Created attachment 19266 [details] Threaded Stacktrace from Apport Originally opened on Launchpad: https://launchpad.net/bugs/260904 ---------- When viewing http://www.mediaatlantic.com/Downloads/avermedia/A808_AVerTV_DVB-T_Volar.pdf , I find evince crashes: $ evince A808_AVerTV_DVB-T_Volar.pdf Error (288089): Illegal character <3f> in hex string Error (288090): Illegal character <78> in hex string Error (288091): Illegal character <70> in hex string Error (288094): Illegal character <6b> in hex string Error (288096): Illegal character <74> in hex string Error (288099): Illegal character <6e> in hex string Error (288101): Illegal character <3d> in hex string Error (288102): Illegal character <22> in hex string Error (288103): Illegal character <77> in hex string Error (288104): Illegal character <22> in hex string Error (288105): Illegal character <3f> in hex string Error: PDF file is damaged - attempting to reconstruct xref table... Error (239248): Unexpected end of file in flate stream Segmentation fault (core dumped) Installing debug packages and running with valgrind, we see memory violation via stack corruption (which happens to be caught by GCC this time), thus this has potential to be a security violation: $ valgrind --trace-children=yes evince A808_AVerTV_DVB-T_Volar.pdf ==6220== Memcheck, a memory error detector. ==6220== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al. ==6220== Using LibVEX rev 1854, a library for dynamic binary translation. ==6220== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP. ==6220== Using valgrind-3.3.1-Debian, a dynamic binary instrumentation framework. ==6220== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al. ==6220== For more details, rerun with: -v ==6220== ==6220== Syscall param write(buf) points to uninitialised byte(s) ==6220== at 0xBA47E90: __write_nocancel (in /usr/lib/debug/libpthread-2.8.90.so) ==6220== by 0x60C8EFE: _IceTransSocketWrite (Xtranssock.c:2171) ==6220== by 0x60CC787: _IceWrite (misc.c:369) ==6220== by 0x60CC863: IceFlush (misc.c:82) ==6220== by 0x5C49DFB: client_set_string (gnome-client.c:264) ==6220== by 0x5C4BBC2: gnome_real_client_connect (gnome-client.c:2442) ==6220== by 0xB33628C: g_closure_invoke (gclosure.c:767) ==6220== by 0xB34C91D: signal_emit_unlocked_R (gsignal.c:3174) ==6220== by 0xB34E718: g_signal_emit_valist (gsignal.c:2977) ==6220== by 0xB34EC82: g_signal_emit (gsignal.c:3034) ==6220== by 0x5C4B92E: gnome_client_connect (gnome-client.c:1627) ==6220== by 0x5C4CC8E: gnome_client_post_args_parse (gnome-client.c:1210) ==6220== Address 0x10b2e3f4 is 12 bytes inside a block of size 1,024 alloc'd ==6220== at 0x4C24384: calloc (vg_replace_malloc.c:397) ==6220== by 0x60C5373: IceOpenConnection (connect.c:211) ==6220== by 0x5EB8CB0: SmcOpenConnection (sm_client.c:135) ==6220== by 0x5C4B8AC: gnome_client_connect (gnome-client.c:1595) ==6220== by 0x5C4CC8E: gnome_client_post_args_parse (gnome-client.c:1210) ==6220== by 0x69F6DBD: gnome_program_postinit (in /usr/lib/libgnome-2.so.0.2303.2) ==6220== by 0x69F718A: (within /usr/lib/libgnome-2.so.0.2303.2) ==6220== by 0x69F740C: gnome_program_initv (in /usr/lib/libgnome-2.so.0.2303.2) ==6220== by 0x69F7503: gnome_program_init (in /usr/lib/libgnome-2.so.0.2303.2) ==6220== by 0x44B5CC: main (main.c:346) Error (288089): Illegal character <3f> in hex string Error (288090): Illegal character <78> in hex string Error (288091): Illegal character <70> in hex string Error (288094): Illegal character <6b> in hex string Error (288096): Illegal character <74> in hex string Error (288099): Illegal character <6e> in hex string Error (288101): Illegal character <3d> in hex string Error (288102): Illegal character <22> in hex string Error (288103): Illegal character <77> in hex string Error (288104): Illegal character <22> in hex string Error (288105): Illegal character <3f> in hex string Error: PDF file is damaged - attempting to reconstruct xref table... Error (239248): Unexpected end of file in flate stream ==6220== ==6220== Thread 2: ==6220== Invalid read of size 8 ==6220== at 0x10627E25: read_markers (jdmarker.c:474) ==6220== by 0xD6AA80BD6BE5D89B: ??? ==6220== by 0x323CBB9363293CD0: ??? ==6220== by 0x4A8BCA16C5042DF3: ??? ==6220== by 0x991621B605B5318: ??? ==6220== by 0x52844021315714D2: ??? ==6220== by 0x481432DA14440813: ??? ==6220== by 0x186C5D8113128544: ??? ==6220== by 0xBD985AC1307756F6: ??? ==6220== by 0x5108B342B70D594F: ??? ==6220== by 0x8E67ABC68C514A2C: ??? ==6220== by 0x47AA517AF7BB0638: ??? ==6220== Address 0x11cde050 is 16 bytes before a block of size 17 alloc'd ==6220== at 0x4C265AE: malloc (vg_replace_malloc.c:207) ==6220== by 0xB7B75E2: g_malloc (gmem.c:131) ==6220== by 0xB7CF44D: g_strdup (gstrfuncs.c:92) ==6220== by 0x7837247: insert_theme (gtkicontheme.c:2569) ==6220== by 0x7837381: insert_theme (gtkicontheme.c:1005) ==6220== by 0x7837381: insert_theme (gtkicontheme.c:1005) ==6220== by 0x7838390: ensure_valid_themes (gtkicontheme.c:1053) ==6220== by 0x7839BC3: gtk_icon_theme_has_icon (gtkicontheme.c:1577) ==6220== by 0x779D3E1: gtk_action_group_add_actions_full (gtkactiongroup.c:1049) ==6220== by 0x441889: ev_window_init (ev-window.c:5296) ==6220== by 0xB358777: g_type_create_instance (gtype.c:1674) ==6220== by 0xB33BB3A: g_object_constructor (gobject.c:1328) ==6220== ==6220== Invalid write of size 8 ==6220== at 0x106281A9: read_markers (jdmarker.c:475) ==6220== by 0xD6AA80BD6BE5D89B: ??? ==6220== by 0x323CBB9363293CD0: ??? ==6220== by 0x4A8BCA16C5042DF3: ??? ==6220== by 0x991621B605B5318: ??? ==6220== by 0x52844021315714D2: ??? ==6220== by 0x481432DA14440813: ??? ==6220== by 0x186C5D8113128544: ??? ==6220== by 0xBD985AC1307756F6: ??? ==6220== by 0x5108B342B70D594F: ??? ==6220== by 0x8E67ABC68C514A2C: ??? ==6220== by 0x47AA517AF7BB0638: ??? ==6220== Address 0x11cde050 is 16 bytes before a block of size 17 alloc'd ==6220== at 0x4C265AE: malloc (vg_replace_malloc.c:207) ==6220== by 0xB7B75E2: g_malloc (gmem.c:131) ==6220== by 0xB7CF44D: g_strdup (gstrfuncs.c:92) ==6220== by 0x7837247: insert_theme (gtkicontheme.c:2569) ==6220== by 0x7837381: insert_theme (gtkicontheme.c:1005) ==6220== by 0x7837381: insert_theme (gtkicontheme.c:1005) ==6220== by 0x7838390: ensure_valid_themes (gtkicontheme.c:1053) ==6220== by 0x7839BC3: gtk_icon_theme_has_icon (gtkicontheme.c:1577) ==6220== by 0x779D3E1: gtk_action_group_add_actions_full (gtkactiongroup.c:1049) ==6220== by 0x441889: ev_window_init (ev-window.c:5296) ==6220== by 0xB358777: g_type_create_instance (gtype.c:1674) ==6220== by 0xB33BB3A: g_object_constructor (gobject.c:1328) ==6220== ==6220== Invalid read of size 8 ==6220== at 0x10627E2F: read_markers (jdmarker.c:477) ==6220== by 0xD6AA80BD6BE5D89B: ??? ==6220== by 0x323CBB9363293CD0: ??? ==6220== by 0x4A8BCA16C5042DF3: ??? ==6220== by 0x991621B605B5318: ??? ==6220== by 0x52844021315714D2: ??? ==6220== by 0x481432DA14440813: ??? ==6220== by 0x186C5D8113128544: ??? ==6220== by 0xBD985AC1307756F6: ??? ==6220== by 0x5108B342B70D594F: ??? ==6220== by 0x8E67ABC68C514A2C: ??? ==6220== by 0x47AA517AF7BB0638: ??? ==6220== Address 0x11cde050 is 16 bytes before a block of size 17 alloc'd ==6220== at 0x4C265AE: malloc (vg_replace_malloc.c:207) ==6220== by 0xB7B75E2: g_malloc (gmem.c:131) ==6220== by 0xB7CF44D: g_strdup (gstrfuncs.c:92) ==6220== by 0x7837247: insert_theme (gtkicontheme.c:2569) ==6220== by 0x7837381: insert_theme (gtkicontheme.c:1005) ==6220== by 0x7837381: insert_theme (gtkicontheme.c:1005) ==6220== by 0x7838390: ensure_valid_themes (gtkicontheme.c:1053) ==6220== by 0x7839BC3: gtk_icon_theme_has_icon (gtkicontheme.c:1577) ==6220== by 0x779D3E1: gtk_action_group_add_actions_full (gtkactiongroup.c:1049) ==6220== by 0x441889: ev_window_init (ev-window.c:5296) ==6220== by 0xB358777: g_type_create_instance (gtype.c:1674) ==6220== by 0xB33BB3A: g_object_constructor (gobject.c:1328) ==6220== ==6220== Invalid read of size 8 ==6220== at 0x10627E54: read_markers (jdmarker.c:478) ==6220== by 0xD6AA80BD6BE5D89B: ??? ==6220== by 0x323CBB9363293CD0: ??? ==6220== by 0x4A8BCA16C5042DF3: ??? ==6220== by 0x991621B605B5318: ??? ==6220== by 0x52844021315714D2: ??? ==6220== by 0x481432DA14440813: ??? ==6220== by 0x186C5D8113128544: ??? ==6220== by 0xBD985AC1307756F6: ??? ==6220== by 0x5108B342B70D594F: ??? ==6220== by 0x8E67ABC68C514A2C: ??? ==6220== by 0x47AA517AF7BB0638: ??? ==6220== Address 0x11cde050 is 16 bytes before a block of size 17 alloc'd ==6220== at 0x4C265AE: malloc (vg_replace_malloc.c:207) ==6220== by 0xB7B75E2: g_malloc (gmem.c:131) ==6220== by 0xB7CF44D: g_strdup (gstrfuncs.c:92) ==6220== by 0x7837247: insert_theme (gtkicontheme.c:2569) ==6220== by 0x7837381: insert_theme (gtkicontheme.c:1005) ==6220== by 0x7837381: insert_theme (gtkicontheme.c:1005) ==6220== by 0x7838390: ensure_valid_themes (gtkicontheme.c:1053) ==6220== by 0x7839BC3: gtk_icon_theme_has_icon (gtkicontheme.c:1577) ==6220== by 0x779D3E1: gtk_action_group_add_actions_full (gtkactiongroup.c:1049) ==6220== by 0x441889: ev_window_init (ev-window.c:5296) ==6220== by 0xB358777: g_type_create_instance (gtype.c:1674) ==6220== by 0xB33BB3A: g_object_constructor (gobject.c:1328) Corrupt JPEG data: 53679 extraneous bytes before marker 0xd9 *** stack smashing detected ***: evince terminated ==6220== ==6220== Invalid read of size 1 ==6220== at 0xE8301CF: (within /lib/libgcc_s.so.1) ==6220== by 0xE830A9A: _Unwind_Backtrace (in /lib/libgcc_s.so.1) ==6220== by 0xBD51B31: backtrace (backtrace.c:85) ==6220== by 0xBCCA06B: __libc_message (libc_fatal.c:150) ==6220== by 0xBD557D6: __fortify_fail (fortify_fail.c:32) ==6220== by 0xBD5579F: __stack_chk_fail (stack_chk_fail.c:29) ==6220== by 0x10628229: read_markers (jdmarker.c:1097) ==6220== by 0xD6AA80BD6BE5D89B: ??? ==6220== by 0x323CBB9363293CD0: ??? ==6220== by 0x4A8BCA16C5042DF3: ??? ==6220== by 0x991621B605B5318: ??? ==6220== by 0x52844021315714D2: ??? ==6220== Address 0xd6aa80bd6be5d89c is not stack'd, malloc'd or (recently) free'd ==6220== ==6220== Process terminating with default action of signal 11 (SIGSEGV) ==6220== General Protection Fault ==6220== at 0xE8301CF: (within /lib/libgcc_s.so.1) ==6220== by 0xE830A9A: _Unwind_Backtrace (in /lib/libgcc_s.so.1) ==6220== by 0xBD51B31: backtrace (backtrace.c:85) ==6220== by 0xBCCA06B: __libc_message (libc_fatal.c:150) ==6220== by 0xBD557D6: __fortify_fail (fortify_fail.c:32) ==6220== by 0xBD5579F: __stack_chk_fail (stack_chk_fail.c:29) ==6220== by 0x10628229: read_markers (jdmarker.c:1097) ==6220== by 0xD6AA80BD6BE5D89B: ??? ==6220== by 0x323CBB9363293CD0: ??? ==6220== by 0x4A8BCA16C5042DF3: ??? ==6220== by 0x991621B605B5318: ??? ==6220== by 0x52844021315714D2: ??? ==6220== ==6220== ERROR SUMMARY: 11 errors from 6 contexts (suppressed: 11 from 1) ==6220== malloc/free: in use at exit: 19,120,263 bytes in 52,977 blocks. ==6220== malloc/free: 286,383 allocs, 233,406 frees, 140,419,963 bytes allocated. ==6220== For counts of detected errors, rerun with: -v ==6220== searching for pointers to 52,977 not-freed blocks. ==6220== checked 26,922,880 bytes. ==6220== ==6220== LEAK SUMMARY: ==6220== definitely lost: 335,607 bytes in 4,569 blocks. ==6220== possibly lost: 9,442,898 bytes in 252 blocks. ==6220== still reachable: 9,341,758 bytes in 48,156 blocks. ==6220== suppressed: 0 bytes in 0 blocks. ==6220== Rerun with --leak-check=full to see details of leaked memory. Killed ======== ProblemType: Crash Architecture: amd64 DistroRelease: Ubuntu 8.10 ExecutablePath: /usr/bin/evince Package: evince 2.23.6-0ubuntu1 ProcCmdline: evince A808_AVerTV_DVB-T_Volar.pdf ProcEnviron: SHELL=/bin/bash PATH=/store/users/username/.bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games LANG=en_GB.UTF-8 Signal: 11 SourcePackage: evince StacktraceTop: read_markers (cinfo=0x7f19e8082660) ?? () ?? () ?? () ?? () Title: evince crashed with SIGSEGV in read_markers() Uname: Linux 2.6.27-rc4-224c x86_64 UserGroups: adm admin audio cdrom dialout dip floppy kvm lpadmin mythtv plugdev scanner video
Created attachment 19267 [details] gdb backtrace with evince-dbg and poppler-dbg
Should be fixed in next poppler release.
Any pointers to the change that fixes it?
Ah, nm, I assume this is it: http://cgit.freedesktop.org/poppler/poppler/diff/?id=aa7ef03af49f74ed558dcbab8ad4c594bb2b7d53
Depending of the poppler version you are going to patch up you're going to need http://cgit.freedesktop.org/poppler/poppler/commit/?id=3cb5b7fc5ae168ef58fd1905f61c1b9abe6cb86c and http://cgit.freedesktop.org/poppler/poppler/commit/?id=68658721583b05ebacb1165ac36e91d49735bbd9 also.
Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.