evince crashed with SIGSEGV in get_optional_content_items_sorted()

Bug #726224 reported by smpahlman
Affects: poppler (Ubuntu)
Status: Triaged
Importance: Medium
Assigned to: Unassigned

Bug Description

evince crashes after an out of bounds write. Marking initially as a vuln because some memory is written.

#0 0x153d293e in get_optional_content_items_sorted (ocg=0x2186a4a8, parent=0x0, order=0x21875ea0)
    at poppler-document.cc:2095
#1 0x153d4014 in get_optional_content_items (document=0x21847460) at poppler-document.cc:2112
#2 _poppler_document_get_layers (document=0x21847460) at poppler-document.cc:2142
#3 0x153d4207 in poppler_layers_iter_new (document=0x21847460) at poppler-document.cc:2230
#4 0x1474d601 in ?? () from /usr/lib/evince/3/backends/libpdfdocument.so
#5 0x008b4673 in ev_document_layers_has_layers () from /usr/lib/libevdocument.so.3
#6 0x00d5d95c in ?? ()
#7 0x00d60092 in ?? ()
#8 0x00d594ee in ?? ()
#9 0x00155e48 in g_cclosure_marshal_VOID__PARAM () from /usr/lib/libgobject-2.0.so.0
#10 0x00139352 in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0
#11 0x0014c048 in ?? () from /usr/lib/libgobject-2.0.so.0
#12 0x00154b29 in g_signal_emit_valist () from /usr/lib/libgobject-2.0.so.0
#13 0x00154cc2 in g_signal_emit () from /usr/lib/libgobject-2.0.so.0
#14 0x0013b0c1 in ?? () from /usr/lib/libgobject-2.0.so.0
#15 0x0013a3cf in ?? () from /usr/lib/libgobject-2.0.so.0
#16 0x0013d371 in g_object_notify () from /usr/lib/libgobject-2.0.so.0
#17 0x003857e9 in ev_document_model_set_document () from /usr/lib/libevview.so.3
#18 0x00d547bd in ?? ()
#19 0x0015548c in g_cclosure_marshal_VOID__VOID () from /usr/lib/libgobject-2.0.so.0
#20 0x00139352 in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0
#21 0x0014c048 in ?? () from /usr/lib/libgobject-2.0.so.0
#22 0x00154b29 in g_signal_emit_valist () from /usr/lib/libgobject-2.0.so.0
#23 0x00154cc2 in g_signal_emit () from /usr/lib/libgobject-2.0.so.0
#24 0x0038754c in ?? () from /usr/lib/libevview.so.3
#25 0x00608451 in ?? () from /lib/libglib-2.0.so.0
#26 0x0060cc08 in g_main_context_dispatch () from /lib/libglib-2.0.so.0
#27 0x0060d3d0 in ?? () from /lib/libglib-2.0.so.0
#28 0x0060da93 in g_main_loop_run () from /lib/libglib-2.0.so.0
#29 0x00eb2a49 in gtk_main () from /usr/lib/libgtk-x11-2.0.so.0
#30 0x00d62642 in main ()

ProblemType: Crash
DistroRelease: Ubuntu 11.04
Package: evince 2.32.0-0ubuntu10
ProcVersionSignature: Ubuntu 2.6.38-1.28-generic 2.6.38-rc2
Uname: Linux 2.6.38-1-generic i686
Architecture: i386
Date: Sun Feb 27 22:54:50 2011
ExecutablePath: /usr/bin/evince
InstallationMedia: Ubuntu 11.04 "Natty Narwhal" - Alpha i386 (20110202)
ProcCmdline: evince sample2.pdf
ProcCmdline_: BOOT_IMAGE=/boot/vmlinuz-2.6.38-1-generic root=UUID=685c390c-d932-48a1-82ae-2f0b27682162 ro quiet splash vt.handoff=7
ProcEnviron:
 SHELL=/bin/bash
 LC_MESSAGES=en_US.utf8
 LANG=en_US.UTF-8
 LANGUAGE=en_US:en
ProcVersionSignature_: Ubuntu 2.6.38-1.28-generic 2.6.38-rc2
SegvAnalysis:
 Segfault happened at: 0x157ce93e <get_optional_content_items_sorted(OCGs*, Layer*, Array*)+302>: mov %eax,0x4(%edx)
 PC (0x157ce93e) ok
 source "%eax" ok
 destination "0x4(%edx)" (0x00000004) not located in a known VMA region (needed writable region)!
SegvReason: writing NULL VMA
Signal: 11
SourcePackage: evince
StacktraceTop:
 get_optional_content_items_sorted (ocg=0x2265ad30, parent=0x0, order=0x2264eb98) at poppler-document.cc:2095
 get_optional_content_items (document=0x22584200) at poppler-document.cc:2112
 _poppler_document_get_layers (document=0x22584200) at poppler-document.cc:2142
 poppler_layers_iter_new (document=0x22584200) at poppler-document.cc:2230
 ?? () from /usr/lib/evince/3/backends/libpdfdocument.so
Title: evince crashed with SIGSEGV in get_optional_content_items_sorted()
UserGroups: adm admin cdrom dialout lpadmin plugdev sambashare
XsessionErrors: (nautilus:1366): GConf-CRITICAL **: gconf_value_free: assertion `value != NULL' failed

smpahlman (sauli-pahlman) wrote :

Apport retracing service (apport) wrote :

StacktraceTop:
 get_optional_content_items_sorted (ocg=0x2265ad30, parent=0x0, order=0x2264eb98) at poppler-document.cc:2095
 get_optional_content_items (document=0x22584200) at poppler-document.cc:2112
 _poppler_document_get_layers (document=0x22584200) at poppler-document.cc:2142
 poppler_layers_iter_new (document=0x22584200) at poppler-document.cc:2230
 pdf_document_layers_has_layers (document=0x224d8e88) at /build/buildd/evince-2.32.0/./backend/pdf/ev-poppler.cc:3177

Apport retracing service (apport) wrote : Stacktrace.txt

Apport retracing service (apport) wrote : ThreadStacktrace.txt
Changed in poppler (Ubuntu):
importance: Undecided → Medium
tags: removed: need-i386-retrace
visibility: private → public
Jamie Strandboge (jdstrand) wrote :

This seems to be the problematic bit of code (at line 2095 in glib/poppler-document.cc):
    } else if (orderItem.isString ()) {
      last_item->label = _poppler_goo_string_to_utf8 (orderItem.getString ());
    }

An extremely naive fix for this (from someone who hasn't looked at the code much) would be to do:
    } else if (last_item != NULL && orderItem.isString ()) {
      last_item->label = _poppler_goo_string_to_utf8 (orderItem.getString ());
    }

That may fix the crash, but may not render the text correctly. This appears to be just a crasher, so I am marking it as non-security. Please re-mark this as security if this is a mistake.

security vulnerability: yes → no
Changed in poppler (Ubuntu):
status: New → Triaged
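Added example, not part of this report and not poppler's own code: a simplified model of the /Order array walk from the comment above. It pairs a validation pass that spots a label string with no preceding OCG item (the input that leaves last_item NULL and produces the write to address 4 in SegvAnalysis) with the guarded walk that drops such labels instead of dereferencing NULL. Struct names, field names and the sample values in the test are constructed.

```cpp
#include <cstddef>
#include <string>
#include <vector>

// One entry of a PDF /OCProperties /D /Order array, simplified: either a
// reference to an OCG, or a string that labels the most recently added item.
struct OrderItem {
    enum Kind { Ref, String } kind;
    int ref;            // OCG object number when kind == Ref (constructed values)
    std::string text;   // label text when kind == String
};

struct Layer {
    int ocg_ref;
    std::string label;
};
// Validation pass: index of the first string entry with no preceding OCG item,
// or -1 if none.  In the unpatched code that entry leaves last_item NULL and
// the store to last_item->label is the write to address 4 seen in SegvAnalysis.
int first_orphan_label(const std::vector<OrderItem>& order) {
    bool have_item = false;
    for (std::size_t i = 0; i < order.size(); ++i) {
        if (order[i].kind == OrderItem::Ref)
            have_item = true;
        else if (!have_item)
            return static_cast<int>(i);
    }
    return -1;
}

// Hardened walk with the `last_item != NULL` guard from the comment above.
// Orphan labels are counted in `dropped` instead of dereferencing a null pointer.
std::vector<Layer> build_layers(const std::vector<OrderItem>& order, int& dropped) {
    std::vector<Layer> layers;
    layers.reserve(order.size());   // no reallocation, so last_item stays valid
    Layer* last_item = nullptr;
    dropped = 0;
    for (const OrderItem& entry : order) {
        if (entry.kind == OrderItem::Ref) {
            layers.push_back(Layer{entry.ref, std::string()});
            last_item = &layers.back();
        } else if (last_item != nullptr) {
            last_item->label = entry.text;
        } else {
            ++dropped;
        }
    }
    return layers;
}
```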