evince assert failure: *** Error in `evince': free(): invalid pointer: 0x0000000002b5c6d0 ***

Bug #1376265 reported by Laurent Bonnaud on 2014-10-01
This bug affects 6 people
Affects: Poppler
Status: Fix Released
Importance: High

Affects: poppler (Ubuntu)
Status: Fix Released
Importance: High
Assigned to: Unassigned

Bug Description

evince crashes while displaying the attached PDF file (around page #79).

To reproduce the crash you need to set the following environment variables:

MALLOC_CHECK_=3
MALLOC_PERTURB_=117

ProblemType: Crash
DistroRelease: Ubuntu 14.10
Package: evince 3.14.0-0ubuntu2
ProcVersionSignature: Ubuntu 3.16.0-18.25-generic 3.16.3
Uname: Linux 3.16.0-18-generic x86_64
ApportVersion: 2.14.7-0ubuntu2
Architecture: amd64
AssertionMessage: *** Error in `evince': free(): invalid pointer: 0x0000000002b5c6d0 ***
CurrentDesktop: KDE
Date: Wed Oct 1 15:33:51 2014
EcryptfsInUse: Yes
ExecutablePath: /usr/bin/evince
ProcCmdline: BOOT_IMAGE=/boot/vmlinuz-3.16.0-18-generic root=UUID=749a9901-bdd3-4b5f-b80e-69414667e058 ro quiet splash vt.handoff=7
Signal: 6
SourcePackage: evince
StacktraceTop:
 __libc_message (do_abort=do_abort@entry=3, fmt=fmt@entry=0x7fc5a23b4a40 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
 malloc_printerr (ptr=<optimized out>, str=0x7fc5a23b0b19 "free(): invalid pointer", action=3) at malloc.c:4996
 free_check (mem=<optimized out>, caller=<optimized out>) at hooks.c:298
 TextPage::getSelectionText (this=<optimized out>, selection=selection@entry=0x7fc592ed1b80, style=style@entry=selectionStyleGlyph) at TextOutputDev.cc:4762
 poppler_page_get_selected_text (page=page@entry=0x20bbb80, style=style@entry=POPPLER_SELECTION_GLYPH, selection=selection@entry=0x7fc592ed1bd0) at poppler-page.cc:824
Title: evince assert failure: *** Error in `evince': free(): invalid pointer: 0x0000000002b5c6d0 ***
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups: adm autopilot cdrom dip fuse libvirtd lpadmin plugdev sambashare staff sudo

information type: Private Security → Public Security
affects: evince (Ubuntu) → poppler (Ubuntu)
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in poppler (Ubuntu):
status: New → Confirmed
Changed in poppler (Ubuntu):
importance: Undecided → High
status: Confirmed → Triaged

tags: removed: need-amd64-retrace

I have also reported this bug upstream:

https://bugs.freedesktop.org/show_bug.cgi?id=84555

Changed in poppler:
importance: Unknown → High
status: Unknown → New

This bug is fixed in Ubuntu 15.04 with evince 3.16 (from GNOME PPA) and poppler 0.30.0.

Changed in poppler (Ubuntu):
status: Triaged → Fix Released
Changed in poppler:
status: New → Fix Released