Bug 24332

Summary: evince crashed with SIGSEGV in TextWord::TextWord()
Product: poppler Reporter: Pedro Villavicencio <pvillavi>
Component: cairo backend    Assignee: poppler-bugs <poppler-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: medium    
Version: unspecified   
Hardware: x86 (IA32)   
OS: Linux (All)   
URL: https://bugs.edge.launchpad.net/ubuntu/+source/poppler/+bug/436197
Whiteboard:
Attachments: This fixes it, but may be a hack

Description Pedro Villavicencio 2009-10-05 12:18:17 UTC
this report has been filed here:

https://bugs.edge.launchpad.net/ubuntu/+source/poppler/+bug/436197

"This document causes the crash. http://www.oreilly.de/catalog/linuxhaclusterger/chapter/ch05.pdf"

".
Thread 3 (process 12515):
#0  0xb7fa6430 in __kernel_vsyscall ()
No symbol table info available.
#1  0xb79a728f in fsync () from /lib/tls/i686/cmov/libpthread.so.0
No symbol table info available.
#2  0xb75a9ac4 in g_file_set_contents () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#3  0xb759769c in g_bookmark_file_to_file () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#4  0xb7ca539b in gtk_recent_manager_real_changed (manager=0x8954390)
    at /build/buildd/gtk+2.0-2.18.0/gtk/gtkrecentmanager.c:409
	write_error = (GError *) 0x0
	priv = (GtkRecentManagerPrivate *) 0x89543a0
	__PRETTY_FUNCTION__ = "gtk_recent_manager_real_changed"
#5  0xb766394c in g_cclosure_marshal_VOID__VOID ()
   from /usr/lib/libgobject-2.0.so.0
No symbol table info available.
#6  0xb7654719 in ?? () from /usr/lib/libgobject-2.0.so.0
No symbol table info available.
#7  0xb7656092 in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0
No symbol table info available.
#8  0xb766b000 in ?? () from /usr/lib/libgobject-2.0.so.0
No symbol table info available.
#9  0xb766ca7d in g_signal_emit_valist () from /usr/lib/libgobject-2.0.so.0
No symbol table info available.
#10 0xb766cf06 in g_signal_emit () from /usr/lib/libgobject-2.0.so.0
No symbol table info available.
#11 0xb7ca76e5 in IA__gtk_recent_manager_add_full (manager=0x8954390, 
    uri=0x8d8d400 "file:///tmp/ch05.pdf", data=0xbffa0c10)
    at /build/buildd/gtk+2.0-2.18.0/gtk/gtkrecentmanager.c:1377
	priv = (GtkRecentManagerPrivate *) 0x89543a0
	__PRETTY_FUNCTION__ = "IA__gtk_recent_manager_add_full"
#12 0xb7ca78ff in gtk_recent_manager_add_item_query_info (
    source_object=0x8d4d0a0, res=0x8e32818, user_data=0x8954390)
    at /build/buildd/gtk+2.0-2.18.0/gtk/gtkrecentmanager.c:792
	recent_data = {display_name = 0x0, description = 0x0, 
  mime_type = 0x8d8d420 "application/pdf", 
  app_name = 0x8d4ee88 "Document Viewer", app_exec = 0x8def858 "evince %u", 
  groups = 0x0, is_private = 0}
	file_info = <value optimized out>
	uri = (gchar *) 0x8d8d400 "file:///tmp/ch05.pdf"
	error = (GError *) 0x0
#13 0xb77ab77c in g_simple_async_result_complete ()
   from /usr/lib/libgio-2.0.so.0
No symbol table info available.
#14 0xb77aba3e in ?? () from /usr/lib/libgio-2.0.so.0
No symbol table info available.
#15 0xb75b80f1 in ?? () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#16 0xb75b9e78 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#17 0xb75bd720 in ?? () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#18 0xb75bdb8f in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#19 0xb7c472d9 in IA__gtk_main ()
    at /build/buildd/gtk+2.0-2.18.0/gtk/gtkmain.c:1205
	tmp_list = (GList *) 0x88ca734
	functions = (GList *) 0x0
	init = (GtkInitFunction *) 0x0
	loop = (GMainLoop *) 0x88bf220
#20 0x08080ba2 in ?? ()
No symbol table info available.
#21 0xb72ffb56 in __libc_start_main (
    main=0x8080360 <gtk_icon_view_set_pixbuf_column@plt+142552>, argc=2, 
    ubp_av=0xbffa0fc4, init=0x8093050, fini=0x8093040, 
    rtld_fini=0xb7fb4d20 <_dl_fini>, stack_end=0xbffa0fbc) at libc-start.c:220
	result = <value optimized out>
	unwind_buf = {cancel_jmp_buf = {{jmp_buf = {-1220292620, 0, 0, 
        -1074131048, -2115363072, 704801041}, mask_was_saved = 0}}, priv = {
    pad = {0x0, 0x0, 0x2, 0x805d6a0}, data = {prev = 0x0, cleanup = 0x0, 
      canceltype = 2}}}
	not_first_call = <value optimized out>
#22 0x0805d6c1 in ?? ()
No symbol table info available.
.
Thread 2 (process 12518):
#0  0xb7fa6430 in __kernel_vsyscall ()
No symbol table info available.
#1  0xb79a4142 in pthread_cond_timedwait@@GLIBC_2.3.2 ()
   from /lib/tls/i686/cmov/libpthread.so.0
No symbol table info available.
#2  0xb7a190ee in ?? () from /usr/lib/libgthread-2.0.so.0
No symbol table info available.
#3  0xb7594c9c in ?? () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#4  0xb75e5837 in ?? () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#5  0xb75e436f in ?? () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#6  0xb799f80e in start_thread () from /lib/tls/i686/cmov/libpthread.so.0
No symbol table info available.
#7  0xb73b57ee in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:130
No locals.
.
Thread 1 (process 12516):
#0  TextWord (this=0x8cc44e8, state=0x8cf2718, rotA=3, x0=0, y0=0, 
    charPosA=0, fontA=0x0, fontSizeA=0) at TextOutputDev.cc:235
	gfxFont = <value optimized out>
	ascent = 0
	descent = 0
	rgb = {r = -1239507956, g = 0, b = -1215119372}
#1  0xb702e512 in TextPage::beginWord (this=0x8cc3e00, state=0x8cf2718, x0=0, 
    y0=0) at TextOutputDev.cc:1990
	gfxFont = <value optimized out>
	fontm = <value optimized out>
	m = {0, 0, 0, -0}
	rot = 147793688
#2  0xb702ff99 in TextPage::addChar (this=0x8cc3e00, state=0x8cf2718, x=0, 
    y=0, dx=0, dy=0, c=0, nBytes=1, u=0x8cc4ac8, uLen=1)
    at TextOutputDev.cc:2089
	y1 = 663.30700699999989
	w1 = 0
	overlap = <value optimized out>
	i = <value optimized out>
	x1 = 0
	h1 = 0
	base = 2.7400317276255428e-266
	sp = 0
#3  0xb703010d in ActualText::endMC (this=0x8cc3f40, state=0x8cf2718)
    at TextOutputDev.cc:4602
	uniString = 0x8cbbc60 "þÿ"
	length = 1
	i = <value optimized out>
#4  0xb791c1c4 in CairoOutputDev::endMarkedContent (this=0x8d0ec68, 
    state=0x8cf2718) at CairoOutputDev.cc:1008
No locals.
#5  0xb6faefd4 in Gfx::opEndMarkedContent (this=0x8cc40e8, args=0xb61e9dd4, 
    numArgs=0) at Gfx.cc:4512
No locals.
#6  0xb6faf576 in Gfx::execOp (this=0x8cc40e8, cmd=0xb61e9f74, 
    args=0xb61e9dd4, numArgs=0) at Gfx.cc:790
	op = <value optimized out>
	name = 0x8cc2658 "EMC"
	argPtr = (Object *) 0xb61e9dd4
	i = 0
#7  0xb6fafb99 in Gfx::go (this=0x8cc40e8, topLevel=1) at Gfx.cc:661
	timer = {start_time = {tv_sec = 1253823101, tv_usec = 310474}, 
  end_time = {tv_sec = -1224794563, tv_usec = -1223917580}, active = 1}
	obj = {type = objCmd, {booln = 147596888, intg = 147596888, 
    real = 663.30665740482345, string = 0x8cc2658, name = 0x8cc2658 "EMC", 
    array = 0x8cc2658, dict = 0x8cc2658, stream = 0x8cc2658, ref = {
      num = 147596888, gen = 1082440308}, cmd = 0x8cc2658 "EMC"}}
	numArgs = 0
	i = <value optimized out>
	lastAbortCheck = 0
	args = {{type = objNone, {booln = 147596904, intg = 147596904, 
      real = 663.30665740482527, string = 0x8cc2668, 
      name = 0x8cc2668 "@&Ì\b", array = 0x8cc2668, dict = 0x8cc2668, 
      stream = 0x8cc2668, ref = {num = 147596904, gen = 1082440308}, 
      cmd = 0x8cc2668 "@&Ì\b"}}, {type = objNone, {booln = 147605248, 
      intg = 147605248, real = 663.30665740577388, string = 0x8cc4700, 
      name = 0x8cc4700 "H*Ï\bxFÌ\b\b", array = 0x8cc4700, dict = 0x8cc4700, 
      stream = 0x8cc4700, ref = {num = 147605248, gen = 1082440308}, 
      cmd = 0x8cc4700 "H*Ï\bxFÌ\b\b"}}, {type = objNone, {booln = -575869214, 
      intg = -575869214, real = 511.65402000000006, string = 0xddaceee2, 
      name = 0xddaceee2 <Address 0xddaceee2 out of bounds>, 
      array = 0xddaceee2, dict = 0xddaceee2, stream = 0xddaceee2, ref = {
        num = -575869214, gen = 1082129014}, 
      cmd = 0xddaceee2 <Address 0xddaceee2 out of bounds>}}, {type = objNone, 
    {booln = -1045910437, intg = -1045910437, real = 663.30700999999988, 
      string = 0xc1a8ac5b, 
      name = 0xc1a8ac5b <Address 0xc1a8ac5b out of bounds>, 
      array = 0xc1a8ac5b, dict = 0xc1a8ac5b, stream = 0xc1a8ac5b, ref = {
        num = -1045910437, gen = 1082440308}, 
      cmd = 0xc1a8ac5b <Address 0xc1a8ac5b out of bounds>}}, {type = objNone, 
    {booln = 0, intg = 0, real = 1.2731974745791634e-313, string = 0x0, 
      name = 0x0, array = 0x0, dict = 0x0, stream = 0x0, ref = {num = 0, 
        gen = 6}, cmd = 0x0}}, {type = objNone, {booln = 0, intg = 0, 
      real = -5.2374703781943357e-48, string = 0x0, name = 0x0, array = 0x0, 
      dict = 0x0, stream = 0x0, ref = {num = 0, gen = -1239507384}, 
      cmd = 0x0}}, {type = objNone, {booln = 0, intg = 0, 
      real = -9.5605093029645369e-43, string = 0x0, name = 0x0, array = 0x0, 
      dict = 0x0, stream = 0x0, ref = {num = 0, gen = -1221242346}, 
      cmd = 0x0}}, {type = objNone, {booln = 0, intg = 0, 
      real = -1.5974699859138047e-43, string = 0x0, name = 0x0, array = 0x0, 
      dict = 0x0, stream = 0x0, ref = {num = 0, gen = -1223917580}, 
      cmd = 0x0}}, {type = objNone, {booln = 0, intg = 0, 
      real = 1.2731974745791634e-313, string = 0x0, name = 0x0, array = 0x0, 
      dict = 0x0, stream = 0x0, ref = {num = 0, gen = 6}, cmd = 0x0}}, {
    type = objNone, {booln = 0, intg = 0, real = 7.0025861101853986e-313, 
      string = 0x0, name = 0x0, array = 0x0, dict = 0x0, stream = 0x0, ref = {
        num = 0, gen = 33}, cmd = 0x0}}, {type = objNone, {booln = 0, 
      intg = 0, real = -1.4909706183973528e-42, string = 0x0, name = 0x0, 
      array = 0x0, dict = 0x0, stream = 0x0, ref = {num = 0, 
        gen = -1220501512}, cmd = 0x0}}, {type = objNone, {booln = 0, 
      intg = 0, real = 4.2439915819305446e-314, string = 0x0, name = 0x0, 
      array = 0x0, dict = 0x0, stream = 0x0, ref = {num = 0, gen = 2}, 
      cmd = 0x0}}, {type = objNone, {booln = 0, intg = 0, 
      real = 4.2439915819305446e-314, string = 0x0, name = 0x0, array = 0x0, 
      dict = 0x0, stream = 0x0, ref = {num = 0, gen = 2}, cmd = 0x0}}, {
    type = objNone, {booln = 0, intg = 0, real = -1.7837215733544617e-42, 
      string = 0x0, name = 0x0, array = 0x0, dict = 0x0, stream = 0x0, ref = {
        num = 0, gen = -1220287584}, cmd = 0x0}}, {type = objNone, {
      booln = 0, intg = 0, real = -1.7768300312974892e-42, string = 0x0, 
      name = 0x0, array = 0x0, dict = 0x0, stream = 0x0, ref = {num = 0, 
        gen = -1220292620}, cmd = 0x0}}, {type = objNone, {booln = 0, 
      intg = 0, real = -5.2377627118345021e-48, string = 0x0, name = 0x0, 
      array = 0x0, dict = 0x0, stream = 0x0, ref = {num = 0, 
        gen = -1239507272}, cmd = 0x0}}, {type = objNone, {booln = 0, 
      intg = 0, real = -9.3220559265889515e-44, string = 0x0, name = 0x0, 
      array = 0x0, dict = 0x0, stream = 0x0, ref = {num = 0, 
        gen = -1224695408}, cmd = 0x0}}, {type = objNone, {booln = 0, 
      intg = 0, real = -9.1149949201075179e-43, string = 0x0, name = 0x0, 
      array = 0x0, dict = 0x0, stream = 0x0, ref = {num = 0, 
        gen = -1221307458}, cmd = 0x0}}, {type = objNone, {booln = 0, 
      intg = 0, real = 2.4196197379748035e-266, string = 0x0, name = 0x0, 
      array = 0x0, dict = 0x0, stream = 0x0, ref = {num = 0, 
        gen = 147388252}, cmd = 0x0}}, {type = objNone, {booln = 0, intg = 0, 
      real = 6.3659873728958169e-314, string = 0x0, name = 0x0, array = 0x0, 
      dict = 0x0, stream = 0x0, ref = {num = 0, gen = 3}, cmd = 0x0}}, {
    type = objNone, {booln = 0, intg = 0, real = -9.3503145333158143e-44, 
      string = 0x0, name = 0x0, array = 0x0, dict = 0x0, stream = 0x0, ref = {
        num = 0, gen = -1224692104}, cmd = 0x0}}, {type = objNone, {
      booln = 0, intg = 0, real = -5.237971521577478e-48, string = 0x0, 
      name = 0x0, array = 0x0, dict = 0x0, stream = 0x0, ref = {num = 0, 
        gen = -1239507192}, cmd = 0x0}}, {type = objNone, {booln = 0, 
      intg = 0, real = 2.4196197379748035e-266, string = 0x0, name = 0x0, 
      array = 0x0, dict = 0x0, stream = 0x0, ref = {num = 0, 
        gen = 147388252}, cmd = 0x0}}, {type = objNone, {booln = 0, intg = 0, 
      real = 2.4195783311482876e-266, string = 0x0, name = 0x0, array = 0x0, 
      dict = 0x0, stream = 0x0, ref = {num = 0, gen = 147388224}, 
      cmd = 0x0}}, {type = objNone, {booln = 0, intg = 0, 
      real = -1.5974699859138047e-43, string = 0x0, name = 0x0, array = 0x0, 
      dict = 0x0, stream = 0x0, ref = {num = 0, gen = -1223917580}, 
      cmd = 0x0}}, {type = objNone, {booln = 0, intg = 0, 
      real = -5.2382638552176443e-48, string = 0x0, name = 0x0, array = 0x0, 
      dict = 0x0, stream = 0x0, ref = {num = 0, gen = -1239507080}, 
      cmd = 0x0}}, {type = objNone, {booln = 0, intg = 0, real = 0, 
      string = 0x0, name = 0x0, array = 0x0, dict = 0x0, stream = 0x0, ref = {
        num = 0, gen = 0}, cmd = 0x0}}, {type = objNone, {booln = 0, 
      intg = 0, real = 1.0185579796633307e-312, string = 0x0, name = 0x0, 
      array = 0x0, dict = 0x0, stream = 0x0, ref = {num = 0, gen = 48}, 
      cmd = 0x0}}, {type = objNone, {booln = 0, intg = 0, 
      real = -1.7837872592199769e-42, string = 0x0, name = 0x0, array = 0x0, 
      dict = 0x0, stream = 0x0, ref = {num = 0, gen = -1220287536}, 
      cmd = 0x0}}, {type = objNone, {booln = 0, intg = 0, 
      real = -1.2828312689570442e-43, string = 0x0, name = 0x0, array = 0x0, 
      dict = 0x0, stream = 0x0, ref = {num = 0, gen = -1224285456}, 
      cmd = 0x0}}, {type = objNone, {booln = 0, intg = 0, 
      real = -9.6556580160744046e-43, string = 0x0, name = 0x0, array = 0x0, 
      dict = 0x0, stream = 0x0, ref = {num = 0, gen = -1221228440}, 
      cmd = 0x0}}, {type = objNone, {booln = 0, intg = 0, 
      real = 2.4196256532357343e-266, string = 0x0, name = 0x0, array = 0x0, 
      dict = 0x0, stream = 0x0, ref = {num = 0, gen = 147388256}, 
      cmd = 0x0}}, {type = objNone, {booln = 0, intg = 0, 
      real = -3.5294948484769161e-44, string = 0x0, name = 0x0, array = 0x0, 
      dict = 0x0, stream = 0x0, ref = {num = 0, gen = -1226231820}, 
      cmd = 0x0}}}
#8  0xb6fb2b99 in Gfx::display (this=0x8cc40e8, obj=0xb61ea074, topLevel=1)
    at Gfx.cc:630
	obj2 = {type = objNone, {booln = 0, intg = 0, 
    real = -7.5505089889280189e-44, string = 0x0, name = 0x0, array = 0x0, 
    dict = 0x0, stream = 0x0, ref = {num = 0, gen = -1225068307}, cmd = 0x0}}
	i = <value optimized out>
#9  0xb6ffd930 in Page::displaySlice (this=0x8e1fb98, out=0x8d0ec68, hDPI=72, 
    vDPI=72, rotate=0, useMediaBox=0, crop=1, sliceX=-1, sliceY=-1, 
    sliceW=-1, sliceH=-1, printing=0, catalog=0x8de89c8, abortCheckCbk=0, 
    abortCheckCbkData=0x0, annotDisplayDecideCbk=0, 
    annotDisplayDecideCbkData=0x0) at Page.cc:474
	gfx = (Gfx *) 0x8cc40e8
	obj = {type = objStream, {booln = 147354112, intg = 147354112, 
    real = -9.3364851095127113e-42, string = 0x8c87200, 
    name = 0x8c87200 "\bo\f·\003", array = 0x8c87200, dict = 0x8c87200, 
    stream = 0x8c87200, ref = {num = 147354112, gen = -1217788227}, 
    cmd = 0x8c87200 "\bo\f·\003"}}
	i = <value optimized out>
#10 0xb7913901 in _poppler_page_render (page=0x8d0ee20, cairo=0x8cc3a70, 
    printing=0) at poppler-page.cc:560
	output_dev = (class CairoOutputDev *) 0x8d0ec68
	__PRETTY_FUNCTION__ = "void _poppler_page_render(PopplerPage*, cairo_t*, GBool)"
#11 0xb7913a96 in poppler_page_render (page=0x8d0ee20, cairo=0x8cc3a70)
    at poppler-page.cc:586
	__PRETTY_FUNCTION__ = "void poppler_page_render(PopplerPage*, cairo_t*)"
#12 0xb59e55b9 in ?? () from /usr/lib/evince/1/backends/libpdfdocument.so
No symbol table info available.
#13 0xb7f71a10 in ev_document_render () from /usr/lib/libevdocument.so.1
No symbol table info available.
#14 0xb7f44e21 in ?? () from /usr/lib/libevview.so.1
No symbol table info available.
#15 0xb7f420a1 in ev_job_run () from /usr/lib/libevview.so.1
No symbol table info available.
#16 0xb7f45be8 in ?? () from /usr/lib/libevview.so.1
No symbol table info available.
#17 0xb75e436f in ?? () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#18 0xb799f80e in start_thread () from /lib/tls/i686/cmov/libpthread.so.0
No symbol table info available.
#19 0xb73b57ee in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:130
No locals."
Comment 1 Albert Astals Cid 2009-10-05 12:50:45 UTC
Moving to cairo backend, I can't reproduce the crash using pdftotext or qt4 test tools but can reproduce it using the glib demo (crashes extracting text from page 2)
Comment 2 Dennis Sheil 2009-12-19 01:26:46 UTC
Created attachment 32188 [details] [review]
This fixes it, but may be a hack

I threw this patch together very quickly after looking at the problem.  It fixes the problem but I have not looked into this in-depth yet and it may be a hack.
Comment 3 Dennis Sheil 2009-12-19 01:28:40 UTC
I have been looking at this bug.  I wrote a little about it here - http://www.vartmp.com/blog/subjects/poppler/20091219.html

The segmentation fault happens when the TextWord constructor is called.  Specifically, when the constructor is called from the beginWord method. The reason the segmentation fault happens is that the curFont object has not been created prior to this, despite it being one of the parameters sent to the TextWord constructor.

On the basis of seeing this, I did a four-line hack in the beginWord method that checks for the existence of curFont, and if it does not exist, creates it and then calls "fonts->append(curFont)".  After this, evince stopped crashing on the pages of the PDFs that it has been crashing (segfaulting) on.

However, I have not really looked into this in-depth, what I did was just a hack.  I am looking through the code of evince and poppler right now, and recreating the segfaults.  It is possible that there is a better way to solve this, perhaps creating the curFont object in a different method, or who knows.  If I come up with something better I'll give you an update.  Or if one of you sees something better that's good too.
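The failure path and the beginWord guard described in Comment 3, as an added illustration that is not poppler's code: a hypothetical, much simplified C++ model of GfxFont, TextFontInfo, TextWord and TextPage in which addChar() is reached (as it is from ActualText::endMC on the EMC operator) before any Tf operator has installed curFont. The guarded beginWord() creates and appends the missing TextFontInfo instead of passing a null pointer into the TextWord constructor.

```cpp
#include <cassert>
#include <memory>
#include <vector>

// Hypothetical, heavily simplified model of the poppler types named in the
// backtrace (GfxFont, TextFontInfo, TextWord, TextPage); not poppler's code.
struct GfxFont { double ascent, descent; };   // like getAscent()/getDescent()
struct TextFontInfo {
  GfxFont *gfxFont;   // may legitimately be null: TextWord handles that case
  explicit TextFontInfo(GfxFont *f) : gfxFont(f) {}
};
struct TextWord {
  TextFontInfo *font;
  double ascent, descent;
  // Frame #0 of the trace: fontA is dereferenced unconditionally, so the
  // null curFont handed in by beginWord (fontA=0x0) faults right here.
  TextWord(TextFontInfo *fontA, double fontSizeA) : font(fontA) {
    GfxFont *gf = fontA->gfxFont;
    ascent  = gf ? gf->ascent  * fontSizeA :  0.95 * fontSizeA;
    descent = gf ? gf->descent * fontSizeA : -0.35 * fontSizeA;
  }
};
class TextPage {
 public:
  // Normal path: a Tf operator reaches updateFont(), which creates curFont.
  void updateFont(GfxFont *stateFont, double size) {
    fonts.push_back(std::make_unique<TextFontInfo>(stateFont));
    curFont = fonts.back().get();
    curFontSize = size;
  }
  // addChar() -> beginWord() is reached from Tj but also from
  // ActualText::endMC (the EMC operator), which can run before any Tf.
  void addChar(char) { if (!curWord) curWord = beginWord(); }
  void endWord() { if (curWord) words.push_back(std::move(curWord)); }
  size_t wordCount() const { return words.size(); }
  size_t fontCount() const { return fonts.size(); }
  bool hasCurFont() const { return curFont != nullptr; }
 private:
  std::unique_ptr<TextWord> beginWord() {
    // Guard from Comment 3: if no font was ever set, create a TextFontInfo
    // (with a null GfxFont) and append it to fonts before constructing.
    if (!curFont) {
      fonts.push_back(std::make_unique<TextFontInfo>(nullptr));
      curFont = fonts.back().get();
    }
    return std::make_unique<TextWord>(curFont, curFontSize);
  }
  std::vector<std::unique_ptr<TextFontInfo>> fonts;
  std::vector<std::unique_ptr<TextWord>> words;
  std::unique_ptr<TextWord> curWord;
  TextFontInfo *curFont = nullptr;
  double curFontSize = 0;
};
```

Without the guard in beginWord(), the first addChar() on a page whose only text arrives through ActualText would construct TextWord with curFont == nullptr, which is the fontA=0x0, fontSizeA=0 call shown in frame #0.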
Comment 4 Carlos Garcia Campos 2009-12-19 01:44:12 UTC
Thank you very much for the patch, what poppler version are you using? I fixed this problem in poppler git recently, I didn't realize it was reported here too so I didn't close this bug, sorry. The commit that fixes this is:

http://cgit.freedesktop.org/poppler/poppler/commit/?id=4e6af25a028d16608111634c5467420e31fa399b

Feel free to reopen if it still crashes with current git master. Thanks.
