evince crashed with SIGSEGV in CairoType3Font::create()

Bug #657587 reported by smpahlman
Affects           Status        Importance  Assigned to  Milestone
Poppler           Fix Released  Medium
poppler (Ubuntu)  Fix Released  Medium      Unassigned

Bug Description

evince crashes with a segfault when opening the attached PDF. The problem itself is a null deref, so it's not a critical one. The problem seems to lie within libcairo, not poppler, but I am not completely sure, so I am marking this as a poppler bug. valgrind output:

==13558== Conditional jump or move depends on uninitialised value(s)
==13558== at 0x540DC4C: lround (s_lround.c:40)
==13558== by 0x5111EF1: ??? (in /usr/lib/libcairo.so.2.11000.0)
==13558== by 0x50FEE62: ??? (in /usr/lib/libcairo.so.2.11000.0)
==13558== by 0x51006B5: ??? (in /usr/lib/libcairo.so.2.11000.0)
==13558== by 0x50D5D52: ??? (in /usr/lib/libcairo.so.2.11000.0)
==13558== by 0x50E3A3C: ??? (in /usr/lib/libcairo.so.2.11000.0)
==13558== by 0x5104DC6: ??? (in /usr/lib/libcairo.so.2.11000.0)
==13558== by 0x50D9D08: ??? (in /usr/lib/libcairo.so.2.11000.0)
==13558== by 0x50D016C: cairo_show_glyphs (in /usr/lib/libcairo.so.2.11000.0)
==13558== by 0x9A78039: CairoOutputDev::endString(GfxState*) (CairoOutputDev.cc:915)
==13558== by 0x9B208B3: Gfx::doShowText(GooString*) (Gfx.cc:3728)
==13558== by 0x9B20C7B: Gfx::opShowText(Object*, int) (Gfx.cc:3470)
==13558==
==13558== Conditional jump or move depends on uninitialised value(s)
==13558== at 0x540DC7B: lround (s_lround.c:51)
==13558== by 0x5111EF1: ??? (in /usr/lib/libcairo.so.2.11000.0)
==13558== by 0x50FEE62: ??? (in /usr/lib/libcairo.so.2.11000.0)
==13558== by 0x51006B5: ??? (in /usr/lib/libcairo.so.2.11000.0)
==13558== by 0x50D5D52: ??? (in /usr/lib/libcairo.so.2.11000.0)
==13558== by 0x50E3A3C: ??? (in /usr/lib/libcairo.so.2.11000.0)
==13558== by 0x5104DC6: ??? (in /usr/lib/libcairo.so.2.11000.0)
==13558== by 0x50D9D08: ??? (in /usr/lib/libcairo.so.2.11000.0)
==13558== by 0x50D016C: cairo_show_glyphs (in /usr/lib/libcairo.so.2.11000.0)
==13558== by 0x9A78039: CairoOutputDev::endString(GfxState*) (CairoOutputDev.cc:915)
==13558== by 0x9B208B3: Gfx::doShowText(GooString*) (Gfx.cc:3728)
==13558== by 0x9B20C7B: Gfx::opShowText(Object*, int) (Gfx.cc:3470)
==13558==
==13558== Conditional jump or move depends on uninitialised value(s)
==13558== at 0x540DC4C: lround (s_lround.c:40)
==13558== by 0x5111F11: ??? (in /usr/lib/libcairo.so.2.11000.0)
==13558== by 0x50FEE62: ??? (in /usr/lib/libcairo.so.2.11000.0)
==13558== by 0x51006B5: ??? (in /usr/lib/libcairo.so.2.11000.0)
==13558== by 0x50D5D52: ??? (in /usr/lib/libcairo.so.2.11000.0)
==13558== by 0x50E3A3C: ??? (in /usr/lib/libcairo.so.2.11000.0)
==13558== by 0x5104DC6: ??? (in /usr/lib/libcairo.so.2.11000.0)
==13558== by 0x50D9D08: ??? (in /usr/lib/libcairo.so.2.11000.0)
==13558== by 0x50D016C: cairo_show_glyphs (in /usr/lib/libcairo.so.2.11000.0)
==13558== by 0x9A78039: CairoOutputDev::endString(GfxState*) (CairoOutputDev.cc:915)
==13558== by 0x9B208B3: Gfx::doShowText(GooString*) (Gfx.cc:3728)
==13558== by 0x9B20C7B: Gfx::opShowText(Object*, int) (Gfx.cc:3470)
==13558==
==13558== Conditional jump or move depends on uninitialised value(s)
==13558== at 0x540DC52: lround (s_lround.c:42)
==13558== by 0x5111F11: ??? (in /usr/lib/libcairo.so.2.11000.0)
==13558== by 0x50FEE62: ??? (in /usr/lib/libcairo.so.2.11000.0)
==13558== by 0x51006B5: ??? (in /usr/lib/libcairo.so.2.11000.0)
==13558== by 0x50D5D52: ??? (in /usr/lib/libcairo.so.2.11000.0)
==13558== by 0x50E3A3C: ??? (in /usr/lib/libcairo.so.2.11000.0)
==13558== by 0x5104DC6: ??? (in /usr/lib/libcairo.so.2.11000.0)
==13558== by 0x50D9D08: ??? (in /usr/lib/libcairo.so.2.11000.0)
==13558== by 0x50D016C: cairo_show_glyphs (in /usr/lib/libcairo.so.2.11000.0)
==13558== by 0x9A78039: CairoOutputDev::endString(GfxState*) (CairoOutputDev.cc:915)
==13558== by 0x9B208B3: Gfx::doShowText(GooString*) (Gfx.cc:3728)
==13558== by 0x9B20C7B: Gfx::opShowText(Object*, int) (Gfx.cc:3470)
==13558==
==13558== Conditional jump or move depends on uninitialised value(s)
==13558== at 0x540DC4C: lround (s_lround.c:40)
==13558== by 0x50FD55B: ??? (in /usr/lib/libcairo.so.2.11000.0)
==13558== by 0x5111F33: ??? (in /usr/lib/libcairo.so.2.11000.0)
==13558== by 0x50FEE62: ??? (in /usr/lib/libcairo.so.2.11000.0)
==13558== by 0x51006B5: ??? (in /usr/lib/libcairo.so.2.11000.0)
==13558== by 0x50D5D52: ??? (in /usr/lib/libcairo.so.2.11000.0)
==13558== by 0x50E3A3C: ??? (in /usr/lib/libcairo.so.2.11000.0)
==13558== by 0x5104DC6: ??? (in /usr/lib/libcairo.so.2.11000.0)
==13558== by 0x50D9D08: ??? (in /usr/lib/libcairo.so.2.11000.0)
==13558== by 0x50D016C: cairo_show_glyphs (in /usr/lib/libcairo.so.2.11000.0)
==13558== by 0x9A78039: CairoOutputDev::endString(GfxState*) (CairoOutputDev.cc:915)
==13558== by 0x9B208B3: Gfx::doShowText(GooString*) (Gfx.cc:3728)
==13558==
==13558== Conditional jump or move depends on uninitialised value(s)
==13558== at 0x540DC7B: lround (s_lround.c:51)
==13558== by 0x50FD55B: ??? (in /usr/lib/libcairo.so.2.11000.0)
==13558== by 0x5111F33: ??? (in /usr/lib/libcairo.so.2.11000.0)
==13558== by 0x50FEE62: ??? (in /usr/lib/libcairo.so.2.11000.0)
==13558== by 0x51006B5: ??? (in /usr/lib/libcairo.so.2.11000.0)
==13558== by 0x50D5D52: ??? (in /usr/lib/libcairo.so.2.11000.0)
==13558== by 0x50E3A3C: ??? (in /usr/lib/libcairo.so.2.11000.0)
==13558== by 0x5104DC6: ??? (in /usr/lib/libcairo.so.2.11000.0)
==13558== by 0x50D9D08: ??? (in /usr/lib/libcairo.so.2.11000.0)
==13558== by 0x50D016C: cairo_show_glyphs (in /usr/lib/libcairo.so.2.11000.0)
==13558== by 0x9A78039: CairoOutputDev::endString(GfxState*) (CairoOutputDev.cc:915)
==13558== by 0x9B208B3: Gfx::doShowText(GooString*) (Gfx.cc:3728)
==13558==
==13558== Conditional jump or move depends on uninitialised value(s)
==13558== at 0x540DC4C: lround (s_lround.c:40)
==13558== by 0x50FD56D: ??? (in /usr/lib/libcairo.so.2.11000.0)
==13558== by 0x5111F33: ??? (in /usr/lib/libcairo.so.2.11000.0)
==13558== by 0x50FEE62: ??? (in /usr/lib/libcairo.so.2.11000.0)
==13558== by 0x51006B5: ??? (in /usr/lib/libcairo.so.2.11000.0)
==13558== by 0x50D5D52: ??? (in /usr/lib/libcairo.so.2.11000.0)
==13558== by 0x50E3A3C: ??? (in /usr/lib/libcairo.so.2.11000.0)
==13558== by 0x5104DC6: ??? (in /usr/lib/libcairo.so.2.11000.0)
==13558== by 0x50D9D08: ??? (in /usr/lib/libcairo.so.2.11000.0)
==13558== by 0x50D016C: cairo_show_glyphs (in /usr/lib/libcairo.so.2.11000.0)
==13558== by 0x9A78039: CairoOutputDev::endString(GfxState*) (CairoOutputDev.cc:915)
==13558== by 0x9B208B3: Gfx::doShowText(GooString*) (Gfx.cc:3728)
==13558==
==13558== Conditional jump or move depends on uninitialised value(s)
==13558== at 0x540DC52: lround (s_lround.c:42)
==13558== by 0x50FD56D: ??? (in /usr/lib/libcairo.so.2.11000.0)
==13558== by 0x5111F33: ??? (in /usr/lib/libcairo.so.2.11000.0)
==13558== by 0x50FEE62: ??? (in /usr/lib/libcairo.so.2.11000.0)
==13558== by 0x51006B5: ??? (in /usr/lib/libcairo.so.2.11000.0)
==13558== by 0x50D5D52: ??? (in /usr/lib/libcairo.so.2.11000.0)
==13558== by 0x50E3A3C: ??? (in /usr/lib/libcairo.so.2.11000.0)
==13558== by 0x5104DC6: ??? (in /usr/lib/libcairo.so.2.11000.0)
==13558== by 0x50D9D08: ??? (in /usr/lib/libcairo.so.2.11000.0)
==13558== by 0x50D016C: cairo_show_glyphs (in /usr/lib/libcairo.so.2.11000.0)
==13558== by 0x9A78039: CairoOutputDev::endString(GfxState*) (CairoOutputDev.cc:915)
==13558== by 0x9B208B3: Gfx::doShowText(GooString*) (Gfx.cc:3728)
==13558==
Error (183270): Bad image parameters
Error (183485): Inline image dictionary key must be a name object
Error: Weird page contents
Error (183973): CCITTFax row is wrong length (1742)
Error (183986): CCITTFax row is wrong length (2547)
Error (183995): CCITTFax row is wrong length (2171)
Error (184012): CCITTFax row is wrong length (2402)
Error (185098): CCITTFax row is wrong length (58)
Error (185101): CCITTFax row is wrong length (58)
Error (185102): CCITTFax row is wrong length (58)
Error (185103): CCITTFax row is wrong length (59)
Error (185107): CCITTFax row is wrong length (58)
Error (185108): CCITTFax row is wrong length (59)
Error (185112): CCITTFax row is wrong length (73)
Error: Weird page contents
==13558== Conditional jump or move depends on uninitialised value(s)
==13558== at 0x540DC52: lround (s_lround.c:42)
==13558== by 0x5111EF1: ??? (in /usr/lib/libcairo.so.2.11000.0)
==13558== by 0x50FEE62: ??? (in /usr/lib/libcairo.so.2.11000.0)
==13558== by 0x51006B5: ??? (in /usr/lib/libcairo.so.2.11000.0)
==13558== by 0x50D5D52: ??? (in /usr/lib/libcairo.so.2.11000.0)
==13558== by 0x50E3A3C: ??? (in /usr/lib/libcairo.so.2.11000.0)
==13558== by 0x5104DC6: ??? (in /usr/lib/libcairo.so.2.11000.0)
==13558== by 0x50D9D08: ??? (in /usr/lib/libcairo.so.2.11000.0)
==13558== by 0x50D016C: cairo_show_glyphs (in /usr/lib/libcairo.so.2.11000.0)
==13558== by 0x9A78039: CairoOutputDev::endString(GfxState*) (CairoOutputDev.cc:915)
==13558== by 0x9B208B3: Gfx::doShowText(GooString*) (Gfx.cc:3728)
==13558== by 0x9B20C7B: Gfx::opShowText(Object*, int) (Gfx.cc:3470)
==13558==
==13558== Conditional jump or move depends on uninitialised value(s)
==13558== at 0x540DC52: lround (s_lround.c:42)
==13558== by 0x50FD55B: ??? (in /usr/lib/libcairo.so.2.11000.0)
==13558== by 0x5111F33: ??? (in /usr/lib/libcairo.so.2.11000.0)
==13558== by 0x50FEE62: ??? (in /usr/lib/libcairo.so.2.11000.0)
==13558== by 0x51006B5: ??? (in /usr/lib/libcairo.so.2.11000.0)
==13558== by 0x50D5D52: ??? (in /usr/lib/libcairo.so.2.11000.0)
==13558== by 0x50E3A3C: ??? (in /usr/lib/libcairo.so.2.11000.0)
==13558== by 0x5104DC6: ??? (in /usr/lib/libcairo.so.2.11000.0)
==13558== by 0x50D9D08: ??? (in /usr/lib/libcairo.so.2.11000.0)
==13558== by 0x50D016C: cairo_show_glyphs (in /usr/lib/libcairo.so.2.11000.0)
==13558== by 0x9A78039: CairoOutputDev::endString(GfxState*) (CairoOutputDev.cc:915)
==13558== by 0x9B208B3: Gfx::doShowText(GooString*) (Gfx.cc:3728)
==13558==
Error: Weird page contents
==13558== Invalid read of size 4
==13558== at 0x9A72725: CairoType3Font::create(GfxFont*, XRef*, Catalog*, CairoFontEngine*, int) (CairoFontEngine.cc:697)
==13558== by 0x9A739AA: CairoFontEngine::getFont(GfxFont*, XRef*, Catalog*, int) (CairoFontEngine.cc:781)
==13558== by 0x9A79132: CairoOutputDev::updateFont(GfxState*) (CairoOutputDev.cc:571)
==13558== by 0x9B20CB1: Gfx::opShowText(Object*, int) (Gfx.cc:3466)
==13558== by 0x9B1E715: Gfx::execOp(Object*, Object*, int) (Gfx.cc:840)
==13558== by 0x9B1F2DB: Gfx::go(int) (Gfx.cc:700)
==13558== by 0x9B1FD28: Gfx::display(Object*, int) (Gfx.cc:667)
==13558== by 0x9B6C89F: Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, Catalog*, int (*)(void*), void*, int (*)(Annot*, void*), void*) (Page.cc:474)
==13558== by 0x9A6C100: _poppler_page_render(_PopplerPage*, _cairo*, int) (poppler-page.cc:336)
==13558== by 0x9A6C3B7: _poppler_page_render_to_pixbuf(_PopplerPage*, int, int, int, int, double, int, int, _GdkPixbuf*) (poppler-page.cc:568)
==13558== by 0x9A4139C: ??? (ev-poppler.cc:1404)
==13558== by 0x9A41482: ??? (ev-poppler.cc:1467)
==13558== Address 0xc is not stack'd, malloc'd or (recently) free'd
==13558==
==13558==
==13558== Process terminating with default action of signal 11 (SIGSEGV)
==13558== Access not within mapped region at address 0xC
==13558== at 0x9A72725: CairoType3Font::create(GfxFont*, XRef*, Catalog*, CairoFontEngine*, int) (CairoFontEngine.cc:697)
==13558== by 0x9A739AA: CairoFontEngine::getFont(GfxFont*, XRef*, Catalog*, int) (CairoFontEngine.cc:781)
==13558== by 0x9A79132: CairoOutputDev::updateFont(GfxState*) (CairoOutputDev.cc:571)
==13558== by 0x9B20CB1: Gfx::opShowText(Object*, int) (Gfx.cc:3466)
==13558== by 0x9B1E715: Gfx::execOp(Object*, Object*, int) (Gfx.cc:840)
==13558== by 0x9B1F2DB: Gfx::go(int) (Gfx.cc:700)
==13558== by 0x9B1FD28: Gfx::display(Object*, int) (Gfx.cc:667)
==13558== by 0x9B6C89F: Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, Catalog*, int (*)(void*), void*, int (*)(Annot*, void*), void*) (Page.cc:474)
==13558== by 0x9A6C100: _poppler_page_render(_PopplerPage*, _cairo*, int) (poppler-page.cc:336)
==13558== by 0x9A6C3B7: _poppler_page_render_to_pixbuf(_PopplerPage*, int, int, int, int, double, int, int, _GdkPixbuf*) (poppler-page.cc:568)
==13558== by 0x9A4139C: ??? (ev-poppler.cc:1404)
==13558== by 0x9A41482: ??? (ev-poppler.cc:1467)
==13558== If you believe this happened as a result of a stack
==13558== overflow in your program's main thread (unlikely but
==13558== possible), you can try to increase the size of the
==13558== main thread stack using the --main-stacksize= flag.
==13558== The main thread stack size used in this run was 8388608.
==13558==
==13558== HEAP SUMMARY:
==13558== in use at exit: 6,354,318 bytes in 54,316 blocks
==13558== total heap usage: 1,125,706 allocs, 1,071,390 frees, 548,432,449 bytes allocated
==13558==
==13558== LEAK SUMMARY:
==13558== definitely lost: 5,876 bytes in 33 blocks
==13558== indirectly lost: 15,394 bytes in 755 blocks
==13558== possibly lost: 4,110,691 bytes in 45,097 blocks
==13558== still reachable: 2,222,357 bytes in 8,431 blocks
==13558== suppressed: 0 bytes in 0 blocks
==13558== Rerun with --leak-check=full to see details of leaked memory
==13558==
==13558== For counts of detected and suppressed errors, rerun with: -v
==13558== Use --track-origins=yes to see where uninitialised values come from
==13558== ERROR SUMMARY: 42 errors from 15 contexts (suppressed: 218 from 13)
Killed

ProblemType: Crash
DistroRelease: Ubuntu 10.10
Package: evince 2.32.0-0ubuntu1
ProcVersionSignature: Ubuntu 2.6.35-19.28-generic 2.6.35.3
Uname: Linux 2.6.35-19-generic i686
Architecture: i386
Date: Sun Oct 10 11:42:56 2010
ExecutablePath: /usr/bin/evince
InstallationMedia: Ubuntu 10.10 "Maverick Meerkat" - Alpha i386 (20100803.1)
KernLog:

ProcCmdline: BOOT_IMAGE=/boot/vmlinuz-2.6.35-19-generic root=UUID=b3362ce7-07a5-489a-a2dd-3f83cd0c19ed ro
ProcEnviron:
 SHELL=/bin/bash
 LANG=en_US.utf8
SegvAnalysis:
 Segfault happened at: 0x6e61725 <CairoType3Font::create(GfxFont*, XRef*, Catalog*, CairoFontEngine*, GBool)+229>: mov 0xc(%edi),%eax
 PC (0x06e61725) ok
 source "0xc(%edi)" (0x0000000c) not located in a known VMA region (needed readable region)!
 destination "%eax" ok
 Stack memory exhausted (SP below stack segment)
SegvReason: reading NULL VMA
Signal: 11
SourcePackage: evince
StacktraceTop:
 CairoType3Font::create (gfxFont=0x21dc6d00, xref=0x2196ad90, catalog=0x219ba8e0, fontEngine=0x21961c88, printing=0) at CairoFontEngine.cc:697
 CairoFontEngine::getFont (this=0x21961c88, gfxFont=0x21dc6d00, xref=0x2196ad90, catalog=0x219ba8e0, printing=0) at CairoFontEngine.cc:781
 CairoOutputDev::updateFont (this=0x219859b8, state=0x21d1a4e0) at CairoOutputDev.cc:571
 Gfx::opShowText (this=0x2198fb58, args=0xb639fc84, numArgs=1) at Gfx.cc:3466
 Gfx::execOp (this=0x2198fb58, cmd=0xb639fe24, args=0xb639fc84, numArgs=1) at Gfx.cc:840
Title: evince crashed with SIGSEGV in CairoType3Font::create()
UserGroups: adm admin cdrom dialout lpadmin plugdev sambashare
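Added crash-triage example, not code from this report or from poppler/evince: it parses the SegvAnalysis and valgrind lines above to recover the faulting address, the base register value and the field offset implied by `mov 0xc(%edi),%eax`, cross-checks the two sources, and classifies the fault as a NULL-page read. The sample strings are copied from this report; the 0x1000 null-page threshold and all function names are assumptions.

```python
import re
# Constructed sample input, copied from this report's SegvAnalysis and valgrind output.
APPORT_SEGV = """\
Segfault happened at: 0x6e61725 <CairoType3Font::create(GfxFont*, XRef*, Catalog*, CairoFontEngine*, GBool)+229>: mov 0xc(%edi),%eax
source "0xc(%edi)" (0x0000000c) not located in a known VMA region (needed readable region)!
"""
VALGRIND = """\
==13558== Invalid read of size 4
==13558== Address 0xc is not stack'd, malloc'd or (recently) free'd
"""
# Assumption: the first page is never mapped, so a lower address means a NULL base pointer.
NULL_PAGE_LIMIT = 0x1000
FAULT_LINE = re.compile(r'(?P<role>source|destination) "(?P<operand>[^"]+)" \((?P<addr>0x[0-9a-fA-F]+)\) not located')
MEM_OPERAND = re.compile(r'(?P<disp>-?0x[0-9a-fA-F]+|-?\d+)?\((?P<base>%\w+)')
VG_ACCESS = re.compile(r'Invalid (?P<access>read|write) of size (?P<size>\d+)')
VG_ADDR = re.compile(r'Address (?P<addr>0x[0-9a-fA-F]+) is')

def parse_apport_segv(text):
    # Faulting operand and address; for 0xc(%edi)-style operands also the pointer the CPU used.
    m = FAULT_LINE.search(text)
    if not m:
        return None
    addr = int(m['addr'], 16)
    info = {'access': 'read' if m['role'] == 'source' else 'write', 'addr': addr}
    op = MEM_OPERAND.search(m['operand'])
    if op:
        disp = int(op['disp'], 0) if op['disp'] else 0
        info.update(base_reg=op['base'], base_value=addr - disp, field_offset=disp)
    return info

def parse_valgrind_invalid(text):
    # Access kind, size and address from a valgrind "Invalid read/write" block.
    a, b = VG_ACCESS.search(text), VG_ADDR.search(text)
    if not (a and b):
        return None
    return {'access': a['access'], 'size': int(a['size']), 'addr': int(b['addr'], 16)}

def classify(addr, access):
    # NULL plus a small field offset is a crash-only bug; anything else needs a closer look.
    return ('null-deref-' if addr < NULL_PAGE_LIMIT else 'wild-') + access

def triage(apport_text, valgrind_text):
    # Merge both sources, check that they agree on address and access kind, then classify.
    ap, vg = parse_apport_segv(apport_text), parse_valgrind_invalid(valgrind_text)
    if ap is None or vg is None:
        raise ValueError('could not parse crash data')
    consistent = ap['addr'] == vg['addr'] and ap['access'] == vg['access']
    return dict(ap, size=vg['size'], consistent=consistent,
                fault_class=classify(ap['addr'], ap['access']))
```

For this report the result is a 4-byte read of field offset 12 through a NULL `%edi`, which matches the reporter's "null deref" assessment.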

Apport retracing service (apport) wrote :

StacktraceTop:
 CairoType3Font::create (gfxFont=0x21dc6d00, xref=0x2196ad90,
 CairoFontEngine::getFont (this=0x21961c88,
 CairoOutputDev::updateFont (this=0x219859b8,
 Gfx::opShowText (this=0x2198fb58, args=0xb639fc84,
 Gfx::execOp (this=0x2198fb58, cmd=0xb639fe24,

Apport retracing service (apport) wrote : Stacktrace.txt
Apport retracing service (apport) wrote : ThreadStacktrace.txt
Changed in poppler (Ubuntu):
importance: Undecided → Medium
tags: removed: need-i386-retrace
security vulnerability: yes → no
Pedro Villavicencio (pedro) wrote :

Thank you for your bug report. This bug has been reported to the developers of the software. You can track it and make comments at:
 https://bugs.freedesktop.org/show_bug.cgi?id=30985

visibility: private → public
Changed in poppler (Ubuntu):
status: New → Triaged
Pedro Villavicencio (pedro) wrote :

fixed upstream now, thanks for reporting.

Changed in poppler (Ubuntu):
status: Triaged → Fix Committed
Changed in poppler:
status: Unknown → Fix Released
Sebastien Bacher (seb128) wrote :

the crash is fixed in the current version

Changed in poppler (Ubuntu):
status: Fix Committed → Fix Released
status: Fix Released → Fix Committed
status: Fix Committed → Fix Released
Changed in poppler:
importance: Unknown → Medium