Evince crashes upon attempting to select text, for certain PDF(s)

Bug #50697 reported by Chris Wagner
Affects          | Status       | Importance | Assigned to         | Milestone
Poppler          | Fix Released | Critical   |                     |
poppler (Ubuntu) | Fix Released | Medium     | Ubuntu Desktop Bugs |

Bug Description

Binary package hint: evince

I am using the version of evince that comes with dapper, 0.5.2.

Open the attached PDF in evince and opt to select some of the text that is rendered. Sometimes it seems to take a few tries to get it to crash (just keep selecting different portions of text).

This could be a problem with libpoppler.

Revision history for this message
In , Kristian Hoegsberg (krh-bitplanet) wrote :

Is it possible to provide the pdf that cause the crash?

Revision history for this message
In , Sean (sproctor) wrote :

Hello,

I'm still getting this with current statements. Before the issue was on Debian,
now it's on FC4. I've sent an inquiry to Chase asking for them to send me a
statement without my account information.

Sean

Revision history for this message
In , Adam Olsen (rhamph) wrote :

I reported a (presumably?) related bug against evince in the GNOME Bugzilla:
http://bugzilla.gnome.org/show_bug.cgi?id=328810
It is provoked by selecting text from a PDF attached to another report in the
GNOME Bugzilla:
http://bugzilla.gnome.org/show_bug.cgi?id=314847
http://bugzilla.gnome.org/attachment.cgi?id=51717

Hopefully that PDF will be enough to debug this. (Again, assuming a crash from
selecting is the same as a crash from an input field.)

Revision history for this message
Chris Wagner (chris-wagner) wrote :

Binary package hint: evince

I am using the version of evince that comes with dapper, 0.5.2.

Open the attached PDF in evince and opt to select some of the text that is rendered. Sometimes it seems to take a few tries to get it to crash (just keep selecting different portions of text).

This could be a problem with libpoppler.

Revision history for this message
Chris Wagner (chris-wagner) wrote : PDF to Crash Evince

Just select some text, after opening this document in evince.

Revision history for this message
Chris Wagner (chris-wagner) wrote : Backtrace

Here's the backtrace produced when evince crashes. I copied this from the "bug buddy" window.

Revision history for this message
Tim Butler (timbutler) wrote :

Confirmed, this happens for me in Ubuntu Dapper also.

Changed in evince:
status: Unconfirmed → Confirmed
Changed in evince:
assignee: nobody → desktop-bugs
importance: Untriaged → Medium
Revision history for this message
In , Sebastien Bacher (seb128) wrote :

Ubuntu bug about that: https://launchpad.net/products/poppler/+bug/50697

"I am using the version of evince that comes with dapper, 0.5.2.

Open the attached PDF in evince and opt to select some of the text that is
rendered. Sometimes it seems to take a few tries to get it to crash (just keep
selecting different portions of text).

This could be a problem with libpoppler.

http://librarian.launchpad.net/3134680/can-crash-evince-0.5.2.pdf
PDF to Crash Evince

Just select some text, after opening this document in evince.

http://librarian.launchpad.net/3134694/evince-backtrace.txt
Backtrace

Here's the backtrace produced when evince crashes. I copied this from the "bug
buddy" window.
..."

Revision history for this message
Sebastien Bacher (seb128) wrote :

Thanks for your bug, the backtrace is similar to https://bugs.freedesktop.org/show_bug.cgi?id=4649 upstream

Revision history for this message
Chris Wagner (chris-wagner) wrote :

Hey Sebastien - Did you intentionally link this bug to the GNOME bug tracker? GNOME BT is claiming that the bug is "invalid".

Revision history for this message
Sebastien Bacher (seb128) wrote :

No, the right URL was to my previous comment and to the freedesktop bugzilla. I'm just used to forwarding most of the bugs to GNOME; that's fixed now.

Changed in poppler:
status: Unknown → Confirmed
Revision history for this message
In , Christian Kirbach (christian-kirbach-e) wrote :

reproducible with latest cvs

steps to reproduce:
1. open http://librarian.launchpad.net/3134680/can-crash-evince-0.5.2.pdf
2. edit->select all

#3 <signal handler called>
No symbol table info available.
#4 0xb7d10775 in CairoFont::create (gfxFont=0x84441f8, xref=0x8487280,
    lib=0x8317388, useCIDs=1) at Object.h:279
 cmap = <value optimized out>
 ctu = <value optimized out>
 cairo_font_face_key = {unused = 0}
 tmpFileName = (GooString *) 0x839a8d8
 dfp = <value optimized out>
 uBuf = {0, 0, 3076259048, 3220933992, 3075990618, 138965644,
  3074958112, 3220934008}
 codeToGID = <value optimized out>
 strObj = {type = objNull, {booln = 138965632, intg = 138965632,
    real = -7.0562016071739042e-44, string = 0x8487280, name = 0x8487280 "",
    array = 0x8487280, dict = 0x8487280, stream = 0x8487280, ref = {
      num = 138965632, gen = -1225183896}, cmd = 0x8487280 ""}}
 fileName = <value optimized out>
 c = <value optimized out>
 ff1c = <value optimized out>
 codeToGIDLen = 0
 tmpFileName2 = <value optimized out>
 n = <value optimized out>
 code = <value optimized out>
 fontType = 1079655961
 enc = <value optimized out>
 name = <value optimized out>
 ff = <value optimized out>
 cairo_font_face = <value optimized out>
 refObj = {type = objNone, {booln = 1890821786, intg = 1890821786,
    real = 114.96346681159994, string = 0x70b3a69a,
    name = 0x70b3a69a <Address 0x70b3a69a out of bounds>, array = 0x70b3a69a,
    dict = 0x70b3a69a, stream = 0x70b3a69a, ref = {num = 1890821786,
      gen = 1079819689}, cmd = 0x70b3a69a <Address 0x70b3a69a out of bounds>}}
 tmpFile = <value optimized out>
 face = <value optimized out>
#5 0xb7d10fa1 in CairoFontEngine::getFont (this=0x831d0f0,
    gfxFont=0x84441f8, xref=0x8487280) at CairoFontEngine.cc:353
 i = 64
 ref = {num = -1694248026, gen = 1079410369}
 font = (CairoFont *) 0x0
#6 0xb7d12d5e in CairoOutputDev::updateFont (this=0x830a780, state=0x8486fa8)
    at CairoOutputDev.cc:276
 font_face = <value optimized out>
 m11 = -1.722381591796875
 m22 = 1
 fontSize = 0
 m = <value optimized out>
 m12 = -3.919002195208072e-44
 m21 = 1
 matrix = {xx = 1, yx = 1, xy = -nan(0xfffffffffffff),
  yy = 3.1524664462486777e-269, x0 = -7.8446562264848481e-40, y0 = 1}
#7 0xb6f0ec1d in TextSelectionPainter::visitWord (this=0xbffb90c4,
    word=0x8443838, begin=0, end=6, selection=0xbffb8fb8)
    at TextOutputDev.cc:3383
 string = (GooString *) 0x80000000
#8 0xb6f0ee44 in TextWord::visitSelection (this=0x8443838,
    visitor=0xbffb90c4, selection=0xbffb8fb8) at TextOutputDev.cc:3422
 i = 6
 begin = 0
 end = 6
 mid = 0
#9 0xb6f0f072 in TextLine::visitSelection (this=0x8442ea8,
    visitor=0xbffb90c4, selection=0xbffb8fb8) at TextOutputDev.cc:3460
 begin = (TextWord *) 0x8443838
 end = (TextWord *) 0x0
 i = 6
 p = (TextWord *) 0x8443838
 edge_begin = <value optimized out>
 edge_end = 6
#10 0xb6f1491e in TextBlock::visitSelection (this=0x8443990,
    visitor=0xbffb90c4, selection=0xbffb9050) at TextOutputDev.cc:3532
 begin = (TextLine *) 0x8442ea8
 end = (TextLine *) 0x0
 child_selection = {x1 = 0, y1 = 0, x2 = 595, y2 = 842}
 start_x = 0
 stop_y = 842
 p = (TextLine *) 0x8442ea8
 start_y = 0
 stop_x = ...


Revision history for this message
In , Pascal Terjan (pterjan42) wrote :

Created an attachment (id=6605)
Don't add NULL font to the cache

This patch avoided the crash here. This is really not a fix and I don't ask for
inclusion as I think it hides several other bugs. I just put it here if someone
needs a temporary solution.

Revision history for this message
In , Pascal Terjan (pterjan42) wrote :

Sorry for the noise, I don't understand why it started working repeatedly here
on the various crashing PDFs with this patch but no longer does now...

Revision history for this message
In , Pascal Terjan (pterjan42) wrote :

On this document there is a first crash in CairoFont::create:
strObj.getTypeName() giving "null" (create is entered about 20 times with the
same invalid ref on the given doc and each time fontType is also invalid).
A check on the type before using the stream might be nice.

For the real bug, valgrind is quite helpful:

==32431==
==32431== Invalid read of size 4
==32431== at 0x408D4D6: GfxFont::incRefCnt() (GfxFont.cc:172)
==32431== by 0x40F1205: TextSelectionPainter::visitWord(TextWord*, int, int,
PDFRectangle*) (TextOutputDev.cc:3381)
==32431== by 0x40E9E27: TextWord::visitSelection(TextSelectionVisitor*,
PDFRectangle*) (TextOutputDev.cc:3422)
==32431== by 0x40EA062: TextLine::visitSelection(TextSelectionVisitor*,
PDFRectangle*) (TextOutputDev.cc:3460)
==32431== by 0x40EA242: TextBlock::visitSelection(TextSelectionVisitor*,
PDFRectangle*) (TextOutputDev.cc:3532)
==32431== by 0x40F1600: TextPage::visitSelection(TextSelectionVisitor*,
PDFRectangle*) (TextOutputDev.cc:3605)
==32431== by 0x40F2C71: TextPage::drawSelection(OutputDev*, double, int,
PDFRectangle*, GfxColor*, GfxColor*) (TextOutputDev.cc:3618)
==32431== by 0x40F2CE9: TextOutputDev::drawSelection(OutputDev*, double, int,
PDFRectangle*, GfxColor*, GfxColor*) (TextOutputDev.cc:4202)
==32431== by 0x402D1EA: poppler_page_render_selection (poppler-page.cc:560)
==32431== by 0x8095194: pdf_selection_render_selection(_EvSelection*,
_EvRenderContext*, _GdkPixbuf**, EvRectangle*, EvRectangle*, _GdkColor*,
_GdkColor*) (in /usr/bin/evince)
==32431== by 0x809454C: ev_selection_render_selection (in /usr/bin/evince)
==32431== by 0x806B2D4: ev_pixbuf_cache_get_selection_pixbuf (in /usr/bin/evince)
==32431== Address 0x564AE64 is 164 bytes inside a block of size 3,536 free'd
==32431== at 0x401EBFA: operator delete(void*) (in
/usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==32431== by 0x408E16F: Gfx8BitFont::~Gfx8BitFont() (GfxFont.cc:939)
==32431== by 0x408D507: GfxFont::decRefCnt() (GfxFont.cc:177)
==32431== by 0x408D600: GfxFontDict::~GfxFontDict() (GfxFont.cc:1635)
==32431== by 0x4080C1A: GfxResources::~GfxResources() (Gfx.cc:304)
==32431== by 0x4080C9A: Gfx::popResources() (Gfx.cc:3649)
==32431== by 0x40872BC: Gfx::doForm1(Object*, Dict*, double*, double*)
(Gfx.cc:3479)
==32431== by 0x4087C19: Gfx::doForm(Object*) (Gfx.cc:3305)
==32431== by 0x4087F3D: Gfx::opXObject(Object*, int) (Gfx.cc:2907)
==32431== by 0x4082DEC: Gfx::execOp(Object*, Object*, int) (Gfx.cc:713)
==32431== by 0x4082FC3: Gfx::go(int) (Gfx.cc:581)
==32431== by 0x408352E: Gfx::display(Object*, int) (Gfx.cc:544)
==32431==
==32431== Invalid read of size 4
==32431== at 0x4031490: CairoOutputDev::updateFont(GfxState*)
(CairoOutputDev.cc:273)
==32431== by 0x40F123B: TextSelectionPainter::visitWord(TextWord*, int, int,
PDFRectangle*) (TextOutputDev.cc:3383)
==32431== by 0x40E9E27: TextWord::visitSelection(TextSelectionVisitor*,
PDFRectangle*) (TextOutputDev.cc:3422)
==32431== by 0x40EA062: TextLine::visitSelection(TextSelectionVisitor*,
PDFRectangle*) (TextOutputDev.cc:3460)
==32431== by 0x40EA242: TextBlock::visitSelection(TextSelectionVisitor...

Revision history for this message
In , Pascal Terjan (pterjan42) wrote :

I think I got it this time!
GfxFontDict::~GfxFontDict calls decRefCnt on all fonts, but
GfxFontDict::GfxFontDict does not call incRefCnt, so fonts get freed.

Revision history for this message
In , Pascal Terjan (pterjan42) wrote :

Created an attachment (id=6611)
increment the refcount and be more robust

Revision history for this message
In , Christian Kirbach (christian-kirbach-e) wrote :

patch fixes the crash for me!

Revision history for this message
In , Jeff Muizelaar (jeff-infidigm) wrote :

GfxFontDict makes the fonts, which start off with a refCount of 1. So incrementing them
looks wrong.

Revision history for this message
In , Pascal Terjan (pterjan42) wrote :

OK, I'll try to have another look at the counters to find if there is unmatched
dec somewhere else, but I don't remember seeing another one.

Revision history for this message
In , Jeff Muizelaar (jeff-infidigm) wrote :

Created an attachment (id=7091)
Properly RefCnt inside TextFontInfo

The attached patch should fix things.

TextFontInfo takes a reference to a GfxFont but doesn't do a incRefCnt(). This
patch fixes that.
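
The lifetime problem discussed in this thread (a GfxFontDict dropping its reference when a form's resources are popped while TextFontInfo still holds a bare pointer) replayed in a small C++ model. This is an added illustration, not poppler's code or attachment 7091; the GfxFont, GfxFontDict and TextFontInfo here are constructed stand-ins, and the `alive` flag is a tracking aid the real classes do not have.

```cpp
#include <vector>

// Constructed stand-in for poppler's intrusively ref-counted GfxFont: created
// with refCnt = 1, deletes itself when decRefCnt() reaches zero. The `alive`
// flag lets the demo observe the lifetime without touching freed memory.
struct GfxFont {
    int refCnt = 1;
    bool *alive;
    explicit GfxFont(bool *flag) : alive(flag) { *alive = true; }
    ~GfxFont() { *alive = false; }
    void incRefCnt() { ++refCnt; }
    void decRefCnt() { if (--refCnt == 0) delete this; }
};

// Stand-in for GfxFontDict: it owns the initial reference to each font it
// creates and drops it in its destructor, which is what happens through
// GfxResources::~GfxResources when Gfx::popResources() ends a form XObject.
struct GfxFontDict {
    std::vector<GfxFont *> fonts;
    GfxFont *makeFont(bool *flag) { fonts.push_back(new GfxFont(flag)); return fonts.back(); }
    ~GfxFontDict() { for (GfxFont *f : fonts) f->decRefCnt(); }
};

// Stand-in for TextFontInfo. takeRef=false stores the bare pointer, as the
// pre-fix code did; takeRef=true takes its own reference and releases it in
// the destructor, which is the behaviour the fix adds.
struct TextFontInfo {
    GfxFont *gfxFont;
    bool owns;
    TextFontInfo(GfxFont *f, bool takeRef) : gfxFont(f), owns(takeRef) {
        if (owns) gfxFont->incRefCnt();
    }
    ~TextFontInfo() { if (owns) gfxFont->decRefCnt(); }
};

// Replays the order of events from the valgrind trace: the font dict is popped
// while the text page still holds a TextFontInfo for one of its fonts.
// Returns whether that font is still alive where visitWord() would use it.
bool fontAliveAfterPop(bool takeRef) {
    bool alive = false;
    TextFontInfo *info;
    {
        GfxFontDict dict;
        info = new TextFontInfo(dict.makeFont(&alive), takeRef);
    }   // ~GfxFontDict: the font is freed unless someone else holds a reference
    bool result = alive;
    delete info;    // fixed variant releases its reference here; buggy one holds none
    return result;
}
```

Calling fontAliveAfterPop(false) models the crash (the font is already gone, so the later use in visitWord reads freed memory) and returns false; fontAliveAfterPop(true) keeps the font alive and returns true.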

Revision history for this message
In , Jeff Muizelaar (jeff-infidigm) wrote :

Pascal,

Are the robustness enhancements needed? i.e. is there a pdf that shows a problem
that the robustness enhancements fix?

Revision history for this message
In , Pascal Terjan (pterjan42) wrote :

It's not really needed as fixing the real issue to have a valid stream there is
better.
I just prefer avoiding crashes when something goes wrong elsewhere in the code
and actually added this before finding the refcount issue to hide it.

Revision history for this message
In , Jeff Muizelaar (jeff-infidigm) wrote :

Fixed in cvs.

Changed in poppler:
status: Confirmed → Fix Released
Revision history for this message
Erik Meitner (e.meitner) wrote :

Same problem here with 0.6.0-0ubuntu1 in Edgy beta.
These messages appear the moment I select and the crash happens:

Error: Embedded font file is not a stream
** (bug-buddy:29045): WARNING **: Couldn't load icon for Decrypt File
** (bug-buddy:29045): WARNING **: Couldn't load icon for Import Key
** (bug-buddy:29045): WARNING **: Couldn't load icon for Open Folder
** (bug-buddy:29045): WARNING **: Couldn't load icon for Verify Signature

-- System Information:
Debian Release: testing/unstable
  APT prefers edgy-updates
  APT policy: (500, 'edgy-updates'), (500, 'edgy-security'), (500, 'edgy-backports'), (500, 'edgy')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/dash
Kernel: Linux 2.6.15-27-686
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages evince depends on:
ii gconf2 2.14.0-1ubuntu2 GNOME configuration database syste
ii gs-esp [gs 8.15.2.dfsg.0ubuntu1-0ubuntu4 The Ghostscript PostScript interpr
ii libart-2.0 2.3.17-1 Library of functions for 2D graphi
ii libatk1.0- 1.12.3-0ubuntu1 The ATK accessibility toolkit
ii libbonobo2 2.16.0-0ubuntu1 Bonobo CORBA interfaces library
ii libbonobou 2.16.0-0ubuntu1 The Bonobo UI library
ii libc6 2.4-1ubuntu10 GNU C Library: Shared libraries
ii libcairo2 1.2.4-1ubuntu1 The Cairo 2D vector graphics libra
ii libdbus-1- 0.93-0ubuntu2 simple interprocess messaging syst
ii libdbus-gl 0.71-1ubuntu1 simple interprocess messaging syst
ii libdjvulib 3.5.17-1ubuntu1 Runtime support for the DjVu image
ii libfontcon 2.3.2-7ubuntu2 generic font configuration library
ii libgconf2- 2.14.0-1ubuntu2 GNOME configuration database syste
ii libglade2- 1:2.6.0-1ubuntu1 library to load .glade files at ru
ii libglib2.0 2.12.4-0ubuntu1 The GLib library of C routines
ii libgnome-k 0.6.0-0ubuntu1 GNOME keyring services library
ii libgnome2- 2.16.0-0ubuntu1 The GNOME 2 library - runtime file
ii libgnomeca 2.14.0-3ubuntu1 A powerful object-oriented display
ii libgnomeui 2.16.0-0ubuntu2 The GNOME 2 libraries (User Interf
ii libgnomevf 2.16.1-0ubuntu1 GNOME virtual file-system (runtime
ii libgtk2.0- 2.10.5-0ubuntu1 The GTK+ graphical user interface
ii libice6 2:1.0.1-1ubuntu1 X11 Inter-Client Exchange library
ii libjpeg62 6b-13 The Independent JPEG Group's JPEG
ii libkpathse 3.0-17ubuntu1 path search library for teTeX (run
ii liblaunchp 0.1.4 library for launchpad integration
ii libnautilu 2.16.0-0ubuntu3 libraries for nautilus components
ii liborbit2 1:2.14.3-0ubuntu1 libraries for ORBit2 - a CORBA ORB
ii libpango1. 1.14.4-0ubuntu1 Layout and rendering of internatio
ii libpoppler 0.5.3-0ubuntu9 PDF rendering library (GLib-based
ii libpopt0 1.10-2 lib for parsing cmdline parameters
ii libsm6 2...


Revision history for this message
istoyanov (istoyanov) wrote :

I confirm the bug and would be happy if a fix for it gets into Dapper Drake.

Revision history for this message
Daniel Holbach (dholbach) wrote :

The particular .pdf file does not crash evince in Edgy any more. If at all, this needs fixing in dapper-updates. Can somebody on Dapper try the suggested fix: https://bugs.freedesktop.org/attachment.cgi?id=7091 ?

Revision history for this message
Erik Meitner (e.meitner) wrote :

I am unable to reproduce this crash with the document that first caused it. Seems fixed. Thanks.

Revision history for this message
Chris Wagner (chris-wagner) wrote :

Erik, under what Ubuntu release (dapper, edgy?) and libpoppler versions was this unreproducible for you?

I'm on dapper with the latest updates (evince 0.5.2-0ubuntu3, libpoppler1 0.5.1-0ubuntu7) and can still produce a crash - although it seemed to take a little more fiddling around than it did originally (if I remember correctly).

I will try to apply the patch, suggested by Daniel, to Dapper's libpoppler, when I get some time...

Changed in poppler:
status: Confirmed → Needs Info
Revision history for this message
Chris Wagner (chris-wagner) wrote :

The patch at https://bugs.freedesktop.org/attachment.cgi?id=7091 seemed to do the trick. I've attached a patched package if others would like to confirm.

Revision history for this message
Chris Wagner (chris-wagner) wrote :

I'm going to close this, as the bug seems to be fixed in Edgy, and according to https://wiki.ubuntu.com/StableReleaseUpdates, this bug is probably not serious enough to merit an update to Dapper.

Changed in poppler:
status: Needs Info → Fix Released
Revision history for this message
istoyanov (istoyanov) wrote :

It would be very unfortunate if this bug has been considered as not serious enough to be fixed in Dapper :(

Revision history for this message
Chris Wagner (chris-wagner) wrote :

Hi Ivailo. If you'd like to see this bug fix get backported to Dapper, then you are welcome to follow the procedure described at https://wiki.ubuntu.com/StableReleaseUpdates

I don't have any authority in deciding that this bug should or should not be backported; I simply didn't think the bug report would do any good sitting around with no attention.

Revision history for this message
Martin Pitt (pitti) wrote : Re: [Bug 50697] Re: Evince crashes upon attempting to select text, for certain PDF(s)

Hi,

Chris Wagner [2006-12-20 23:58 -0000]:
> I'm going to close this, as the bug seems to be fixed in Edgy, and
> according to https://wiki.ubuntu.com/StableReleaseUpdates, this bug is
> probably not serious enough to merit an update to Dapper.

I fully agree on this.

Changed in poppler:
importance: Unknown → Critical
Changed in poppler:
importance: Critical → Unknown
Changed in poppler:
importance: Unknown → Critical