evince crashed with SIGSEGV in OptionalContentGroup::getRef()

Bug #633574 reported by Daniel J Blueman
This bug affects 4 people
Affects | Status | Importance | Assigned to | Milestone
Poppler | Fix Released | Medium | |
poppler (Ubuntu) | Fix Released | Medium | Unassigned |
Maverick | Fix Released | Low | Unassigned |

Bug Description

Binary package hint: evince

Reproduces when scrolling down to page 4 of http://www.ctan.org/tex-archive/macros/latex/contrib/microtype/microtype.pdf on at least x86-64 architecture.

ProblemType: Crash
DistroRelease: Ubuntu 10.10
Package: evince 2.31.90-0ubuntu2
ProcVersionSignature: Error: [Errno 2] No such file or directory: '/proc/version_signature'
Uname: Linux 2.6.36-020636rc3-generic x86_64
Architecture: amd64
Date: Wed Sep 8 22:31:37 2010
ExecutablePath: /usr/bin/evince
InstallationMedia: Ubuntu 10.10 "Maverick Meerkat" - Alpha amd64 (20100831)
ProcCmdline: BOOT_IMAGE=/boot/vmlinuz-2.6.36-020636rc3-generic root=UUID=5736708e-947e-455f-8423-4117c46aca01 ro quiet splash
ProcEnviron:
 PATH=(custom, user)
 LANG=en_GB.UTF-8
 SHELL=/bin/bash
SegvAnalysis:
 Segfault happened at: 0x7f4c03acaa80 <_ZNK20OptionalContentGroup6getRefEv>: mov 0x10(%rdi),%rax
 PC (0x7f4c03acaa80) ok
 source "0x10(%rdi)" (0x00000010) not located in a known VMA region (needed readable region)!
 destination "%rax" ok
 Stack memory exhausted (SP below stack segment)
SegvReason: reading NULL VMA
Signal: 11
SourcePackage: evince
StacktraceTop:
 OptionalContentGroup::getRef() const () from /usr/lib/libpoppler.so.7
 ?? () from /usr/lib/libpoppler-glib.so.5
 _poppler_action_new(_PopplerDocument*, LinkAction*, char const*) () from /usr/lib/libpoppler-glib.so.5
 poppler_page_get_link_mapping () from /usr/lib/libpoppler-glib.so.5
 ?? () from /usr/lib/evince/3/backends/libpdfdocument.so
Title: evince crashed with SIGSEGV in OptionalContentGroup::getRef()
UserGroups: adm admin audio cdrom dialout dip floppy kvm lpadmin plugdev video
XsessionErrors: (polkit-gnome-authentication-agent-1:1835): GLib-CRITICAL **: g_once_init_leave: assertion `initialization_value != 0' failed

Daniel J Blueman (danielblueman) wrote :
visibility: private → public
In , Pedro Villavicencio (pedro) wrote :

This report has been filed here:

https://bugs.edge.launchpad.net/ubuntu/+source/poppler/+bug/633574

"Reproduces when scrolling down to page 4 of http://www.ctan.org/tex-archive/macros/latex/contrib/microtype/microtype.pdf on at least x86-64 architecture."

"Hilo 5 (Thread 0xb2f12b70 (LWP 22406)):
#0 OptionalContentGroup::getRef (this=0x0) at OptionalContent.cc:314
No locales.
#1 0x051c58ca in get_layer_for_ref (document=<value optimized out>,
    layers=<value optimized out>, ref=0xb245abe0, preserve_rb=1)
    at poppler-action.cc:533
        layer = <value optimized out>
        ocgRef = <value optimized out>
        l = 0x225017b0
#2 0x051c61b7 in build_ocg_state (document=0x22678320, link=0xb2395830,
    title=0x0) at poppler-action.cc:586
        layer = <value optimized out>
        list = 0xb23e3e78
        preserve_rb = 1
        i = 0
        layer_state = 0x0
        st_list = 0xb24c33e8
        j = 1
#3 _poppler_action_new (document=0x22678320, link=0xb2395830, title=0x0)
    at poppler-action.cc:645
No locales.
#4 0x051ccf1f in poppler_page_get_link_mapping (page=0x226e7ee0)
    at poppler-page.cc:1261
        link_action = <value optimized out>
        link = 0xb239b160
        i = 0
        obj = {type = objNone, {booln = -1303332392, intg = -1303332392,
            uintg = 2991634904, real = 1.4780640309659756e-314,
            string = 0xb250b9d8, name = 0xb250b9d8 "Ȗn\"\360\271P\262\b",
            array = 0xb250b9d8, dict = 0xb250b9d8, stream = 0xb250b9d8, ref = {
              num = -1303332392, gen = 0},
            cmd = 0xb250b9d8 "Ȗn\"\360\271P\262\b"}}
        __PRETTY_FUNCTION__ = "GList* poppler_page_get_link_mapping(PopplerPage*)"
        map_list = <value optimized out>
        width = 595.27600000000007
        height = 841.88999999999999
#5 0x00c68e7c in pdf_document_links_get_links (document_links=0x224e3ec8,
    page=0xb23a0e00)
    at /build/buildd/evince-2.31.90/./backend/pdf/ev-poppler.cc:1268
        pdf_document = 0x224e3ec8
        retval = 0x226ec2e8
        list = <value optimized out>
        mapping_list = 0x0
        height = <value optimized out>
#6 0x00df467a in ev_document_links_get_links (document_links=0x224e3ec8,
    page=0xb23a0e00)
    at /build/buildd/evince-2.31.90/./libdocument/ev-document-links.c:63
No locales.
#7 0x00599363 in ev_job_page_data_run (job=0x224a05a8)
    at /build/buildd/evince-2.31.90/./libview/ev-jobs.c:692
        job_pd = 0x224a05a8
        ev_page = 0xb23a0e00
#8 0x00596361 in ev_job_run (job=0x224a05a8)
    at /build/buildd/evince-2.31.90/./libview/ev-jobs.c:214
No locales.
#9 0x0059a358 in ev_job_thread (data=0x0)
    at /build/buildd/evince-2.31.90/./libview/ev-job-scheduler.c:183
        result = <value optimized out>
#10 ev_job_thread_proxy (data=0x0)
    at /build/buildd/evince-2.31.90/./libview/ev-job-scheduler.c:213
        job = 0x2273af28
#11 0x00642eef in g_thread_create_proxy (data=0x2265f3d8)
    at /build/buildd/glib2.0-2.25.15/glib/gthread.c:1897
        __PRETTY_FUNCTION__ = "g_thread_create_proxy"
#12 0x006d3cc9 in start_thread (arg=0xb2f12b70) at pthread_create.c:304
        __res = <value optimized out>
        __ignore1 = <value o...

In , Dsheil (dsheil) wrote :

I reproduced this bug with the poppler-glib-demo included with poppler with the same PDF file.

What I do to reproduce the crash is run the poppler-glib-demo included with poppler in poppler/glib/demo, go to Links, go to page 4, click "Get Links" and get a segmentation fault with the same backtrace. This is with poppler-0.14.2, which is 4 commits back.

Here is the backtrace, which is like the other one attached:

poppler-0.14.2.real/glib/demo/.libs/poppler-glib-demo ../../../microtype.pdf
[Thread debugging using libthread_db enabled]
Document successfully loaded in 0.0066 seconds

Program received signal SIGSEGV, Segmentation fault.
OptionalContentGroup::getRef (this=0x0) at OptionalContent.cc:314
314 OptionalContent.cc: No such file or directory.
        in OptionalContent.cc
(gdb) backtrace full
#0 OptionalContentGroup::getRef (this=0x0) at OptionalContent.cc:314
No locals.
#1 0x00007ffff7bb9f20 in get_layer_for_ref (document=0x6a31c0, layers=0x84a840, ref=0x8a8ef0, preserve_rb=1) at poppler-action.cc:533
        layer = 0x847080
        ocgRef = {num = 9337824, gen = 0}
        l = 0x84a840
#2 0x00007ffff7bba77e in build_ocg_state (document=0x6a31c0, link=<value optimized out>, title=<value optimized out>) at poppler-action.cc:586
        layer = <value optimized out>
        list = 0x8a8f10
        preserve_rb = 1
        i = 0
        layer_state = 0x0
        st_list = 0x8a8ed0
        j = 1
#3 _poppler_action_new (document=0x6a31c0, link=<value optimized out>, title=<value optimized out>) at poppler-action.cc:645
No locals.
#4 0x00007ffff7bc0ab3 in poppler_page_get_link_mapping (page=0x8d2b80) at poppler-page.cc:1261
        link_action = <value optimized out>
        link = 0x75ccc0
        i = 0
        obj = {type = objNone, {booln = 7119280, intg = 7119280, uintg = 7119280, real = 3.5173916711246697e-317, string = 0x6ca1b0, name = 0x6ca1b0 "\340>l", array = 0x6ca1b0,
            dict = 0x6ca1b0, stream = 0x6ca1b0, ref = {num = 7119280, gen = 0}, cmd = 0x6ca1b0 "\340>l"}}
        __PRETTY_FUNCTION__ = "GList* poppler_page_get_link_mapping(PopplerPage*)"
        map_list = <value optimized out>
        width = 595.27600000000007
        height = 841.88999999999999
#5 0x000000000040fc73 in pgd_links_get_links (button=<value optimized out>, demo=0x81f6c0) at links.c:80
        page = 0x8d2b80
        mapping = 0x8db2c0
        l = <value optimized out>
        timer = 0x8e7ac0
#6 0x00007ffff56e7afe in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0
No symbol table info available.
[...]
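
Added example (not part of the original report, and not apport's own code): a small Python triage helper that reads the SegvAnalysis text from the bug description and frame #0 of the backtraces above, and recovers the base register value from the faulting operand. On x86-64 `%rdi` carries the `this` pointer, so the result shows a read at offset 0x10 from a null object. The name `triage` and the 4 KiB page size are assumptions.

```python
import re

# Lines copied from the SegvAnalysis field and frame #0 of the backtrace on this page.
SEGV_ANALYSIS = """\
Segfault happened at: 0x7f4c03acaa80 <_ZNK20OptionalContentGroup6getRefEv>: mov 0x10(%rdi),%rax
PC (0x7f4c03acaa80) ok
source "0x10(%rdi)" (0x00000010) not located in a known VMA region (needed readable region)!
destination "%rax" ok
"""
FRAME0 = "#0 OptionalContentGroup::getRef (this=0x0) at OptionalContent.cc:314"

PAGE_SIZE = 4096  # assumption: 4 KiB pages, the x86 default

def triage(analysis, frame0=""):
    """Summarise an apport SegvAnalysis block as a dict of triage facts."""
    out = {"symbol": None, "insn": None, "access": None, "operand": None,
           "fault_addr": None, "base_reg": None, "base_value": None,
           "null_page": False, "null_this": False}
    m = re.search(r"Segfault happened at: (0x[0-9a-f]+) <([^>]+)>:\s*(.+)", analysis)
    if m:
        out["symbol"], out["insn"] = m.group(2), m.group(3).strip()
    # apport flags the bad operand with "not located in a known VMA region".
    m = re.search(r'^\s*(source|destination) "([^"]+)" \((0x[0-9a-f]+)\) not located '
                  r'in a known VMA region \(needed (\w+) region\)', analysis, re.M)
    if m:
        out["access"] = "read" if m.group(4) == "readable" else "write"
        out["operand"] = m.group(2)
        out["fault_addr"] = int(m.group(3), 16)
        out["null_page"] = out["fault_addr"] < PAGE_SIZE
        # AT&T operand disp(%reg): effective address = reg + disp
        d = re.fullmatch(r"(-?0x[0-9a-f]+|-?\d+)?\(%(\w+)\)", m.group(2))
        if d:
            disp = int(d.group(1), 0) if d.group(1) else 0
            out["base_reg"] = d.group(2)
            out["base_value"] = out["fault_addr"] - disp
    out["null_this"] = bool(re.search(r"\(this=0x0[,)]", frame0))
    return out

if __name__ == "__main__":
    for key, value in triage(SEGV_ANALYSIS, FRAME0).items():
        print(f"{key}: {value}")
```
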

Pedro Villavicencio (pedro) wrote :

I can reproduce it as well, confirmed, but it's a poppler crash, reassigning.

affects: evince (Ubuntu) → poppler (Ubuntu)
Pedro Villavicencio (pedro) wrote :

Thank you for your bug report. This bug has been reported to the developers of the software. You can track it and make comments at:
 https://bugs.freedesktop.org/show_bug.cgi?id=30106

Changed in poppler (Ubuntu):
importance: Undecided → Medium
status: New → Triaged
tags: removed: need-amd64-retrace
In , Carlos Garcia Campos (carlosgc) wrote :

There were actually two problems with the layers in this document. Layers tree was not correctly built, and of course the crash with the action layer. I've just fixed both issues in master and poppler-0.14 branch. Thanks for reporting.

Pedro Villavicencio (pedro) wrote :

This has been fixed upstream now, thanks for reporting.

Changed in poppler (Ubuntu):
status: Triaged → Fix Committed
Changed in poppler:
importance: Unknown → Medium
status: Unknown → Fix Released
Changed in poppler:
importance: Medium → Unknown
Changed in poppler:
importance: Unknown → Medium
Marcel Stimberg (marcelstimberg) wrote :

Natty has poppler 0.16.2 and does not crash anymore.

Changed in poppler (Ubuntu):
status: Fix Committed → Fix Released
Marcel Stimberg (marcelstimberg) wrote :

I think this qualifies for a stable release update. I cherrypicked the two upstream commits and that fixes the bug for me. See the attached branch and patch.

Changed in poppler (Ubuntu Maverick):
status: New → Confirmed
importance: Undecided → Low
Sebastien Bacher (seb128) wrote :

Thank you for your work. I've sponsored the update; it needs to be reviewed and accepted by ubuntu-sru next.

Changed in poppler (Ubuntu Maverick):
status: Confirmed → Fix Committed
Martin Pitt (pitti) wrote : Please test proposed package

Accepted poppler into maverick-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you in advance!

tags: added: verification-needed
Fabri Velas (fabrivelas) wrote :

Before I had the maverick-proposed package, page 4 of the above-mentioned document crashed evince; after installing the maverick-proposed package, scrolling to page 4 did not crash evince any more. Thanks.

Martin Pitt (pitti)
tags: added: verification-donee
removed: verification-needed
tags: added: verification-done
removed: verification-donee
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package poppler - 0.14.3-0ubuntu1.2

---------------
poppler (0.14.3-0ubuntu1.2) maverick-proposed; urgency=low

  * debian/patches/20_layer_fix_part1.patch: [glib] Fix layers array generation
    when it contains multiple arrays
  * debian/patches/21_layer_fix_part2.patch: [glib] Fix a crash when building
    layer actions (fixes LP: #633574)
 -- Marcel Stimberg <email address hidden> Sat, 19 Feb 2011 17:50:11 +0100

Changed in poppler (Ubuntu Maverick):
status: Fix Committed → Fix Released