Bug 24693

Summary: Attached PDF crashes evince with a Floating point exception
Product: pixman Reporter: Carlos Garcia Campos <carlosgc>
Component: pixman    Assignee: Søren Sandmann Pedersen <soren.sandmann>
Status: RESOLVED FIXED QA Contact: Søren Sandmann Pedersen <soren.sandmann>
Severity: normal    
Priority: medium CC: charles-debian-nospam, chris, joss, mariano.suarezalvarez, pablo
Version: 0.14.0   
Hardware: Other   
OS: All   

Description Carlos Garcia Campos 2009-10-23 06:14:59 UTC
Bug forwarded from Evince: https://bugzilla.gnome.org/show_bug.cgi?id=599216

"Evince 2.28.0-0ubuntu4 on Ubuntu karmic.

Open the PDF and scroll down a few pages to get a Floating point exception."

It's always reproducible for me with the PDF attached to the original bug report using evince or poppler-glib-demo

Program received signal SIGFPE, Arithmetic exception.
[Switching to Thread 0xb6df2710 (LWP 16029)]
0xb757f229 in bits_image_fetch_transformed (pict=0x9930448, x=<value optimized out>, y=<value optimized out>, width=2, buffer=0xbfc258a8, mask=0xbfc258b0, 
    mask_bits=4294967295) at pixman-bits-image.c:198
198		*x = MOD (*x, width);
(gdb) bt
#0  0xb757f229 in bits_image_fetch_transformed (pict=0x9930448, x=<value optimized out>, y=<value optimized out>, width=2, buffer=0xbfc258a8, 
    mask=0xbfc258b0, mask_bits=4294967295) at pixman-bits-image.c:198
#1  0xb75543e9 in _pixman_image_get_scanline_32 (image=0x9930448, x=222, y=175, width=2, buffer=0xbfc258a8, mask=0xbfc258b0, mask_bits=4294967295)
    at pixman-image.c:150
#2  0xb7578603 in general_composite_rect (imp=0x98f79b8, op=PIXMAN_OP_OVER, src=0x9930448, mask=0x99143f0, dest=0x9902f80, src_x=222, src_y=175, mask_x=0, 
    mask_y=0, dest_x=320, dest_y=327, width=2, height=3) at pixman-general.c:211
#3  0xb757fc4a in walk_region_internal (imp=0x98f79b8, op=PIXMAN_OP_OVER, src_image=0x9930448, mask_image=0x99143f0, dst_image=0x9902f80, src_x=222, 
    src_y=175, mask_x=0, mask_y=0, dest_x=320, dest_y=327, width=2, height=3, src_repeat=0, mask_repeat=0, region=0xbfc2b9f8, 
    composite_rect=0xb75782c0 <general_composite_rect>) at pixman-utils.c:447
#4  0xb7580c78 in _pixman_walk_composite_region (imp=0x98f79b8, op=PIXMAN_OP_OVER, src_image=0x9930448, mask_image=0x99143f0, dst_image=0x9902f80, 
    src_x=222, src_y=175, mask_x=0, mask_y=0, dest_x=320, dest_y=327, width=<value optimized out>, height=<value optimized out>, 
    composite_rect=0xb75782c0 <general_composite_rect>) at pixman-utils.c:493
#5  0xb75782b3 in general_composite (imp=0x98f79b8, op=PIXMAN_OP_OVER, src=0x9930448, mask=0x99143f0, dest=0x9902f80, src_x=<value optimized out>, 
    src_y=<value optimized out>, mask_x=<value optimized out>, mask_y=<value optimized out>, dest_x=<value optimized out>, dest_y=<value optimized out>, 
    width=<value optimized out>, height=<value optimized out>) at pixman-general.c:270
#6  0xb75550d3 in _pixman_implementation_composite (imp=0x98f79b8, op=PIXMAN_OP_OVER, src=0x9930448, mask=0x99143f0, dest=0x9902f80, src_x=222, src_y=175, 
    mask_x=0, mask_y=0, dest_x=320, dest_y=327, width=2, height=3) at pixman-implementation.c:229
#7  0xb757a402 in fast_path_composite (imp=0x98f7dc0, op=PIXMAN_OP_OVER, src=0x9930448, mask=0x99143f0, dest=0x9902f80, src_x=222, src_y=175, mask_x=0, 
    mask_y=0, dest_x=320, dest_y=327, width=2, height=3) at pixman-fast-path.c:1253
#8  0xb75550d3 in _pixman_implementation_composite (imp=0x98f7dc0, op=PIXMAN_OP_OVER, src=0x9930448, mask=0x99143f0, dest=0x9902f80, src_x=222, src_y=175, 
    mask_x=0, mask_y=0, dest_x=320, dest_y=327, width=2, height=3) at pixman-implementation.c:229
#9  0xb7584ef3 in mmx_composite (imp=0x98f81c8, op=PIXMAN_OP_OVER, src=0x9930448, mask=0x99143f0, dest=0x9902f80, src_x=222, src_y=175, mask_x=0, mask_y=0, 
    dest_x=320, dest_y=327, width=2, height=3) at pixman-mmx.c:3334
#10 0xb75550d3 in _pixman_implementation_composite (imp=0x98f81c8, op=PIXMAN_OP_OVER, src=0x9930448, mask=0x99143f0, dest=0x9902f80, src_x=222, src_y=175, 
    mask_x=0, mask_y=0, dest_x=320, dest_y=327, width=2, height=3) at pixman-implementation.c:229
#11 0xb758c23b in sse2_composite (imp=0x98f85d0, op=PIXMAN_OP_OVER, src=0x9930448, mask=0x99143f0, dest=0x9902f80, src_x=222, src_y=175, mask_x=0, 
    mask_y=0, dest_x=320, dest_y=327, width=2, height=3) at pixman-sse2.c:5573
#12 0xb75550d3 in _pixman_implementation_composite (imp=0x98f85d0, op=PIXMAN_OP_OVER, src=0x9930448, mask=0x99143f0, dest=0x9902f80, src_x=222, src_y=175, 
    mask_x=0, mask_y=0, dest_x=320, dest_y=327, width=2, height=3) at pixman-implementation.c:229
#13 0xb757923c in pixman_image_composite (op=PIXMAN_OP_OVER, src=0x9930448, mask=0x99143f0, dest=0x9902f80, src_x=<value optimized out>, 
    src_y=<value optimized out>, mask_x=<value optimized out>, mask_y=<value optimized out>, dest_x=<value optimized out>, dest_y=<value optimized out>, 
    width=<value optimized out>, height=<value optimized out>) at pixman.c:199
#14 0xb75bae6a in _cairo_image_surface_composite (op=CAIRO_OPERATOR_OVER, src_pattern=0xbfc2cc9c, mask_pattern=0xbfc2c02c, abstract_dst=0x99041d8, 
    src_x=320, src_y=327, mask_x=0, mask_y=0, dst_x=<value optimized out>, dst_y=<value optimized out>, width=<value optimized out>, 
    height=<value optimized out>, clip_region=0x0) at cairo-image-surface.c:1113
#15 0xb75d828b in _cairo_surface_composite (op=CAIRO_OPERATOR_OVER, src=0xbfc2cc9c, mask=0xbfc2c02c, dst=0x99041d8, src_x=320, src_y=327, mask_x=0, 
    mask_y=0, dst_x=320, dst_y=327, width=2, height=3, clip_region=0x0) at cairo-surface.c:1755
#16 0xb75db3ad in _clip_and_composite (clip=0xbfc2cd78, op=CAIRO_OPERATOR_OVER, src=0xbfc2cc9c, draw_func=0xb75dcc90 <_composite_traps_draw_func>, 
    draw_closure=0xbfc2c20c, dst=0x99041d8, extents=0xbfc2cb10) at cairo-surface-fallback.c:197
#17 0xb75dc4e2 in _clip_and_composite_trapezoids (src=0xbfc2cc9c, op=CAIRO_OPERATOR_OVER, dst=0x99041d8, traps=0xbfc2c664, 
    antialias=CAIRO_ANTIALIAS_DEFAULT, clip=0xbfc2cd78, extents=0xbfc2cb10) at cairo-surface-fallback.c:859
#18 0xb75dca39 in _cairo_surface_fallback_fill (surface=0x99041d8, op=CAIRO_OPERATOR_OVER, source=0xbfc2cc9c, path=0xb762862c, 
    fill_rule=CAIRO_FILL_RULE_WINDING, tolerance=0.10000000000000001, antialias=CAIRO_ANTIALIAS_DEFAULT, clip=0xbfc2cd78) at cairo-surface-fallback.c:1443
#19 0xb75d90f9 in _cairo_surface_fill (surface=0x99041d8, op=CAIRO_OPERATOR_OVER, source=0xbfc2cc9c, path=0xb762862c, fill_rule=CAIRO_FILL_RULE_WINDING, 
    tolerance=0.10000000000000001, antialias=CAIRO_ANTIALIAS_DEFAULT, clip=0xbfc2cd78) at cairo-surface.c:2141
#20 0xb75b67d0 in _cairo_gstate_fill (gstate=0x98f75d0, path=0xb762862c) at cairo-gstate.c:1153
#21 0xb75ad4b6 in *INT_cairo_fill_preserve (cr=0xb76283a0) at cairo.c:2272
#22 0xb75ad4e2 in cairo_fill (cr=0xb76283a0) at cairo.c:2248
#23 0xb7f00b36 in CairoOutputDev::tilingPatternFill (this=0x97e02c8, state=0x9914640, str=0x99300c4, paintType=1, resDict=0x99307f0, mat=0xbfc2d130, 
    bbox=0x9930058, x0=297, y0=-57, x1=299, y1=-52, xStep=0.70900000000000007, yStep=0.70900000000000007) at CairoOutputDev.cc:709
#24 0xb7db293b in Gfx::doTilingPatternFill (this=0x98fed08, tPat=0x9930048, stroke=0, eoFill=0) at Gfx.cc:1997
#25 0xb7db7163 in Gfx::doPatternFill (this=0x98fed08, eoFill=0) at Gfx.cc:1794
#26 0xb7db7600 in Gfx::opFill (this=0x98fed08, args=0xbfc2d290, numArgs=0) at Gfx.cc:1674
#27 0xb7dad9da in Gfx::execOp (this=0x98fed08, cmd=0xbfc2d430, args=0xbfc2d290, numArgs=0) at Gfx.cc:790
#28 0xb7dadfae in Gfx::go (this=0x98fed08, topLevel=1) at Gfx.cc:661
#29 0xb7dae9b2 in Gfx::display (this=0x98fed08, obj=0xbfc2d50c, topLevel=1) at Gfx.cc:630
#30 0xb7dfc2dd in Page::displaySlice (this=0x97c6560, out=0x97e02c8, hDPI=72, vDPI=72, rotate=0, useMediaBox=0, crop=1, sliceX=-1, sliceY=-1, sliceW=-1, 
    sliceH=-1, printing=0, catalog=0x97c3ef8, abortCheckCbk=0, abortCheckCbkData=0x0, annotDisplayDecideCbk=0, annotDisplayDecideCbkData=0x0) at Page.cc:474
#31 0xb7ef620e in _poppler_page_render (page=0x99002e0, cairo=0xb76283a0, printing=0) at poppler-page.cc:560
#32 0xb7ef63a6 in poppler_page_render (page=0x99002e0, cairo=0xb76283a0) at poppler-page.cc:586
#33 0x08059203 in pgd_render_start (button=0x981a578, demo=0x9861b18) at render.c:195
#34 0xb723b7c4 in IA__g_cclosure_marshal_VOID__VOID (closure=0x987e1e0, return_value=0x0, n_param_values=1, param_values=0x985ce90, 
    invocation_hint=0xbfc2d7bc, marshal_data=0x8058ec0) at gmarshal.c:77
#35 0xb722df6b in IA__g_closure_invoke (closure=0x987e1e0, return_value=0x0, n_param_values=1, param_values=0x985ce90, invocation_hint=0xbfc2d7bc)
    at gclosure.c:767
#36 0xb7244239 in signal_emit_unlocked_R (node=0x9815600, detail=0, instance=0x981a578, emission_return=0x0, instance_and_params=0x985ce90)
    at gsignal.c:3247
#37 0xb7245889 in IA__g_signal_emit_valist (instance=0x981a578, signal_id=122, detail=0, 
    var_args=0xbfc2d95c "&#65533;\t%&#65533;&#65533;&#65533;%&#65533;x&#65533;\201\tx&#65533;¿&#65533;&#65533;y&#65533;x&#65533;\201\t`&#65533;y&#65533;\230&#65533;¿&#311;#&#65533;x&#65533;\201\tXl\201\t") at gsignal.c:2980
#38 0xb7245d06 in IA__g_signal_emit (instance=0x981a578, signal_id=122, detail=0) at gsignal.c:3037
#39 0xb779bc9a in IA__gtk_button_clicked (button=0x981a578) at gtkbutton.c:1111
#40 0xb779d7a8 in gtk_real_button_released (button=0x981a578) at gtkbutton.c:1707
#41 0xb723b7c4 in IA__g_cclosure_marshal_VOID__VOID (closure=0x97f8368, return_value=0x0, n_param_values=1, param_values=0x98c4130, 
    invocation_hint=0xbfc2db2c, marshal_data=0xb779d760) at gmarshal.c:77
#42 0xb722c6c9 in g_type_class_meta_marshal (closure=0x97f8368, return_value=0x0, n_param_values=1, param_values=0x98c4130, invocation_hint=0xbfc2db2c, 
    marshal_data=0x1a4) at gclosure.c:878
#43 0xb722df6b in IA__g_closure_invoke (closure=0x97f8368, return_value=0x0, n_param_values=1, param_values=0x98c4130, invocation_hint=0xbfc2db2c)
    at gclosure.c:767
#44 0xb7243ac0 in signal_emit_unlocked_R (node=0x97f83a8, detail=0, instance=0x981a578, emission_return=0x0, instance_and_params=0x98c4130)
    at gsignal.c:3177
#45 0xb7245889 in IA__g_signal_emit_valist (instance=0x981a578, signal_id=121, detail=0, 
    var_args=0xbfc2dccc "&#65533;&#1009;&#65533;&#65533;&#1009;&#65533; &#65533;y&#65533;&#65533;&#65533;¿d&#65533;y&#65533;x&#65533;\201\tXl\201\t8&#65533;x\tä$&#65533;&#65533;&#1009;&#65533;&#65533;&#1009;&#65533;(&#65533;¿r\b\207&#65533;x&#65533;\201\t") at gsignal.c:2980
#46 0xb7245d06 in IA__g_signal_emit (instance=0x981a578, signal_id=121, detail=0) at gsignal.c:3037
#47 0xb779bd3a in IA__gtk_button_released (button=0x981a578) at gtkbutton.c:1103
#48 0xb779bf64 in gtk_button_button_release (widget=0x981a578, event=0x98f4900) at gtkbutton.c:1599
#49 0xb7870872 in _gtk_marshal_BOOLEAN__BOXED (closure=0x97ab830, return_value=0xbfc2ded0, n_param_values=2, param_values=0x98e0c50, 
    invocation_hint=0xbfc2debc, marshal_data=0xb779bf20) at gtkmarshalers.c:84
#50 0xb722c6c9 in g_type_class_meta_marshal (closure=0x97ab830, return_value=0xbfc2ded0, n_param_values=2, param_values=0x98e0c50, 
    invocation_hint=0xbfc2debc, marshal_data=0xb4) at gclosure.c:878
#51 0xb722df6b in IA__g_closure_invoke (closure=0x97ab830, return_value=0xbfc2ded0, n_param_values=2, param_values=0x98e0c50, invocation_hint=0xbfc2debc)
    at gclosure.c:767
#52 0xb7243ee7 in signal_emit_unlocked_R (node=0x97ab908, detail=0, instance=0x981a578, emission_return=0xbfc2e008, instance_and_params=0x98e0c50)
    at gsignal.c:3285
#53 0xb724571f in IA__g_signal_emit_valist (instance=0x981a578, signal_id=34, detail=0, var_args=0xbfc2e060 "x&#65533;¿") at gsignal.c:2990
#54 0xb7245d06 in IA__g_signal_emit (instance=0x981a578, signal_id=34, detail=0) at gsignal.c:3037
#55 0xb79aa94e in gtk_widget_event_internal (widget=0x981a578, event=0x98f4900) at gtkwidget.c:4767
#56 0xb7867fca in IA__gtk_propagate_event (widget=0x981a578, event=0x98f4900) at gtkmain.c:2417
#57 0xb7869557 in IA__gtk_main_do_event (event=0x98f4900) at gtkmain.c:1622
#58 0xb76d63ea in gdk_event_dispatch (source=0x97a2b70, callback=0, user_data=0x0) at gdkevents-x11.c:2369
#59 0xb7154368 in IA__g_main_context_dispatch (context=0x97a2bb8) at gmain.c:1960
#60 0xb7157bc3 in g_main_context_iterate (context=0x97a2bb8, block=1, dispatch=1, self=0x9772190) at gmain.c:2591
#61 0xb715809a in IA__g_main_loop_run (loop=0x98f2ff0) at gmain.c:2799
#62 0xb7869a79 in IA__gtk_main () at gtkmain.c:1218
#63 0x0804ec1d in main (argc=Cannot access memory at address 0xffffffda
) at main.c:242
(gdb)
Comment 1 Chris Wilson 2009-10-23 06:35:47 UTC
The issue is that the src is a 0x0R and so triggers the FPE due to a modulus 0. I can filter this out at cairo, and so cheaply skip the entire operation. Maybe pixman should defend itself as well?
Comment 2 Chris Wilson 2009-10-23 06:55:24 UTC
commit 1c34249b7e874cceca29d76af224ee274b880907
Author: Chris Wilson <chris@chris-wilson.co.uk>
Date:   Fri Oct 23 14:42:48 2009 +0100

    [pattern] Compute zero extents for empty patterns
    
    If the pattern is for example a repeating 0x0 image, then treat it as
    having zero extents.
    
    This should workaround the bug presented here:
    
      https://bugs.freedesktop.org/show_bug.cgi?id=24693
      Attached PDF crashes evince with a Floating point exception

Søren is there anything else you want to do here?
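An added example, not pixman's or cairo's code, modelling the failing step from the backtrace (the repeat wrap `*x = MOD (*x, width)` with a 0x0 source image) next to the kind of guard the cairo commit above applies (treat an empty pattern as having zero extents and skip the operation). The function names `mod_wrap`, `repeat_coord_unchecked`, `repeat_coord_safe` and `pattern_is_empty` are hypothetical.

```c
#include <stddef.h>

/* Model of pixman's MOD: a wrap-around modulus that stays non-negative
 * for a positive modulus. With width == 0 the '%' below is an integer
 * division by zero, which the CPU reports as SIGFPE, exactly the
 * "Floating point exception" seen in bits_image_fetch_transformed. */
static int mod_wrap(int a, int b)
{
    int r = a % b;
    return r < 0 ? r + b : r;
}

/* Crashing shape: the coordinate is wrapped unconditionally, so a
 * repeating source image of width 0 divides by zero. Never call this
 * with width == 0. */
static int repeat_coord_unchecked(int x, int width)
{
    return mod_wrap(x, width);
}

/* Defensive shape: an empty image has nothing to sample, so report it
 * (-1, which a wrapped coordinate can never be) instead of dividing.
 * The caller uses that to skip the composite, as cairo does when it
 * computes zero extents for an empty pattern. */
static int repeat_coord_safe(int x, int width)
{
    if (width <= 0)
        return -1;               /* empty pattern: skip, do not divide */
    return mod_wrap(x, width);
}

/* Extents check in the spirit of the cairo fix: a repeating pattern
 * backed by a 0x0 image has zero extents, whatever the requested
 * composite size is, so the whole operation can be dropped early. */
static int pattern_is_empty(int img_width, int img_height)
{
    return img_width <= 0 || img_height <= 0;
}
```

With the values from the backtrace (src_x=222, composite width=2) the safe wrapper returns -1 for a 0x0 image and 0 for a 2-pixel-wide one, while the unchecked wrapper would trap on the former.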
Comment 3 Søren Sandmann Pedersen 2009-10-24 09:20:17 UTC
Pixman has so far taken the attitude that sanity checking is the user's responsibility and that incorrect input will lead to unpredictable behavior.

I'd certainly want to avoid sprinkling checks for zero all over the place.

Does cairo generate zero sized images often, and how difficult would it be to make it not do that? I notice this old commit

commit b4f0cc6eeaff8d5ea114734fcfa293fce1904ce4
Author: Chris Wilson <chris@chris-wilson.co.uk>
Date:   Thu Sep 27 12:44:44 2007 +0100

    [pixman-image] Avoid a potential malloc(0).
    
    Do not attempt to allocate bits if either the image width or height is
    0 - Cairo has a habit of attempting to create such surfaces when
    generating glyphs. The malloc(0) may return a NULL pointer and be treated
    as an out-of-memory error.

which seems to indicate that cairo *does* generate them.
Comment 4 Søren Sandmann Pedersen 2009-11-20 00:51:05 UTC
Chris, any comments on this?
Comment 5 Pablo Castellano (pablog) 2009-11-20 12:03:20 UTC
Hi, 

For what it's worth, there is another file that crashes here:
http://www.cli.di.unipi.it/doku/lib/exe/fetch.php/lpr-a/06-tcp-streamsockets.pdf

Cheers, Pablo.
Comment 6 Chris Wilson 2009-12-01 12:09:49 UTC
(In reply to comment #4)
> Chris, any comments on this?

My apologies Søren, it appears that I've convinced bugs.fd.o not to email me anymore. Hopefully addressed now.

Cairo does use 0x0 images as placeholders. In theory, Cairo detects the use of such surfaces and eliminates the operation - so I'm happy that the burden of this sanity checking lies with Cairo and that attempting to use such a surface with pixman results in a bug.
Comment 7 Carlos Garcia Campos 2009-12-22 08:01:13 UTC
*** Bug 25751 has been marked as a duplicate of this bug. ***
Comment 8 Carlos Garcia Campos 2010-03-01 02:30:08 UTC
*** Bug 26784 has been marked as a duplicate of this bug. ***
Comment 9 Søren Sandmann Pedersen 2010-11-11 03:18:26 UTC
*** Bug 31425 has been marked as a duplicate of this bug. ***
