Crash in GfxICCBasedColorSpace::parse

Bug #1640670 reported by Joel Stanley
Affects: poppler (Ubuntu)   Status: New   Importance: Undecided   Assigned to: Unassigned   Milestone: none

Bug Description

#0 cmsGetColorSpace (hProfile=0x0) at cmsio0.c:934
#1 0x00007f174b47b438 in GfxICCBasedColorSpace::parse(Array*, OutputDev*, GfxState*, int) ()
   from /usr/lib/x86_64-linux-gnu/libpoppler.so.61
#2 0x00007f174b47a952 in GfxColorSpace::parse(GfxResources*, Object*, OutputDev*, GfxState*, int) ()
   from /usr/lib/x86_64-linux-gnu/libpoppler.so.61
#3 0x00007f174b4a0872 in Page::loadThumb(unsigned char**, int*, int*, int*) () from /usr/lib/x86_64-linux-gnu/libpoppler.so.61
#4 0x00007f174bbb7de9 in poppler_page_get_thumbnail () from /usr/lib/x86_64-linux-gnu/libpoppler-glib.so.8
#5 0x00007f174bdf5b1b in ?? () from /usr/lib/x86_64-linux-gnu/evince/4/backends/libpdfdocument.so
#6 0x0000557297930bb2 in evince_thumbnail_pngenc_get (document=0x7f1744003700,
    thumbnail=0x5572995948c0 "/tmp/.gnome_desktop_thumbnail.ZD13QY", size=256) at evince-thumbnailer.c:182
#7 0x00005572979307d0 in main (argc=<optimised out>, argv=<optimised out>) at evince-thumbnailer.c:301

getColorSpace, part of lcms, is passed a null pointer.

GfxICCBasedColorSpace::parse has this sequence of code:

  if (hp == 0) {
    error(errSyntaxWarning, -1, "read ICCBased color space profile error");
  } else {
    cmsHPROFILE dhp = (state != NULL && state->getDisplayProfile() != NULL) ? state->getDisplayProfile() : displayProfile;
    if (dhp == NULL) dhp = RGBProfile;
    unsigned int cst = getCMSColorSpaceType(cmsGetColorSpace(hp));
    unsigned int dNChannels = getCMSNChannels(cmsGetColorSpace(dhp));
    unsigned int dcst = getCMSColorSpaceType(cmsGetColorSpace(dhp));

hp can't be null, or else we wouldn't be calling cmsGetColorSpace. This means dhp must be NULL, which can only happen if RGBProfile is null.

RGBProfile is set up in GfxColorSpace::setupColorProfiles(). Assuming this function has been called, it does the following:

  RGBProfile = loadColorProfile("RGB.icc");
  if (RGBProfile == NULL) {
    /* use built in sRGB profile */
    RGBProfile = cmsCreate_sRGBProfile();
  }

cmsCreate_sRGBProfile can return NULL in a number of ways.

I'm not sure what the fix is though.
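To make the failure mode in the report concrete, here is an added, self-contained C++ sketch (not poppler or lcms code) that models the profile selection from the excerpt: a stand-in cmsGetColorSpace that dereferences its handle like the real one at cmsio0.c:934, the selection logic as quoted, and a variant that rejects a NULL destination profile before calling into lcms. The globals, FakeProfile type and ParseResult codes are assumptions for the model.

```cpp
#include <cstdlib>

// Stand-ins for the lcms2 types used in the poppler excerpt (assumed shapes,
// not the real library): an opaque profile handle and a colour-space tag.
typedef void *cmsHPROFILE;
typedef unsigned int cmsColorSpaceSignature;
struct FakeProfile { cmsColorSpaceSignature cs; };

// Mimics the behaviour behind the backtrace: the handle is used without a
// NULL check, so a NULL profile takes the process down (modelled as abort).
static cmsColorSpaceSignature cmsGetColorSpace(cmsHPROFILE h) {
  if (h == nullptr) std::abort();   // cmsio0.c:934 in the report
  return static_cast<FakeProfile *>(h)->cs;
}

// Globals standing in for poppler's displayProfile / RGBProfile statics.
// Both NULL models the case where RGB.icc is absent and
// cmsCreate_sRGBProfile() also failed (constructed scenario).
static cmsHPROFILE displayProfile = nullptr;
static cmsHPROFILE RGBProfile = nullptr;

enum ParseResult { PARSE_OK, PARSE_NO_PROFILE, PARSE_NO_DISPLAY_PROFILE };

// Selection logic as quoted in the report: falls back to RGBProfile and
// uses it unconditionally, so it crashes when RGBProfile is NULL too.
ParseResult parseUnchecked(cmsHPROFILE hp, cmsHPROFILE stateProfile) {
  if (hp == nullptr) return PARSE_NO_PROFILE;
  cmsHPROFILE dhp = (stateProfile != nullptr) ? stateProfile : displayProfile;
  if (dhp == nullptr) dhp = RGBProfile;
  (void)cmsGetColorSpace(hp);
  (void)cmsGetColorSpace(dhp);   // NULL handle when every fallback failed
  return PARSE_OK;
}

// Same logic with the missing check: a NULL destination profile becomes an
// error return instead of a NULL handle passed to lcms.
ParseResult parseChecked(cmsHPROFILE hp, cmsHPROFILE stateProfile) {
  if (hp == nullptr) return PARSE_NO_PROFILE;
  cmsHPROFILE dhp = (stateProfile != nullptr) ? stateProfile : displayProfile;
  if (dhp == nullptr) dhp = RGBProfile;
  if (dhp == nullptr) return PARSE_NO_DISPLAY_PROFILE;  // bail out early
  (void)cmsGetColorSpace(hp);
  (void)cmsGetColorSpace(dhp);
  return PARSE_OK;
}
```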

Joel Stanley (shenki) wrote :

libpoppler61:
  Installed: 0.44.0-3ubuntu2

liblcms2-2:
  Installed: 2.7-1ubuntu1

evince:
  Installed: 3.22.0-0ubuntu1

On Ubuntu 16.10 amd64.

Vlad Orlov (monsta) wrote :

Backtrace is the same as in #1635812 (also see the patch there).
