evince crashed with SIGSEGV in TextWord::TextWord()

Bug #436197 reported by sseitz on 2009-09-24
This bug affects 7 people
Affects            Status         Importance   Assigned to           Milestone
Evince             Unknown        Medium
Poppler            Fix Released   Medium
poppler (Ubuntu)   Fix Released   Medium       Ubuntu Desktop Bugs

Bug Description

Binary package hint: evince

This document causes the crash. http://www.oreilly.de/catalog/linuxhaclusterger/chapter/ch05.pdf

ProblemType: Crash
Architecture: i386
Date: Thu Sep 24 22:11:42 2009
DistroRelease: Ubuntu 9.10
ExecutablePath: /usr/bin/evince
NonfreeKernelModules: nvidia
Package: evince 2.28.0-0ubuntu1
ProcCmdline: root=UUID=8f0b89b2-44dc-4361-87f9-a442b5719b40 ro quiet splash
ProcEnviron:
 LANG=de_DE.UTF-8
 SHELL=/bin/bash
ProcVersionSignature: Ubuntu 2.6.31-10.35-generic-pae
SegvAnalysis:
 Segfault happened at: 0xb70261ec <_ZN8TextWordC1EP8GfxStateiddiP12TextFontInfod+44>: mov (%ecx),%ecx
 PC (0xb70261ec) ok
 source "(%ecx)" (0x00000000) not located in a known VMA region (needed readable region)!
 destination "%ecx" ok
SegvReason: reading NULL VMA
Signal: 11
SourcePackage: evince
StacktraceTop:
 TextWord::TextWord(GfxState*, int, double, double, int, TextFontInfo*, double) () from /usr/lib/libpoppler.so.5
 TextPage::beginWord(GfxState*, double, double) ()
 TextPage::addChar(GfxState*, double, double, double, double, unsigned int, int, unsigned int*, int) () from /usr/lib/libpoppler.so.5
 ActualText::endMC(GfxState*) ()
 CairoOutputDev::endMarkedContent(GfxState*) ()
Title: evince crashed with SIGSEGV in TextWord::TextWord()
Uname: Linux 2.6.31-10-generic-pae i686
UserGroups: adm admin audio avahi avahi-autoipd bin cdrom debian-xfs dialout dip disk fax floppy fuse gdm gnats haldaemon kmem lp lpadmin mail messagebus mysql netdev plugdev polkituser pulse pulse-access sambashare saned sasl ssh staff sudo sys tape tty users vboxusers vde2-net video winbindd_priv


sseitz (s-seitz) wrote :

StacktraceTop:
TextWord (this=0x8cc44e8, state=0x8cf2718, rotA=3, x0=0, y0=0,
TextPage::beginWord (this=0x8cc3e00, state=0x8cf2718, x0=0,
TextPage::addChar (this=0x8cc3e00, state=0x8cf2718, x=0,
ActualText::endMC (this=0x8cc3f40, state=0x8cf2718)
CairoOutputDev::endMarkedContent (this=0x8d0ec68,

Changed in evince (Ubuntu):
importance: Undecided → Medium
tags: removed: need-i386-retrace

This report has been filed here:

https://bugs.edge.launchpad.net/ubuntu/+source/poppler/+bug/436197

"This document causes the crash. http://www.oreilly.de/catalog/linuxhaclusterger/chapter/ch05.pdf"

Thread 3 (process 12515):
#0 0xb7fa6430 in __kernel_vsyscall ()
No symbol table info available.
#1 0xb79a728f in fsync () from /lib/tls/i686/cmov/libpthread.so.0
No symbol table info available.
#2 0xb75a9ac4 in g_file_set_contents () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#3 0xb759769c in g_bookmark_file_to_file () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#4 0xb7ca539b in gtk_recent_manager_real_changed (manager=0x8954390)
    at /build/buildd/gtk+2.0-2.18.0/gtk/gtkrecentmanager.c:409
 write_error = (GError *) 0x0
 priv = (GtkRecentManagerPrivate *) 0x89543a0
 __PRETTY_FUNCTION__ = "gtk_recent_manager_real_changed"
#5 0xb766394c in g_cclosure_marshal_VOID__VOID ()
   from /usr/lib/libgobject-2.0.so.0
No symbol table info available.
#6 0xb7654719 in ?? () from /usr/lib/libgobject-2.0.so.0
No symbol table info available.
#7 0xb7656092 in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0
No symbol table info available.
#8 0xb766b000 in ?? () from /usr/lib/libgobject-2.0.so.0
No symbol table info available.
#9 0xb766ca7d in g_signal_emit_valist () from /usr/lib/libgobject-2.0.so.0
No symbol table info available.
#10 0xb766cf06 in g_signal_emit () from /usr/lib/libgobject-2.0.so.0
No symbol table info available.
#11 0xb7ca76e5 in IA__gtk_recent_manager_add_full (manager=0x8954390,
    uri=0x8d8d400 "file:///tmp/ch05.pdf", data=0xbffa0c10)
    at /build/buildd/gtk+2.0-2.18.0/gtk/gtkrecentmanager.c:1377
 priv = (GtkRecentManagerPrivate *) 0x89543a0
 __PRETTY_FUNCTION__ = "IA__gtk_recent_manager_add_full"
#12 0xb7ca78ff in gtk_recent_manager_add_item_query_info (
    source_object=0x8d4d0a0, res=0x8e32818, user_data=0x8954390)
    at /build/buildd/gtk+2.0-2.18.0/gtk/gtkrecentmanager.c:792
 recent_data = {display_name = 0x0, description = 0x0,
  mime_type = 0x8d8d420 "application/pdf",
  app_name = 0x8d4ee88 "Document Viewer", app_exec = 0x8def858 "evince %u",
  groups = 0x0, is_private = 0}
 file_info = <value optimized out>
 uri = (gchar *) 0x8d8d400 "file:///tmp/ch05.pdf"
 error = (GError *) 0x0
#13 0xb77ab77c in g_simple_async_result_complete ()
   from /usr/lib/libgio-2.0.so.0
No symbol table info available.
#14 0xb77aba3e in ?? () from /usr/lib/libgio-2.0.so.0
No symbol table info available.
#15 0xb75b80f1 in ?? () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#16 0xb75b9e78 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#17 0xb75bd720 in ?? () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#18 0xb75bdb8f in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#19 0xb7c472d9 in IA__gtk_main ()
    at /build/buildd/gtk+2.0-2.18.0/gtk/gtkmain.c:1205
 tmp_list = (GList *) 0x88ca734
 functions = (GList *) 0x0
 init = (GtkInitFunction *) 0x0
 loop = (GMainLoop *) 0x88bf220
#20 0x08080ba2 in ?? ()
No symbol table info available.
#21 0xb72ffb56 in __libc_start_main (
    main=0x8080...

Moving to cairo backend, I can't reproduce the crash using pdftotext or qt4 test tools but can reproduce it using the glib demo (crashes extracting text from page 2)

Pedro Villavicencio (pedro) wrote :

I can still reproduce this with Karmic, will send it upstream, thanks.

affects: evince (Ubuntu) → poppler (Ubuntu)
Changed in poppler (Ubuntu):
assignee: nobody → Ubuntu Desktop Bugs (desktop-bugs)
status: New → Confirmed
Pedro Villavicencio (pedro) wrote :

This bug has been reported to the developers of the software. You can track it and make comments at: https://bugs.freedesktop.org/show_bug.cgi?id=24332

visibility: private → public
Changed in poppler (Ubuntu):
status: Confirmed → Triaged
Changed in poppler:
status: Unknown → Confirmed

Created an attachment (id=32188)
This fixes it, but may be a hack

I threw this patch together very quickly after looking at the problem. It fixes the problem but I have not looked into this in-depth yet and it may be a hack.

I have been looking at this bug. I wrote a little about it here - http://www.vartmp.com/blog/subjects/poppler/20091219.html

The segmentation fault happens when the TextWord constructor is called. Specifically, when the constructor is called from the beginWord method. The reason the segmentation fault happens is because the curFont object has not been created prior to this, despite it being one of the parameters sent to the TextWord constructor.

On the basis of seeing this, I did a four-line hack in the beginWord method that checks for the existence of curFont, and if it does not exist, creates it and then calls "fonts->append(curFont)". After this, evince stopped crashing on the pages of the PDFs that it has been crashing (segfaulting) on.

However, I have not really looked into this in-depth, what I did was just a hack. I am looking through the code of evince and poppler right now, and recreating the segfaults. It is possible that there is a better way to solve this, perhaps creating the curFont object in a different method, or who knows. If I come up with something better I'll give you an update. Or if one of you see something better that's good too.
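The crash path and the check-and-create hack described in the comment above, as an added model that is not poppler's source and not the attached patch. The names GfxState, TextFontInfo, TextWord, TextPage, beginWord, curFont and fonts are taken from the backtrace; their members and bodies here are assumptions, and the model turns the read through the NULL font pointer (the `mov (%ecx),%ecx` with %ecx == 0 in the SegvAnalysis) into an exception so it can be observed instead of faulting. The trigger is the one the trace shows: text reaching addChar()/beginWord() through ActualText::endMC() on a page where no font update has run yet.

```cpp
// Constructed model of the crash path, NOT poppler's code.
// Names are borrowed from the backtrace; the bodies are assumptions.
#include <memory>
#include <stdexcept>
#include <vector>

struct GfxState {      // stand-in for poppler's GfxState: only what the model needs
    double fontSize;
    int fontId;
};

struct TextFontInfo {
    int id;
    explicit TextFontInfo(const GfxState *state) : id(state->fontId) {}
};

struct TextWord {
    TextFontInfo *font;
    double fontSize;
    int rot;
    int fontId;

    // The real constructor reads through fontA unconditionally; with fontA == NULL
    // that read is the fault reported above. The model raises instead of crashing.
    TextWord(int rotA, TextFontInfo *fontA, double fontSizeA)
        : font(fontA), fontSize(fontSizeA), rot(rotA), fontId(0) {
        if (!font)
            throw std::logic_error("TextWord: font is NULL (would SIGSEGV)");
        fontId = font->id;
    }
};

class TextPage {
public:
    std::vector<std::unique_ptr<TextFontInfo>> fonts;  // owns every TextFontInfo
    TextFontInfo *curFont = nullptr;                    // NULL until updateFont() runs
    double curFontSize = 0.0;
    std::unique_ptr<TextWord> curWord;

    // Normal path: the output device calls updateFont() before any text arrives.
    void updateFont(const GfxState *state) {
        fonts.push_back(std::make_unique<TextFontInfo>(state));
        curFont = fonts.back().get();
        curFontSize = state->fontSize;
    }

    // Pre-fix shape of beginWord(): trusts that curFont was set earlier.
    void beginWordUnguarded(const GfxState *, int rot) {
        curWord = std::make_unique<TextWord>(rot, curFont, curFontSize);
    }

    // Shape of the check-and-create hack from the comment: if no font has been
    // seen yet, build one from the current state, register it, then proceed.
    void beginWordGuarded(const GfxState *state, int rot) {
        if (!curFont) {
            fonts.push_back(std::make_unique<TextFontInfo>(state));
            curFont = fonts.back().get();
            curFontSize = state->fontSize;
        }
        curWord = std::make_unique<TextWord>(rot, curFont, curFontSize);
    }
};

// Trigger: beginWord() reached via ActualText::endMC() with curFont still NULL.
bool unguardedCrashes() {
    TextPage page;
    GfxState state{10.0, 1};
    try {
        page.beginWordUnguarded(&state, 3);   // rotA=3 as in the retrace
    } catch (const std::logic_error &) {
        return true;                          // the model's stand-in for SIGSEGV
    }
    return false;
}

// Same trigger through the guarded path: a word is created with a live font.
bool guardedSurvives() {
    TextPage page;
    GfxState state{10.0, 1};
    page.beginWordGuarded(&state, 3);
    return page.curWord && page.curWord->font == page.curFont &&
           page.curWord->fontId == 1 && page.fonts.size() == 1;
}

// The guard must not register a second font when updateFont() did run first.
bool guardedLeavesNormalPathAlone() {
    TextPage page;
    GfxState state{12.0, 7};
    page.updateFont(&state);
    page.beginWordGuarded(&state, 0);
    return page.fonts.size() == 1 && page.curWord->fontId == 7 &&
           page.curWord->fontSize == 12.0;
}
```

The guard only papers over the missing font update at the point of use; the upstream change later in this thread is described in the Ubuntu changelog as a Cairo backend fix, so the root cause sits on the output-device side rather than in beginWord() itself.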

Thank you very much for the patch, what poppler version are you using? I fixed this problem in poppler git recently, I didn't realize it was reported here too so I didn't close this bug, sorry. The commit that fixes this is:

http://cgit.freedesktop.org/poppler/poppler/commit/?id=4e6af25a028d16608111634c5467420e31fa399b

Feel free to reopen if it still crashes with current git master. Thanks.

Changed in poppler (Ubuntu):
status: Triaged → Fix Committed
Dennis Sheil (dennis-sheil) wrote :

As stated in the gnome-bugs thread that is linked to in the remote bug watch panel, a fix was committed to the code base earlier this month. I downloaded the current poppler code via git and ran evince against that library for the problem files mentioned. With the new poppler library, there is no more segfault, the bug has been successfully fixed upstream.

Dennis Sheil (dennis-sheil) wrote :

The fix is out of the source tree and into a release - poppler-0.12.3. It is referred to in that release by its gnome bug # that is being watched here, gnome-bugs #603934.

Changed in poppler (Ubuntu):
status: Fix Committed → Fix Released
Changed in poppler:
status: Confirmed → Fix Released
madbiologist (me-again) on 2010-01-17
Changed in poppler (Ubuntu):
status: Fix Released → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package poppler - 0.12.3-0ubuntu1

---------------
poppler (0.12.3-0ubuntu1) lucid; urgency=low

  * New upstream version:
    - [Cairo backend] Do not crash on malformed files. Bug #24575 (lp: #430887)
    - [Cairo backend] Fix crash in some documents. GNOME bug #603934 (
      lp: #436197)
  * debian/patches/01_git_change_fix_matrix_use.patch:
    - git change to fix a wrong matrix use leading to rendering issues
      (lp: #252552)
 -- Sebastien Bacher <email address hidden> Fri, 29 Jan 2010 12:17:57 +0100

Changed in poppler (Ubuntu):
status: Fix Committed → Fix Released
madbiologist (me-again) wrote :

I've just updated Ubuntu 10.04 "Lucid Lynx" alpha 2 to poppler - 0.12.3-0ubuntu1

I can confirm that the PDF file linked to from this bug now opens correctly.

Changed in poppler:
importance: Unknown → Medium
Changed in evince:
importance: Unknown → Medium
Changed in poppler:
importance: Medium → Unknown
Changed in poppler:
importance: Unknown → Medium