evince crashed with SIGSEGV in CairoType3Font::create()
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Poppler | Fix Released | Medium | | |
| poppler (Ubuntu) | Fix Released | Medium | Unassigned | |
Bug Description
evince crashes with a segfault when opening the attached PDF. The problem itself is a null deref, so it's not a critical one. The problem seems to lie within libcairo, not poppler, but I am not completely sure, so I am marking this as a poppler bug. valgrind output:
==13558== Conditional jump or move depends on uninitialised value(s)
==13558== at 0x540DC4C: lround (s_lround.c:40)
==13558== by 0x5111EF1: ??? (in /usr/lib/
==13558== by 0x50FEE62: ??? (in /usr/lib/
==13558== by 0x51006B5: ??? (in /usr/lib/
==13558== by 0x50D5D52: ??? (in /usr/lib/
==13558== by 0x50E3A3C: ??? (in /usr/lib/
==13558== by 0x5104DC6: ??? (in /usr/lib/
==13558== by 0x50D9D08: ??? (in /usr/lib/
==13558== by 0x50D016C: cairo_show_glyphs (in /usr/lib/
==13558== by 0x9A78039: CairoOutputDev:
==13558== by 0x9B208B3: Gfx::doShowText
==13558== by 0x9B20C7B: Gfx::opShowText
==13558==
==13558== Conditional jump or move depends on uninitialised value(s)
==13558== at 0x540DC7B: lround (s_lround.c:51)
==13558== by 0x5111EF1: ??? (in /usr/lib/
==13558== by 0x50FEE62: ??? (in /usr/lib/
==13558== by 0x51006B5: ??? (in /usr/lib/
==13558== by 0x50D5D52: ??? (in /usr/lib/
==13558== by 0x50E3A3C: ??? (in /usr/lib/
==13558== by 0x5104DC6: ??? (in /usr/lib/
==13558== by 0x50D9D08: ??? (in /usr/lib/
==13558== by 0x50D016C: cairo_show_glyphs (in /usr/lib/
==13558== by 0x9A78039: CairoOutputDev:
==13558== by 0x9B208B3: Gfx::doShowText
==13558== by 0x9B20C7B: Gfx::opShowText
==13558==
==13558== Conditional jump or move depends on uninitialised value(s)
==13558== at 0x540DC4C: lround (s_lround.c:40)
==13558== by 0x5111F11: ??? (in /usr/lib/
==13558== by 0x50FEE62: ??? (in /usr/lib/
==13558== by 0x51006B5: ??? (in /usr/lib/
==13558== by 0x50D5D52: ??? (in /usr/lib/
==13558== by 0x50E3A3C: ??? (in /usr/lib/
==13558== by 0x5104DC6: ??? (in /usr/lib/
==13558== by 0x50D9D08: ??? (in /usr/lib/
==13558== by 0x50D016C: cairo_show_glyphs (in /usr/lib/
==13558== by 0x9A78039: CairoOutputDev:
==13558== by 0x9B208B3: Gfx::doShowText
==13558== by 0x9B20C7B: Gfx::opShowText
==13558==
==13558== Conditional jump or move depends on uninitialised value(s)
==13558== at 0x540DC52: lround (s_lround.c:42)
==13558== by 0x5111F11: ??? (in /usr/lib/
==13558== by 0x50FEE62: ??? (in /usr/lib/
==13558== by 0x51006B5: ??? (in /usr/lib/
==13558== by 0x50D5D52: ??? (in /usr/lib/
==13558== by 0x50E3A3C: ??? (in /usr/lib/
==13558== by 0x5104DC6: ??? (in /usr/lib/
==13558== by 0x50D9D08: ??? (in /usr/lib/
==13558== by 0x50D016C: cairo_show_glyphs (in /usr/lib/
==13558== by 0x9A78039: CairoOutputDev:
==13558== by 0x9B208B3: Gfx::doShowText
==13558== by 0x9B20C7B: Gfx::opShowText
==13558==
==13558== Conditional jump or move depends on uninitialised value(s)
==13558== at 0x540DC4C: lround (s_lround.c:40)
==13558== by 0x50FD55B: ??? (in /usr/lib/
==13558== by 0x5111F33: ??? (in /usr/lib/
==13558== by 0x50FEE62: ??? (in /usr/lib/
==13558== by 0x51006B5: ??? (in /usr/lib/
==13558== by 0x50D5D52: ??? (in /usr/lib/
==13558== by 0x50E3A3C: ??? (in /usr/lib/
==13558== by 0x5104DC6: ??? (in /usr/lib/
==13558== by 0x50D9D08: ??? (in /usr/lib/
==13558== by 0x50D016C: cairo_show_glyphs (in /usr/lib/
==13558== by 0x9A78039: CairoOutputDev:
==13558== by 0x9B208B3: Gfx::doShowText
==13558==
==13558== Conditional jump or move depends on uninitialised value(s)
==13558== at 0x540DC7B: lround (s_lround.c:51)
==13558== by 0x50FD55B: ??? (in /usr/lib/
==13558== by 0x5111F33: ??? (in /usr/lib/
==13558== by 0x50FEE62: ??? (in /usr/lib/
==13558== by 0x51006B5: ??? (in /usr/lib/
==13558== by 0x50D5D52: ??? (in /usr/lib/
==13558== by 0x50E3A3C: ??? (in /usr/lib/
==13558== by 0x5104DC6: ??? (in /usr/lib/
==13558== by 0x50D9D08: ??? (in /usr/lib/
==13558== by 0x50D016C: cairo_show_glyphs (in /usr/lib/
==13558== by 0x9A78039: CairoOutputDev:
==13558== by 0x9B208B3: Gfx::doShowText
==13558==
==13558== Conditional jump or move depends on uninitialised value(s)
==13558== at 0x540DC4C: lround (s_lround.c:40)
==13558== by 0x50FD56D: ??? (in /usr/lib/
==13558== by 0x5111F33: ??? (in /usr/lib/
==13558== by 0x50FEE62: ??? (in /usr/lib/
==13558== by 0x51006B5: ??? (in /usr/lib/
==13558== by 0x50D5D52: ??? (in /usr/lib/
==13558== by 0x50E3A3C: ??? (in /usr/lib/
==13558== by 0x5104DC6: ??? (in /usr/lib/
==13558== by 0x50D9D08: ??? (in /usr/lib/
==13558== by 0x50D016C: cairo_show_glyphs (in /usr/lib/
==13558== by 0x9A78039: CairoOutputDev:
==13558== by 0x9B208B3: Gfx::doShowText
==13558==
==13558== Conditional jump or move depends on uninitialised value(s)
==13558== at 0x540DC52: lround (s_lround.c:42)
==13558== by 0x50FD56D: ??? (in /usr/lib/
==13558== by 0x5111F33: ??? (in /usr/lib/
==13558== by 0x50FEE62: ??? (in /usr/lib/
==13558== by 0x51006B5: ??? (in /usr/lib/
==13558== by 0x50D5D52: ??? (in /usr/lib/
==13558== by 0x50E3A3C: ??? (in /usr/lib/
==13558== by 0x5104DC6: ??? (in /usr/lib/
==13558== by 0x50D9D08: ??? (in /usr/lib/
==13558== by 0x50D016C: cairo_show_glyphs (in /usr/lib/
==13558== by 0x9A78039: CairoOutputDev:
==13558== by 0x9B208B3: Gfx::doShowText
==13558==
Error (183270): Bad image parameters
Error (183485): Inline image dictionary key must be a name object
Error: Weird page contents
Error (183973): CCITTFax row is wrong length (1742)
Error (183986): CCITTFax row is wrong length (2547)
Error (183995): CCITTFax row is wrong length (2171)
Error (184012): CCITTFax row is wrong length (2402)
Error (185098): CCITTFax row is wrong length (58)
Error (185101): CCITTFax row is wrong length (58)
Error (185102): CCITTFax row is wrong length (58)
Error (185103): CCITTFax row is wrong length (59)
Error (185107): CCITTFax row is wrong length (58)
Error (185108): CCITTFax row is wrong length (59)
Error (185112): CCITTFax row is wrong length (73)
Error: Weird page contents
==13558== Conditional jump or move depends on uninitialised value(s)
==13558== at 0x540DC52: lround (s_lround.c:42)
==13558== by 0x5111EF1: ??? (in /usr/lib/
==13558== by 0x50FEE62: ??? (in /usr/lib/
==13558== by 0x51006B5: ??? (in /usr/lib/
==13558== by 0x50D5D52: ??? (in /usr/lib/
==13558== by 0x50E3A3C: ??? (in /usr/lib/
==13558== by 0x5104DC6: ??? (in /usr/lib/
==13558== by 0x50D9D08: ??? (in /usr/lib/
==13558== by 0x50D016C: cairo_show_glyphs (in /usr/lib/
==13558== by 0x9A78039: CairoOutputDev:
==13558== by 0x9B208B3: Gfx::doShowText
==13558== by 0x9B20C7B: Gfx::opShowText
==13558==
==13558== Conditional jump or move depends on uninitialised value(s)
==13558== at 0x540DC52: lround (s_lround.c:42)
==13558== by 0x50FD55B: ??? (in /usr/lib/
==13558== by 0x5111F33: ??? (in /usr/lib/
==13558== by 0x50FEE62: ??? (in /usr/lib/
==13558== by 0x51006B5: ??? (in /usr/lib/
==13558== by 0x50D5D52: ??? (in /usr/lib/
==13558== by 0x50E3A3C: ??? (in /usr/lib/
==13558== by 0x5104DC6: ??? (in /usr/lib/
==13558== by 0x50D9D08: ??? (in /usr/lib/
==13558== by 0x50D016C: cairo_show_glyphs (in /usr/lib/
==13558== by 0x9A78039: CairoOutputDev:
==13558== by 0x9B208B3: Gfx::doShowText
==13558==
Error: Weird page contents
==13558== Invalid read of size 4
==13558== at 0x9A72725: CairoType3Font:
==13558== by 0x9A739AA: CairoFontEngine
==13558== by 0x9A79132: CairoOutputDev:
==13558== by 0x9B20CB1: Gfx::opShowText
==13558== by 0x9B1E715: Gfx::execOp(
==13558== by 0x9B1F2DB: Gfx::go(int) (Gfx.cc:700)
==13558== by 0x9B1FD28: Gfx::display(
==13558== by 0x9B6C89F: Page::displaySl
==13558== by 0x9A6C100: _poppler_
==13558== by 0x9A6C3B7: _poppler_
==13558== by 0x9A4139C: ??? (ev-poppler.
==13558== by 0x9A41482: ??? (ev-poppler.
==13558== Address 0xc is not stack'd, malloc'd or (recently) free'd
==13558==
==13558==
==13558== Process terminating with default action of signal 11 (SIGSEGV)
==13558== Access not within mapped region at address 0xC
==13558== at 0x9A72725: CairoType3Font:
==13558== by 0x9A739AA: CairoFontEngine
==13558== by 0x9A79132: CairoOutputDev:
==13558== by 0x9B20CB1: Gfx::opShowText
==13558== by 0x9B1E715: Gfx::execOp(
==13558== by 0x9B1F2DB: Gfx::go(int) (Gfx.cc:700)
==13558== by 0x9B1FD28: Gfx::display(
==13558== by 0x9B6C89F: Page::displaySl
==13558== by 0x9A6C100: _poppler_
==13558== by 0x9A6C3B7: _poppler_
==13558== by 0x9A4139C: ??? (ev-poppler.
==13558== by 0x9A41482: ??? (ev-poppler.
==13558== If you believe this happened as a result of a stack
==13558== overflow in your program's main thread (unlikely but
==13558== possible), you can try to increase the size of the
==13558== main thread stack using the --main-stacksize= flag.
==13558== The main thread stack size used in this run was 8388608.
==13558==
==13558== HEAP SUMMARY:
==13558== in use at exit: 6,354,318 bytes in 54,316 blocks
==13558== total heap usage: 1,125,706 allocs, 1,071,390 frees, 548,432,449 bytes allocated
==13558==
==13558== LEAK SUMMARY:
==13558== definitely lost: 5,876 bytes in 33 blocks
==13558== indirectly lost: 15,394 bytes in 755 blocks
==13558== possibly lost: 4,110,691 bytes in 45,097 blocks
==13558== still reachable: 2,222,357 bytes in 8,431 blocks
==13558== suppressed: 0 bytes in 0 blocks
==13558== Rerun with --leak-check=full to see details of leaked memory
==13558==
==13558== For counts of detected and suppressed errors, rerun with: -v
==13558== Use --track-origins=yes to see where uninitialised values come from
==13558== ERROR SUMMARY: 42 errors from 15 contexts (suppressed: 218 from 13)
Killed
ProblemType: Crash
DistroRelease: Ubuntu 10.10
Package: evince 2.32.0-0ubuntu1
ProcVersionSign
Uname: Linux 2.6.35-19-generic i686
Architecture: i386
Date: Sun Oct 10 11:42:56 2010
ExecutablePath: /usr/bin/evince
InstallationMedia: Ubuntu 10.10 "Maverick Meerkat" - Alpha i386 (20100803.1)
KernLog:
ProcCmdline: BOOT_IMAGE=
ProcEnviron:
SHELL=/bin/bash
LANG=en_US.utf8
SegvAnalysis:
Segfault happened at: 0x6e61725 <CairoType3Font
PC (0x06e61725) ok
source "0xc(%edi)" (0x0000000c) not located in a known VMA region (needed readable region)!
destination "%eax" ok
Stack memory exhausted (SP below stack segment)
SegvReason: reading NULL VMA
Signal: 11
SourcePackage: evince
StacktraceTop:
CairoType3Font::create (gfxFont=0x21dc6d00, xref=0x2196ad90,
CairoFontEngine::getFont (this=0x21961c88,
CairoOutputDev::updateFont (this=0x219859b8,
Gfx::opShowText (this=0x2198fb58, args=0xb639fc84, numArgs=1) at Gfx.cc:3466
Gfx::execOp (this=0x2198fb58, cmd=0xb639fe24, args=0xb639fc84, numArgs=1) at Gfx.cc:840
Title: evince crashed with SIGSEGV in CairoType3Font::create()
UserGroups: adm admin cdrom dialout lpadmin plugdev sambashare
security vulnerability: yes → no
Changed in poppler:
status: Unknown → Fix Released
Changed in poppler:
importance: Unknown → Medium