Bug 30985

Summary: evince crashed with SIGSEGV in CairoType3Font::create()
Product: poppler Reporter: Pedro Villavicencio <pvillavi>
Component: cairo backendAssignee: poppler-bugs <poppler-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: medium    
Version: unspecified   
Hardware: Other   
OS: All   
Whiteboard:
i915 platform: i915 features:

Description Pedro Villavicencio 2010-10-19 08:13:46 UTC
this report has been filed here:

https://bugs.edge.launchpad.net/ubuntu/+source/poppler/+bug/657587

"evince crashes with segfault when opening the attached PDF. The problem itself is a null deref not it's not a critical one."

pdf :

https://bugs.edge.launchpad.net/ubuntu/+source/poppler/+bug/657587/+attachment/1681202/+files/a.pdf.gz

backtrace:

"#0  CairoType3Font::create (gfxFont=0x21dc6d00, xref=0x2196ad90, 
    catalog=0x219ba8e0, fontEngine=0x21961c88, printing=0)
    at CairoFontEngine.cc:697
    font_face = (cairo_font_face_t *) 0x21b4ce48
    ref = {num = 93, gen = 0}
    i = 32
    charProcs = (Dict *) 0x0
    j = 565637176
    name = 0x7fd0b5b "space"
#1  0x06e629ab in CairoFontEngine::getFont (this=0x21961c88, 
    gfxFont=0x21dc6d00, xref=0x2196ad90, catalog=0x219ba8e0, printing=0)
    at CairoFontEngine.cc:781
    i = <value optimized out>
    j = <value optimized out>
    ref = {num = 93, gen = 0}
    font = (CairoFont *) 0x0
#2  0x06e68133 in CairoOutputDev::updateFont (this=0x219859b8, 
    state=0x21d1a4e0) at CairoOutputDev.cc:571
    font_face = <value optimized out>
    fontSize = 0
    m = <value optimized out>
    w = 0
    matrix = {xx = 2.8702809867985609e-146, yx = 1.9105964759831671e-313, 
  xy = 0, yy = 4.4955550949817957e-270, x0 = 3.4663850250348031e-270, 
  y0 = 2.5818931774188409e-270}
    invert_matrix = {xx = 0, yx = 0, xy = 0, 
  yy = 2.4957621706319076e-146, x0 = 9.999994290410541e-07, 
  y0 = 2.5333803837618225e-270}
#3  0x07f0ecb2 in Gfx::opShowText (this=0x2198fb58, args=0xb639fc84, 
    numArgs=1) at Gfx.cc:3466
No locals.
#4  0x07f0c716 in Gfx::execOp (this=0x2198fb58, cmd=0xb639fe24, 
    args=0xb639fc84, numArgs=1) at Gfx.cc:840
    op = <value optimized out>
    name = 0x21e6bdd8 "Tj"
    argPtr = (Object *) 0xb639fc84
    i = 1
#5  0x07f0d2dc in Gfx::go (this=0x2198fb58, topLevel=1) at Gfx.cc:700
    timer = {start_time = {tv_sec = 1286700176, tv_usec = 392115}, 
  end_time = {tv_sec = 133490189, tv_usec = 134414324}, active = 1}
    obj = {type = objCmd, {booln = 568770008, intg = 568770008, 
    uintg = 568770008, real = 0.0018151794862254402, string = 0x21e6bdd8, 
    name = 0x21e6bdd8 "Tj", array = 0x21e6bdd8, dict = 0x21e6bdd8, 
    stream = 0x21e6bdd8, ref = {num = 568770008, gen = 1063107946}, 
    cmd = 0x21e6bdd8 "Tj"}}
    numArgs = 1
    i = <value optimized out>
    lastAbortCheck = 0
    args = {{type = objString, {booln = 565920496, intg = 565920496, 
      uintg = 565920496, real = 0.0018151794856075508, string = 0x21bb42f0, 
      name = 0x21bb42f0 "Where", array = 0x21bb42f0, dict = 0x21bb42f0, 
      stream = 0x21bb42f0, ref = {num = 565920496, gen = 1063107946}, 
      cmd = 0x21bb42f0 "Where"}}, {type = objNone, {booln = 1247945698, 
      intg = 1247945698, uintg = 1247945698, real = 4.7042400000000004, 
      string = 0x4a6223e2, 
      name = 0x4a6223e2 <Address 0x4a6223e2 out of bounds>, 
      array = 0x4a6223e2, dict = 0x4a6223e2, stream = 0x4a6223e2, ref = {
        num = 1247945698, gen = 1074975012}, 
      cmd = 0x4a6223e2 <Address 0x4a6223e2 out of bounds>}}, {type = objNone, 
    {booln = -114074331, intg = -114074331, uintg = 4180892965, 
      real = -4.7142600000000003, string = 0xf9335d25, 
      name = 0xf9335d25 <Address 0xf9335d25 out of bounds>, 
      array = 0xf9335d25, dict = 0xf9335d25, stream = 0xf9335d25, ref = {
        num = -114074331, gen = -1072506010}, 
      cmd = 0xf9335d25 <Address 0xf9335d25 out of bounds>}}, {type = objNone, 
    {booln = 1, intg = 1, uintg = 1, real = -4.7142562866210946, 
      string = 0x1, name = 0x1 <Address 0x1 out of bounds>, array = 0x1, 
      dict = 0x1, stream = 0x1, ref = {num = 1, gen = -1072506010}, 
      cmd = 0x1 <Address 0x1 out of bounds>}}, {type = objNone, {
      booln = 1697371076, intg = 1697371076, uintg = 1697371076, 
      real = 73.407800000000009, string = 0x652bd3c4, 
      name = 0x652bd3c4 <Address 0x652bd3c4 out of bounds>, 
      array = 0x652bd3c4, dict = 0x652bd3c4, stream = 0x652bd3c4, ref = {
        num = 1697371076, gen = 1079138841}, 
      cmd = 0x652bd3c4 <Address 0x652bd3c4 out of bounds>}}, {type = objNone, 
    {booln = -206158430, intg = -206158430, uintg = 4088808866, 
      real = 413.68700000000001, string = 0xf3b645a2, 
      name = 0xf3b645a2 <Address 0xf3b645a2 out of bounds>, 
      array = 0xf3b645a2, dict = 0xf3b645a2, stream = 0xf3b645a2, ref = {
        num = -206158430, gen = 1081727741}, 
      cmd = 0xf3b645a2 <Address 0xf3b645a2 out of bounds>}}, {type = objNone, 
    {booln = 0, intg = 0, uintg = 0, real = 3.8253340343173894e-147, 
      string = 0x0, name = 0x0, array = 0x0, dict = 0x0, stream = 0x0, ref = {
        num = 0, gen = 562590952}, cmd = 0x0}}, {type = objNone, {booln = 0, 
      intg = 0, uintg = 0, real = 0, string = 0x0, name = 0x0, array = 0x0, 
      dict = 0x0, stream = 0x0, ref = {num = 0, gen = 0}, cmd = 0x0}}, {
    type = objNone, {booln = 0, intg = 0, uintg = 0, 
      real = 2.66727758641971e-270, string = 0x0, name = 0x0, array = 0x0, 
      dict = 0x0, stream = 0x0, ref = {num = 0, gen = 133598133}, 
      cmd = 0x0}}, {type = objNone, {booln = 0, intg = 0, uintg = 0, 
      real = 2.6657576127552318e-270, string = 0x0, name = 0x0, array = 0x0, 
      dict = 0x0, stream = 0x0, ref = {num = 0, gen = 133597291}, 
      cmd = 0x0}}, {type = objNone, {booln = 0, intg = 0, uintg = 0, 
      real = 3.8253340343173894e-147, string = 0x0, name = 0x0, array = 0x0, 
      dict = 0x0, stream = 0x0, ref = {num = 0, gen = 562590952}, 
      cmd = 0x0}}, {type = objNone, {booln = 0, intg = 0, uintg = 0, 
      real = 3.8253340343173894e-147, string = 0x0, name = 0x0, array = 0x0, 
      dict = 0x0, stream = 0x0, ref = {num = 0, gen = 562590952}, 
      cmd = 0x0}}, {type = objNone, {booln = 0, intg = 0, uintg = 0, 
      real = 8.4879831638610893e-314, string = 0x0, name = 0x0, array = 0x0, 
      dict = 0x0, stream = 0x0, ref = {num = 0, gen = 4}, cmd = 0x0}}, {
    type = objNone, {booln = 0, intg = 0, uintg = 0, 
      real = 5.0669347139146951e-304, string = 0x0, name = 0x0, array = 0x0, 
      dict = 0x0, stream = 0x0, ref = {num = 0, gen = 16137471}, cmd = 0x0}}, 
  {type = objNone, {booln = 0, intg = 0, uintg = 0, 
      real = 2.4957837235473633e-146, string = 0x0, name = 0x0, array = 0x0, 
      dict = 0x0, stream = 0x0, ref = {num = 0, gen = 565441036}, 
      cmd = 0x0}}, {type = objNone, {booln = 0, intg = 0, uintg = 0, 
      real = 3.8253340343173894e-147, string = 0x0, name = 0x0, array = 0x0, 
      dict = 0x0, stream = 0x0, ref = {num = 0, gen = 562590952}, 
      cmd = 0x0}}, {type = objNone, {booln = 0, intg = 0, uintg = 0, 
      real = 4.4955549827687231e-270, string = 0x0, name = 0x0, array = 0x0, 
      dict = 0x0, stream = 0x0, ref = {num = 0, gen = 134414324}, 
      cmd = 0x0}}, {type = objNone, {booln = 0, intg = 0, uintg = 0, 
      real = -1.7783323522495614e-47, string = 0x0, name = 0x0, array = 0x0, 
      dict = 0x0, stream = 0x0, ref = {num = 0, gen = -1237713528}, 
      cmd = 0x0}}, {type = objNone, {booln = 0, intg = 0, uintg = 0, 
      real = 5.4323092248710971e-312, string = 0x0, name = 0x0, array = 0x0, 
      dict = 0x0, stream = 0x0, ref = {num = 0, gen = 256}, cmd = 0x0}}, {
    type = objNone, {booln = 0, intg = 0, uintg = 0, 
      real = 4.4955549827687231e-270, string = 0x0, name = 0x0, array = 0x0, 
      dict = 0x0, stream = 0x0, ref = {num = 0, gen = 134414324}, 
      cmd = 0x0}}, {type = objNone, {booln = 0, intg = 0, uintg = 0, 
      real = 4.4955549827687231e-270, string = 0x0, name = 0x0, array = 0x0, 
      dict = 0x0, stream = 0x0, ref = {num = 0, gen = 134414324}, 
      cmd = 0x0}}, {type = objNone, {booln = 0, intg = 0, uintg = 0, 
      real = -1.7783657618084376e-47, string = 0x0, name = 0x0, array = 0x0, 
      dict = 0x0, stream = 0x0, ref = {num = 0, gen = -1237713496}, 
      cmd = 0x0}}, {type = objNone, {booln = 0, intg = 0, uintg = 0, 
      real = 2.1219957909652723e-314, string = 0x0, name = 0x0, array = 0x0, 
      dict = 0x0, stream = 0x0, ref = {num = 0, gen = 1}, cmd = 0x0}}, {
    type = objNone, {booln = 0, intg = 0, uintg = 0, 
      real = 4.4955549827687231e-270, string = 0x0, name = 0x0, array = 0x0, 
      dict = 0x0, stream = 0x0, ref = {num = 0, gen = 134414324}, 
      cmd = 0x0}}, {type = objNone, {booln = 0, intg = 0, uintg = 0, 
      real = 2.4736777103857105e-270, string = 0x0, name = 0x0, array = 0x0, 
      dict = 0x0, stream = 0x0, ref = {num = 0, gen = 133490887}, 
      cmd = 0x0}}, {type = objNone, {booln = 0, intg = 0, uintg = 0, 
      real = 1.2731974745791634e-313, string = 0x0, name = 0x0, array = 0x0, 
      dict = 0x0, stream = 0x0, ref = {num = 0, gen = 6}, cmd = 0x0}}, {
    type = objNone, {booln = 0, intg = 0, uintg = 0, 
      real = 1.0032357386390807e-303, string = 0x0, name = 0x0, array = 0x0, 
      dict = 0x0, stream = 0x0, ref = {num = 0, gen = 17171448}, cmd = 0x0}}, 
  {type = objNone, {booln = 0, intg = 0, uintg = 0, real = 0, string = 0x0, 
      name = 0x0, array = 0x0, dict = 0x0, stream = 0x0, ref = {num = 0, 
        gen = 0}, cmd = 0x0}}, {type = objNone, {booln = 0, intg = 0, 
      uintg = 0, real = 0, string = 0x0, name = 0x0, array = 0x0, dict = 0x0, 
      stream = 0x0, ref = {num = 0, gen = 0}, cmd = 0x0}}, {type = objNone, {
      booln = 0, intg = 0, uintg = 0, real = 1.0032301759544344e-303, 
      string = 0x0, name = 0x0, array = 0x0, dict = 0x0, stream = 0x0, ref = {
        num = 0, gen = 17171440}, cmd = 0x0}}, {type = objNone, {booln = 0, 
      intg = 0, uintg = 0, real = 0.0099999979138374329, string = 0x0, 
      name = 0x0, array = 0x0, dict = 0x0, stream = 0x0, ref = {num = 0, 
        gen = 1065646817}, cmd = 0x0}}, {type = objNone, {booln = 0, 
      intg = 0, uintg = 0, real = 3.8253340343173894e-147, string = 0x0, 
      name = 0x0, array = 0x0, dict = 0x0, stream = 0x0, ref = {num = 0, 
        gen = 562590952}, cmd = 0x0}}, {type = objNone, {booln = 0, intg = 0, 
      uintg = 0, real = 2.1219957909652723e-314, string = 0x0, name = 0x0, 
      array = 0x0, dict = 0x0, stream = 0x0, ref = {num = 0, gen = 1}, 
      cmd = 0x0}}}
#6  0x07f0dd29 in Gfx::display (this=0x2198fb58, obj=0xb639ff24, topLevel=1)
    at Gfx.cc:667
    obj2 = {type = objNone, {booln = 0, intg = 0, uintg = 0, 
    real = 1.9821160610602139e-270, string = 0x0, name = 0x0, array = 0x0, 
    dict = 0x0, stream = 0x0, ref = {num = 0, gen = 133218583}, cmd = 0x0}}
    i = <value optimized out>
#7  0x07f5a8a0 in Page::displaySlice (this=0x2192cfd0, out=0x219859b8, 
    hDPI=72, vDPI=72, rotate=0, useMediaBox=0, crop=1, sliceX=-1, sliceY=-1, 
    sliceW=-1, sliceH=-1, printing=0, catalog=0x219ba8e0, abortCheckCbk=0, 
    abortCheckCbkData=0x0, annotDisplayDecideCbk=0, 
    annotDisplayDecideCbkData=0x0) at Page.cc:474
    gfx = (Gfx *) 0x2198fb58
    obj = {type = objStream, {booln = 562590952, intg = 562590952, 
    uintg = 562590952, real = 1.0013647921235704e-305, string = 0x218874e8, 
    name = 0x218874e8 "h�\002\b\003", array = 0x218874e8, dict = 0x218874e8, 
    stream = 0x218874e8, ref = {num = 562590952, gen = 10231958}, 
    cmd = 0x218874e8 "h�\002\b\003"}}
    i = <value optimized out>
#8  0x06e5b101 in _poppler_page_render (page=0x2193ec80, cairo=0xa58460, 
    printing=0) at poppler-page.cc:336
    output_dev = (class CairoOutputDev *) 0x219859b8
    __PRETTY_FUNCTION__ = "void _poppler_page_render(PopplerPage*, cairo_t*, GBool)"
#9  0x06e5b3b8 in _poppler_page_render_to_pixbuf (page=<value optimized out>, 
    src_x=32, src_y=0, src_width=100, src_height=129, 
    scale=0.16339869281045752, rotation=0, printing=0, pixbuf=0x219a7ec0)
    at poppler-page.cc:568
    cr = (cairo_t *) 0xa58460
    surface = (cairo_surface_t *) 0x21cd4ea0
#10 0x0cd1239d in make_thumbnail_for_page (
    poppler_page=<value optimized out>, rc=<value optimized out>, width=100, 
    height=129)
    at /build/buildd/evince-2.32.0/./backend/pdf/ev-poppler.cc:1404
    pixbuf = (GdkPixbuf *) 0x7fd0b5b
#11 0x0cd12483 in pdf_document_thumbnails_get_thumbnail (
    document_thumbnails=0x2156fe68, rc=0x2193ec60, border=1)
    at /build/buildd/evince-2.32.0/./backend/pdf/ev-poppler.cc:1467
    poppler_page = (PopplerPage *) 0x2193ec80
    pixbuf = <value optimized out>
    border_pixbuf = <value optimized out>
    width = 100
    height = 129
#12 0x008e5ff3 in ev_document_thumbnails_get_thumbnail (document=0x2156fe68, 
    rc=0x2193ec60, border=1)
    at /build/buildd/evince-2.32.0/./libdocument/ev-document-thumbnails.c:44
    __PRETTY_FUNCTION__ = "ev_document_thumbnails_get_thumbnail"
#13 0x00124ed5 in ev_job_thumbnail_run (job=0xb4de9e90)
    at /build/buildd/evince-2.32.0/./libview/ev-jobs.c:779
    rc = (EvRenderContext *) 0x2193ec60
    page = <value optimized out>
#14 0x00122371 in ev_job_run (job=0xb4de9e90)
    at /build/buildd/evince-2.32.0/./libview/ev-jobs.c:214
No locals.
#15 0x00126368 in ev_job_thread_proxy (data=0x0)
    at /build/buildd/evince-2.32.0/./libview/ev-job-scheduler.c:183
    job = (EvSchedulerJob *) 0xb4d48470
#16 0x00cd648f in ?? () from /lib/libglib-2.0.so.0
No symbol table info available.
#17 0x00c08cc9 in start_thread () from /lib/libpthread.so.0
No symbol table info available.
#18 0x00fd56ae in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:130
No locals."
Comment 1 Albert Astals Cid 2010-10-19 11:40:08 UTC
Carlos, dupe of the pdf i sent you in private?
Comment 2 Carlos Garcia Campos 2010-11-14 07:34:47 UTC
Yes, it's fixed already. Document doesn't work, but it doesn't crash. Thanks.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.