[apport] evince-thumbnailer crashed with SIGSEGV in CairoFont::create()

Bug #122396 reported by Michael Hofmann
Affects           Status        Importance  Assigned to  Milestone
Poppler           Fix Released  Medium
poppler (Ubuntu)  Fix Released  Medium      Kees Cook

Bug Description

Binary package hint: evince

No idea what the thumbnailer did.

ProblemType: Crash
Architecture: amd64
Date: Tue Jun 26 10:15:08 2007
DistroRelease: Ubuntu 7.04
ExecutablePath: /usr/bin/evince-thumbnailer
Package: evince 0.8.1-0ubuntu1
PackageArchitecture: amd64
ProcCmdline: evince-thumbnailer -s 128 file:///home/mh21/Desktop/vorlage_sada/da.pdf /tmp/.gnome_thumbnail.PIQQUT
ProcCwd: /home/mh21
ProcEnviron:
 LC_MONETARY=de_DE.UTF-8
 PATH=/home/mh21/bin:/home/mh21/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/bin/X11:/usr/games
 LANG=nl_NL.UTF-8
 SHELL=/bin/bash
 LC_NUMERIC=en_GB.UTF-8
Signal: 11
SourcePackage: evince
StacktraceTop:
 CairoFont::create () from /usr/lib/libpoppler-glib.so.1
 CairoFontEngine::getFont () from /usr/lib/libpoppler-glib.so.1
 CairoOutputDev::updateFont () from /usr/lib/libpoppler-glib.so.1
 Gfx::opShowSpaceText () from /usr/lib/libpoppler.so.1
 Gfx::go () from /usr/lib/libpoppler.so.1
Uname: Linux arcaid 2.6.20-16-generic #2 SMP Thu Jun 7 19:00:28 UTC 2007 x86_64 GNU/Linux
UserGroups: adm admin audio cdrom dialout dip floppy fuse lpadmin plugdev scanner video

CVE References

Revision history for this message
Michael Hofmann (mh21) wrote :
Changed in evince:
assignee: nobody → desktop-bugs
importance: Undecided → Medium
Revision history for this message
Apport retracing service (apport) wrote : Symbolic stack trace

StacktraceTop:CairoFont::create (gfxFont=0x74a570, xref=0x6b82f0, lib=0x70abd0, useCIDs=1) at Object.h:291
CairoFontEngine::getFont (this=0x709cc0, gfxFont=0x74a570, xref=0x6b82f0) at CairoFontEngine.cc:353
CairoOutputDev::updateFont (this=0x70aad0, state=0x74c0c0) at CairoOutputDev.cc:275
Gfx::opShowSpaceText (this=0x70e150, args=0x7fffd88cabe0, numArgs=-706679660) at Gfx.cc:2673
Gfx::go (this=0x70e150, topLevel=1) at Gfx.cc:580

Revision history for this message
Apport retracing service (apport) wrote : Symbolic threaded stack trace
Revision history for this message
Sebastien Bacher (seb128) wrote :

Thank you for your bug. Could you attach the file triggering the crash?

Changed in evince:
status: New → Incomplete
Revision history for this message
In , Sebastien Bacher (seb128) wrote :

The bug has been opened on https://bugs.launchpad.net/bugs/122396

"Binary package hint: evince

No idea what the thumbnailer did.
...
DistroRelease: Ubuntu 7.04
ExecutablePath: /usr/bin/evince-thumbnailer
Package: evince 0.8.1-0ubuntu1
PackageArchitecture: amd64
ProcCmdline: evince-thumbnailer -s 128 file:///home/mh21/Desktop/vorlage_sada/da.pdf /tmp/.gnome_thumbnail.PIQQUT
...
.
Thread 1 (process 11291):
#0 0x00002b29d5ae3556 in CairoFont::create (gfxFont=0x74a570, xref=0x6b82f0, lib=0x70abd0, useCIDs=1) at Object.h:291
 refObj = {type = objNone, {booln = 405, intg = 405, real = 2.0009658656570485e-321, string = 0x195, name = 0x195 <Address 0x195 out of bounds>, array = 0x195,
    dict = 0x195, stream = 0x195, ref = {num = 405, gen = 0}, cmd = 0x195 <Address 0x195 out of bounds>}}
 strObj = {type = objNull, {booln = 0, intg = 0, real = 0, string = 0x0, name = 0x0, array = 0x0, dict = 0x0, stream = 0x0, ref = {num = 0, gen = 0}, cmd = 0x0}}
 tmpFileName = (GooString *) 0x77c4d0
 fileName = <value optimized out>
 tmpFileName2 = <value optimized out>
 dfp = <value optimized out>
 tmpFile = <value optimized out>
 c = <value optimized out>
 n = <value optimized out>
 code = <value optimized out>
 cmap = <value optimized out>
 fontType = fontType1
 name = <value optimized out>
 ff = <value optimized out>
 ff1c = <value optimized out>
 ctu = <value optimized out>
 uBuf = {7398256, 0, 0, 0, 7679824, 0, 3587969053, 11049}
 cairo_font_face = <value optimized out>
 face = <value optimized out>
 codeToGID = <value optimized out>
 codeToGIDLen = 0
 cairo_font_face_key = {unused = 0}
#1 0x00002b29d5ae3c39 in CairoFontEngine::getFont (this=0x709cc0, gfxFont=0x74a570, xref=0x6b82f0) at CairoFontEngine.cc:353
 i = <value optimized out>
 j = <value optimized out>
 ref = {num = 406, gen = 0}
 font = (CairoFont *) 0x0
#2 0x00002b29d5ae54ca in CairoOutputDev::updateFont (this=0x70aad0, state=0x74c0c0) at CairoOutputDev.cc:275
 font_face = <value optimized out>
 matrix = {xx = 3.3061371060132861e-317, yx = 2.344770403471977e-310, xy = 6.9533231071318657e-310, yy = 3.6549553570275397e-317, x0 = 6.9533231071500473e-310,
  y0 = 4.9406564584124654e-324}
 fontSize = <value optimized out>
 m = <value optimized out>
#3 0x00002b29d5d7c1f1 in Gfx::opShowSpaceText (this=0x70e150, args=0x7fffd88cabe0, numArgs=-706679660) at Gfx.cc:2673
 a = <value optimized out>
 obj = {type = objNone, {booln = 2, intg = 2, real = 9.8813129168249309e-324, string = 0x2, name = 0x2 <Address 0x2 out of bounds>, array = 0x2, dict = 0x2, stream = 0x2,
    ref = {num = 2, gen = 0}, cmd = 0x2 <Address 0x2 out of bounds>}}
 wMode = <value optimized out>
 i = <value optimized out>
#4 0x00002b29d5d77d95 in Gfx::go (this=0x70e150, topLevel=1) at Gfx.cc:580
 obj = {type = objCmd, {booln = 7849200, intg = 7849200, real = 3.8780200673371124e-317, string = 0x77c4f0, name = 0x77c4f0 "TJ", array = 0x77c4f0, dict = 0x77c4f0,
    stream = 0x77c4f0, ref = {num = 7849200, gen = 0}, cmd = 0x77c4f0 "TJ"}}
 args = {{type = objArray, {booln = 7807136, intg = 7807136, real = 3.8572376900104462e-317, string = 0x7720a0, name = 0x7720a0 "ð\202k", array = 0x7720a0,
      dict = 0x7720a0, stream = 0x7720a0, re...


Revision history for this message
Michael Hofmann (mh21) wrote :

I'm sorry, this file was generated from LaTeX; I suspect the thumbnailer picked it up at the wrong moment while it was still being generated? I can attach the complete file, but this is thumbnailed without any problems.

Revision history for this message
Sebastien Bacher (seb128) wrote :

No need to attach the example if it doesn't trigger the bug. I've sent the crash details upstream on https://bugs.freedesktop.org/show_bug.cgi?id=11392

Changed in evince:
status: Incomplete → Confirmed
Changed in poppler:
status: Unknown → Confirmed
Changed in poppler:
status: Confirmed → Triaged
Revision history for this message
In , Kees Cook (kees) wrote :

This was fixed in recent poppler changes, but I'd like to see the attached patch committed as well for additional safety in the future.

Revision history for this message
In , Kees Cook (kees) wrote :

Created an attachment (id=16030)
perform full type-checking in Object

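The type confusion visible in frame #0 (refObj tagged objNone, yet its union payload read as the dict pointer 0x195, which is 405 as a Ref number) is easier to see in a small model. The block below is an added illustration, not poppler's Object.h and not the attached patch: a hypothetical tagged union Obj with an unchecked accessor that reproduces the garbage pointer and a checked accessor that refuses to reinterpret the payload when the tag is wrong.

```cpp
#include <cstdint>
#include <cstdio>

// Hypothetical, simplified tagged union; poppler's real Object has many more
// variants. Names are assumptions for this illustration only.
enum ObjType { objNone, objInt, objRef, objDict };

struct Ref  { int num; int gen; };
struct Dict { int entries; };

struct Obj {
    ObjType type;
    union {
        int   intg;
        Ref   ref;
        Dict *dict;
    };
};

// Unchecked accessor: the pattern that crashed. Whatever bytes the union
// holds are handed back as a Dict pointer regardless of the tag.
static Dict *dictUnchecked(const Obj &o) { return o.dict; }

// Checked accessor: only hands out the Dict when the tag says it is one.
// Returns false (and logs) instead of letting a caller dereference garbage.
static bool dictChecked(const Obj &o, Dict **out) {
    if (o.type != objDict) {
        std::fprintf(stderr, "type check failed: expected objDict, got %d\n", o.type);
        return false;
    }
    *out = o.dict;
    return true;
}

// Constructed object mirroring the frame-#0 state: tag objNone, payload a
// Ref {num = 405, gen = 0}. On a little-endian 64-bit build those 8 bytes
// read back as the pointer 0x195, the "Address 0x195 out of bounds" in the dump.
static Obj constructedNoneWithRef() {
    Obj o;
    o.type = objNone;
    o.ref = Ref{405, 0};
    return o;
}

// What an unchecked read of the mistyped object yields, as an integer.
static std::uintptr_t uncheckedPointerValue() {
    return reinterpret_cast<std::uintptr_t>(dictUnchecked(constructedNoneWithRef()));
}

// True when the checked accessor rejects the mistyped object.
static bool checkedAccessRejectsNone() {
    Dict *d = nullptr;
    return !dictChecked(constructedNoneWithRef(), &d) && d == nullptr;
}
```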
Revision history for this message
In , Kees Cook (kees) wrote :
Revision history for this message
Kees Cook (kees) wrote :

This has been fixed in USN-603-1: http://www.ubuntu.com/usn/usn-603-1

Changed in poppler:
assignee: desktop-bugs → keescook
status: Triaged → Fix Released
Revision history for this message
In , Albert Astals Cid (aacid) wrote :

So the bug is fixed, nice :-)

Kees, about your patch I don't really see why we should use it. If there's a wrong usage of Object it has to be fixed, not skip the problem silently.

Anyway if you still want to argue about that please open a separate bug as it's not really related to this one.

Changed in poppler:
status: Confirmed → Fix Released
Changed in poppler:
importance: Unknown → Medium
Changed in poppler:
importance: Medium → Unknown
Changed in poppler:
importance: Unknown → Medium