evince crashed with SIGSEGV in JPXStream::readTilePartData()
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Poppler | Unknown | Medium | | |
| poppler (Ubuntu) | Triaged | Medium | Unassigned | |
Bug Description
evince crashes with the following valgrind output when opening the attached file.
$ valgrind evince sample.pdf
==12903== Memcheck, a memory error detector.
==12903== Copyright (C) 2002-2008, and GNU GPL'd, by Julian Seward et al.
==12903== Using LibVEX rev 1884, a library for dynamic binary translation.
==12903== Copyright (C) 2004-2008, and GNU GPL'd, by OpenWorks LLP.
==12903== Using valgrind-
==12903== Copyright (C) 2000-2008, and GNU GPL'd, by Julian Seward et al.
==12903== For more details, rerun with: -v
==12903==
Error: PDF file is damaged - attempting to reconstruct xref table...
==12903== Thread 2:
==12903== Use of uninitialised value of size 4
==12903== at 0x4E1E47F: JPXStream:
==12903== by 0x4E1F5CD: JPXStream:
==12903== by 0x4E20766: JPXStream:
==12903== by 0x4E225C9: JPXStream:
==12903== by 0x4E227EC: JPXStream::reset() (JPXStream.cc:272)
==12903== by 0x4EA33E2: ImageStream:
==12903== by 0x4739923: CairoOutputDev:
==12903== by 0x4E5C9B5: Gfx::doImage(
==12903== by 0x4E60894: Gfx::opXObject(
==12903== by 0x4E52AB9: Gfx::execOp(
==12903== by 0x4E5307E: Gfx::go(int) (Gfx.cc:642)
==12903== by 0x4E55AEE: Gfx::display(
==12903==
==12903== Use of uninitialised value of size 4
==12903== at 0x4E1E48A: JPXStream:
==12903== by 0x4E1F5CD: JPXStream:
==12903== by 0x4E20766: JPXStream:
==12903== by 0x4E225C9: JPXStream:
==12903== by 0x4E227EC: JPXStream::reset() (JPXStream.cc:272)
==12903== by 0x4EA33E2: ImageStream:
==12903== by 0x4739923: CairoOutputDev:
==12903== by 0x4E5C9B5: Gfx::doImage(
==12903== by 0x4E60894: Gfx::opXObject(
==12903== by 0x4E52AB9: Gfx::execOp(
==12903== by 0x4E5307E: Gfx::go(int) (Gfx.cc:642)
==12903== by 0x4E55AEE: Gfx::display(
==12903==
==12903== Conditional jump or move depends on uninitialised value(s)
==12903== at 0x4E1E509: JPXStream:
==12903== by 0x4E1F5CD: JPXStream:
==12903== by 0x4E20766: JPXStream:
==12903== by 0x4E225C9: JPXStream:
==12903== by 0x4E227EC: JPXStream::reset() (JPXStream.cc:272)
==12903== by 0x4EA33E2: ImageStream:
==12903== by 0x4739923: CairoOutputDev:
==12903== by 0x4E5C9B5: Gfx::doImage(
==12903== by 0x4E60894: Gfx::opXObject(
==12903== by 0x4E52AB9: Gfx::execOp(
==12903== by 0x4E5307E: Gfx::go(int) (Gfx.cc:642)
==12903== by 0x4E55AEE: Gfx::display(
==12903==
==12903== Use of uninitialised value of size 4
==12903== at 0x4E1E515: JPXStream:
==12903== by 0x4E1F5CD: JPXStream:
==12903== by 0x4E20766: JPXStream:
==12903== by 0x4E225C9: JPXStream:
==12903== by 0x4E227EC: JPXStream::reset() (JPXStream.cc:272)
==12903== by 0x4EA33E2: ImageStream:
==12903== by 0x4739923: CairoOutputDev:
==12903== by 0x4E5C9B5: Gfx::doImage(
==12903== by 0x4E60894: Gfx::opXObject(
==12903== by 0x4E52AB9: Gfx::execOp(
==12903== by 0x4E5307E: Gfx::go(int) (Gfx.cc:642)
==12903== by 0x4E55AEE: Gfx::display(
==12903==
==12903== Invalid read of size 4
==12903== at 0x4E1E515: JPXStream:
==12903== by 0x4E1F5CD: JPXStream:
==12903== by 0x4E20766: JPXStream:
==12903== by 0x4E225C9: JPXStream:
==12903== by 0x4E227EC: JPXStream::reset() (JPXStream.cc:272)
==12903== by 0x4EA33E2: ImageStream:
==12903== by 0x4739923: CairoOutputDev:
==12903== by 0x4E5C9B5: Gfx::doImage(
==12903== by 0x4E60894: Gfx::opXObject(
==12903== by 0x4E52AB9: Gfx::execOp(
==12903== by 0x4E5307E: Gfx::go(int) (Gfx.cc:642)
==12903== by 0x4E55AEE: Gfx::display(
==12903== Address 0x10 is not stack'd, malloc'd or (recently) free'd
==12903==
==12903== Process terminating with default action of signal 11 (SIGSEGV)
==12903== Access not within mapped region at address 0x10
==12903== at 0x4E1E515: JPXStream:
==12903== by 0x4E1F5CD: JPXStream:
==12903== by 0x4E20766: JPXStream:
==12903== by 0x4E225C9: JPXStream:
==12903== by 0x4E227EC: JPXStream::reset() (JPXStream.cc:272)
==12903== by 0x4EA33E2: ImageStream:
==12903== by 0x4739923: CairoOutputDev:
==12903== by 0x4E5C9B5: Gfx::doImage(
==12903== by 0x4E60894: Gfx::opXObject(
==12903== by 0x4E52AB9: Gfx::execOp(
==12903== by 0x4E5307E: Gfx::go(int) (Gfx.cc:642)
==12903== by 0x4E55AEE: Gfx::display(
==12903== If you believe this happened as a result of a stack overflow in your
==12903== program's main thread (unlikely but possible), you can try to increase
==12903== the size of the main thread stack using the --main-stacksize= flag.
==12903== The main thread stack size used in this run was 8388608.
==12903==
==12903== ERROR SUMMARY: 5 errors from 5 contexts (suppressed: 243 from 4)
==12903== malloc/free: in use at exit: 262,485,146 bytes in 86,891 blocks.
==12903== malloc/free: 263,012 allocs, 176,121 frees, 277,245,884 bytes allocated.
==12903== For counts of detected errors, rerun with: -v
==12903== Use --track-origins=yes to see where uninitialised values come from
==12903== searching for pointers to 86,891 not-freed blocks.
==12903== checked 212,587,460 bytes.
==12903==
==12903== LEAK SUMMARY:
==12903== definitely lost: 25,170 bytes in 994 blocks.
==12903== possibly lost: 202,348 bytes in 229 blocks.
==12903== still reachable: 262,257,628 bytes in 85,668 blocks.
==12903== suppressed: 0 bytes in 0 blocks.
==12903== Rerun with --leak-check=full to see details of leaked memory.
Killed
ProblemType: Crash
Architecture: i386
DistroRelease: Ubuntu 9.04
ExecutablePath: /usr/bin/evince
Package: evince 2.26.1-0ubuntu1
ProcCmdline: evince tehfu-113_2.pdf
ProcEnviron:
SHELL=/bin/bash
LANG=en_US.UTF-8
Signal: 11
SourcePackage: evince
StacktraceTop:
JPXStream:
JPXStream:
JPXStream:
JPXStream:
JPXStream::reset (this=0x9264fd8) at JPXStream.cc:272
Title: evince crashed with SIGSEGV in JPXStream:
Uname: Linux 2.6.28-19-generic i686
UserGroups: adm admin cdrom dialout lpadmin plugdev sambashare
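The Memcheck log above shows the pattern a triager should separate: several uninitialised-value reports in the same function, then an invalid 4-byte read at address 0x10 that ends the process with SIGSEGV. An address that small is NULL plus a field offset, so the fatal error is consistent with a null-pointer dereference while parsing the damaged file, and the uninitialised reads just before it are what valgrind's own message suggests chasing with `--track-origins=yes`. The following Python helper is an added example, not part of this report or of poppler, evince or valgrind; it parses Memcheck output into error records, classifies the faulting address, and checks whether the crashing function also produced uninitialised-value warnings. The embedded log is a constructed sample condensed from the report (one frame per stack); the frame name is taken from the bug title because the page's own frame names are truncated.

```python
"""Triage helper for valgrind Memcheck logs from a crashing PDF renderer.

Added example for this report (not poppler, evince or valgrind code): it groups
Memcheck error blocks, keeps each block's frames, and classifies the faulting
address of the fatal SIGSEGV alongside the uninitialised-value warnings.
"""
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample, condensed from the report's log (one frame per stack).
SAMPLE = """\
Error: PDF file is damaged - attempting to reconstruct xref table...
==12903== Use of uninitialised value of size 4
==12903==    at 0x4E1E47F: JPXStream::readTilePartData() (JPXStream.cc:1951)
==12903==
==12903== Conditional jump or move depends on uninitialised value(s)
==12903==    at 0x4E1E509: JPXStream::readTilePartData() (JPXStream.cc:1951)
==12903==
==12903== Invalid read of size 4
==12903==    at 0x4E1E515: JPXStream::readTilePartData() (JPXStream.cc:1951)
==12903==    by 0x4E227EC: JPXStream::reset() (JPXStream.cc:272)
==12903==  Address 0x10 is not stack'd, malloc'd or (recently) free'd
==12903==
==12903== Process terminating with default action of signal 11 (SIGSEGV)
==12903==  Access not within mapped region at address 0x10
==12903==    at 0x4E1E515: JPXStream::readTilePartData() (JPXStream.cc:1951)
==12903==
"""

PREFIX = re.compile(r"^==\d+==\s?")   # "==<pid>== " on every Memcheck line
FRAME = re.compile(r"^(?:at|by) 0x[0-9A-Fa-f]+: (.*)$")
ADDRESS = re.compile(r"^(?:Address|Access not within mapped region at address) (0x[0-9A-Fa-f]+)")
ERROR_KINDS = ("Use of uninitialised value", "Conditional jump or move",
               "Invalid read", "Invalid write", "Process terminating")
NULL_PAGE = 0x1000   # below this, the address is NULL plus a struct/field offset

def parse_memcheck(text: str) -> List[Dict[str, object]]:
    """Split a Memcheck log into {kind, frames, address} records."""
    errors: List[Dict[str, object]] = []
    current: Optional[Dict[str, object]] = None
    for raw in text.splitlines():
        if not PREFIX.match(raw):
            continue                          # the program's own stderr
        line = PREFIX.sub("", raw).strip()
        if not line:
            current = None                    # empty "==pid==" line closes a block
        elif line.startswith(ERROR_KINDS):
            current = {"kind": line, "frames": [], "address": None}
            errors.append(current)
        elif current is not None:
            frame, addr = FRAME.match(line), ADDRESS.match(line)
            if frame:
                current["frames"].append(frame.group(1))   # innermost first
            elif addr:
                current["address"] = int(addr.group(1), 16)
    return errors

def classify_address(addr: Optional[int]) -> str:
    """Rough exploitability hint from the faulting address alone."""
    if addr is None:
        return "no address"
    if addr < NULL_PAGE:
        return "null-pointer dereference (offset 0x%x)" % addr
    return "wild or dangling pointer"

def function_of(error: Dict[str, object]) -> str:
    frames = error["frames"]
    return frames[0].split(" (")[0] if frames else "<no frame>"   # drop "(file:line)"

def triage(text: str) -> Dict[str, object]:
    """Counts per kind, the fatal frame, its fault class, and whether the
    crashing function also produced uninitialised-value warnings."""
    errors = parse_memcheck(text)
    fatal = next((e for e in errors if e["kind"].startswith("Process terminating")), None)
    reported = [e for e in errors if e is not fatal]
    summary: Dict[str, object] = {
        "error_count": len(reported),
        "by_kind": dict(Counter(e["kind"].split(" of size")[0] for e in reported)),
    }
    if fatal is not None:
        sig = re.search(r"\((SIG\w+)\)", fatal["kind"])
        summary["fatal_signal"] = sig.group(1) if sig else None
        summary["fatal_function"] = function_of(fatal)
        summary["fault_address"] = fatal["address"]
        summary["fault_class"] = classify_address(fatal["address"])
        summary["uninit_in_fault_function"] = any(
            "uninitialised" in e["kind"] and function_of(e) == function_of(fatal)
            for e in reported)
    return summary

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Run it on a real log with `valgrind evince sample.pdf 2>&1 | python3 triage.py` after replacing `SAMPLE` with `sys.stdin.read()`; a `fault_class` of "null-pointer dereference" together with `uninit_in_fault_function` set is the combination seen in this report, and it says the next step is a `--track-origins=yes` run rather than a heap-corruption investigation.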
visibility: private → public
affects: openjpeg (Ubuntu) → poppler (Ubuntu)
Changed in poppler:
  importance: Unknown → Medium
  status: Unknown → Confirmed
Changed in poppler:
  importance: Medium → Unknown
Changed in poppler:
  importance: Unknown → Medium
Changed in poppler:
  status: Confirmed → Unknown
This report has been filed here:
https://bugs.edge.launchpad.net/ubuntu/+source/poppler/+bug/599439
"evince crashes with the following stacktrace with the attached pdf"
pdf:
https://bugs.edge.launchpad.net/ubuntu/+source/poppler/+bug/599439/+attachment/1438081/+files/sample.pdf.gz
"JPXStream::readTilePartData (this=0xb5b23f10, tileIdx=3, tilePartLen=164, OC=0) at JPXStream.cc:1951
JPXStream::readTilePart (this=0xb5b23f10)
  precinctSize = 258352550
JPXStream::readCodestream (this=0xb5b23f10, len=0)
  capabilities = 0
  precinctSize = 17
JPXStream::readBoxes (this=0xb5b23f10) at JPXStream.cc:735
  unknownColorspace = 1
CairoOutputDev::drawSoftMaskedImage (this=0x20803400, 0xb5b22600, ref=0xb2f26c40, str=0xb5b243e0, width=3601, height=4650, 0xb5b31f30, interpolate=0, maskStr=0xb5b23f10, maskWidth=3601, 4650, maskColorMap=0xb5b23408, maskInterpolate=0) cc:2124
  0212e-63, 524e-181, xy = -4.8461152427267585e-50, ...
Hilo 5 (Thread 0xb2f27b70 (LWP 20834)):
#0 JPXStream:
tilePartToE
resLevel = 0xb5b37ac4
subband = 0xa4
ttVal = <value optimized out>
cbX = <value optimized out>
i = <value optimized out>
tileComp = 0xb5b22348
cbY = <value optimized out>
n = <value optimized out>
tile = 0xb5b24584
precinct = 0xf703064
bits = 258352228
nx = <value optimized out>
cb = <value optimized out>
sb = 258352483
level = <value optimized out>
#1 0x0f66516f in JPXStream:
at JPXStream.cc:1924
tileComp = <value optimized out>
subband = 0xb2f26748
tilePartLen = 164
tilePartIdx = 1
nSBs = 3
sb = 3
nTileParts = 5
n = <value optimized out>
r = <value optimized out>
style = 3002230648
sby0 = 12408932
segType = 147
cb = 0xf6624ec
tileIdx = 3
segLen = 0
i = <value optimized out>
cbX = 3048357648
tile = 0xb2f26740
comp = 3002230816
j = <value optimized out>
cbY = 3002230588
resLevel = 0xb5b57b14
sbx0 = 56
k = <value optimized out>
cbi = <value optimized out>
level = <value optimized out>
#2 0x0f665dd1 in JPXStream:
at JPXStream.cc:1366
style = 22
segLen = 10
i = <value optimized out>
haveQCD = 1
j = <value optimized out>
r = <value optimized out>
tile = 0xb5b220e8
segType = 144
haveSIZ = 1
haveCOD = 1
comp = 1
#3 0x0f667b11 in JPXStream:
boxType = 1785737827
boxLen = 0
dataLen = 0
bpc1 = 7
ipr = 0
i = 1
compression = 7
j = 1
#4 0x0f667c9d in JPXStream::reset (this=0xb5b23f10) at JPXStream.cc:272
No locales.
#5 0x0f6fa6d3 in ImageStream::reset (this=0xb5b31348) at Stream.cc:424
No locales.
#6 0x1fdfb610 in CairoOutputDev:
state=
colorMap=
maskHeight=
at CairoOutputDev.
maskBuffer = <value optimized out>
buffer = <value optimized out>
y = <value optimized out>
filter = 66
maskFilter = 3048210552
maskMatrix = {xx = -2.798644051183
yx = 8.4346675822179