dTextAlphaBits=4 -dGraphicsAlphaBits=4 '-r72x72' -dFirstPage=1 -dLastPage=1 '-sOutputFile=/tmp/magick-11774WIkYdVETEs9I%d' '-f/tmp/magick-11774JZhknqCDhkN0' '-f/tmp/magick-11774twGtf-JFihri'' (-1) @ error/delegate.c/ExternalDelegateCommand/462.
convert-im6.q16: no images defined `test.png' @ error/convert.c/ConvertImageCommand/3258.

So I tried using ghostscript directly:

» ghostscript -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0 -dGridFitTT=2 -sDEVICE=pngalpha -dTextAlphaBits=4 -dGraphicsAlphaBits=4 -r72x72 -dFirstPage=1 -dLastPage=1 '-sOutputFile=test.png' '-fmyfile.pdf'

Which gives an error:

GPL Ghostscript 9.26 (2018-11-20)
Copyright (C) 2018 Artifex Software, Inc. All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
Processing pages 1 through 1.
Page 1
[1] 10954 segmentation fault (core dumped) ghostscript -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000

If I omit -dFirstPage=1 -dLastPage=1 it works properly:

» ghostscript -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0 -dGridFitTT=2 -sDEVICE=pngalpha -dTextAlphaBits=4 -dGraphicsAlphaBits=4 -r72x72 '-sOutputFile=test.png' '-fmyfile.pdf'
GPL Ghostscript 9.26 (2018-11-20)
Copyright (C) 2018 Artifex Software, Inc. All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
Processing pages 1 through 2.
Page 1
Page 2

Please note that it also affects imagemagick convert command and PHP readimage command. I have confirmed the bug on Ubuntu 16.04 too.

The recent ghostscript 9.26 version is definitely guilty.

ProblemType: Bug
DistroRelease: Ubuntu 18.10
Package: ghostscript 9.26~dfsg+0-0ubuntu0.18.10.1
ProcVersionSignature: Ubuntu 4.18.0-11.12-generic 4.18.12
Uname: Linux 4.18.0-11-generic x86_64
NonfreeKernelModules: nvidia_modeset nvidia
ApportVersion: 2.20.10-0ubuntu13.1
Architecture: amd64
CurrentDesktop: GNOME
Date: Tue Dec 4 12:59:59 2018
InstallationDate: Installed on 2018-06-28 (158 days ago)
InstallationMedia: Ubuntu 18.04 LTS "Bionic Beaver" - Release amd64 (20180426)
SourcePackage: ghostscript
UpgradeStatus: Upgraded to cosmic on 2018-10-20 (44 days ago)

Download full text (48.2 KiB)

Created attachment 16469
PDF which causes segfault in 9.26

We use ImageMagick to extract a the first page of a PDF as a thumbnail and recently started getting exceptions with some PDFs. Traced it to the call that ImageMagick was making:

gs -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0 -dGridFitTT=2 '-sDEVICE=pngalpha' -dTextAlphaBits=4 -dGraphicsAlphaBits=4 '-r72x72' -dLastPage=1 -sOutputFile=1.png -f Bloomfire-Security_and_Redundancy.pdf

When this is run with GS version 9.25, the thumbnail is extracted with no error.
When this is run with GS version 9.26, I see "Segmentation fault: 11"

I've attached a file that causes there error. Observed on both OSX and Ubuntu Linux.

Here is the output from running the same command with -dDEBUG:

START 0 1455888 160729 1310728 29572 true 587 3 <0>
END PROCS 0 1504736 208805 1330928 35516 true 709 3 <0>
gs_std_e.ps 0 1524936 219150 1330928 38012 true 717 3 <0>
gs_il1_e.ps 0 1524936 225026 1330928 38012 true 718 3 <0>
END FONTDIR/ENCS 0 1524936 225302 1330928 38012 true 720 3 <0>
END DEVS 0 1601672 291074 1330928 38012 true 724 3 <0>
END STATD 0 1601672 305936 1330928 40908 true 729 3 <0>
END GS_FONTS 0 1662272 362977 1330928 40908 true 777 3 <0>
END BASIC COLOR 0 1662272 370569 1330928 40908 true 797 3 <0>
END IMAGE 0 1682472 383205 1330928 40908 true 802 3 <0>
gs_btokn.ps 0 1682472 390509 1330928 40908 true 806 3 <1>
gs_dps1.ps 0 1702672 397919 1330928 40908 true 808 3 <1>
gs_dps2.ps 0 1731320 419098 1330928 40908 true 809 3 <1>
gs_agl.ps 0 2465232 1119600 1330928 40908 true 811 3 <1>
gs_type1.ps 0 2465232 1126479 1330928 41186 true 819 3 <1>
gs_lev2.ps 0 2554480 1192135 1436088 146788 true 825 3 <1>
BEGIN RESOURCES 0 2554480 1194793 1436088 146788 true 825 4 <2>
END CATEGORY 0 2554480 1198912 1436088 147084 true 826 5 <2>
END GENERIC 0 2564516 1219750 1436088 147084 true 828 4 <2>
END FIXED 0 2584716 1237312 1436088 147084 true 828 4 <2>
END MISC 0 2604916 1252528 1436088 147084 true 828 4 <2>
END ENCODING 0 2734596 1382958 1436088 150722 true 828 4 <2>
gs_resmp.ps 10 2774996 1412399 1436088 152568 true 832 3 <2>
gs_res.ps 10 2774996 1410261 1436088 152568 true 832 3 <1>
gs_typ42.ps 10 2774996 1411595 1436088 152568 true 835 3 <1>
gs_cidfn.ps 10 2815396 1446804 1436088 152568 true 843 3 <1>
gs_cidcm.ps 10 2835596 1472845 1436088 152568 true 843 3 <1>
gs_fntem.ps 10 2884444 1520727 1436088 152568 true 845 3 <1>
gs_cidtt.ps 10 2904644 1540784 1436088 152568 true 845 3 <1>
gs_cidfm.ps 10 2924844 1554924 1436088 152568 true 845 3 <1>
gs_cmap.ps 10 2945044 1574218 1436088 152568 true 850 3 <1>
gs_setpd.ps 10 2965244 1599534 1436088 152568 true 850 3 <1>
gs_fapi.ps 10 3005644 1632658 1436088 152568 true 848 3 <1>
gs_typ32.ps 10 3005644 1635417 1436088 152568 true 846 3 <1>
gs_frsd.ps 10 3005644 1638227 1436088 152568 true 846 3 <1>
gs_ll3.ps 10 3167244 1792468 1436088 152816 true 847 3 <1>
gs_icc.ps 10 3167244 1798386 1436088 152816 true 848 3 <1>
gs_mex_e.ps 10 3187444 1804404 1436088 152816 true 848 3 <1>
gs_mro_e.ps 10 3187444 1805591 1436088 152816 true 848 3 <1>
gs_pdf_e.ps 10 3187444 1806824 1436088 152816 true 848 3 <1>
gs_wan_e.ps 10 3187444 1808074 1436088 1...

We use ImageMagick to extract a the first page of a PDF as a thumbnail and recently started getting exceptions with some PDFs. Traced it to the call that ImageMagick was making:

gs -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0 -dGridFitTT=2 '-sDEVICE=pngalpha' -dTextAlphaBits=4 -dGraphicsAlphaBits=4 '-r72x72' -dLastPage=1 -sOutputFile=1.png -f Bloomfire-Security_and_Redundancy.pdf

When this is run with GS version 9.25, the thumbnail is extracted with no error.
When this is run with GS version 9.26, I see "Segmentation fault: 11"

I've attached a file that causes there error. Observed on both OSX and Ubuntu Linux.

Created attachment 16470
Output of run with -dDEBUG

Created attachment 16471
PDF example that causes the segfault

*** This bug has been marked as a duplicate of bug 699815 ***

Laurent Dinclaux (dreadlox) wrote :
Changed in gs-gpl:
importance: Unknown → Medium
status: Unknown → New

I have the same issue on multiple servers running ubuntu 16.04 or 18.04 since the 9.26 upgrade. In order to convert a PDF file in PNG I use the command:

» convert "myfile.pdf[0]" test.png

Which gives this error:

convert-im6.q16: FailedToExecuteCommand `'gs' -sstdout=%stderr -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0 -dGridFitTT=2 '-sDEVICE=pngalpha' -dTextAlphaBits=4 -dGraphicsAlphaBits=4 '-r72x72' -dFirstPage=1 -dLastPage=1 '-sOutputFile=/tmp/magick-11774WIkYdVETEs9I%d' '-f/tmp/magick-11774JZhknqCDhkN0' '-f/tmp/magick-11774twGtf-JFihri'' (-1) @ error/delegate.c/ExternalDelegateCommand/462.
convert-im6.q16: no images defined `test.png' @ error/convert.c/ConvertImageCommand/3258.

So I tried using ghostscript directly:

» ghostscript -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0 -dGridFitTT=2 -sDEVICE=pngalpha -dTextAlphaBits=4 -dGraphicsAlphaBits=4 -r72x72 -dFirstPage=1 -dLastPage=1 '-sOutputFile=test.png' '-fmyfile.pdf'

Which gives an error:

GPL Ghostscript 9.26 (2018-11-20)
Copyright (C) 2018 Artifex Software, Inc. All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
Processing pages 1 through 1.
Page 1
[1] 10954 segmentation fault (core dumped) ghostscript -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000

If I omit -dFirstPage=1 -dLastPage=1 it works properly:

» ghostscript -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0 -dGridFitTT=2 -sDEVICE=pngalpha -dTextAlphaBits=4 -dGraphicsAlphaBits=4 -r72x72 '-sOutputFile=test.png' '-fmyfile.pdf'
GPL Ghostscript 9.26 (2018-11-20)
Copyright (C) 2018 Artifex Software, Inc. All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
Processing pages 1 through 2.
Page 1
Page 2

Please note that it also affects imagemagick convert command and PHP readimage command.

NOTE: This won't survive an apt upgrade and may raise security issues (gs has been update to 9.26 because of security issues, see http://changelogs.ubuntu.com/changelogs/pool/main/g/ghostscript/ghostscript_9.26~dfsg+0-0ubuntu0.18.04.1/changelog)

As a temporary workaround one can downgrade.

For xenial (ubuntu 16.04):

# apt install libgs9-common=9.18~dfsg~0-0ubuntu2 libgs9=9.18~dfsg~0-0ubuntu2 ghostscript=9.18~dfsg~0-0ubuntu2

For bionic (ubuntu 18.04):

# apt install libgs9-common=9.22~dfsg+1-0ubuntu1 libgs9=9.22~dfsg+1-0ubuntu1 ghostscript=9.22~dfsg+1-0ubuntu1

For cosmic (ubuntu 18.10):

# apt install libgs9-common=9.25~dfsg+1-0ubuntu1 libgs9=9.25~dfsg+1-0ubuntu1 ghostscript=9.25~dfsg+1-0ubuntu1

Till Kamppeter (till-kamppeter) wrote :

Subscribing Ubuntu Security Team as this is a regression caused by the recent security updates.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in ghostscript (Ubuntu):
status: New → Confirmed

I can confirm this problem on Ubuntu 16.04 and ghostscript 9.26~dfsg+0-0ubuntu0.16.04.1:

$ gs --version
9.26
$ convert "confidential.pdf[0]" confidential.png
convert: FailedToExecuteCommand `"gs" -q -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0 -dGridFitTT=2 "-sDEVICE=pngalpha" -dTextAlphaBits=4 -dGraphicsAlphaBits=4 "-r72x72" -dFirstPage=1 -dLastPage=1 "-sOutputFile=/tmp/magick-12412a591aAW0c1rp%d" "-f/tmp/magick-12412pbD9WU9tgyvz" "-f/tmp/magick-12412_OoIhBmXubzJ"' (-1) @ error/delegate.c/ExternalDelegateCommand/461.
convert: no images defined `confidential.png' @ error/convert.c/ConvertImageCommand/3210.

The problem doesn't happen with ghostscript 9.25~dfsg+1-0ubuntu0.16.04.3:

$ dpkg --install libgs9_9.25~dfsg+1-0ubuntu0.16.04.3_amd64.deb libgs9-common_9.25~dfsg+1-0ubuntu0.16.04.3_all.deb ghostscript_9.25~dfsg+1-0ubuntu0.16.04.3_amd64.deb ghostscript-x_9.25~dfsg+1-0ubuntu0.16.04.3_amd64.deb
$ gs --version
9.25
$ convert "confidential.pdf[0]" confidential.png
$ identify confidential.png
confidential.png PNG 595x842 595x842+0+0 8-bit sRGB 22.5KB 0.000u 0:00.000

Not every PDF is affected by this problem.

*** This bug has been marked as a duplicate of bug 700315 ***

*** Bug 700314 has been marked as a duplicate of this bug. ***

*** Bug 700313 has been marked as a duplicate of this bug. ***

Fixed in commit fae21f1668d2b44b18b84cf0923a1d5f3008a696

Changed in gs-gpl:
status: New → Invalid

I have changed the upstream related bug which has been resolved (patch available)

no longer affects: gs-gpl
Changed in gs-gpl:
importance: Unknown → Medium
status: Unknown → Fix Released
summary: - Ghostscript segmentation fault onb PDF using -dFirstPage and -dLastPage
+ Ghostscript segmentation fault on PDF using -dFirstPage and -dLastPage

Fix applied to GS 9.26 in Disco.

To the security team: This is also a regression caused by the security updates to GS 9.26.

Changed in ghostscript (Ubuntu):
status: Confirmed → Fix Committed
Laurent Dinclaux (dreadlox) wrote :

A side note that 9.26 upgrade has been sent to all supported Ubuntu versions https://packages.ubuntu.com/search?keywords=ghostscript

Marc Deslauriers (mdeslaur) wrote :

I'll work on updates. They will probably be released tomorrow afternoon.

Changed in ghostscript (Ubuntu Trusty):
status: New → Confirmed
Changed in ghostscript (Ubuntu Xenial):
status: New → Confirmed
Changed in ghostscript (Ubuntu Bionic):
status: New → Confirmed
Changed in ghostscript (Ubuntu Cosmic):
status: New → Confirmed
Changed in ghostscript (Ubuntu Trusty):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in ghostscript (Ubuntu Xenial):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in ghostscript (Ubuntu Bionic):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in ghostscript (Ubuntu Cosmic):
assignee: nobody → Marc Deslauriers (mdeslaur)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ghostscript - 9.26~dfsg+0-0ubuntu3

---------------
ghostscript (9.26~dfsg+0-0ubuntu3) disco; urgency=low

  * Backported upstream patch to prevent crashes when calling Ghostscript
    with a PDF file and "-dLastPage=1" (LP: #1806517, upstream bug #700315).

 -- Till Kamppeter <email address hidden> Wed, 5 Dec 2018 16:47:06 +0100

Changed in ghostscript (Ubuntu Disco):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ghostscript - 9.26~dfsg+0-0ubuntu0.18.10.3

---------------
ghostscript (9.26~dfsg+0-0ubuntu0.18.10.3) cosmic-security; urgency=medium

  * SECURITY REGRESSION: multiple regressions (LP: #1806517)
    - debian/patches/020181126-96c381c*.patch: fix duplex issue.
    - debian/patches/020181205-fae21f16*.patch: fix -dFirstPage and
      -dLastPage issue.

 -- Marc Deslauriers <email address hidden> Thu, 06 Dec 2018 07:14:48 -0500

Changed in ghostscript (Ubuntu Cosmic):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ghostscript - 9.26~dfsg+0-0ubuntu0.16.04.3

---------------
ghostscript (9.26~dfsg+0-0ubuntu0.16.04.3) xenial-security; urgency=medium

  * SECURITY REGRESSION: multiple regressions (LP: #1806517)
    - debian/patches/020181126-96c381c*.patch: fix duplex issue.
    - debian/patches/020181205-fae21f16*.patch: fix -dFirstPage and
      -dLastPage issue.

 -- Marc Deslauriers <email address hidden> Thu, 06 Dec 2018 07:17:51 -0500

Changed in ghostscript (Ubuntu Xenial):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ghostscript - 9.26~dfsg+0-0ubuntu0.18.04.3

---------------
ghostscript (9.26~dfsg+0-0ubuntu0.18.04.3) bionic-security; urgency=medium

  * SECURITY REGRESSION: multiple regressions (LP: #1806517)
    - debian/patches/020181126-96c381c*.patch: fix duplex issue.
    - debian/patches/020181205-fae21f16*.patch: fix -dFirstPage and
      -dLastPage issue.

 -- Marc Deslauriers <email address hidden> Thu, 06 Dec 2018 07:17:16 -0500

Changed in ghostscript (Ubuntu Bionic):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ghostscript - 9.26~dfsg+0-0ubuntu0.14.04.3

---------------
ghostscript (9.26~dfsg+0-0ubuntu0.14.04.3) trusty-security; urgency=medium

  * SECURITY REGRESSION: multiple regressions (LP: #1806517)
    - debian/patches/020181126-96c381c*.patch: fix duplex issue.
    - debian/patches/020181205-fae21f16*.patch: fix -dFirstPage and
      -dLastPage issue.

 -- Marc Deslauriers <email address hidden> Thu, 06 Dec 2018 07:18:19 -0500

Changed in ghostscript (Ubuntu Trusty):
status: Confirmed → Fix Released

*** Bug 700350 has been marked as a duplicate of this bug. ***

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.