Bug 88990

Summary: Evince crashed with SIGABRT in __kernel_vsyscall()
Product: poppler
Reporter: veysel <vhatas>
Component: general
Assignee: poppler-bugs <poppler-bugs>
Status: RESOLVED WORKSFORME
QA Contact:
Severity: critical
Priority: medium
Version: unspecified
Hardware: x86 (IA32)
OS: All
See Also: https://bugzilla.gnome.org/show_bug.cgi?id=743928
Whiteboard:
Attachments: Crasher
versions

Description veysel 2015-02-05 08:17:36 UTC
user@ubuntu:~$ evince --version
GNOME Document Viewer 3.10.3
user@ubuntu:~$ cat /proc/version
Linux version 3.13.0-45-generic (buildd@kissel) (gcc version 4.8.2 (Ubuntu
4.8.2-19ubuntu1) ) #74-Ubuntu SMP Tue Jan 13 19:37:48 UTC 2015
user@ubuntu:~$ gdb -q evince
Traceback (most recent call last):
  File "~/peda/peda.py", line 23, in <module>
Exception: Python3 is not supported at the moment, downgrade you GDB or
recompile with Python2!
Reading symbols from evince...(no debugging symbols found)...done.
(gdb) r '/home/user/Downloads/Crasher.pdf' 
Starting program: /usr/bin/evince '/home/user/Downloads/Crasher.pdf'
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
[New Thread 0xb5effb40 (LWP 4148)]
[New Thread 0xb54ffb40 (LWP 4149)]
[New Thread 0xb4affb40 (LWP 4150)]
[New Thread 0xb42feb40 (LWP 4151)]
[New Thread 0xafe60b40 (LWP 4156)]
[New Thread 0xaf5efb40 (LWP 4157)]

** (evince:4144): WARNING **: Unimplemented action: POPPLER_ACTION_JAVASCRIPT,
please post a bug report in Evince bugzilla (http://bugzilla.gnome.org) with a
testcase.
Internal Error (0): Call to Object where the object was type 10, not the
expected type 1, 14 or 2

Program received signal SIGABRT, Aborted.
— Trace 234616
Thread 2951088960 (LWP 4156)

#0 __kernel_vsyscall
#1 __GI_raise
at ../nptl/sysdeps/unix/sysv/linux/raise.c line 56
#2 __GI_abort
at abort.c line 89
#3 Gfx::drawAnnot(Object*, AnnotBorder*, AnnotColor*, double, double, double, double, int)
from /usr/lib/i386-linux-gnu/libpoppler.so.44
#4 AnnotWidget::draw(Gfx*, bool)
from /usr/lib/i386-linux-gnu/libpoppler.so.44
#5 Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool)
from /usr/lib/i386-linux-gnu/libpoppler.so.44
#6 ??
from /usr/lib/i386-linux-gnu/libpoppler-glib.so.8
#7 ??
from /usr/lib/evince/4/backends/libpdfdocument.so
#8 ??
from /usr/lib/evince/4/backends/libpdfdocument.so
#9 ev_document_render
from /usr/lib/libevdocument3.so.4
#10 ??
from /usr/lib/libevview3.so.3
#11 ev_job_run
from /usr/lib/libevview3.so.3
#12 ??
from /usr/lib/libevview3.so.3
#13 ??
from /lib/i386-linux-gnu/libglib-2.0.so.0
#14 start_thread
at pthread_create.c line 312
#15 clone
at ../sysdeps/unix/sysv/linux/i386/clone.S line 129
Dump of assembler code for function __kernel_vsyscall:
   0xb76ba414 <+0>:    push   %ecx
   0xb76ba415 <+1>:    push   %edx
   0xb76ba416 <+2>:    push   %ebp
   0xb76ba417 <+3>:    mov    %esp,%ebp
   0xb76ba419 <+5>:    sysenter 
   0xb76ba41b <+7>:    nop
   0xb76ba41c <+8>:    nop
   0xb76ba41d <+9>:    nop
   0xb76ba41e <+10>:    nop
   0xb76ba41f <+11>:    nop
   0xb76ba420 <+12>:    nop
   0xb76ba421 <+13>:    nop
   0xb76ba422 <+14>:    int    $0x80
=> 0xb76ba424 <+16>:    pop    %ebp
   0xb76ba425 <+17>:    pop    %edx
   0xb76ba426 <+18>:    pop    %ecx
   0xb76ba427 <+19>:    ret    
End of asse
(gdb) 
(gdb) 
(gdb) info proc status
process 4726
Name:    evince
State:    t (tracing stop)
Tgid:    4726
Ngid:    0
Pid:    4726
PPid:    4717
TracerPid:    4717
Uid:    1000    1000    1000    1000
Gid:    1000    1000    1000    1000
FDSize:    32
Groups:    4 24 27 30 46 108 124 1000 
VmPeak:      162308 kB
VmSize:      161332 kB
VmLck:           0 kB
VmPin:           0 kB
VmHWM:       28668 kB
VmRSS:       28668 kB
VmData:       62800 kB
VmStk:         136 kB
VmExe:         416 kB
VmLib:       28424 kB
VmPTE:         172 kB
VmSwap:           0 kB
Threads:    7
SigQ:    0/15973
SigPnd:    0000000000000000
ShdPnd:    0000000000000000
SigBlk:    0000000000000000
SigIgn:    0000000001001000
SigCgt:    0000000180000000
CapInh:    0000000000000000
CapPrm:    0000000000000000
CapEff:    0000000000000000
CapBnd:    0000001fffffffff
Seccomp:    0
Cpus_allowed:    ff
Cpus_allowed_list:    0-7
Mems_allowed:    1
Mems_allowed_list:    0
voluntary_ctxt_switches:    124
nonvoluntary_ctxt_switches:    508
(gdb)
Comment 1 veysel 2015-02-05 08:17:56 UTC
Created attachment 113189 [details]
Crasher
Comment 2 Albert Astals Cid 2015-02-05 08:35:59 UTC
So you're reporting a bug against poppler, give us a lot of versions and not the poppler one?
Comment 3 veysel 2015-02-05 09:08:05 UTC
José Aliste [evince developer] said "the backtrace is enough to say that this is a poppler bug. Please open a new bug with the testcase in bugs.freedesktop.org"
https://bugzilla.gnome.org/show_bug.cgi?id=743928


user@ubuntu:~$ evince --version
GNOME Document Viewer 3.10.3
user@ubuntu:~$ cat /proc/version
Linux version 3.13.0-45-generic (buildd@kissel) (gcc version 4.8.2 (Ubuntu
4.8.2-19ubuntu1) ) #74-Ubuntu SMP Tue Jan 13 19:37:48 UTC 2015
Comment 4 Albert Astals Cid 2015-02-05 09:27:12 UTC
Correct, the backtrace says it is a poppler bug, but we need to know which version of poppler you're using; is it that hard to understand?
Comment 5 veysel 2015-02-05 10:24:01 UTC
I was unable to determine exactly which library. You can see versions.txt for the libpoppler versions I use.

I use Evince 3.10.3 on Ubuntu 14.04 LTS. You can also get the same crash with Crasher.pdf.
Comment 6 veysel 2015-02-05 10:25:09 UTC
Created attachment 113191 [details]
versions
Comment 7 Albert Astals Cid 2015-02-05 19:06:36 UTC
Your poppler is pretty old, I don't get any crash with a current one, update to a new one and reopen if it still happens.
Comment 8 Jose Aliste 2015-02-05 20:25:47 UTC
Indeed, sorry for the fuzz... It works for me in poppler 0.31 and it crashes with 0.26.
Comment 9 veysel 2015-02-06 11:39:26 UTC
I use the latest Ubuntu version and the latest Evince version. I also did the latest update and upgrade today. When I look at the poppler library, the version seems to be 0.24.5.

>user@ubuntu:~$ cat /etc/*rele*
>DISTRIB_ID=Ubuntu
>DISTRIB_RELEASE=14.04
>DISTRIB_CODENAME=trusty
>DISTRIB_DESCRIPTION="Ubuntu 14.04.1 LTS"
>NAME="Ubuntu"
>VERSION="14.04.1 LTS, Trusty Tahr"
>ID=ubuntu
>ID_LIKE=debian
>PRETTY_NAME="Ubuntu 14.04.1 LTS"
>VERSION_ID="14.04"
>HOME_URL="http://www.ubuntu.com/"
>SUPPORT_URL="http://help.ubuntu.com/"
>BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
>user@ubuntu:~$ 

Could you tell me what I should do to not be affected by this vulnerability as a user of Ubuntu? Or what else should I do as a bug reporter?
Comment 10 Albert Astals Cid 2015-02-07 13:07:57 UTC
You can go and complain to the ubuntu packagers.
Comment 11 Jason Crain 2015-02-07 17:13:55 UTC
(In reply to veysel from comment #9)
> Could you tell me what I should do to not be affected by this vulnerability
> as a user of Ubuntu? Or what else should I do as a bug reporter?

It's not a vulnerability. It's just a call to abort() because the annotation matrix is bad.

This was fixed in bug 84990.  If you really want to, you can try compiling from source, or see if you can find an Ubuntu package for poppler 0.30.0 or later, or ask Ubuntu to provide a package through their stable release updates process or backports process.
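
The thread attributes the abort to an annotation appearance stream whose /Matrix array is malformed. As a triage aid that is not part of poppler or of this report, the following constructed Python script scans a PDF's raw bytes for /Matrix arrays and flags any that do not hold exactly six numeric entries, so a file with this defect can be identified before it is opened with an affected poppler version; it assumes the arrays are visible in the uncompressed file and does not look inside compressed object streams.

```python
from __future__ import annotations
import re

# Matches a PDF /Matrix entry and captures the raw array body.
# Constructed helper, not poppler code: it works on raw file bytes and
# will not see arrays stored inside compressed object streams.
MATRIX_RE = re.compile(rb"/Matrix\s*\[([^\]]*)\]")
# PDF numeric token: optional sign, digits with optional fraction, or ".5" style.
NUMBER_RE = re.compile(rb"^[+-]?(\d+\.?\d*|\.\d+)$")


def check_matrix(body: bytes) -> list[str]:
    """Return the problems found in one /Matrix array body (empty if well formed)."""
    tokens = body.split()
    problems = []
    if len(tokens) != 6:
        problems.append(f"expected 6 entries, found {len(tokens)}")
    for tok in tokens:
        if not NUMBER_RE.match(tok):
            problems.append(f"non-numeric entry {tok!r}")
    return problems


def find_bad_matrices(pdf_bytes: bytes) -> list[tuple[int, list[str]]]:
    """Locate every /Matrix array in the raw PDF and return (offset, problems)
    pairs for the malformed ones."""
    results = []
    for m in MATRIX_RE.finditer(pdf_bytes):
        problems = check_matrix(m.group(1))
        if problems:
            results.append((m.start(), problems))
    return results


# Constructed sample: one well-formed appearance-stream matrix followed by one
# whose last entry is not a number, the shape of file this bug report is about.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"4 0 obj\n<< /Type /XObject /Subtype /Form /BBox [0 0 100 50]\n"
    b"   /Matrix [1 0 0 1 0 0] /Length 0 >>\nstream\nendstream\nendobj\n"
    b"5 0 obj\n<< /Type /XObject /Subtype /Form /BBox [0 0 100 50]\n"
    b"   /Matrix [1 0 0 1 0 q] /Length 0 >>\nstream\nendstream\nendobj\n"
    b"%%EOF\n"
)

if __name__ == "__main__":
    for offset, problems in find_bad_matrices(SAMPLE_PDF):
        print(f"offset {offset}: {'; '.join(problems)}")
```

Run it against a real file with `find_bad_matrices(open(path, "rb").read())`; a clean result means only that no uncompressed /Matrix array is malformed.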
