Bug 114056

Summary: "double free or corruption" for "bmpa*" Ghostscript devices
Product: [openSUSE] SUSE LINUX 10.0 Reporter: Johannes Meixner <jsmeix>
Component: PrintingAssignee: Dr. Werner Fink <werner>
Status: RESOLVED FIXED QA Contact: Johannes Meixner <jsmeix>
Severity: Normal    
Priority: P5 - None CC: jsmeix
Version: Beta 3   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Found By: Development Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: environment of jsmeix@nelson (i.e. output of "set")
environment of root@nelson (i.e. output of "set")

Description Johannes Meixner 2005-08-30 09:03:08 UTC 
On i386 and x86_64 I get "double free or corruption" errors
and no output for "bmpa*" Ghostscript devices.

The other "bmp*" devices (bmp16, bmp16m, bmp256, bmp32b,
bmpgray, bmpmono, bmpsep1, bmpsep8) work well.
Perhaps we can ignore this problem for 10.0?

I have the newest ghostscript packages (where bug #112659 is fixed)
installed on nelson.suse.de (i386) and caps.suse.de (x86_64).

I tested all ghostscript devices (except cups, ijs, omni, stp)
with the following command which uses the same fd-redirection
as the print filter foomatic-rip does:
--------------------------------------------------------------------
for d in $( gs -h \
            | grep '^   [a-t]' \
            | tr -d '\n' \
            | tr -s ' ' '\n' \
            | egrep -v 'cups|ijs|omni|stp' )
do echo -e "\n$d"
   cat /usr/share/doc/packages/ghostscript/examples/colorcir.ps \
   | gs -dBATCH -dSAFER -dQUIET -dNOPAUSE -sDEVICE=$d \
        -sOutputFile='| cat >&3' /dev/fd/0 3>&1 1>&2 \
   | cat - >/tmp/$d.prn
   ls -l /tmp/$d.prn
done
--------------------------------------------------------------------

In the output on x86_64 there is:
--------------------------------------------------------------------
bmpa16
ESP Ghostscript 8.15.0: ./src/gsmalloc.c(337): gs_copydevice(stype):
 free 0xfc6f20 not found!
*** glibc detected *** double free or corruption (!prev): 0x0000000000fc6ef0 ***
-rw-r--r--  1 root root 0 2005-08-30 10:44 /tmp/bmpa16.prn

bmpa16m
ESP Ghostscript 8.15.0: ./src/gsmalloc.c(337): gs_copydevice(stype):
 free 0xfc6f20 not found!
*** glibc detected *** double free or corruption (!prev): 0x0000000000fc6ef0 ***
-rw-r--r--  1 root root 0 2005-08-30 10:44 /tmp/bmpa16m.prn

bmpa256
ESP Ghostscript 8.15.0: ./src/gsmalloc.c(337): gs_copydevice(stype):
 free 0xfc6f20 not found!
*** glibc detected *** double free or corruption (!prev): 0x0000000000fc6ef0 ***
-rw-r--r--  1 root root 0 2005-08-30 10:44 /tmp/bmpa256.prn

bmpa32b
ESP Ghostscript 8.15.0: ./src/gsmalloc.c(337): gs_copydevice(stype):
 free 0xfc6f20 not found!
*** glibc detected *** double free or corruption (!prev): 0x0000000000fc6ef0 ***
-rw-r--r--  1 root root 0 2005-08-30 10:44 /tmp/bmpa32b.prn

bmpamono
ESP Ghostscript 8.15.0: ./src/gsmalloc.c(337): gs_copydevice(stype):
 free 0xfc6f20 not found!
*** glibc detected *** double free or corruption (!prev): 0x0000000000fc6ef0 ***
-rw-r--r--  1 root root 0 2005-08-30 10:44 /tmp/bmpamono.prn

bmpasep1
ESP Ghostscript 8.15.0: ./src/gsmalloc.c(337): gs_copydevice(stype):
 free 0xfc6f20 not found!
*** glibc detected *** double free or corruption (!prev): 0x0000000000fc6ef0 ***
-rw-r--r--  1 root root 0 2005-08-30 10:44 /tmp/bmpasep1.prn

bmpasep8
ESP Ghostscript 8.15.0: ./src/gsmalloc.c(337): gs_copydevice(stype):
 free 0xfc6f20 not found!
*** glibc detected *** double free or corruption (!prev): 0x0000000000fc6ef0 ***
-rw-r--r--  1 root root 0 2005-08-30 10:44 /tmp/bmpasep8.prn
--------------------------------------------------------------------

In the output on i386 there is almost the same:
---------------------------------------------------------------------
bmpa16
ESP Ghostscript 8.15.0: ./src/gsmalloc.c(337): gs_copydevice(stype):
 free 0x89e67b8 not found!
*** glibc detected *** double free or corruption (fasttop): 0x089e67a0 ***
-rw-r--r--  1 root root 0 Aug 30 10:44 /tmp/bmpa16.prn

bmpa16m
ESP Ghostscript 8.15.0: ./src/gsmalloc.c(337): gs_copydevice(stype):
 free 0x89e67b8 not found!
*** glibc detected *** double free or corruption (fasttop): 0x089e67a0 ***
-rw-r--r--  1 root root 0 Aug 30 10:44 /tmp/bmpa16m.prn

bmpa256
ESP Ghostscript 8.15.0: ./src/gsmalloc.c(337): gs_copydevice(stype):
 free 0x89e67b8 not found!
*** glibc detected *** double free or corruption (fasttop): 0x089e67a0 ***
-rw-r--r--  1 root root 0 Aug 30 10:44 /tmp/bmpa256.prn

bmpa32b
ESP Ghostscript 8.15.0: ./src/gsmalloc.c(337): gs_copydevice(stype):
 free 0x89e67b8 not found!
*** glibc detected *** double free or corruption (fasttop): 0x089e67a0 ***
-rw-r--r--  1 root root 0 Aug 30 10:44 /tmp/bmpa32b.prn

bmpamono
ESP Ghostscript 8.15.0: ./src/gsmalloc.c(337): gs_copydevice(stype):
 free 0x89e67b8 not found!
*** glibc detected *** double free or corruption (fasttop): 0x089e67a0 ***
-rw-r--r--  1 root root 0 Aug 30 10:44 /tmp/bmpamono.prn

bmpasep1
ESP Ghostscript 8.15.0: ./src/gsmalloc.c(337): gs_copydevice(stype):
 free 0x89e67b8 not found!
*** glibc detected *** double free or corruption (fasttop): 0x089e67a0 ***
-rw-r--r--  1 root root 0 Aug 30 10:44 /tmp/bmpasep1.prn

bmpasep8
ESP Ghostscript 8.15.0: ./src/gsmalloc.c(337): gs_copydevice(stype):
 free 0x89e67b8 not found!
*** glibc detected *** double free or corruption (fasttop): 0x089e67a0 ***
-rw-r--r--  1 root root 0 Aug 30 10:44 /tmp/bmpasep8.prn
---------------------------------------------------------------------
Comment 1 Dr. Werner Fink 2005-08-30 09:26:44 UTC 
Ahmm ... why I get this so late????
Hopefully you know that ghostscript triggers many
packages for rebuild and Rudi may reject a new
version.
Comment 5 Dr. Werner Fink 2005-08-30 11:26:27 UTC 
I can not reproduce this:

g31:espgs-8.15rc1 # cat /usr/share/doc/packages/ghostscript/examples/colorcir.ps|\
  gs -dBATCH -dSAFER -dQUIET -dNOPAUSE -sDEVICE=bmp16 -sOutputFile='| cat >&3' \
  /dev/fd/0 3>&1 1>&2 | file -      
/dev/stdin: PC bitmap data, Windows 3.x format, 595 x 842 x 4
Comment 6 Johannes Meixner 2005-08-30 13:27:50 UTC 
Answering comment 3 from bug 114068 here:

It happens both for jsmeix@nelson and for root@nelson
after I switched from jsmeix to root using "su -".

jsmeix@nelson:~> locale 
LANG=en_GB.iso885915
LC_CTYPE="en_GB.iso885915"
LC_NUMERIC="en_GB.iso885915"
LC_TIME="en_GB.iso885915"
LC_COLLATE="en_GB.iso885915"
LC_MONETARY="en_GB.iso885915"
LC_MESSAGES="en_GB.iso885915"
LC_PAPER="en_GB.iso885915"
LC_NAME="en_GB.iso885915"
LC_ADDRESS="en_GB.iso885915"
LC_TELEPHONE="en_GB.iso885915"
LC_MEASUREMENT="en_GB.iso885915"
LC_IDENTIFICATION="en_GB.iso885915"
LC_ALL=en_GB.iso885915

nelson:~ # locale
LANG=POSIX
LC_CTYPE=en_GB.UTF-8
LC_NUMERIC="POSIX"
LC_TIME="POSIX"
LC_COLLATE="POSIX"
LC_MONETARY="POSIX"
LC_MESSAGES="POSIX"
LC_PAPER="POSIX"
LC_NAME="POSIX"
LC_ADDRESS="POSIX"
LC_TELEPHONE="POSIX"
LC_MEASUREMENT="POSIX"
LC_IDENTIFICATION="POSIX"
LC_ALL=
Comment 7 Johannes Meixner 2005-08-30 13:29:13 UTC 
Created attachment 48166 [details]
environment of jsmeix@nelson (i.e. output of "set")
Comment 8 Johannes Meixner 2005-08-30 13:30:08 UTC 
Created attachment 48167 [details]
environment of root@nelson (i.e. output of "set")
Comment 9 Dr. Werner Fink 2005-08-30 13:36:53 UTC 
the locale en_GB.iso885915 does not exist, please use

          en_GB.ISO-8859-15
Comment 10 Dr. Werner Fink 2005-08-30 13:53:47 UTC 
~$ hostname 
nelson
~$ cat /usr/share/doc/packages/ghostscript/examples/colorcir.ps | \
   gs -dBATCH -dSAFER -dQUIET -dNOPAUSE -sDEVICE=bmp16 -sOutputFile='| cat >&3' \
   /dev/fd/0 3>&1 1>&2 | file -
/dev/stdin: PC bitmap data, Windows 3.x format, 595 x 842 x 4

???
Comment 11 Dr. Werner Fink 2005-08-30 13:55:56 UTC 
/suse/werner> su
Password: 
nelson:/suse/werner # cat
/usr/share/doc/packages/ghostscript/examples/colorcir.ps | \
  gs -dBATCH -dSAFER -dQUIET -dNOPAUSE -sDEVICE=bmp16 -sOutputFile='| cat >&3' \ 
  /dev/fd/0 3>&1 1>&2 | file -
/dev/stdin: PC bitmap data, Windows 3.x format, 595 x 842 x 4
nelson:/suse/werner #
Comment 12 Dr. Werner Fink 2005-08-30 13:57:11 UTC 
What does your script do?
Comment 13 Johannes Meixner 2005-08-30 14:10:07 UTC 
Werner, you must use the bmpa* devices not the bmp* devices,
for example bmpa16 not bmp16, see the initial comment.

Regarding comment #9:

jsmeix@nelson:~> locale -a | grep en_GB
en_GB
en_GB.iso885915
en_GB.utf8

For me it looks as if en_GB.iso885915 exists but not en_GB.ISO-8859-15.

Anyway:
Using 100% POSIX fails as well:
----------------------------------------------------------------------------
jsmeix@nelson:~> export LC_ALL=POSIX
jsmeix@nelson:~> export LANG=POSIX
jsmeix@nelson:~> locale
LANG=POSIX
LC_CTYPE="POSIX"
LC_NUMERIC="POSIX"
LC_TIME="POSIX"
LC_COLLATE="POSIX"
LC_MONETARY="POSIX"
LC_MESSAGES="POSIX"
LC_PAPER="POSIX"
LC_NAME="POSIX"
LC_ADDRESS="POSIX"
LC_TELEPHONE="POSIX"
LC_MEASUREMENT="POSIX"
LC_IDENTIFICATION="POSIX"
LC_ALL=POSIX
jsmeix@nelson:~> cat /usr/share/doc/packages/ghostscript/examples/colorcir.ps |
gs -dBATCH -dSAFER -dQUIET -dNOPAUSE -sDEVICE=bmpa16 -sOutputFile='| cat >&3'
/dev/fd/0 3>&1 1>&2 | file -
ESP Ghostscript 8.15.0: ./src/gsmalloc.c(337): gs_copydevice(stype): free
0x89e6800 not found!
*** glibc detected *** double free or corruption (fasttop): 0x089e67e8 ***
/dev/stdin: writable, no read permission
----------------------------------------------------------------------------
Comment 14 Dr. Werner Fink 2005-08-31 12:26:25 UTC 
Fixed double corruption
and removed useless example driver bmpa*