evince crashed with SIGSEGV in __memset_sse2() when opening a PDF

Binary package hint: evince

evince (2.29.92-0ubuntu1 on Lucid alpha 2, i386) segfaults when opening a PDF with some corrupted JBIG2 content. The PDF is attached. I have not investigated whether this can be exploited to run code or if it's just a crash.

The backtrace is as follows:

(gdb) bt
#0 0xb7312f03 in __memset_sse2 ()
    at ../sysdeps/i386/i686/multiarch/memset-sse2.S:267
#1 0xb4e11e03 in JBIG2Bitmap::clearToZero (this=0xb502c4a0)
    at /usr/include/bits/string3.h:86
#2 0xb4e13425 in JBIG2Bitmap::getSlice (this=0xb5012bd8, x=1730813931,
    y=1727642229, wA=2497357600, hA=1833388479) at JBIG2Stream.cc:745
#3 0xb4e17955 in JBIG2Stream::readGenericRefinementRegionSeg (
    this=0xb5013270, segNum=4009247418, imm=0, lossless=0, length=2430036862,
    refSegs=0x0, nRefSegs=0) at JBIG2Stream.cc:3209
#4 0xb4e1c726 in JBIG2Stream::readSegments (this=0xb5013270)
    at JBIG2Stream.cc:1403
#5 0xb4e1c8b3 in JBIG2Stream::reset (this=0xb5013270) at JBIG2Stream.cc:1215
#6 0xb4e30323 in ImageStream::reset (this=0xb50138a0) at Stream.cc:421
#7 0xb515e90a in CairoOutputDev::drawImage (this=0xb5ad2200,
    state=0xb502c200, ref=0xb597ece0, str=0xb5013270, width=2560, height=3300,
    colorMap=0xb502e460, interpolate=0, maskColors=0x0, inlineImg=0)
    at CairoOutputDev.cc:1970
#8 0xb4de5326 in Gfx::doImage (this=0xb5013e90, ref=0xb597ece0,
    str=0xb5013270, inlineImg=0) at Gfx.cc:4129
#9 0xb4debad3 in Gfx::opXObject (this=0xb5013e90, args=0xb597edd4, numArgs=1)
    at Gfx.cc:3736
#10 0xb4dda716 in Gfx::execOp (this=0xb5013e90, cmd=0xb597ef74,
    args=0xb597edd4, numArgs=1) at Gfx.cc:800
#11 0xb4ddad79 in Gfx::go (this=0xb5013e90, topLevel=1) at Gfx.cc:671
#12 0xb4ddb7a9 in Gfx::display (this=0xb5013e90, obj=0xb597f074, topLevel=1)
    at Gfx.cc:640
#13 0xb4e28c40 in Page::displaySlice (this=0xb5b5bd00, out=0xb5ad2200,
    hDPI=11.718750000000002, vDPI=11.718750000000002, rotate=0, useMediaBox=0,
    crop=1, sliceX=0, sliceY=0, sliceW=100, sliceH=129, printing=0,
    catalog=0xb5aaf308, abortCheckCbk=0, abortCheckCbkData=0x0,
    annotDisplayDecideCbk=0, annotDisplayDecideCbkData=0x0) at Page.cc:474
#14 0xb5156b81 in _poppler_page_render_to_pixbuf (page=0xb5ad1e00,
    src_x=-329950692, src_y=0, src_width=100, src_height=129,
    scale=0.16276041666666669, rotation=0, printing=0, pixbuf=0xb59d5160)
    at poppler-page.cc:778
#15 0xb5179fcd in make_thumbnail_for_page (poppler_page=<value optimized out>,
    rc=<value optimized out>, width=100, height=129) at ev-poppler.cc:1435
#16 0xb517a0b3 in pdf_document_thumbnails_get_thumbnail (
    document_thumbnails=0xb5d0f2e8, rc=0xb5ad1e20, border=1)
    at ev-poppler.cc:1498
#17 0x00829743 in ev_document_thumbnails_get_thumbnail (document=0xb5d0f2e8,
    rc=0xb5ad1e20, border=1) at ev-document-thumbnails.c:44
#18 0x003e8dc5 in ev_job_thumbnail_run (job=0xb5b30350) at ev-jobs.c:688
#19 0x003e6341 in ev_job_run (job=0xb5b30350) at ev-jobs.c:210
#20 0x003e9ef8 in ev_job_thread (data=0x0) at ev-job-scheduler.c:183
#21 ev_job_thread_proxy (data=0x0) at ev-job-scheduler.c:213
#22 0x0072cf5f in ?? () from /lib/libglib-2.0.so.0
#23 0x002b996e in start_thread (arg=0xb597fb70) at pthread_create.c:300
#24 0xb72d292e in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:130

ProblemType: Crash
Architecture: i386
Date: Thu Mar 11 14:48:15 2010
DistroRelease: Ubuntu 10.04
EcryptfsInUse: Yes
ExecutablePath: /usr/bin/evince
InstallationMedia: Ubuntu 10.04 "Lucid Lynx" - Alpha i386 (20100113)
KernLog:

Package: evince 2.29.92-0ubuntu1
ProcCmdline: BOOT_IMAGE=/boot/vmlinuz-2.6.32-10-generic root=UUID=a0f9a5ba-8891-4f4a-ae71-20b4a3e95b4c ro quiet splash
ProcEnviron:
 SHELL=/bin/bash
 LANG=en_US.UTF-8
ProcVersionSignature: Ubuntu 2.6.32-10.14-generic
SegvAnalysis:
 Segfault happened at: 0x36a1f03 <__memset_sse2+275>: add (%ebx,%ecx,4),%ebx
 PC (0x036a1f03) ok
 source "(%ebx,%ecx,4)" (0xb4c1f040) not located in a known VMA region (needed readable region)!
 destination "%ebx" ok
SegvReason: reading unknown VMA
Signal: 11
SourcePackage: evince
StacktraceTop:
 __memset_sse2 ()
 JBIG2Bitmap::clearToZero (this=0x2d8ec78)
 JBIG2Bitmap::getSlice (this=0x2d902e0, x=1730813931,
 JBIG2Stream::readGenericRefinementRegionSeg (
 JBIG2Stream::readSegments (this=0x2cce368)
Title: evince crashed with SIGSEGV in __memset_sse2()
Uname: Linux 2.6.32-10-generic i686
UserGroups: adm admin cdrom dialout lpadmin plugdev sambashare
XsessionErrors:
 (polkit-gnome-authentication-agent-1:1413): GLib-CRITICAL **: g_once_init_leave: assertion `initialization_value != 0' failed
 (gnome-terminal:1606): Gtk-CRITICAL **: gtk_accel_map_unlock_path: assertion `entry != NULL && entry->lock_count > 0' failed