Bug 17811 - evince crashed with SIGSEGV in read_markers()
Summary: evince crashed with SIGSEGV in read_markers()
Status: RESOLVED FIXED
Alias: None
Product: poppler
Classification: Unclassified
Component: general (show other bugs)
Version: unspecified
Hardware: Other Linux (All)
Importance: medium normal
Assignee: poppler-bugs
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2008-09-27 21:24 UTC by Greg Grossmeier
Modified: 2008-09-30 00:28 UTC (History)
See Also:
Attachments
Threaded Stacktrace from Apport (18.03 KB, text/plain), 2008-09-27 21:24 UTC, Greg Grossmeier
gdb backtrace with evince-dbg and poppler-dbg (36.26 KB, text/plain), 2008-09-27 21:26 UTC, Greg Grossmeier

Description Greg Grossmeier 2008-09-27 21:24:21 UTC
Created attachment 19266
Threaded Stacktrace from Apport

Originally opened on Launchpad: https://launchpad.net/bugs/260904
----------

When viewing http://www.mediaatlantic.com/Downloads/avermedia/A808_AVerTV_DVB-T_Volar.pdf, I find evince crashes:

$ evince A808_AVerTV_DVB-T_Volar.pdf
Error (288089): Illegal character <3f> in hex string
Error (288090): Illegal character <78> in hex string
Error (288091): Illegal character <70> in hex string
Error (288094): Illegal character <6b> in hex string
Error (288096): Illegal character <74> in hex string
Error (288099): Illegal character <6e> in hex string
Error (288101): Illegal character <3d> in hex string
Error (288102): Illegal character <22> in hex string
Error (288103): Illegal character <77> in hex string
Error (288104): Illegal character <22> in hex string
Error (288105): Illegal character <3f> in hex string
Error: PDF file is damaged - attempting to reconstruct xref table...
Error (239248): Unexpected end of file in flate stream
Segmentation fault (core dumped)

Installing debug packages and running with valgrind, we see a memory violation via stack corruption (which happens to be caught by GCC this time), so this has the potential to be a security violation:

$ valgrind --trace-children=yes evince A808_AVerTV_DVB-T_Volar.pdf
==6220== Memcheck, a memory error detector.
==6220== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==6220== Using LibVEX rev 1854, a library for dynamic binary translation.
==6220== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==6220== Using valgrind-3.3.1-Debian, a dynamic binary instrumentation framework.
==6220== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==6220== For more details, rerun with: -v
==6220==
==6220== Syscall param write(buf) points to uninitialised byte(s)
==6220== at 0xBA47E90: __write_nocancel (in /usr/lib/debug/libpthread-2.8.90.so)
==6220== by 0x60C8EFE: _IceTransSocketWrite (Xtranssock.c:2171)
==6220== by 0x60CC787: _IceWrite (misc.c:369)
==6220== by 0x60CC863: IceFlush (misc.c:82)
==6220== by 0x5C49DFB: client_set_string (gnome-client.c:264)
==6220== by 0x5C4BBC2: gnome_real_client_connect (gnome-client.c:2442)
==6220== by 0xB33628C: g_closure_invoke (gclosure.c:767)
==6220== by 0xB34C91D: signal_emit_unlocked_R (gsignal.c:3174)
==6220== by 0xB34E718: g_signal_emit_valist (gsignal.c:2977)
==6220== by 0xB34EC82: g_signal_emit (gsignal.c:3034)
==6220== by 0x5C4B92E: gnome_client_connect (gnome-client.c:1627)
==6220== by 0x5C4CC8E: gnome_client_post_args_parse (gnome-client.c:1210)
==6220== Address 0x10b2e3f4 is 12 bytes inside a block of size 1,024 alloc'd
==6220== at 0x4C24384: calloc (vg_replace_malloc.c:397)
==6220== by 0x60C5373: IceOpenConnection (connect.c:211)
==6220== by 0x5EB8CB0: SmcOpenConnection (sm_client.c:135)
==6220== by 0x5C4B8AC: gnome_client_connect (gnome-client.c:1595)
==6220== by 0x5C4CC8E: gnome_client_post_args_parse (gnome-client.c:1210)
==6220== by 0x69F6DBD: gnome_program_postinit (in /usr/lib/libgnome-2.so.0.2303.2)
==6220== by 0x69F718A: (within /usr/lib/libgnome-2.so.0.2303.2)
==6220== by 0x69F740C: gnome_program_initv (in /usr/lib/libgnome-2.so.0.2303.2)
==6220== by 0x69F7503: gnome_program_init (in /usr/lib/libgnome-2.so.0.2303.2)
==6220== by 0x44B5CC: main (main.c:346)
Error (288089): Illegal character <3f> in hex string
Error (288090): Illegal character <78> in hex string
Error (288091): Illegal character <70> in hex string
Error (288094): Illegal character <6b> in hex string
Error (288096): Illegal character <74> in hex string
Error (288099): Illegal character <6e> in hex string
Error (288101): Illegal character <3d> in hex string
Error (288102): Illegal character <22> in hex string
Error (288103): Illegal character <77> in hex string
Error (288104): Illegal character <22> in hex string
Error (288105): Illegal character <3f> in hex string
Error: PDF file is damaged - attempting to reconstruct xref table...
Error (239248): Unexpected end of file in flate stream
==6220==
==6220== Thread 2:
==6220== Invalid read of size 8
==6220== at 0x10627E25: read_markers (jdmarker.c:474)
==6220== by 0xD6AA80BD6BE5D89B: ???
==6220== by 0x323CBB9363293CD0: ???
==6220== by 0x4A8BCA16C5042DF3: ???
==6220== by 0x991621B605B5318: ???
==6220== by 0x52844021315714D2: ???
==6220== by 0x481432DA14440813: ???
==6220== by 0x186C5D8113128544: ???
==6220== by 0xBD985AC1307756F6: ???
==6220== by 0x5108B342B70D594F: ???
==6220== by 0x8E67ABC68C514A2C: ???
==6220== by 0x47AA517AF7BB0638: ???
==6220== Address 0x11cde050 is 16 bytes before a block of size 17 alloc'd
==6220== at 0x4C265AE: malloc (vg_replace_malloc.c:207)
==6220== by 0xB7B75E2: g_malloc (gmem.c:131)
==6220== by 0xB7CF44D: g_strdup (gstrfuncs.c:92)
==6220== by 0x7837247: insert_theme (gtkicontheme.c:2569)
==6220== by 0x7837381: insert_theme (gtkicontheme.c:1005)
==6220== by 0x7837381: insert_theme (gtkicontheme.c:1005)
==6220== by 0x7838390: ensure_valid_themes (gtkicontheme.c:1053)
==6220== by 0x7839BC3: gtk_icon_theme_has_icon (gtkicontheme.c:1577)
==6220== by 0x779D3E1: gtk_action_group_add_actions_full (gtkactiongroup.c:1049)
==6220== by 0x441889: ev_window_init (ev-window.c:5296)
==6220== by 0xB358777: g_type_create_instance (gtype.c:1674)
==6220== by 0xB33BB3A: g_object_constructor (gobject.c:1328)
==6220==
==6220== Invalid write of size 8
==6220== at 0x106281A9: read_markers (jdmarker.c:475)
==6220== by 0xD6AA80BD6BE5D89B: ???
==6220== by 0x323CBB9363293CD0: ???
==6220== by 0x4A8BCA16C5042DF3: ???
==6220== by 0x991621B605B5318: ???
==6220== by 0x52844021315714D2: ???
==6220== by 0x481432DA14440813: ???
==6220== by 0x186C5D8113128544: ???
==6220== by 0xBD985AC1307756F6: ???
==6220== by 0x5108B342B70D594F: ???
==6220== by 0x8E67ABC68C514A2C: ???
==6220== by 0x47AA517AF7BB0638: ???
==6220== Address 0x11cde050 is 16 bytes before a block of size 17 alloc'd
==6220== at 0x4C265AE: malloc (vg_replace_malloc.c:207)
==6220== by 0xB7B75E2: g_malloc (gmem.c:131)
==6220== by 0xB7CF44D: g_strdup (gstrfuncs.c:92)
==6220== by 0x7837247: insert_theme (gtkicontheme.c:2569)
==6220== by 0x7837381: insert_theme (gtkicontheme.c:1005)
==6220== by 0x7837381: insert_theme (gtkicontheme.c:1005)
==6220== by 0x7838390: ensure_valid_themes (gtkicontheme.c:1053)
==6220== by 0x7839BC3: gtk_icon_theme_has_icon (gtkicontheme.c:1577)
==6220== by 0x779D3E1: gtk_action_group_add_actions_full (gtkactiongroup.c:1049)
==6220== by 0x441889: ev_window_init (ev-window.c:5296)
==6220== by 0xB358777: g_type_create_instance (gtype.c:1674)
==6220== by 0xB33BB3A: g_object_constructor (gobject.c:1328)
==6220==
==6220== Invalid read of size 8
==6220== at 0x10627E2F: read_markers (jdmarker.c:477)
==6220== by 0xD6AA80BD6BE5D89B: ???
==6220== by 0x323CBB9363293CD0: ???
==6220== by 0x4A8BCA16C5042DF3: ???
==6220== by 0x991621B605B5318: ???
==6220== by 0x52844021315714D2: ???
==6220== by 0x481432DA14440813: ???
==6220== by 0x186C5D8113128544: ???
==6220== by 0xBD985AC1307756F6: ???
==6220== by 0x5108B342B70D594F: ???
==6220== by 0x8E67ABC68C514A2C: ???
==6220== by 0x47AA517AF7BB0638: ???
==6220== Address 0x11cde050 is 16 bytes before a block of size 17 alloc'd
==6220== at 0x4C265AE: malloc (vg_replace_malloc.c:207)
==6220== by 0xB7B75E2: g_malloc (gmem.c:131)
==6220== by 0xB7CF44D: g_strdup (gstrfuncs.c:92)
==6220== by 0x7837247: insert_theme (gtkicontheme.c:2569)
==6220== by 0x7837381: insert_theme (gtkicontheme.c:1005)
==6220== by 0x7837381: insert_theme (gtkicontheme.c:1005)
==6220== by 0x7838390: ensure_valid_themes (gtkicontheme.c:1053)
==6220== by 0x7839BC3: gtk_icon_theme_has_icon (gtkicontheme.c:1577)
==6220== by 0x779D3E1: gtk_action_group_add_actions_full (gtkactiongroup.c:1049)
==6220== by 0x441889: ev_window_init (ev-window.c:5296)
==6220== by 0xB358777: g_type_create_instance (gtype.c:1674)
==6220== by 0xB33BB3A: g_object_constructor (gobject.c:1328)
==6220==
==6220== Invalid read of size 8
==6220== at 0x10627E54: read_markers (jdmarker.c:478)
==6220== by 0xD6AA80BD6BE5D89B: ???
==6220== by 0x323CBB9363293CD0: ???
==6220== by 0x4A8BCA16C5042DF3: ???
==6220== by 0x991621B605B5318: ???
==6220== by 0x52844021315714D2: ???
==6220== by 0x481432DA14440813: ???
==6220== by 0x186C5D8113128544: ???
==6220== by 0xBD985AC1307756F6: ???
==6220== by 0x5108B342B70D594F: ???
==6220== by 0x8E67ABC68C514A2C: ???
==6220== by 0x47AA517AF7BB0638: ???
==6220== Address 0x11cde050 is 16 bytes before a block of size 17 alloc'd
==6220== at 0x4C265AE: malloc (vg_replace_malloc.c:207)
==6220== by 0xB7B75E2: g_malloc (gmem.c:131)
==6220== by 0xB7CF44D: g_strdup (gstrfuncs.c:92)
==6220== by 0x7837247: insert_theme (gtkicontheme.c:2569)
==6220== by 0x7837381: insert_theme (gtkicontheme.c:1005)
==6220== by 0x7837381: insert_theme (gtkicontheme.c:1005)
==6220== by 0x7838390: ensure_valid_themes (gtkicontheme.c:1053)
==6220== by 0x7839BC3: gtk_icon_theme_has_icon (gtkicontheme.c:1577)
==6220== by 0x779D3E1: gtk_action_group_add_actions_full (gtkactiongroup.c:1049)
==6220== by 0x441889: ev_window_init (ev-window.c:5296)
==6220== by 0xB358777: g_type_create_instance (gtype.c:1674)
==6220== by 0xB33BB3A: g_object_constructor (gobject.c:1328)
Corrupt JPEG data: 53679 extraneous bytes before marker 0xd9
*** stack smashing detected ***: evince terminated
==6220==
==6220== Invalid read of size 1
==6220== at 0xE8301CF: (within /lib/libgcc_s.so.1)
==6220== by 0xE830A9A: _Unwind_Backtrace (in /lib/libgcc_s.so.1)
==6220== by 0xBD51B31: backtrace (backtrace.c:85)
==6220== by 0xBCCA06B: __libc_message (libc_fatal.c:150)
==6220== by 0xBD557D6: __fortify_fail (fortify_fail.c:32)
==6220== by 0xBD5579F: __stack_chk_fail (stack_chk_fail.c:29)
==6220== by 0x10628229: read_markers (jdmarker.c:1097)
==6220== by 0xD6AA80BD6BE5D89B: ???
==6220== by 0x323CBB9363293CD0: ???
==6220== by 0x4A8BCA16C5042DF3: ???
==6220== by 0x991621B605B5318: ???
==6220== by 0x52844021315714D2: ???
==6220== Address 0xd6aa80bd6be5d89c is not stack'd, malloc'd or (recently) free'd
==6220==
==6220== Process terminating with default action of signal 11 (SIGSEGV)
==6220== General Protection Fault
==6220== at 0xE8301CF: (within /lib/libgcc_s.so.1)
==6220== by 0xE830A9A: _Unwind_Backtrace (in /lib/libgcc_s.so.1)
==6220== by 0xBD51B31: backtrace (backtrace.c:85)
==6220== by 0xBCCA06B: __libc_message (libc_fatal.c:150)
==6220== by 0xBD557D6: __fortify_fail (fortify_fail.c:32)
==6220== by 0xBD5579F: __stack_chk_fail (stack_chk_fail.c:29)
==6220== by 0x10628229: read_markers (jdmarker.c:1097)
==6220== by 0xD6AA80BD6BE5D89B: ???
==6220== by 0x323CBB9363293CD0: ???
==6220== by 0x4A8BCA16C5042DF3: ???
==6220== by 0x991621B605B5318: ???
==6220== by 0x52844021315714D2: ???
==6220==
==6220== ERROR SUMMARY: 11 errors from 6 contexts (suppressed: 11 from 1)
==6220== malloc/free: in use at exit: 19,120,263 bytes in 52,977 blocks.
==6220== malloc/free: 286,383 allocs, 233,406 frees, 140,419,963 bytes allocated.
==6220== For counts of detected errors, rerun with: -v
==6220== searching for pointers to 52,977 not-freed blocks.
==6220== checked 26,922,880 bytes.
==6220==
==6220== LEAK SUMMARY:
==6220== definitely lost: 335,607 bytes in 4,569 blocks.
==6220== possibly lost: 9,442,898 bytes in 252 blocks.
==6220== still reachable: 9,341,758 bytes in 48,156 blocks.
==6220== suppressed: 0 bytes in 0 blocks.
==6220== Rerun with --leak-check=full to see details of leaked memory.
Killed

========

ProblemType: Crash
Architecture: amd64
DistroRelease: Ubuntu 8.10
ExecutablePath: /usr/bin/evince
Package: evince 2.23.6-0ubuntu1
ProcCmdline: evince A808_AVerTV_DVB-T_Volar.pdf
ProcEnviron:
 SHELL=/bin/bash
 PATH=/store/users/username/.bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
 LANG=en_GB.UTF-8
Signal: 11
SourcePackage: evince
StacktraceTop:
 read_markers (cinfo=0x7f19e8082660)
 ?? ()
 ?? ()
 ?? ()
 ?? ()
Title: evince crashed with SIGSEGV in read_markers()
Uname: Linux 2.6.27-rc4-224c x86_64
UserGroups: adm admin audio cdrom dialout dip floppy kvm lpadmin mythtv plugdev scanner video
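A small triage helper for Memcheck output of the kind quoted in this report, added here as an example and not part of the report or of poppler: it pulls each "Invalid read/write" with its first symbolised frame and the heap-block relation Memcheck prints, and treats an out-of-bounds write or a stack-protector abort as memory corruption rather than a plain crash. The log excerpt is constructed from lines in the report, trimmed to the shapes the parser needs.

```python
import re

# Constructed excerpt in the shape of the Memcheck output quoted in the report.
SAMPLE_LOG = """\
==6220== Invalid read of size 8
==6220==    at 0x10627E25: read_markers (jdmarker.c:474)
==6220==    by 0xD6AA80BD6BE5D89B: ???
==6220== Address 0x11cde050 is 16 bytes before a block of size 17 alloc'd
==6220==    at 0x4C265AE: malloc (vg_replace_malloc.c:207)
==6220== Invalid write of size 8
==6220==    at 0x106281A9: read_markers (jdmarker.c:475)
==6220== Address 0x11cde050 is 16 bytes before a block of size 17 alloc'd
Corrupt JPEG data: 53679 extraneous bytes before marker 0xd9
*** stack smashing detected ***: evince terminated
==6220== Process terminating with default action of signal 11 (SIGSEGV)
"""

ERR_RE = re.compile(r"^==\d+== Invalid (read|write) of size (\d+)")
FRAME_RE = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \(([^)]*)\)")
ADDR_RE = re.compile(r"^==\d+== Address 0x[0-9a-fA-F]+ is (\d+ bytes (?:before|after|inside) a block of size \d+)")

def parse_memcheck(text):
    """One dict per Invalid read/write: kind, size, first symbolised frame, heap relation."""
    errors, cur = [], None
    for line in text.splitlines():
        m = ERR_RE.match(line)
        if m:
            cur = {"kind": m.group(1), "size": int(m.group(2)), "frame": None, "where": None}
            errors.append(cur)
            continue
        if cur is None:
            continue
        m = FRAME_RE.match(line)
        if m and cur["frame"] is None:  # unsymbolised '???' frames never match
            cur["frame"] = f"{m.group(1)} ({m.group(2)})"
            continue
        m = ADDR_RE.match(line)
        if m:
            cur["where"] = m.group(1)
            cur = None  # lines after this are the allocation stack, not the fault
    return errors

def triage(text):
    """A write past bounds or a stack-protector abort means memory was corrupted."""
    errors = parse_memcheck(text)
    smashed = "*** stack smashing detected ***" in text
    verdict = ("memory-corruption" if smashed or any(e["kind"] == "write" for e in errors)
               else "out-of-bounds-read" if errors else "clean")
    return {"verdict": verdict, "stack_smash": smashed, "errors": errors}
```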
Comment 1 Greg Grossmeier 2008-09-27 21:26:29 UTC
Created attachment 19267
gdb backtrace with evince-dbg and poppler-dbg
Comment 2 Albert Astals Cid 2008-09-29 11:31:47 UTC
Should be fixed in next poppler release.
Comment 3 Kees Cook 2008-09-29 21:29:23 UTC
Any pointers to the change that fixes it?
Comment 5 Albert Astals Cid 2008-09-30 00:28:32 UTC
Depending on the poppler version you are going to patch up, you're going to need
http://cgit.freedesktop.org/poppler/poppler/commit/?id=3cb5b7fc5ae168ef58fd1905f61c1b9abe6cb86c
and
http://cgit.freedesktop.org/poppler/poppler/commit/?id=68658721583b05ebacb1165ac36e91d49735bbd9
also.
