Bug 11392

Summary: evince-thumbnailer crashed with SIGSEGV in CairoFont::create()
Product: poppler
Reporter: Sebastien Bacher <seb128>
Component: cairo backend
Assignee: poppler-bugs <poppler-bugs>
Status: RESOLVED FIXED
Severity: normal
Priority: medium
Keywords: patch
Version: unspecified
Hardware: Other
OS: All
Attachments: perform full type-checking in Object

Description Sebastien Bacher 2007-06-27 05:45:29 UTC
The bug has been opened on https://bugs.launchpad.net/bugs/122396

"Binary package hint: evince

No idea what the thumbnailer did.
...
DistroRelease: Ubuntu 7.04
ExecutablePath: /usr/bin/evince-thumbnailer
Package: evince 0.8.1-0ubuntu1
PackageArchitecture: amd64
ProcCmdline: evince-thumbnailer -s 128 file:///home/mh21/Desktop/vorlage_sada/da.pdf /tmp/.gnome_thumbnail.PIQQUT
...
.
Thread 1 (process 11291):
#0  0x00002b29d5ae3556 in CairoFont::create (gfxFont=0x74a570, xref=0x6b82f0, lib=0x70abd0, useCIDs=1) at Object.h:291
	refObj = {type = objNone, {booln = 405, intg = 405, real = 2.0009658656570485e-321, string = 0x195, name = 0x195 <Address 0x195 out of bounds>, array = 0x195, 
    dict = 0x195, stream = 0x195, ref = {num = 405, gen = 0}, cmd = 0x195 <Address 0x195 out of bounds>}}
	strObj = {type = objNull, {booln = 0, intg = 0, real = 0, string = 0x0, name = 0x0, array = 0x0, dict = 0x0, stream = 0x0, ref = {num = 0, gen = 0}, cmd = 0x0}}
	tmpFileName = (GooString *) 0x77c4d0
	fileName = <value optimized out>
	tmpFileName2 = <value optimized out>
	dfp = <value optimized out>
	tmpFile = <value optimized out>
	c = <value optimized out>
	n = <value optimized out>
	code = <value optimized out>
	cmap = <value optimized out>
	fontType = fontType1
	name = <value optimized out>
	ff = <value optimized out>
	ff1c = <value optimized out>
	ctu = <value optimized out>
	uBuf = {7398256, 0, 0, 0, 7679824, 0, 3587969053, 11049}
	cairo_font_face = <value optimized out>
	face = <value optimized out>
	codeToGID = <value optimized out>
	codeToGIDLen = 0
	cairo_font_face_key = {unused = 0}
#1  0x00002b29d5ae3c39 in CairoFontEngine::getFont (this=0x709cc0, gfxFont=0x74a570, xref=0x6b82f0) at CairoFontEngine.cc:353
	i = <value optimized out>
	j = <value optimized out>
	ref = {num = 406, gen = 0}
	font = (CairoFont *) 0x0
#2  0x00002b29d5ae54ca in CairoOutputDev::updateFont (this=0x70aad0, state=0x74c0c0) at CairoOutputDev.cc:275
	font_face = <value optimized out>
	matrix = {xx = 3.3061371060132861e-317, yx = 2.344770403471977e-310, xy = 6.9533231071318657e-310, yy = 3.6549553570275397e-317, x0 = 6.9533231071500473e-310, 
  y0 = 4.9406564584124654e-324}
	fontSize = <value optimized out>
	m = <value optimized out>
#3  0x00002b29d5d7c1f1 in Gfx::opShowSpaceText (this=0x70e150, args=0x7fffd88cabe0, numArgs=-706679660) at Gfx.cc:2673
	a = <value optimized out>
	obj = {type = objNone, {booln = 2, intg = 2, real = 9.8813129168249309e-324, string = 0x2, name = 0x2 <Address 0x2 out of bounds>, array = 0x2, dict = 0x2, stream = 0x2, 
    ref = {num = 2, gen = 0}, cmd = 0x2 <Address 0x2 out of bounds>}}
	wMode = <value optimized out>
	i = <value optimized out>
#4  0x00002b29d5d77d95 in Gfx::go (this=0x70e150, topLevel=1) at Gfx.cc:580
	obj = {type = objCmd, {booln = 7849200, intg = 7849200, real = 3.8780200673371124e-317, string = 0x77c4f0, name = 0x77c4f0 "TJ", array = 0x77c4f0, dict = 0x77c4f0, 
    stream = 0x77c4f0, ref = {num = 7849200, gen = 0}, cmd = 0x77c4f0 "TJ"}}
	args = {{type = objArray, {booln = 7807136, intg = 7807136, real = 3.8572376900104462e-317, string = 0x7720a0, name = 0x7720a0 "ð\202k", array = 0x7720a0, 
      dict = 0x7720a0, stream = 0x7720a0, ref = {num = 7807136, gen = 0}, cmd = 0x7720a0 "ð\202k"}}, {type = objNone, {booln = -810889825, intg = -810889825, 
      real = -127.48180000000001, string = 0xc05fded5cfaacd9f, name = 0xc05fded5cfaacd9f <Address 0xc05fded5cfaacd9f out of bounds>, array = 0xc05fded5cfaacd9f, 
      dict = 0xc05fded5cfaacd9f, stream = 0xc05fded5cfaacd9f, ref = {num = -810889825, gen = -1067458859}, cmd = 0xc05fded5cfaacd9f <Address 0xc05fded5cfaacd9f out of bounds>}}, {
    type = objNone, {booln = 0, intg = 0, real = 0, string = 0x0, name = 0x0, array = 0x0, dict = 0x0, stream = 0x0, ref = {num = 0, gen = 0}, cmd = 0x0}}, {type = objNone, {
      booln = 1, intg = 1, real = 4.9406564584124654e-324, string = 0x1, name = 0x1 <Address 0x1 out of bounds>, array = 0x1, dict = 0x1, stream = 0x1, ref = {num = 1, gen = 0}, 
      cmd = 0x1 <Address 0x1 out of bounds>}}, {type = objNone, {booln = -872737354, intg = -872737354, real = -152.68540000000002, string = 0xc06315eecbfb15b6, 
      name = 0xc06315eecbfb15b6 <Address 0xc06315eecbfb15b6 out of bounds>, array = 0xc06315eecbfb15b6, dict = 0xc06315eecbfb15b6, stream = 0xc06315eecbfb15b6, ref = {
        num = -872737354, gen = -1067248146}, cmd = 0xc06315eecbfb15b6 <Address 0xc06315eecbfb15b6 out of bounds>}}, {type = objNone, {booln = -1669883285, intg = -1669883285, 
      real = -752.45439999999996, string = 0xc08783a29c779a6b, name = 0xc08783a29c779a6b <Address 0xc08783a29c779a6b out of bounds>, array = 0xc08783a29c779a6b, 
      dict = 0xc08783a29c779a6b, stream = 0xc08783a29c779a6b, ref = {num = -1669883285, gen = -1064860766}, cmd = 0xc08783a29c779a6b <Address 0xc08783a29c779a6b out of bounds>}}, 
  {type = objNone, {booln = 6691696, intg = 6691696, real = 3.3061371060132861e-317, string = 0x661b70, name = 0x661b70 "ð\202k", array = 0x661b70, dict = 0x661b70, 
      stream = 0x661b70, ref = {num = 6691696, gen = 0}, cmd = 0x661b70 "ð\202k"}}, {type = objNone, {booln = -769723790, intg = -769723790, real = 2.3447673196084833e-310, 
      string = 0x2b29d21ef272, name = 0x2b29d21ef272 <Address 0x2b29d21ef272 out of bounds>, array = 0x2b29d21ef272, dict = 0x2b29d21ef272, stream = 0x2b29d21ef272, ref = {
        num = -769723790, gen = 11049}, cmd = 0x2b29d21ef272 <Address 0x2b29d21ef272 out of bounds>}}}
	numArgs = 1
	i = 2
	lastAbortCheck = 0
	timer = (GooTimer *) 0xffffffff
#5  0x00002b29d5d781d0 in Gfx::display (this=0x70e150, obj=0x7fffd88cad50, topLevel=1) at Gfx.cc:543
	obj2 = {type = objNone, {booln = -661869232, intg = -661869232, real = 6.9533231071500473e-310, string = 0x7fffd88cad50, name = 0x7fffd88cad50 "\b", 
    array = 0x7fffd88cad50, dict = 0x7fffd88cad50, stream = 0x7fffd88cad50, ref = {num = -661869232, gen = 32767}, cmd = 0x7fffd88cad50 "\b"}}
	i = <value optimized out>
#6  0x00002b29d5dbd4c9 in Page::displaySlice (this=0x6d0af0, out=0x70aad0, hDPI=<value optimized out>, vDPI=<value optimized out>, rotate=<value optimized out>, 
    useMediaBox=<value optimized out>, crop=<value optimized out>, sliceX=<value optimized out>, sliceY=0, sliceW=128, sliceH=181, links=0x0, catalog=0x6b8380, abortCheckCbk=0, 
    abortCheckCbkData=0x0, annotDisplayDecideCbk=0, annotDisplayDecideCbkData=0x0) at Page.cc:375
	gfx = (Gfx *) 0x70e150
	obj = {type = objStream, {booln = 7679824, intg = 7679824, real = 3.7943372045071054e-317, string = 0x752f50, name = 0x752f50 "°È\005Ö)+", array = 0x752f50, 
    dict = 0x752f50, stream = 0x752f50, ref = {num = 7679824, gen = 0}, cmd = 0x752f50 "°È\005Ö)+"}}
	annotList = <value optimized out>
	i = <value optimized out>
#7  0x00002b29d5ae1fb3 in poppler_page_render_to_pixbuf (page=0x6572c0, src_x=0, src_y=0, src_width=128, src_height=181, scale=0.21502641549117488, rotation=0, pixbuf=0x6900f0)
    at poppler-page.cc:366
	data = {cairo_data = 0x72cc50 'ÿ' <repeats 200 times>..., surface = 0x70dc00, cairo = 0x70dd10}
	__PRETTY_FUNCTION__ = "void poppler_page_render_to_pixbuf(PopplerPage*, int, int, int, int, double, int, GdkPixbuf*)"
#8  0x0000000000414493 in pdf_document_thumbnails_get_thumbnail (document_thumbnails=<value optimized out>, rc=0x657280, border=0) at ev-poppler.cc:1193
	pdf_document = (PdfDocument *) 0x690000
	poppler_page = (PopplerPage *) 0x6572c0
	pixbuf = (GdkPixbuf *) 0x6900f0
	border_pixbuf = <value optimized out>
	__PRETTY_FUNCTION__ = "GdkPixbuf* pdf_document_thumbnails_get_thumbnail(EvDocumentThumbnails*, EvRenderContext*, gboolean)"
#9  0x0000000000410862 in evince_thumbnail_pngenc_get (document=0x690000, thumbnail=0x7fffd88cca10 "/tmp/.gnome_thumbnail.PIQQUT", size=<value optimized out>)
    at evince-thumbnailer.c:73
	rc = (EvRenderContext *) 0x657280
	width = 595.27570000000014
	height = 841.88980000000004
	pixbuf = <value optimized out>
#10 0x0000000000410b1a in main (argc=5, argv=0x7fffd88cb028) at evince-thumbnailer.c:197
	document = (EvDocument *) 0x690000
	input = <value optimized out>
	output = 0x7fffd88cca10 "/tmp/.gnome_thumbnail.PIQQUT"
	size = 128
	uri = 0x661b70 "ð\202k"
...
I'm sorry, this file was generated from LaTeX; I suspect the thumbnailer picked it up at the wrong moment, while it was still being generated? I can attach the complete file, but this is thumbnailed without any problems."
Comment 1 Kees Cook 2008-04-18 17:59:29 UTC
This was fixed in recent poppler changes, but I'd like to see the attached patch committed as well for additional safety in the future.
Comment 2 Kees Cook 2008-04-18 18:00:26 UTC
Created attachment 16030 [details] [review]
perform full type-checking in Object
Comment 3 Kees Cook 2008-04-18 18:02:21 UTC
Fix for the crash (and security issue): http://gitweb.freedesktop.org/?p=poppler/poppler.git;a=commitdiff;h=1a531dcfee1c6fc79a414c38cbe7327fbf9a59d8

This was CVE-2008-1693.
Comment 4 Albert Astals Cid 2008-04-19 04:13:36 UTC
So the bug is fixed, nice :-)

Kees, about your patch I don't really see why we should use it. If there's a wrong usage of Object it has to be fixed, rather than silently skipping the problem.

Anyway if you still want to argue about that please open a separate bug as it's not really related to this one.
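The backtrace above shows the type confusion directly: refObj has type = objNone, yet every member of its union payload reads as 405 (0x195), and the code went on to treat it as a Ref; strObj is objNull with stream = 0x0, which is what was then dereferenced. The C++ model below is added here and is not poppler's code: Object, XRef, Dict, the two font-loading functions and the sample inputs are constructed stand-ins with the same tagged-union shape, and the lookup -> getRef -> fetch -> getStream sequence is inferred from the local names in frame #0, not shown on this page. It contrasts the unchecked union reads with type-checked accessors of the kind Kees's attachment title describes (which are also what a call-site fix, as Albert prefers, amounts to), and assumes a 64-bit little-endian host for the 0x195 pointer value.

```cpp
// Added model of the type confusion behind bug 11392 / CVE-2008-1693.
// This is NOT poppler's code: Object, XRef, Dict, the font-loading functions
// and the sample inputs are constructed stand-ins with the same tagged-union
// shape, written to show why an unchecked union read turns a malformed
// /FontFile entry into a wild pointer. Assumes a 64-bit little-endian host.
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <map>
#include <string>

enum ObjType { objNone, objNull, objInt, objRef, objStream };
struct Ref { int num; int gen; };
struct Stream { std::string bytes; };

struct Object {
    ObjType type;
    union { int intg; Ref ref; Stream* stream; };   // one payload, meaning chosen by 'type'
    Object() { std::memset(static_cast<void*>(this), 0, sizeof *this); type = objNone; }
    static Object makeNull()            { Object o; o.type = objNull;   return o; }
    static Object makeInt(int v)        { Object o; o.type = objInt;    o.intg = v;  return o; }
    static Object makeRef(int n, int g) { Object o; o.type = objRef;    o.ref.num = n; o.ref.gen = g; return o; }
    static Object makeStream(Stream* s) { Object o; o.type = objStream; o.stream = s; return o; }
    bool isRef() const    { return type == objRef; }
    bool isStream() const { return type == objStream; }
    // Unchecked accessors: hand back the payload whatever 'type' says.
    Ref     getRefUnchecked() const    { return ref; }
    Stream* getStreamUnchecked() const { return stream; }
    // Checked accessors, the "perform full type-checking in Object" idea:
    // refuse instead of reinterpreting.
    bool getRef(Ref* out) const        { if (!isRef()) return false; *out = ref; return true; }
    bool getStream(Stream** out) const { if (!isStream()) return false; *out = stream; return true; }
};

typedef std::map<std::string, Object> Dict;

struct XRef {
    std::map<int, Object> table;
    // An object number the file never defines resolves to null, as in a broken file.
    Object fetch(Ref r) const {
        std::map<int, Object>::const_iterator it = table.find(r.num);
        return it == table.end() ? Object::makeNull() : it->second;
    }
};

enum LoadResult { LOAD_OK, LOAD_REJECTED, LOAD_WOULD_CRASH };

// Reconstruction of the crashing sequence suggested by the locals in frame #0
// (refObj, strObj): look up /FontFile, take it as a Ref, fetch, take the result
// as a stream, with no type test in between. The real code dereferenced the
// pointer; this model stops and reports the value it would have dereferenced.
LoadResult loadEmbeddedFontUnchecked(const Dict& fontDesc, const XRef& xref,
                                     size_t* lenOut, uintptr_t* badPtrOut) {
    Dict::const_iterator it = fontDesc.find("FontFile");
    if (it == fontDesc.end()) return LOAD_REJECTED;
    Ref r = it->second.getRefUnchecked();        // an objInt 405 reads as Ref{405, 0}, as in the trace
    Object strObj = xref.fetch(r);
    Stream* s = strObj.getStreamUnchecked();     // objNull reads as 0x0, objInt 405 as address 0x195
    if (!strObj.isStream()) {
        *badPtrOut = reinterpret_cast<uintptr_t>(s);
        return LOAD_WOULD_CRASH;                 // the original code took SIGSEGV here
    }
    *lenOut = s->bytes.size();
    return LOAD_OK;
}

// Hardened sequence: every union read is guarded by its type test.
LoadResult loadEmbeddedFontChecked(const Dict& fontDesc, const XRef& xref, size_t* lenOut) {
    Dict::const_iterator it = fontDesc.find("FontFile");
    if (it == fontDesc.end()) return LOAD_REJECTED;
    Ref r = {0, 0};
    if (!it->second.getRef(&r)) return LOAD_REJECTED;         // /FontFile must be an indirect reference
    Stream* s = 0;
    if (!xref.fetch(r).getStream(&s)) return LOAD_REJECTED;   // ...and must resolve to a stream
    *lenOut = s->bytes.size();
    return LOAD_OK;
}

// Constructed inputs (not taken from the reporter's da.pdf).
static Stream gFontProgram = { std::string("%!PS-AdobeFont-1.0: Constructed 001.000\n") };
XRef wellFormedXRef() { XRef x; x.table[405] = Object::makeStream(&gFontProgram); return x; }
Dict wellFormedFont() { Dict d; d["FontFile"] = Object::makeRef(405, 0); return d; }  // /FontFile 405 0 R
Dict directIntFont()  { Dict d; d["FontFile"] = Object::makeInt(405);    return d; }  // /FontFile 405
XRef intAt405XRef()   { XRef x; x.table[405] = Object::makeInt(405);     return x; }  // 405 0 obj 405 endobj

int main() {
    size_t n = 0; uintptr_t p = 0;
    LoadResult a = loadEmbeddedFontUnchecked(directIntFont(), intAt405XRef(), &n, &p);
    std::printf("unchecked: result=%d, would dereference %#lx\n", (int)a, (unsigned long)p);
    LoadResult b = loadEmbeddedFontChecked(directIntFont(), intAt405XRef(), &n);
    std::printf("checked:   result=%d (rejected before any dereference)\n", (int)b);
    return 0;
}
```

The two malformed inputs reproduce the two failure shapes a malformed font dictionary can produce: a direct integer where a reference is required gives Ref{405, 0} and, if object 405 does not exist, a null stream pointer (the SIGSEGV in the report); if object 405 does exist but is not a stream, the payload is read as an address, which is why the fix is treated as a security issue rather than a plain crash.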
