evince crashed with SIGSEGV in JPXStream::readTilePartData()

Bug #599439 reported by smpahlman on 2010-06-28
14
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Poppler
Unknown
Medium
poppler (Ubuntu)
Medium
Unassigned

Bug Description

evince crashes with the following valgrind output when opening the attached file.

$ valgrind evince sample.pdf
==12903== Memcheck, a memory error detector.
==12903== Copyright (C) 2002-2008, and GNU GPL'd, by Julian Seward et al.
==12903== Using LibVEX rev 1884, a library for dynamic binary translation.
==12903== Copyright (C) 2004-2008, and GNU GPL'd, by OpenWorks LLP.
==12903== Using valgrind-3.4.1-Debian, a dynamic binary instrumentation framework.
==12903== Copyright (C) 2000-2008, and GNU GPL'd, by Julian Seward et al.
==12903== For more details, rerun with: -v
==12903==
Error: PDF file is damaged - attempting to reconstruct xref table...
==12903== Thread 2:
==12903== Use of uninitialised value of size 4
==12903== at 0x4E1E47F: JPXStream::readTilePartData(unsigned int, unsigned int, int) (JPXStream.cc:1951)
==12903== by 0x4E1F5CD: JPXStream::readTilePart() (JPXStream.cc:1924)
==12903== by 0x4E20766: JPXStream::readCodestream(unsigned int) (JPXStream.cc:1366)
==12903== by 0x4E225C9: JPXStream::readBoxes() (JPXStream.cc:735)
==12903== by 0x4E227EC: JPXStream::reset() (JPXStream.cc:272)
==12903== by 0x4EA33E2: ImageStream::reset() (Stream.cc:419)
==12903== by 0x4739923: CairoOutputDev::drawSoftMaskedImage(GfxState*, Object*, Stream*, int, int, GfxImageColorMap*, Stream*, int, int, GfxImageColorMap*) (CairoOutputDev.cc:1485)
==12903== by 0x4E5C9B5: Gfx::doImage(Object*, Stream*, int) (Gfx.cc:3857)
==12903== by 0x4E60894: Gfx::opXObject(Object*, int) (Gfx.cc:3526)
==12903== by 0x4E52AB9: Gfx::execOp(Object*, Object*, int) (Gfx.cc:771)
==12903== by 0x4E5307E: Gfx::go(int) (Gfx.cc:642)
==12903== by 0x4E55AEE: Gfx::display(Object*, int) (Gfx.cc:611)
==12903==
==12903== Use of uninitialised value of size 4
==12903== at 0x4E1E48A: JPXStream::readTilePartData(unsigned int, unsigned int, int) (JPXStream.cc:1952)
==12903== by 0x4E1F5CD: JPXStream::readTilePart() (JPXStream.cc:1924)
==12903== by 0x4E20766: JPXStream::readCodestream(unsigned int) (JPXStream.cc:1366)
==12903== by 0x4E225C9: JPXStream::readBoxes() (JPXStream.cc:735)
==12903== by 0x4E227EC: JPXStream::reset() (JPXStream.cc:272)
==12903== by 0x4EA33E2: ImageStream::reset() (Stream.cc:419)
==12903== by 0x4739923: CairoOutputDev::drawSoftMaskedImage(GfxState*, Object*, Stream*, int, int, GfxImageColorMap*, Stream*, int, int, GfxImageColorMap*) (CairoOutputDev.cc:1485)
==12903== by 0x4E5C9B5: Gfx::doImage(Object*, Stream*, int) (Gfx.cc:3857)
==12903== by 0x4E60894: Gfx::opXObject(Object*, int) (Gfx.cc:3526)
==12903== by 0x4E52AB9: Gfx::execOp(Object*, Object*, int) (Gfx.cc:771)
==12903== by 0x4E5307E: Gfx::go(int) (Gfx.cc:642)
==12903== by 0x4E55AEE: Gfx::display(Object*, int) (Gfx.cc:611)
==12903==
==12903== Conditional jump or move depends on uninitialised value(s)
==12903== at 0x4E1E509: JPXStream::readTilePartData(unsigned int, unsigned int, int) (JPXStream.cc:1977)
==12903== by 0x4E1F5CD: JPXStream::readTilePart() (JPXStream.cc:1924)
==12903== by 0x4E20766: JPXStream::readCodestream(unsigned int) (JPXStream.cc:1366)
==12903== by 0x4E225C9: JPXStream::readBoxes() (JPXStream.cc:735)
==12903== by 0x4E227EC: JPXStream::reset() (JPXStream.cc:272)
==12903== by 0x4EA33E2: ImageStream::reset() (Stream.cc:419)
==12903== by 0x4739923: CairoOutputDev::drawSoftMaskedImage(GfxState*, Object*, Stream*, int, int, GfxImageColorMap*, Stream*, int, int, GfxImageColorMap*) (CairoOutputDev.cc:1485)
==12903== by 0x4E5C9B5: Gfx::doImage(Object*, Stream*, int) (Gfx.cc:3857)
==12903== by 0x4E60894: Gfx::opXObject(Object*, int) (Gfx.cc:3526)
==12903== by 0x4E52AB9: Gfx::execOp(Object*, Object*, int) (Gfx.cc:771)
==12903== by 0x4E5307E: Gfx::go(int) (Gfx.cc:642)
==12903== by 0x4E55AEE: Gfx::display(Object*, int) (Gfx.cc:611)
==12903==
==12903== Use of uninitialised value of size 4
==12903== at 0x4E1E515: JPXStream::readTilePartData(unsigned int, unsigned int, int) (JPXStream.cc:1978)
==12903== by 0x4E1F5CD: JPXStream::readTilePart() (JPXStream.cc:1924)
==12903== by 0x4E20766: JPXStream::readCodestream(unsigned int) (JPXStream.cc:1366)
==12903== by 0x4E225C9: JPXStream::readBoxes() (JPXStream.cc:735)
==12903== by 0x4E227EC: JPXStream::reset() (JPXStream.cc:272)
==12903== by 0x4EA33E2: ImageStream::reset() (Stream.cc:419)
==12903== by 0x4739923: CairoOutputDev::drawSoftMaskedImage(GfxState*, Object*, Stream*, int, int, GfxImageColorMap*, Stream*, int, int, GfxImageColorMap*) (CairoOutputDev.cc:1485)
==12903== by 0x4E5C9B5: Gfx::doImage(Object*, Stream*, int) (Gfx.cc:3857)
==12903== by 0x4E60894: Gfx::opXObject(Object*, int) (Gfx.cc:3526)
==12903== by 0x4E52AB9: Gfx::execOp(Object*, Object*, int) (Gfx.cc:771)
==12903== by 0x4E5307E: Gfx::go(int) (Gfx.cc:642)
==12903== by 0x4E55AEE: Gfx::display(Object*, int) (Gfx.cc:611)
==12903==
==12903== Invalid read of size 4
==12903== at 0x4E1E515: JPXStream::readTilePartData(unsigned int, unsigned int, int) (JPXStream.cc:1978)
==12903== by 0x4E1F5CD: JPXStream::readTilePart() (JPXStream.cc:1924)
==12903== by 0x4E20766: JPXStream::readCodestream(unsigned int) (JPXStream.cc:1366)
==12903== by 0x4E225C9: JPXStream::readBoxes() (JPXStream.cc:735)
==12903== by 0x4E227EC: JPXStream::reset() (JPXStream.cc:272)
==12903== by 0x4EA33E2: ImageStream::reset() (Stream.cc:419)
==12903== by 0x4739923: CairoOutputDev::drawSoftMaskedImage(GfxState*, Object*, Stream*, int, int, GfxImageColorMap*, Stream*, int, int, GfxImageColorMap*) (CairoOutputDev.cc:1485)
==12903== by 0x4E5C9B5: Gfx::doImage(Object*, Stream*, int) (Gfx.cc:3857)
==12903== by 0x4E60894: Gfx::opXObject(Object*, int) (Gfx.cc:3526)
==12903== by 0x4E52AB9: Gfx::execOp(Object*, Object*, int) (Gfx.cc:771)
==12903== by 0x4E5307E: Gfx::go(int) (Gfx.cc:642)
==12903== by 0x4E55AEE: Gfx::display(Object*, int) (Gfx.cc:611)
==12903== Address 0x10 is not stack'd, malloc'd or (recently) free'd
==12903==
==12903== Process terminating with default action of signal 11 (SIGSEGV)
==12903== Access not within mapped region at address 0x10
==12903== at 0x4E1E515: JPXStream::readTilePartData(unsigned int, unsigned int, int) (JPXStream.cc:1978)
==12903== by 0x4E1F5CD: JPXStream::readTilePart() (JPXStream.cc:1924)
==12903== by 0x4E20766: JPXStream::readCodestream(unsigned int) (JPXStream.cc:1366)
==12903== by 0x4E225C9: JPXStream::readBoxes() (JPXStream.cc:735)
==12903== by 0x4E227EC: JPXStream::reset() (JPXStream.cc:272)
==12903== by 0x4EA33E2: ImageStream::reset() (Stream.cc:419)
==12903== by 0x4739923: CairoOutputDev::drawSoftMaskedImage(GfxState*, Object*, Stream*, int, int, GfxImageColorMap*, Stream*, int, int, GfxImageColorMap*) (CairoOutputDev.cc:1485)
==12903== by 0x4E5C9B5: Gfx::doImage(Object*, Stream*, int) (Gfx.cc:3857)
==12903== by 0x4E60894: Gfx::opXObject(Object*, int) (Gfx.cc:3526)
==12903== by 0x4E52AB9: Gfx::execOp(Object*, Object*, int) (Gfx.cc:771)
==12903== by 0x4E5307E: Gfx::go(int) (Gfx.cc:642)
==12903== by 0x4E55AEE: Gfx::display(Object*, int) (Gfx.cc:611)
==12903== If you believe this happened as a result of a stack overflow in your
==12903== program's main thread (unlikely but possible), you can try to increase
==12903== the size of the main thread stack using the --main-stacksize= flag.
==12903== The main thread stack size used in this run was 8388608.
==12903==
==12903== ERROR SUMMARY: 5 errors from 5 contexts (suppressed: 243 from 4)
==12903== malloc/free: in use at exit: 262,485,146 bytes in 86,891 blocks.
==12903== malloc/free: 263,012 allocs, 176,121 frees, 277,245,884 bytes allocated.
==12903== For counts of detected errors, rerun with: -v
==12903== Use --track-origins=yes to see where uninitialised values come from
==12903== searching for pointers to 86,891 not-freed blocks.
==12903== checked 212,587,460 bytes.
==12903==
==12903== LEAK SUMMARY:
==12903== definitely lost: 25,170 bytes in 994 blocks.
==12903== possibly lost: 202,348 bytes in 229 blocks.
==12903== still reachable: 262,257,628 bytes in 85,668 blocks.
==12903== suppressed: 0 bytes in 0 blocks.
==12903== Rerun with --leak-check=full to see details of leaked memory.
Killed

ProblemType: Crash
Architecture: i386
DistroRelease: Ubuntu 9.04
ExecutablePath: /usr/bin/evince
Package: evince 2.26.1-0ubuntu1
ProcCmdline: evince tehfu-113_2.pdf
ProcEnviron:
 SHELL=/bin/bash
 LANG=en_US.UTF-8
Signal: 11
SourcePackage: evince
StacktraceTop:
 JPXStream::readTilePartData (this=0x9264fd8, tileIdx=3,
 JPXStream::readTilePart (this=0x9264fd8)
 JPXStream::readCodestream (this=0x9264fd8, len=0)
 JPXStream::readBoxes (this=0x9264fd8) at JPXStream.cc:735
 JPXStream::reset (this=0x9264fd8) at JPXStream.cc:272
Title: evince crashed with SIGSEGV in JPXStream::readTilePartData()
Uname: Linux 2.6.28-19-generic i686
UserGroups: adm admin cdrom dialout lpadmin plugdev sambashare

smpahlman (sauli-pahlman) wrote :
visibility: private → public
Download full text (27.9 KiB)

this report has been filed here:

https://bugs.edge.launchpad.net/ubuntu/+source/poppler/+bug/599439

"evince crashes with the following stacktrace with the attached pdf"

pdf:

https://bugs.edge.launchpad.net/ubuntu/+source/poppler/+bug/599439/+attachment/1438081/+files/sample.pdf.gz

"
Hilo 5 (Thread 0xb2f27b70 (LWP 20834)):
#0 JPXStream::readTilePartData (this=0xb5b23f10, tileIdx=3, tilePartLen=164,
    tilePartToEOC=0) at JPXStream.cc:1951
        resLevel = 0xb5b37ac4
        subband = 0xa4
        ttVal = <value optimized out>
        cbX = <value optimized out>
        i = <value optimized out>
        tileComp = 0xb5b22348
        cbY = <value optimized out>
        n = <value optimized out>
        tile = 0xb5b24584
        precinct = 0xf703064
        bits = 258352228
        nx = <value optimized out>
        cb = <value optimized out>
        sb = 258352483
        level = <value optimized out>
#1 0x0f66516f in JPXStream::readTilePart (this=0xb5b23f10)
    at JPXStream.cc:1924
        tileComp = <value optimized out>
        subband = 0xb2f26748
        tilePartLen = 164
        tilePartIdx = 1
        precinctSize = 258352550
        nSBs = 3
        sb = 3
        nTileParts = 5
        n = <value optimized out>
        r = <value optimized out>
        style = 3002230648
        sby0 = 12408932
        segType = 147
        cb = 0xf6624ec
        tileIdx = 3
        segLen = 0
        i = <value optimized out>
        cbX = 3048357648
        tile = 0xb2f26740
        comp = 3002230816
        j = <value optimized out>
        cbY = 3002230588
        resLevel = 0xb5b57b14
        sbx0 = 56
        k = <value optimized out>
        cbi = <value optimized out>
        level = <value optimized out>
#2 0x0f665dd1 in JPXStream::readCodestream (this=0xb5b23f10, len=0)
    at JPXStream.cc:1366
        style = 22
        segLen = 10
        i = <value optimized out>
        haveQCD = 1
        j = <value optimized out>
        r = <value optimized out>
        tile = 0xb5b220e8
        segType = 144
        capabilities = 0
        haveSIZ = 1
        haveCOD = 1
        precinctSize = 17
        comp = 1
#3 0x0f667b11 in JPXStream::readBoxes (this=0xb5b23f10) at JPXStream.cc:735
        boxType = 1785737827
        boxLen = 0
        dataLen = 0
        bpc1 = 7
        unknownColorspace = 1
        ipr = 0
        i = 1
        compression = 7
        j = 1
#4 0x0f667c9d in JPXStream::reset (this=0xb5b23f10) at JPXStream.cc:272
No locales.
#5 0x0f6fa6d3 in ImageStream::reset (this=0xb5b31348) at Stream.cc:424
No locales.
#6 0x1fdfb610 in CairoOutputDev::drawSoftMaskedImage (this=0x20803400,
    state=0xb5b22600, ref=0xb2f26c40, str=0xb5b243e0, width=3601, height=4650,
    colorMap=0xb5b31f30, interpolate=0, maskStr=0xb5b23f10, maskWidth=3601,
    maskHeight=4650, maskColorMap=0xb5b23408, maskInterpolate=0)
    at CairoOutputDev.cc:2124
        maskBuffer = <value optimized out>
        buffer = <value optimized out>
        y = <value optimized out>
        filter = 66
        maskFilter = 3048210552
        maskMatrix = {xx = -2.7986440511830212e-63,
          yx = 8.4346675822179524e-181, xy = -4.8461152427267585e-50, ...

The crash is not in poppler code but in openjpeg code. Poppler uses openjpeg for JPX decoding.

openjpeg 1.3 release crashes but the code from their svn does not crash so i can only understand that new openjpeg releases will fix the crash.

http://groups.google.com/group/openjpeg/browse_thread/thread/201b1dc1623857cc

Thus i am closing the bug.

Pedro Villavicencio (pedro) wrote :

reproducible on Maverick,

Changed in poppler (Ubuntu):
importance: Undecided → Medium
status: New → Confirmed
Pedro Villavicencio (pedro) wrote :

Thank you for your bug report. This bug has been reported to the developers of the software. You can track it and make comments at:
 https://bugs.freedesktop.org/show_bug.cgi?id=29615

Changed in poppler (Ubuntu):
status: Confirmed → Triaged

(In reply to comment #1)
> The crash is not in poppler code but in openjpeg code. Poppler uses openjpeg
> for JPX decoding.

The file does indeed trigger crash in openjpeg (two actually, see my comment in launchpad bug), but that should be a different crash to what was reported in Ubuntu bug, as Ubuntu poppler does not seem to be using openjpeg. Poppler built without openjpeg crashes on the file too, though I don't know whether it's poppler or libjpeg to blame for that crash.

Ah yes, Ubuntu refuses to use the better, faster and less memory intensive option. Basically i refuse to work on JPXStream given we have OpenJPEG that is much better.

Patches accepted as always.

Pedro Villavicencio (pedro) wrote :

upstream says this is a openjpeg crash, reassigning.

affects: poppler (Ubuntu) → openjpeg (Ubuntu)
Tomas Hoger (thoger) wrote :

Guessing from:
  http://packages.ubuntu.com/lucid/libpoppler5

Ubuntu poppler packages don't seem to use openjpeg (yet?, as it's in universe). Attached file triggers different crash in non-openjpeg poppler too.

openjpeg issues triggered by the file are detailed in:
  https://bugzilla.redhat.com/show_bug.cgi?id=579548#c5
  https://bugzilla.redhat.com/show_bug.cgi?id=609385

Tomas Hoger (thoger) on 2010-08-19
affects: openjpeg (Ubuntu) → poppler (Ubuntu)
Changed in poppler:
importance: Unknown → Medium
status: Unknown → Confirmed

Unsetting the need retracing tag, there is no retracer left running on that version of Ubuntu, the crash will need to be manually retraced

tags: removed: need-i386-retrace
Changed in poppler:
importance: Medium → Unknown
Changed in poppler:
importance: Unknown → Medium
madbiologist (me-again) wrote :

Still crashes evince on Ubuntu 14.04 "Trusty Tahr".

evince 3.10.3-0ubuntu10.2
poppler 0.24.5-2ubuntu4.2

tags: added: jaunty maverick
tags: added: trusty
madbiologist (me-again) wrote :

On Ubuntu 17.04 "Zesty Zapus", the attached file doesn't crash evince, but most of the page is not displayed. Firefox 56.0 doesn't display any of it. Possibly a broken document?

evince 3.24.0-0ubuntu1.1
poppler 0.48.0-2ubuntu2.4

-- GitLab Migration Automatic Message --

This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/poppler/poppler/issues/336.

Changed in poppler:
status: Confirmed → Unknown
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.