evince crashed with SIGSEGV in GooString::hasUnicodeMarker()
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
poppler (Ubuntu) | Invalid | Undecided | Unassigned |
Bug Description
evince crashes when opening the attached 123 byte reproducer.
==12758== Thread 2:
==12758== Invalid read of size 4
==12758== at 0xA458236: GooString:
==12758== by 0xA20681E: _poppler_
==12758== by 0xA20F790: _poppler_
==12758== by 0xA205FBA: poppler_
==12758== by 0xA1DF4F2: ??? (ev-poppler.
==12758== by 0xA1DF687: ??? (ev-poppler.
==12758== by 0x4853AB2: ev_document_
==12758== by 0x4871E50: ev_job_layers_run (ev-jobs.c:1260)
==12758== by 0x48703E0: ev_job_run (ev-jobs.c:210)
==12758== by 0x4873FC7: ev_job_thread_proxy (ev-job-
==12758== by 0x5331DEE: ??? (in /lib/libglib-
==12758== by 0x521A96D: start_thread (pthread_
==12758== Address 0x1c is not stack'd, malloc'd or (recently) free'd
==12758==
==12758==
==12758== Process terminating with default action of signal 11 (SIGSEGV)
==12758== Access not within mapped region at address 0x1C
==12758== at 0xA458236: GooString:
==12758== by 0xA20681E: _poppler_
==12758== by 0xA20F790: _poppler_
==12758== by 0xA205FBA: poppler_
==12758== by 0xA1DF4F2: ??? (ev-poppler.
==12758== by 0xA1DF687: ??? (ev-poppler.
==12758== by 0x4853AB2: ev_document_
==12758== by 0x4871E50: ev_job_layers_run (ev-jobs.c:1260)
==12758== by 0x48703E0: ev_job_run (ev-jobs.c:210)
==12758== by 0x4873FC7: ev_job_thread_proxy (ev-job-
==12758== by 0x5331DEE: ??? (in /lib/libglib-
==12758== by 0x521A96D: start_thread (pthread_
==12758== If you believe this happened as a result of a stack
==12758== overflow in your program's main thread (unlikely but
==12758== possible), you can try to increase the size of the
==12758== main thread stack using the --main-stacksize= flag.
==12758== The main thread stack size used in this run was 8388608.
==12758==
==12758== HEAP SUMMARY:
==12758== in use at exit: 4,740,522 bytes in 63,592 blocks
==12758== total heap usage: 441,137 allocs, 377,545 frees, 23,112,436 bytes allocated
==12758==
==12758== LEAK SUMMARY:
==12758== definitely lost: 5,695 bytes in 20 blocks
==12758== indirectly lost: 21,480 bytes in 1,068 blocks
==12758== possibly lost: 3,577,109 bytes in 47,775 blocks
==12758== still reachable: 1,136,238 bytes in 14,729 blocks
==12758== suppressed: 0 bytes in 0 blocks
==12758== Rerun with --leak-check=full to see details of leaked memory
==12758==
==12758== For counts of detected and suppressed errors, rerun with: -v
==12758== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 224 from 15)
Killed
(gdb) bt
#0 0x06774236 in GooString:
#1 0x1beab81f in _poppler_
at poppler-
#2 0x1beb4791 in _poppler_layer_new (document=
rbgroup=0x0) at poppler-layer.cc:81
#3 0x1beaafbb in poppler_
at poppler-
#4 0x00bc84f3 in build_layers_tree (pdf_document=
model=<value optimized out>, parent=0x0, iter=0x2157c2c8)
at ev-poppler.cc:2880
#5 0x00bc8688 in pdf_document_
at ev-poppler.cc:2937
#6 0x00986ab3 in ev_document_
at ev-document-
#7 0x00bfbe51 in ev_job_layers_run (job=0x21611c30) at ev-jobs.c:1260
#8 0x00bfa3e1 in ev_job_run (job=0x21611c30) at ev-jobs.c:210
#9 0x00bfdfc8 in ev_job_thread (data=0x0) at ev-job-
#10 ev_job_thread_proxy (data=0x0) at ev-job-
#11 0x0085fdef in ?? () from /lib/libglib-
#12 0x001b796e in start_thread (arg=0xb63e0b70) at pthread_
#13 0x16db5a4e in clone () at ../sysdeps/
ProblemType: Crash
DistroRelease: Ubuntu 10.04
Package: evince 2.30.1-0ubuntu3
ProcVersionSign
Uname: Linux 2.6.32-22-generic i686
Architecture: i386
CrashCounter: 1
Date: Tue Jun 29 10:41:57 2010
EcryptfsInUse: Yes
ExecutablePath: /usr/bin/evince
InstallationMedia: Ubuntu 10.04 "Lucid Lynx" - Alpha i386 (20100113)
ProcCmdline: BOOT_IMAGE=
ProcEnviron:
SHELL=/bin/bash
LANG=en_US.utf8
SegvAnalysis:
Segfault happened at: 0x1acbb236 <_ZN9GooString1
PC (0x1acbb236) ok
source "0x1c(%eax)" (0x0000001c) not located in a known VMA region (needed readable region)!
destination "%edx" ok
SegvReason: reading NULL VMA
Signal: 11
SourcePackage: evince
StacktraceTop:
GooString:
_poppler_
_poppler_layer_new (document=
poppler_
build_layers_tree (pdf_document=
Title: evince crashed with SIGSEGV in GooString:
UserGroups: adm admin cdrom dialout lpadmin plugdev sambashare
XsessionErrors:
(polkit-
(gnome-
visibility: private → public

This is a NULL pointer dereference issue, that probably should be fixed in the glib frontend (which calls GooString::hasUnicodeMarker on a NULL pointer). Ok to report publicly in upstream bugzilla?