evince crashed with SIGSEGV in GooString::hasUnicodeMarker()

Bug #599674 reported by smpahlman
Affects: poppler (Ubuntu) | Status: Invalid | Importance: Undecided | Assigned to: Unassigned | Milestone: (none)

Bug Description

evince crashes when opening the attached 123 byte reproducer.

==12758== Thread 2:
==12758== Invalid read of size 4
==12758== at 0xA458236: GooString::hasUnicodeMarker() (GooString.cc:767)
==12758== by 0xA20681E: _poppler_goo_string_to_utf8(GooString*) (poppler-document.cc:540)
==12758== by 0xA20F790: _poppler_layer_new(_PopplerDocument*, _Layer*, _GList*) (poppler-layer.cc:81)
==12758== by 0xA205FBA: poppler_layers_iter_get_layer (poppler-document.cc:1762)
==12758== by 0xA1DF4F2: ??? (ev-poppler.cc:2880)
==12758== by 0xA1DF687: ??? (ev-poppler.cc:2937)
==12758== by 0x4853AB2: ev_document_layers_get_layers (ev-document-layers.c:46)
==12758== by 0x4871E50: ev_job_layers_run (ev-jobs.c:1260)
==12758== by 0x48703E0: ev_job_run (ev-jobs.c:210)
==12758== by 0x4873FC7: ev_job_thread_proxy (ev-job-scheduler.c:183)
==12758== by 0x5331DEE: ??? (in /lib/libglib-2.0.so.0.2400.1)
==12758== by 0x521A96D: start_thread (pthread_create.c:300)
==12758== Address 0x1c is not stack'd, malloc'd or (recently) free'd
==12758==
==12758==
==12758== Process terminating with default action of signal 11 (SIGSEGV)
==12758== Access not within mapped region at address 0x1C
==12758== at 0xA458236: GooString::hasUnicodeMarker() (GooString.cc:767)
==12758== by 0xA20681E: _poppler_goo_string_to_utf8(GooString*) (poppler-document.cc:540)
==12758== by 0xA20F790: _poppler_layer_new(_PopplerDocument*, _Layer*, _GList*) (poppler-layer.cc:81)
==12758== by 0xA205FBA: poppler_layers_iter_get_layer (poppler-document.cc:1762)
==12758== by 0xA1DF4F2: ??? (ev-poppler.cc:2880)
==12758== by 0xA1DF687: ??? (ev-poppler.cc:2937)
==12758== by 0x4853AB2: ev_document_layers_get_layers (ev-document-layers.c:46)
==12758== by 0x4871E50: ev_job_layers_run (ev-jobs.c:1260)
==12758== by 0x48703E0: ev_job_run (ev-jobs.c:210)
==12758== by 0x4873FC7: ev_job_thread_proxy (ev-job-scheduler.c:183)
==12758== by 0x5331DEE: ??? (in /lib/libglib-2.0.so.0.2400.1)
==12758== by 0x521A96D: start_thread (pthread_create.c:300)
==12758== If you believe this happened as a result of a stack
==12758== overflow in your program's main thread (unlikely but
==12758== possible), you can try to increase the size of the
==12758== main thread stack using the --main-stacksize= flag.
==12758== The main thread stack size used in this run was 8388608.
==12758==
==12758== HEAP SUMMARY:
==12758== in use at exit: 4,740,522 bytes in 63,592 blocks
==12758== total heap usage: 441,137 allocs, 377,545 frees, 23,112,436 bytes allocated
==12758==
==12758== LEAK SUMMARY:
==12758== definitely lost: 5,695 bytes in 20 blocks
==12758== indirectly lost: 21,480 bytes in 1,068 blocks
==12758== possibly lost: 3,577,109 bytes in 47,775 blocks
==12758== still reachable: 1,136,238 bytes in 14,729 blocks
==12758== suppressed: 0 bytes in 0 blocks
==12758== Rerun with --leak-check=full to see details of leaked memory
==12758==
==12758== For counts of detected and suppressed errors, rerun with: -v
==12758== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 224 from 15)
Killed

(gdb) bt
#0 0x06774236 in GooString::hasUnicodeMarker (this=0x0) at GooString.cc:767
#1 0x1beab81f in _poppler_goo_string_to_utf8 (s=0x0)
    at poppler-document.cc:540
#2 0x1beb4791 in _poppler_layer_new (document=0xb5a0bb20, layer=0x2157c458,
    rbgroup=0x0) at poppler-layer.cc:81
#3 0x1beaafbb in poppler_layers_iter_get_layer (iter=0x2157c2c8)
    at poppler-document.cc:1762
#4 0x00bc84f3 in build_layers_tree (pdf_document=0x215a36d0,
    model=<value optimized out>, parent=0x0, iter=0x2157c2c8)
    at ev-poppler.cc:2880
#5 0x00bc8688 in pdf_document_layers_get_layers (document=0x215a36d0)
    at ev-poppler.cc:2937
#6 0x00986ab3 in ev_document_layers_get_layers (document_layers=0x215a36d0)
    at ev-document-layers.c:46
#7 0x00bfbe51 in ev_job_layers_run (job=0x21611c30) at ev-jobs.c:1260
#8 0x00bfa3e1 in ev_job_run (job=0x21611c30) at ev-jobs.c:210
#9 0x00bfdfc8 in ev_job_thread (data=0x0) at ev-job-scheduler.c:183
#10 ev_job_thread_proxy (data=0x0) at ev-job-scheduler.c:213
#11 0x0085fdef in ?? () from /lib/libglib-2.0.so.0
#12 0x001b796e in start_thread (arg=0xb63e0b70) at pthread_create.c:300
#13 0x16db5a4e in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:130

ProblemType: Crash
DistroRelease: Ubuntu 10.04
Package: evince 2.30.1-0ubuntu3
ProcVersionSignature: Ubuntu 2.6.32-22.36-generic 2.6.32.11+drm33.2
Uname: Linux 2.6.32-22-generic i686
Architecture: i386
CrashCounter: 1
Date: Tue Jun 29 10:41:57 2010
EcryptfsInUse: Yes
ExecutablePath: /usr/bin/evince
InstallationMedia: Ubuntu 10.04 "Lucid Lynx" - Alpha i386 (20100113)
ProcCmdline: BOOT_IMAGE=/boot/vmlinuz-2.6.32-22-generic root=UUID=a0f9a5ba-8891-4f4a-ae71-20b4a3e95b4c ro quiet
ProcEnviron:
 SHELL=/bin/bash
 LANG=en_US.utf8
SegvAnalysis:
 Segfault happened at: 0x1acbb236 <_ZN9GooString16hasUnicodeMarkerEv+6>: mov 0x1c(%eax),%edx
 PC (0x1acbb236) ok
 source "0x1c(%eax)" (0x0000001c) not located in a known VMA region (needed readable region)!
 destination "%edx" ok
SegvReason: reading NULL VMA
Signal: 11
SourcePackage: evince
StacktraceTop:
 GooString::hasUnicodeMarker (this=0x0) at GooString.cc:767
 _poppler_goo_string_to_utf8 (s=0x0)
 _poppler_layer_new (document=0xb5a0bb20, layer=0x22b0a458,
 poppler_layers_iter_get_layer (iter=0x23149528)
 build_layers_tree (pdf_document=0x22b316d0,
Title: evince crashed with SIGSEGV in GooString::hasUnicodeMarker()
UserGroups: adm admin cdrom dialout lpadmin plugdev sambashare
XsessionErrors:
 (polkit-gnome-authentication-agent-1:1389): GLib-CRITICAL **: g_once_init_leave: assertion `initialization_value != 0' failed
 (gnome-terminal:1494): Gtk-CRITICAL **: gtk_accel_map_unlock_path: assertion `entry != NULL && entry->lock_count > 0' failed

smpahlman (sauli-pahlman) wrote :
Tomas Hoger (thoger) wrote :

This is a NULL pointer dereference issue that probably should be fixed in the glib frontend (which calls GooString::hasUnicodeMarker on a NULL pointer). Ok to report publicly in the upstream bugzilla?

Changed in poppler (Ubuntu):
status: New → Confirmed
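The traces above show the frontend handing a NULL GooString (a layer with no name) to _poppler_goo_string_to_utf8, which calls hasUnicodeMarker() on it and faults at offset 0x1c. The following is an added example, not poppler's own code: a constructed stand-in for GooString and a hardened version of the conversion helper that checks for NULL before any member call, with a caller that substitutes a placeholder name. The UTF-16BE handling and the Latin-1 fallback are simplifications assumed for the example.

```cpp
#include <string>

// Constructed stand-in for poppler's GooString (added example, not poppler code).
// PDF text strings that start with the bytes FE FF are UTF-16BE; the real
// hasUnicodeMarker() reads length and bytes through `this`, so a NULL object
// faults at a small address exactly as the valgrind output shows.
struct GooString {
    std::string s;
    bool hasUnicodeMarker() const {
        return s.size() >= 2 && (unsigned char)s[0] == 0xfe
                             && (unsigned char)s[1] == 0xff;
    }
};

// Encode one BMP code point as UTF-8 (enough for this example's inputs).
static void put_utf8(std::string &out, unsigned cp) {
    if (cp < 0x80) {
        out += (char)cp;
    } else if (cp < 0x800) {
        out += (char)(0xc0 | (cp >> 6));
        out += (char)(0x80 | (cp & 0x3f));
    } else {
        out += (char)(0xe0 | (cp >> 12));
        out += (char)(0x80 | ((cp >> 6) & 0x3f));
        out += (char)(0x80 | (cp & 0x3f));
    }
}

// Hardened shape of the frontend helper: a layer whose name is absent arrives
// here as NULL, so the check comes before any member call. Returns false
// instead of crashing. Non-Unicode bytes are treated as Latin-1 here, a
// simplification of PDFDocEncoding assumed for the example.
bool goo_string_to_utf8(const GooString *s, std::string &out) {
    out.clear();
    if (s == nullptr) return false;   // the check missing in the crashing path
    if (s->hasUnicodeMarker()) {
        for (size_t i = 2; i + 1 < s->s.size(); i += 2)
            put_utf8(out, ((unsigned char)s->s[i] << 8) | (unsigned char)s->s[i + 1]);
    } else {
        for (unsigned char c : s->s) put_utf8(out, c);
    }
    return true;
}

// Caller pattern for the layer tree: never dereference, fall back to a label.
std::string layer_display_name(const GooString *name) {
    std::string out;
    return goo_string_to_utf8(name, out) ? out : std::string("(unnamed layer)");
}
```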
smpahlman (sauli-pahlman) wrote :

> Ok to report publicly in upstream bugzilla?

Yes, no problem. Please go ahead.

Tomas Hoger (thoger) wrote :
visibility: private → public
Apport retracing service (apport) wrote :

StacktraceTop:
 ?? ()
 ?? ()
 ?? ()
 ?? ()
 ?? ()

Apport retracing service (apport) wrote : Stacktrace.txt
Apport retracing service (apport) wrote : ThreadStacktrace.txt
Changed in poppler (Ubuntu):
status: Confirmed → Invalid
Apport retracing service (apport) wrote : Crash report cannot be processed

Thank you for your report!

However, processing it in order to get sufficient information for the
developers failed (it does not generate a useful symbolic stack trace). This
might be caused by some outdated packages which were installed on your system
at the time of the report:

libevdocument2: installed version 2.30.1-0ubuntu3, latest version: 2.30.3-0ubuntu1
libusb-0.1-4: installed version 2:0.1.12-14, latest version: 2:0.1.12-14ubuntu0.1
libpam0g: installed version 1.1.1-2ubuntu2, latest version: 1.1.1-2ubuntu3
libevview2: installed version 2.30.1-0ubuntu3, latest version: 2.30.3-0ubuntu1
libc-bin: installed version 2.11.1-0ubuntu7.1, latest version: 2.11.1-0ubuntu7.2
dpkg: installed version 1.15.5.6ubuntu4, latest version: 1.15.5.6ubuntu4.1
libgnome-keyring0: installed version 2.30.0-0ubuntu4, latest version: 2.30.1-0ubuntu1
libc6: installed version 2.11.1-0ubuntu7.1, latest version: 2.11.1-0ubuntu7.2
evince: installed version 2.30.1-0ubuntu3, latest version: 2.30.3-0ubuntu1
libpam-modules: installed version 1.1.1-2ubuntu2, latest version: 1.1.1-2ubuntu3
libatk1.0-0: installed version 1.30.0-0ubuntu2, latest version: 1.30.0-0ubuntu2.1

Please upgrade your system to the latest package versions. If you still
encounter the crash, please file a new report.

Thank you for your understanding, and sorry for the inconvenience!

tags: removed: need-i386-retrace