evince crashed with SIGSEGV in ft_glyphslot_free_bitmap()

Bug #207341 reported by Matteo Settenvini
Affects            Status         Importance   Assigned to   Milestone
libcairo           Fix Released   Medium
poppler (Ubuntu)                  Medium       Unassigned

Bug Description

Binary package hint: evince

Crash trying to print attached PDF, two pages per sheet, 600dpi.
Btw, it takes quite a long time, CPU goes to 100%, and the crash happens after a couple of minutes on my machine.
Trying to print again, even at 300dpi, always results in another crash, so I believe it's always reproducible.

ProblemType: Crash
Architecture: i386
Date: Wed Mar 26 21:31:49 2008
DistroRelease: Ubuntu 8.04
ExecutablePath: /usr/bin/evince
Package: evince 2.22.0-0ubuntu2 [modified: usr/lib/libevbackend.so.0.0.0 usr/bin/evince usr/bin/evince-thumbnailer]
PackageArchitecture: i386
ProcCmdline: evince file:///home/username/Desktop/inferenza-fol.pdf
ProcEnviron:
 PATH=/usr/lib/colorgcc/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
 LANG=it_IT.UTF-8
 SHELL=/bin/bash
Signal: 11
SourcePackage: evince
StacktraceTop:
 ft_glyphslot_free_bitmap () from /usr/lib/libfreetype.so.6
 FT_Load_Glyph () from /usr/lib/libfreetype.so.6
 ?? () from /usr/lib/libcairo.so.2
 ?? ()
 ?? ()
Title: evince crashed with SIGSEGV in ft_glyphslot_free_bitmap()
Uname: Linux 2.6.24-12-386 i686
UserGroups: adm admin audio cdrom dialout dip floppy kmem lpadmin netdev plugdev powerdev pulse-rt sambashare scanner video

Revision history for this message
Matteo Settenvini (tchernobog) wrote :
Revision history for this message
Apport retracing service (apport) wrote : Symbolic stack trace

StacktraceTop:
 FT_Load_Glyph (face=0x8f9bcd0, glyph_index=34, load_flags=522)
 _cairo_ft_scaled_glyph_init (abstract_font=0x90a4938, scaled_glyph=0x900f180,
 _cairo_scaled_glyph_lookup (scaled_font=0x90a4938, index=34,
 _cairo_scaled_font_glyph_device_extents (scaled_font=0x90a4938, glyphs=0x8e3e528,
 _cairo_analysis_surface_show_glyphs (abstract_surface=0x8d94590, op=CAIRO_OPERATOR_OVER,

Revision history for this message
Apport retracing service (apport) wrote : Symbolic threaded stack trace
Changed in evince:
importance: Undecided → Medium
Revision history for this message
Sebastien Bacher (seb128) wrote :

Thanks for your bug report. This bug has been reported to the developers of the software. You can track it and make comments here: https://bugs.freedesktop.org/show_bug.cgi?id=15216

Changed in evince:
status: New → Triaged
Revision history for this message
Chris Wilson (ickle) wrote :

valgrind reports:
==13745== Invalid read of size 4
==13745== at 0x51BE572: FT_Load_Glyph (ftobjs.c:549)
==13745== by 0x4A24921: _cairo_ft_scaled_glyph_init (cairo-ft-font.c:1922)
==13745== by 0x4A117AB: _cairo_scaled_glyph_lookup (cairo-scaled-font.c:1674)
==13745== by 0x4A12A5A: _cairo_scaled_font_glyph_device_extents (cairo-scaled-font.c:1124)
==13745== by 0x4A21ECD: _cairo_analysis_surface_show_glyphs (cairo-analysis-surface.c:516)
==13745== by 0x4A144DC: _cairo_surface_show_glyphs (cairo-surface.c:2086)
==13745== by 0x4A1FCC8: _cairo_meta_surface_replay_internal (cairo-meta-surface.c:816)
==13745== by 0x4A214B1: _paint_page (cairo-paginated-surface.c:299)
==13745== by 0x4A2171E: _cairo_paginated_surface_show_page (cairo-paginated-surface.c:445)
==13745== by 0x4A14BDF: cairo_surface_show_page (cairo-surface.c:1702)
==13745== by 0x49FF661: cairo_show_page (cairo.c:2155)
==13745== by 0xA267D97: pdf_document_file_exporter_end_page(_EvFileExporter*) (ev-poppler.cc:1753)
==13745== Address 0x55c5630 is 88 bytes inside a block of size 552 free'd
==13745== at 0x402269C: free (vg_replace_malloc.c:326)
==13745== by 0x51B7ABC: ft_free (ftsystem.c:158)
==13745== by 0x51BB319: ft_mem_free (ftutil.c:171)
==13745== by 0x51BC318: destroy_face (ftobjs.c:856)
==13745== by 0x51BC3B2: FT_Done_Face (ftobjs.c:1972)
==13745== by 0x4363704: CairoFont::~CairoFont() (CairoFontEngine.cc:251)
==13745== by 0x436401D: CairoFontEngine::getFont(GfxFont*, XRef*) (CairoFontEngine.cc:335)
==13745== by 0x4366915: CairoOutputDev::updateFont(GfxState*) (CairoOutputDev.cc:318)
==13745== by 0x5093BF1: Gfx::opShowText(Object*, int) (Gfx.cc:3073)
==13745== by 0x508F901: Gfx::execOp(Object*, Object*, int) (Gfx.cc:726)
==13745== by 0x50906FF: Gfx::go(int) (Gfx.cc:594)
==13745== by 0x5090C96: Gfx::display(Object*, int) (Gfx.cc:557)
==13745==

which looks like poppler has called FT_Done_Face on a live cairo_font_face_t.

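The valgrind report above shows the ownership mistake behind the crash: poppler's CairoFont destructor calls FT_Done_Face on an FT_Face that cairo's scaled font still references, and cairo's next FT_Load_Glyph reads freed memory. The block below is an added example, not code from poppler, cairo or this bug thread: it models the two lifetime policies with constructed stand-in types (fake_face for the FT_Face, fake_font_face for a reference-counted cairo_font_face_t with one user-data destroy hook). The fixed policy mirrors the pattern cairo's own documentation recommends for faces passed to cairo_ft_font_face_create_for_ft_face(): register FT_Done_Face through cairo_font_face_set_user_data() so it runs only when the last reference is dropped. All function and type names here are assumptions for the demo; the glyph index 34 is taken from the trace.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for an FT_Face: a resource its creator must release
 * exactly once with done_face() (the FT_Done_Face role). */
typedef struct { int live; int glyph_count; } fake_face;

static int g_done_face_calls = 0;   /* how many times done_face() ran */

static fake_face *new_face(int glyph_count) {
    fake_face *f = calloc(1, sizeof *f);
    f->live = 1;
    f->glyph_count = glyph_count;
    return f;
}

/* FT_Done_Face role. Marks the face dead instead of freeing it, so the demo
 * can observe a use-after-release without real undefined behaviour; FreeType
 * returns the block to the allocator, hence valgrind's "block ... free'd". */
static void done_face(fake_face *f) { f->live = 0; g_done_face_calls++; }

/* FT_Load_Glyph role: 0 on success, -1 if the face was already released,
 * -2 for an out-of-range glyph index. */
static int load_glyph(const fake_face *f, int glyph_index) {
    if (!f->live) return -1;
    return (glyph_index >= 0 && glyph_index < f->glyph_count) ? 0 : -2;
}

/* Stand-in for cairo_font_face_t: reference counted, with one user-data slot
 * whose destroy hook runs when the last reference drops (the mechanism behind
 * cairo_font_face_set_user_data()). */
typedef void (*destroy_fn)(void *);
typedef struct { int refcount; fake_face *ft_face; void *user_data; destroy_fn user_destroy; } fake_font_face;

static fake_font_face *font_face_create(fake_face *ft) {
    fake_font_face *ff = calloc(1, sizeof *ff);
    ff->refcount = 1;
    ff->ft_face = ft;
    return ff;
}

static fake_font_face *font_face_reference(fake_font_face *ff) {
    ff->refcount++;
    return ff;
}

static void font_face_set_user_data(fake_font_face *ff, void *data, destroy_fn d) {
    ff->user_data = data;
    ff->user_destroy = d;
}

static void font_face_destroy(fake_font_face *ff) {
    if (--ff->refcount > 0) return;
    if (ff->user_destroy) ff->user_destroy(ff->user_data); /* release FT_Face once */
    free(ff);
}

static void done_face_hook(void *p) { done_face(p); }

/* Buggy ownership (what the valgrind trace shows CairoFont doing): the owner
 * releases the FT_Face while cairo still holds the font face built on it.
 * Returns what cairo's later glyph lookup observes: -1 here, an invalid read
 * and SIGSEGV in the real crash. */
static int buggy_lifetime(void) {
    fake_face *ft = new_face(64);
    fake_font_face *ff = font_face_create(ft);
    fake_font_face *cairo_ref = font_face_reference(ff); /* held by cairo's scaled font */
    font_face_destroy(ff);  /* owner drops its reference... */
    done_face(ft);          /* ...and releases the FT_Face anyway: the bug */
    int rc = load_glyph(cairo_ref->ft_face, 34); /* glyph_index=34 as in the trace */
    font_face_destroy(cairo_ref);
    free(ft);
    return rc;
}

/* Fixed ownership: the FT_Face is handed over through the destroy hook, so
 * done_face() runs only once the last reference is gone. Reports how many
 * times done_face() ran before and after that point. */
static int fixed_lifetime(int *done_before, int *done_after) {
    int base = g_done_face_calls;
    fake_face *ft = new_face(64);
    fake_font_face *ff = font_face_create(ft);
    font_face_set_user_data(ff, ft, done_face_hook);
    fake_font_face *cairo_ref = font_face_reference(ff);
    font_face_destroy(ff);                      /* owner done; face stays live */
    int rc = load_glyph(cairo_ref->ft_face, 34);
    *done_before = g_done_face_calls - base;
    font_face_destroy(cairo_ref);               /* last reference: hook releases */
    *done_after = g_done_face_calls - base;
    free(ft);
    return rc;
}

int main(void) {
    int before, after;
    printf("buggy: load_glyph rc=%d\n", buggy_lifetime());
    printf("fixed: rc=%d, done_face before/after last unref: %d/%d\n",
           fixed_lifetime(&before, &after), before, after);
    return 0;
}
```

The point of the two functions is the ordering: in the buggy path the glyph load happens after the face is gone, which is the trace's FT_Load_Glyph frame reading a free'd block; in the fixed path done_face() has run zero times while any reference is alive and exactly once afterwards, which is what a destroy hook tied to the reference count guarantees.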
Revision history for this message
Chris Wilson (ickle) wrote :

Created an attachment (id=15501)
Do not call FT_Done_Face on a live cairo_font_t.

Changed in libcairo:
status: Unknown → Confirmed
Revision history for this message
Carlos Garcia Campos (carlosgc) wrote :

Pushed to both master and poppler-0.8 branch. Thanks!

Changed in libcairo:
status: Confirmed → Fix Released
Revision history for this message
Pedro Villavicencio (pedro) wrote :

Fixed upstream, thanks for reporting.

Changed in poppler:
status: Triaged → Fix Committed
Revision history for this message
Sebastien Bacher (seb128) wrote :

The new version is available in intrepid now.

Changed in poppler:
status: Fix Committed → Fix Released
Changed in libcairo:
importance: Unknown → Medium
Changed in libcairo:
importance: Medium → Unknown
Changed in libcairo:
importance: Unknown → Medium