Bug 15606

Summary: Reproducible segfault of Poppler when selecting text
Product: poppler Reporter: Carlos Garcia Campos <carlosgc>
Component: generalAssignee: poppler-bugs <poppler-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: major    
Priority: medium CC: mkasik, robin, sam
Version: unspecified   
Hardware: Other   
OS: All   
Whiteboard:
i915 platform: i915 features:
Attachments: Pass the right y to TextLine::visitSelection when x are the same
proposed patch

Description Carlos Garcia Campos 2008-04-19 03:38:26 UTC
Bug forwarded from Evince: http://bugzilla.gnome.org/show_bug.cgi?id=528484

"Steps to reproduce:
1. Download the PDF version of the document at
http://research.sun.com/techrep/1996/abstract-52.html
2. Open it in Evince and navigate to page 66 of the PDF
3. Start a selection with the word "The" at the bottom of the page in the
sentence "The algorithm connects the send to all k templates" by
double-clicking on the "h" and then dragging the selection down to the next
line (mousedown-mouseup-mousedown-drag).
4. Witness crash :)

Stack trace:
Program received signal SIGSEGV, Segmentation fault.
0x00007f914bf41597 in TextLine::visitSelection () from /usr/lib/libpoppler.so.2
(gdb) backtrace
#0  0x00007f914bf41597 in TextLine::visitSelection () from
/usr/lib/libpoppler.so.2
#1  0x00007f914bf41782 in TextBlock::visitSelection () from
/usr/lib/libpoppler.so.2
#2  0x00007f914bf41a62 in TextPage::visitSelection () from
/usr/lib/libpoppler.so.2
#3  0x00007f914bf443fd in TextPage::getSelectionRegion () from
/usr/lib/libpoppler.so.2
#4  0x00007f91519cd1fe in poppler_page_get_selection_region () from
/usr/lib/libpoppler-glib.so.2
#5  0x0000000000427b2f in ev_pixbuf_cache_get_selection_surface
(pixbuf_cache=0xb19f20, page=<value optimized out>, scale=1.77777779,
region=0x7fff5d787c98)
    at /build/buildd/evince-2.22.1.1/./shell/ev-pixbuf-cache.c:1026
#6  0x000000000042c5f2 in merge_selection_region (view=0x94e140,
new_list=<value optimized out>) at
/build/buildd/evince-2.22.1.1/./shell/ev-view.c:5577
#7  0x0000000000430a77 in compute_selections (view=0x94e140,
style=EV_SELECTION_STYLE_WORD, start=0x94e358, stop=0x94e358)
    at /build/buildd/evince-2.22.1.1/./shell/ev-view.c:5652
#8  0x0000000000430c3d in selection_update_idle_cb (view=0xf7d710) at
/build/buildd/evince-2.22.1.1/./shell/ev-view.c:2885
#9  0x00007f915077b262 in g_main_context_dispatch () from
/usr/lib/libglib-2.0.so.0
#10 0x00007f915077e516 in ?? () from /usr/lib/libglib-2.0.so.0
#11 0x00007f915077e7d7 in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
#12 0x00007f9152595ee3 in gtk_main () from /usr/lib/libgtk-x11-2.0.so.0
#13 0x0000000000448c73 in main (argc=1, argv=<value optimized out>) at
/build/buildd/evince-2.22.1.1/./shell/main.c:412

Other information:
Evince 2.22.1.1
poppler 0.6.4 (cairo)"

Look at the original bug report in gnome bugzilla for a better stacktrace and further information.
Comment 1 Robin Stocker 2008-04-19 10:24:23 UTC
Created attachment 16045 [details] [review]
Pass the right y to TextLine::visitSelection when x are the same

I had a look at the code with the debugger and the problem why the segfault occurs is that in line 3778 of poppler/TextOutputDev.cc the TextWord *begin is NULL.

The code which searches the begin word seems to be correct, but the selection which was passed to TextLine::visitSelection doesn't actually "touch" a word in the line, because its y is bigger than yMax of any of the words. So the problem maybe lies somewhere in the calculation of the child_selections in the calling functions. Here are the selection parameters in the various functions:

TextPage::visitSelection: {x1 = 155.8125, y1 = 610.875, x2 = 155.8125, y2 = 616.5}
TextBlock::visitSelection: {x1 = 155.8125, y1 = 610.875, x2 = 155.8125, y2 = 616.5}
TextLine::visitSelection: {x1 = 155.8125, y1 = 616.5, x2 = 612, y2 = 792}

The two x are the same, but somehow the bigger y is passed to TextLine::visitSelection. The attached patch fixes this and makes my original test case work. There's another problem though.
Comment 2 Robin Stocker 2008-04-19 10:36:12 UTC
Here's another way to trigger the same segfault again, using the same document on the same page:

1. Download the PDF version of the document at http://research.sun.com/techrep/1996/abstract-52.html
2. Open it in Evince and navigate to page 66 of the PDF
3. Position the cursor between the word "connects" in the sentence "The algorithm connects the send to all k templates" and the rho letter (ρ) beneath its second "n".
4. Double-click
5. Crash

Here's the line of the segfault, the backtrace is the same as with the first test case:

Program received signal SIGSEGV, Segmentation fault.
TextLine::visitSelection (this=0xd06340, visitor=0x7fff24d3f910, selection=0x7fff24d3f800, style=selectionStyleWord) at TextOutputDev.cc:3778
3778	    child_selection.x1 = begin->xMin;

Here are the selection parameters:

TextPage::visitSelection: {x1 = 223.3125, y1 = 617.0625, x2 = 223.3125, y2 = 617.0625}
TextBlock::visitSelection: {x1 = 223.3125, y1 = 617.0625, x2 = 223.3125, y2 = 617.0625}
TextLine::visitSelection: {x1 = 223.3125, y1 = 617.0625, x2 = 612, y2 = 792}

This time, the y is too big from the start. I don't know the code, but there's something wrong in the calculation of the child_selections or the lines which should be visited...
Comment 3 Carlos Garcia Campos 2008-06-18 05:18:52 UTC
hmm, it still crashes for me after applying the patch . . . 
Comment 4 Robin Stocker 2008-09-20 14:38:24 UTC
I just did a rough count of the duplicates of this bug over at the gnome bug tracker. It has been reported about 33 times! Here are the two bug reports with the duplicates:

http://bugzilla.gnome.org/show_bug.cgi?id=501673
http://bugzilla.gnome.org/show_bug.cgi?id=528484

So, I think raising the severity of this bug to "major" is justified.

Can someone who knows the code a bit (or preferably the one who wrote it) go over the selection code and try to find the cause of this bug? It may be something simple like an "and" where an "or" should be or a one off error.
Comment 5 Marek Kasik 2008-11-18 07:08:34 UTC
Created attachment 20409 [details] [review]
proposed patch

Hi,
this is caused by different sizes of bounding boxes of words and bounding boxes
of lines.
This can happen for a special character in a line. Height of the bounding box
of such line is then higher than bounding boxes of normal words.
If user double clicks in the space inside bounding box of such a line, but
outside bounding box of the closest word, then the application crashes.
(it crashes after searching for the beginning of the selection, because
beginning word is not hit but it is supposed that it was hit)
The attached patch avoids crashing by simple cancellation of such a selection.

  Regards

    Marek


How to reproduce:
1) Open a document in Evince (zoom 400%).
2) Find a line with a special character (lower index, for example).
3) Double click to space between this line and the line below this one (not close to the word containing the special character). - try this several times with different vertical positions between those lines
Comment 6 Carlos Garcia Campos 2008-11-18 11:14:50 UTC
I've just applied a slightly different patch. Could you confirm the problem is actually fixed, please? If the problem is fixed I'll backport it to the stable branch. 

Thanks. 
Comment 7 Marek Kasik 2008-11-19 06:24:19 UTC
Hi Carlos,
the bug doesn't occur any more. So, it is fixed.
(I tested it with the line described in http://bugzilla.gnome.org/show_bug.cgi?id=528484)

    Marek
Comment 8 Carlos Garcia Campos 2008-11-20 00:34:39 UTC
The fix is in poppler-0.10 branch too. 

Thank you all for your help. 

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.