evince crashes in FcConfigParseAndLoad

Bug #1800003 reported by Mirko Hessel-von Molo
This bug affects 4 people
Affects              Status     Importance  Assigned to  Milestone
fontconfig (Ubuntu)  Confirmed  High        Unassigned

Bug Description

I have the following situation persistently on my system (Ubuntu 18.04.1 on Dell Latitude E6500):

Evince called with any pdf file crashes immediately with a segmentation fault. From the crash dump, I see that the crash happens in fontconfig's FcConfigParseAndLoad function, i.e. when the system fonts.conf is read. I can reproduce the crash with the following minimal example:

----
#include <fontconfig/fontconfig.h>   /* build: gcc fc-test.c $(pkg-config --cflags --libs fontconfig) */

const FcChar8 *filename = (const FcChar8 *) "/home/mirkoh/fontconfig-test/fonts.conf";
FcConfig *config;   /* file-scope pointer, never assigned: zero-initialized, so NULL is passed below */

int main(void)
{
    /* Parse the given fonts.conf into config; returns FcTrue on success, FcFalse on failure */
    FcBool ok = FcConfigParseAndLoad(config, filename, FcTrue);
    return ok ? 0 : 1;
}
----

The fonts.conf file used here is also absolutely minimal:

----
<?xml version="1.0"?>
<!DOCTYPE fontconfig SYSTEM "fonts.dtd">
<fontconfig>
</fontconfig>
----

(Don't get me wrong: it first happened with my system fonts.conf, which is not empty. In order to find out whether a specific entry led to the crash, I deleted entry after entry, ultimately reaching the file above, and FcConfigParseAndLoad always crashes.)

I have no idea how to go on from here.

Tags: bionic
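How to read the fault address in a report like the one above, as an added example (this is not code from the bug report, from fontconfig or from Ubuntu). A SIGSEGV at an address such as 0x20 that valgrind says is "not stack'd, malloc'd or (recently) free'd" is the signature of a NULL base pointer plus a small field offset, not of heap corruption; in the reporter's program, `config` is a file-scope pointer that is never assigned, so it is NULL. The block below reproduces that failure mode with a stand-in struct whose layout is hypothetical (fontconfig's real FcConfig is opaque and is not reproduced here), shows the triage arithmetic, and adds the NULL check a caller would want. The field-index arithmetic assumes 8-byte pointers (LP64).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for an opaque library configuration object. This is
 * NOT fontconfig's FcConfig layout; the only property relied on is that some
 * pointer-sized field sits 0x20 bytes into the object. */
struct cfg_like {
    void *slot0, *slot1, *slot2, *slot3;   /* 4 x 8 bytes on LP64 = 0x20 */
    const char **config_files;             /* NULL-terminated list, offset 0x20 on LP64 */
};

/* Mirrors the crash: an unchecked field read through a possibly-NULL object.
 * Returns the number of configured files. With cfg == NULL this reads
 * address 0x20 and faults, which is what valgrind reported for the reproducer. */
size_t count_files_unchecked(const struct cfg_like *cfg)
{
    size_t n = 0;
    for (const char **p = cfg->config_files; *p != NULL; ++p)
        ++n;
    return n;
}

/* Hardened variant: reject a NULL object (or an unset list) instead of faulting. */
bool count_files_checked(const struct cfg_like *cfg, size_t *out)
{
    if (cfg == NULL || cfg->config_files == NULL)
        return false;
    *out = count_files_unchecked(cfg);
    return true;
}

/* Triage helper for a SIGSEGV fault address taken from valgrind or a core dump.
 * The lowest page of a process is never mapped (vm.mmap_min_addr on Linux), so
 * a fault below it is a NULL base plus a field offset. Returns true and the
 * pointer-sized field index when the address looks like such a dereference. */
bool classify_null_deref(uintptr_t fault_addr, size_t *field_index)
{
    const uintptr_t lowest_page = 4096;
    if (fault_addr >= lowest_page)
        return false;
    *field_index = fault_addr / sizeof(void *);
    return true;
}

int main(void)
{
    /* Constructed sample: two entries plus the NULL terminator. */
    const char *files[] = { "fonts.conf", "conf.d/10-hinting.conf", NULL };
    struct cfg_like cfg = { 0 };
    cfg.config_files = files;

    size_t n = 0, idx = 0;
    printf("offsetof(config_files) = 0x%zx\n", offsetof(struct cfg_like, config_files));
    if (count_files_checked(&cfg, &n))
        printf("%zu config files\n", n);
    if (!count_files_checked(NULL, &n))
        printf("NULL config rejected instead of faulting\n");
    if (classify_null_deref(0x20, &idx))
        printf("fault at 0x20: NULL base, pointer-sized field #%zu\n", idx);
    return 0;
}
```

The same arithmetic applies to any small fault address in a backtrace: divide by the pointer size to find which field of a NULL object was touched, then look for the caller that handed in an uninitialized or failed-allocation pointer.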
Revision history for this message
Sebastien Bacher (seb128) wrote :

Can you get a backtrace using gdb and the output of those commands
- dpkg -l | grep evince
- which evince
- ldd -r /usr/bin/evince
?

Changed in fontconfig (Ubuntu):
importance: Undecided → High
status: New → Incomplete
Revision history for this message
Mirko Hessel-von Molo (mhvm) wrote :

Both are attached. Let me know if this is not what you needed.

tags: added: bionic
Revision history for this message
Jérémie Corbier (jeremie-corbier) wrote :

Using the same sample as above:

==19477== Memcheck, a memory error detector
==19477== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==19477== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==19477== Command: ../../fc-test
==19477==
==19477== Invalid read of size 8
==19477== at 0x4E5FC7C: FcConfigParseAndLoad (fcxml.c:3378)
==19477== by 0x108766: main (fc-test.c:8)
==19477== Address 0x20 is not stack'd, malloc'd or (recently) free'd
==19477==
==19477==
==19477== Process terminating with default action of signal 11 (SIGSEGV)
==19477== Access not within mapped region at address 0x20
==19477== at 0x4E5FC7C: FcConfigParseAndLoad (fcxml.c:3378)
==19477== by 0x108766: main (fc-test.c:8)
==19477== If you believe this happened as a result of a stack
==19477== overflow in your program's main thread (unlikely but
==19477== possible), you can try to increase the size of the
==19477== main thread stack using the --main-stacksize= flag.
==19477== The main thread stack size used in this run was 8388608.
==19477==
==19477== HEAP SUMMARY:
==19477== in use at exit: 192,962 bytes in 5,678 blocks
==19477== total heap usage: 11,118 allocs, 5,440 frees, 3,905,324 bytes allocated
==19477==
==19477== LEAK SUMMARY:
==19477== definitely lost: 6,656 bytes in 26 blocks
==19477== indirectly lost: 2,151 bytes in 101 blocks
==19477== possibly lost: 0 bytes in 0 blocks
==19477== still reachable: 184,155 bytes in 5,551 blocks
==19477== suppressed: 0 bytes in 0 blocks
==19477== Rerun with --leak-check=full to see details of leaked memory
==19477==
==19477== For counts of detected and suppressed errors, rerun with: -v
==19477== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Segmentation fault (core dumped)

Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for fontconfig (Ubuntu) because there has been no activity for 60 days.]

Changed in fontconfig (Ubuntu):
status: Incomplete → Expired
Revision history for this message
J B (buchner-johannes) wrote :

Please re-open. I have the same bug.

$ /usr/bin/evince

(evince:2751): Gtk-WARNING **: 00:31:32.744: Attempting to read the recently used resources file at '/home/user/.local/share/recently-used.xbel', but the parser failed: Failed to open file “/home/user/.local/share/recently-used.xbel”: Permission denied.
Segmentation fault (core dumped)

 $ { echo run; echo thread apply all bt full; quit; } | gdb /usr/bin/evince
GNU gdb (Ubuntu 8.1-0ubuntu3) 8.1.0.20180409-git
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/bin/evince...
Command 'quit' not found, did you mean:

  command 'luit' from deb x11-utils
  command 'quiz' from deb bsdgames
  command 'qgit' from deb qgit
  command 'quilt' from deb quilt
  command 'quot' from deb quota

Try: sudo apt install <deb name>

(no debugging symbols found)...done.
(gdb) Starting program: /usr/bin/evince
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7f82dcba5700 (LWP 1767)]
[New Thread 0x7f82d7fff700 (LWP 1768)]
[New Thread 0x7f82d698b700 (LWP 1770)]

(evince:1763): Gtk-WARNING **: 00:25:28.185: Attempting to read the recently used resources file at '/home/user/.local/share/recently-used.xbel', but the parser failed: Failed to open file “/home/user/.local/share/recently-used.xbel”: Permission denied.

Thread 1 "evince" received signal SIGSEGV, Segmentation fault.
tcache_get (tc_idx=2) at malloc.c:2943
2943 malloc.c: No such file or directory.
(gdb)
Thread 4 (Thread 0x7f82d698b700 (LWP 1770)):
#0 0x00007f82e51f2839 in syscall () at ../sysdeps/unix/sysv/linux/x86_64/syscall.S:38
#1 0x00007f82e5b175ca in g_cond_wait_until () at /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
#2 0x00007f82e5aa4571 in () at /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
#3 0x00007f82e5af98b4 in () at /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
#4 0x00007f82e5af8f15 in () at /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
#5 0x00007f82e54cf6db in start_thread (arg=0x7f82d698b700) at pthread_create.c:463
        pd = 0x7f82d698b700
        now = <optimized out>
        unwind_buf =
              {cancel_jmp_buf = {{jmp_buf = {140199922808576, 1224657468070533167, 140199922805888, 0, 93940877964608, 140722239005440, -1154198811298523089, -1154309211113678801}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
        not_first_call = <optimized out>
#6 0x00007f82e51f888f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

...

Revision history for this message
J B (buchner-johannes) wrote :

I can also reproduce the crash with the minimal test program provided in the bug report (nice catch!). I am on Ubuntu 18.04.2.

Changed in fontconfig (Ubuntu):
status: Expired → Confirmed
Revision history for this message
Johannes Martin (jmartin-notamusica) wrote :

I experienced the same problem on an Ubuntu 18.04.5 system.

It was apparently caused by .config being a symbolic link to a directory on a different file system. Once I moved that .config directory to my home directory, I was able to start evince. If the symbolic link points to a directory on the same file system, evince seems to work fine.

Linking .local to a directory on some other file system might cause similar problems.
