Bug 748083 - libfreetype6 causes ps2pdf to fail
libfreetype6 causes ps2pdf to fail
Classification: openSUSE
Product: openSUSE 12.1
Classification: openSUSE
Component: Other
x86-64 openSUSE 12.1
: P5 - None : Major (vote)
: ---
Assigned To: Fridrich Strba
E-mail List
Depends on:
  Show dependency treegraph
Reported: 2012-02-21 15:49 UTC by Volker Barth
Modified: 2017-08-12 03:48 UTC (History)
7 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

tarball, containing test.tex and test.eps (40.00 KB, application/x-tar)
2012-02-21 15:49 UTC, Volker Barth
Tarball of compiled .tex document (includes .dvi, .ps and .pdf) (130.00 KB, application/x-tar)
2012-04-16 11:58 UTC, Volker Barth
my version of test.pdf (3.54 KB, application/unknown)
2012-04-17 22:33 UTC, Werner Lemberg

Note You need to log in before you can comment on or make changes to this bug.
Description Volker Barth 2012-02-21 15:49:06 UTC
Created attachment 477093 [details]
tarball, containing test.tex and test.eps

User-Agent:       Mozilla/5.0 (X11; Linux x86_64; rv:10.0.1) Gecko/20100101 Firefox/10.0.1

When compiling and converting the attached file "test.tex", using

latex test.tex ; dvips test.dvi ; ps2pdf test.ps

the last step "ps2pdf test.ps" fails (.dvi and .ps seem already to be corrupted) with the following error message:


GPL Ghostscript  9.00: Error: Font Renderer Plugin ( FreeType ) return code = -1
Error: /unknownerror in --.FAPIBuildChar--
Operand stack:
   --nostringval--   --dict:18/20(ro)(L)--   97
Execution stack:
   %interp_exit   .runexec2   --nostringval--   --nostringval--   --nostringval--   2   %stopped_push   --nostringval--   --nostringval--   --nostringval--   false   1   %stopped_push   1910   1   3   %oparray_pop   1909   1   3   %oparray_pop   1893   1   3   %oparray_pop   1787   1   3   %oparray_pop   --nostringval--   %errorexec_pop   .runexec2   --nostringval--   --nostringval--   --nostringval--   2   %stopped_push   --nostringval--   --nostringval--   --nostringval--   --nostringval--   --nostringval--   %finish_stringwidth   --nostringval--   --nostringval--   16   8   1   --nostringval--   (gs_show_enum)   %op_show_continue
Dictionary stack:
   --dict:1174/3371(ro)(G)--   --dict:1/20(G)--   --dict:81/200(L)--   --dict:5/6(ro)(L)--   --dict:107/300(L)--   --dict:49/200(L)--   --dict:243/300(L)--   --dict:51/90(L)--
Current allocation mode is local
Current file position is 82161
GPL Ghostscript  9.00: Unrecoverable error, exit code 1


This happens for libfreetype6 in versions 2.4.7-1.2 and 2.4.7-3.1.

openSUSE 11.4 suffers now from the same (?) bug. libfreetype6 in versions 2.4.4-6.1 and 2.4.4-7.8.1 compile and convert the document without error. 
libfreetype6 in version 2.4.4-7.10.1 fails with the identical error as above.

Reproducible: Always
Comment 1 Kun Kun Zhang 2012-03-15 03:19:11 UTC
Hi,could you please look at this?I am not sure whether it is right to assign it to you.Feel free to reassign it whenever necessary.Thank you.
Comment 2 Dirk Mueller 2012-03-30 15:34:21 UTC
In essence, you're saying this changeset caused the issue: 

* Fr Dez 16 2011 meissner@suse.de
(from evergreen)
- bnc730124_CVE-2011-3256.patch:
  FreeType 2 before 2.4.7 allows remote attackers to execute arbitrary
  code or cause a denial of service (memory corruption) via a crafted
  font. (CVE-2011-3256, bnc#730124)
- bnc730124_CVE-2011-3439.patch:
  FreeType allows remote attackers to execute arbitrary code or cause a
  denial of service (memory corruption) via a crafted font.
  (CVE-2011-3439, bnc#730124)
Comment 3 Volker Barth 2012-04-02 07:25:43 UTC
Yes, it is sufficient to revert to an old enough version of libfreetype6 on a 11.4 system to compile the .tex file; no other changes of the system needed.
Comment 4 Marcus Meissner 2012-04-02 08:40:30 UTC
With libfreetype6-2.4.7-3.1  this works for me without error (openSUSE 12.1 x86_64)

wondering if there might be fonts i have not installed :/
Comment 5 Volker Barth 2012-04-02 09:05:28 UTC
Same setting here (12.1, x86_64, 2.4.7-3.1), still not working. I have the following font packages installed:

> rpm -qa | grep font | sort

> rpm -qa | grep fnt | sort
Comment 6 Marcus Meissner 2012-04-02 09:17:10 UTC
installation of fetchmsttfonts was sufficient, so its from the ms core fonts.
Comment 7 Marcus Meissner 2012-04-03 15:01:47 UTC
so 12.1 GA libfreetype6 2.4.7-1.2 is also crashing, so 12.1 was buggy from the start.

trigger font seems to be arial.ttf
Comment 8 Marcus Meissner 2012-04-03 17:06:28 UTC

bnc730124_CVE-2011-3256.patch  is the culprit, it has this patch hunk:
Index: freetype-2.4.4/src/raster/ftrend1.c
--- freetype-2.4.4.orig/src/raster/ftrend1.c
+++ freetype-2.4.4/src/raster/ftrend1.c
@@ -168,6 +168,13 @@
     width  = (FT_UInt)( ( cbox.xMax - cbox.xMin ) >> 6 );
     height = (FT_UInt)( ( cbox.yMax - cbox.yMin ) >> 6 );
+    if ( width > FT_USHORT_MAX || height > FT_USHORT_MAX )
+    {
+      error = Raster_Err_Invalid_Argument;
+      goto Exit;
+    }
     bitmap = &slot->bitmap;
     memory = render->root.memory;

The process the reproducer goes through triggers this case.

It has cbox.xMin -9699328 cbox.xMax -137887744  which turns
width to 2002944 which is larger than FT_USHORT_MAX and so triggers
the error exit.

Not sure if these large values are sensible, but I thimk they might
Comment 9 Marcus Meissner 2012-04-04 12:42:28 UTC
as this is also in 2.4.9 ... Werner, could you take a look here?

should be easily reproducible.
Comment 10 Werner Lemberg 2012-04-04 19:37:51 UTC
Well, processing the input file with

  pdfTeX 3.1415926-2.3-1.40.12 (from SVN TeXLive)
  dvips(k) 5.991 (ditto)
  ps2pdf from GhostScript 9.05 (using a self-compiled FreeType 2.4.9)

the output PDF is fine, and I don't get an error at all...

So I can't reproduce it, sorry.
Comment 11 Volker Barth 2012-04-16 10:52:19 UTC
openSUSE 12.1 packages:

> rpm -q --info texlive-bin-latex
Name        : texlive-bin-latex
Version     : 2011
Release     : 1.1.2
Architecture: x86_64

> dvips --version
This is dvips(k) 5.991 Copyright 2011 Radical Eye Software
kpathsea version 6.0.1
Copyright 2011 Radical Eye Software.
There is NO warranty.  You may redistribute this software
under the terms of the GNU General Public License
and the Dvips copyright.
For more information about these matters, see the files
named COPYING and dvips.h.
Primary author of Dvips: T. Rokicki.

> rpm -q --info ghostscript-library
Name        : ghostscript-library
Version     : 9.00
Release     : 13.1.3
Architecture: x86_64

> rpm -q --info libfreetype6
Name        : libfreetype6
Version     : 2.4.7
Release     : 6.1
Architecture: x86_64

libfreetype6 is a newer release (due to regular patch from 04/12/2012), but ps2pdf still does not work. Are those the information you needed?
Comment 12 Werner Lemberg 2012-04-16 11:38:38 UTC
Sorry, no.  Since everything works just fine with my self-compiled version of FreeType, I can't debug it easily on my side.  I suspect it is a 64bit issue, and I don't have access to such a machine.

The test in question (within FreeType) is correct, I think.

Maybe you can send me the corrupted intermediate files from TeX (compiled on your platform) for further investigation, this is, the DVI and PS files?
Comment 13 Marcus Meissner 2012-04-16 11:44:29 UTC
Werner, do you have the Microsoft Corefonts installed too? especiall arial*.ttf ? 
so freetype2 can check and use them for replacement?
Comment 14 Volker Barth 2012-04-16 11:58:43 UTC
Created attachment 486240 [details]
Tarball of compiled .tex document (includes .dvi, .ps and .pdf)

Here you go.
Comment 15 Werner Lemberg 2012-04-17 22:33:33 UTC
Created attachment 486547 [details]
my version of test.pdf
Comment 16 Werner Lemberg 2012-04-17 22:38:21 UTC
I get exactly the same DVI and PS files; the created PDF file is attached.

I've tested with both version 2.82 and 5.10 of arial.ttf.  Everything's fine.

So maybe you should upgrade to GS 9.05.
Comment 17 Volker Barth 2012-04-18 08:54:17 UTC
Installing http://download.opensuse.org/repositories/Printing:/ghostscript/openSUSE_12.1/x86_64/ghostscript-library-9.04-67.1.x86_64.rpm solves the problem for me (I did not find any 9.05 package). Thanks.
Comment 18 Johannes Meixner 2012-04-19 12:11:46 UTC
Only FYI:

Regarding the Ghostscript error
"Font Renderer Plugin ( FreeType ) return code = -1"
see bnc#753249

See also

Regarding Ghostscript 9.05 packages for testing
see bnc#735824 in particular
Comment 19 Urs Beyerle 2012-06-04 14:06:05 UTC
The problem seems to be fixed with Ghostscript 9.04 or 9.05. 

However in standard openSUSE 12.1 Ghostscript 9.00 is the default. Any chance to get a fix for Ghostscript 9.00 or to update to 9.04 or 9.05.
Comment 20 Urs Beyerle 2012-06-04 14:22:43 UTC
Small correction: 
In my case it's only fixed with Ghostscript 9.05 from openSUSE:Factory.
Comment 21 Werner Lemberg 2012-06-06 13:44:37 UTC
I'll do a new release of FreeType soon, then this problem should be fixed also with older GS versions, I believe.
Comment 22 Urs Beyerle 2012-06-06 15:03:47 UTC
Good to hear. Do you have already a package for testing?
Comment 23 Werner Lemberg 2012-06-15 05:40:01 UTC
FreeType 2.4.10 has been released.
Comment 24 Dominik Haumann 2012-08-15 14:45:24 UTC
In openSUSE 12.1, the following packages are available:
- libfreetype6 v2.4.7
- ghostscript-library v9.00

which means neither libfreetype6 v2.4.10 nor ghostscript-library v9.05 is available.

In other words, this bug is present since 4 months, a fix is known, but not backported to openSUSE 12.1. Guys, this is a serious issue, especially since the bug status is RESOLVED and WORKSFORME.

After investing > 10 hours (me and a colleague), we found the solution in comment #17 in this report. This is not really acceptable... I don't want to be rude, but this is a serious quality problem. We'd very much appreciate a true fix through the update system.

Can you *please* backport this top openSUSE 12.1? Thanks a lot! :)
Comment 25 Werner Lemberg 2012-08-26 19:31:46 UTC
This is no longer `my' bug :-)
Comment 26 Marcus Meissner 2012-08-30 16:08:45 UTC
Werner, you did commit some fixes to freetype2 2.4.10 for this, but
neither backporting nor upgrading to 2.4.10 fixed this issue.

Does it really also need a ghostscript 9.00->9.05 update?
Comment 27 Werner Lemberg 2012-08-30 19:26:34 UTC
I think so, yes, but I don't have time to test this.
Comment 28 Karl Cheng 2017-08-12 03:48:06 UTC
openSUSE 12.1 is long past EOL and later releases included updated packages with fixes to these issues.