Bug 67295 - SIGTRAP - Trace/Breakpoint - evince crashes opening pdf
Summary: SIGTRAP - Trace/Breakpoint - evince crashes opening pdf
Status: RESOLVED FIXED
Alias: None
Product: poppler
Classification: Unclassified
Component: general
Version: unspecified
Hardware: x86 (IA32) Linux (All)
Priority: medium  Severity: normal
Assignee: poppler-bugs
Reported: 2013-07-25 10:33 UTC by hoffmeister.pierre
Modified: 2014-02-18 23:32 UTC (History)
Attachments
this pdf document crashes evince. (794 bytes, text/plain)
2013-07-25 10:33 UTC, hoffmeister.pierre
Description hoffmeister.pierre 2013-07-25 10:33:58 UTC
Created attachment 82988 [details]
this pdf document crashes evince.

evince crashes on the attached pdf.

The backtrace tells it is in evince, but there is a function in poppler that does not read the page number properly:

poppler/poppler/Catalog.cc
int Catalog::getNumPages()

If the page number exceeds int range, the type cast from double produces this error:

#0  g_logv (log_domain=0x7ffff578728e "GLib", log_level=G_LOG_LEVEL_ERROR, format=<optimized out>, args=args@entry=0x7fffffffd3d8) at gmessages.c:981
#1  0x00007ffff57255d2 in g_log (log_domain=log_domain@entry=0x7ffff578728e "GLib", log_level=log_level@entry=G_LOG_LEVEL_ERROR, format=format@entry=0x7ffff5790618 "%s: overflow allocating %lu*%lu bytes") at gmessages.c:1010
#2  0x00007ffff57240a1 in g_malloc0_n (n_blocks=n_blocks@entry=18446744071562067969, n_block_bytes=n_block_bytes@entry=8) at gmem.c:365
#3  0x00007ffff755fa8e in ev_view_build_height_to_page_cache (view=view@entry=0x9e6160, cache=cache@entry=0xa72950) at ev-view.c:321
#4  0x00007ffff75688c0 in ev_view_get_height_to_page_cache (view=0x9e6160) at ev-view.c:417
#5  setup_caches (view=0x9e6160) at ev-view.c:5170
#6  ev_view_document_changed_cb (model=0x76d460, pspec=<optimized out>, view=0x9e6160) at ev-view.c:5340
#7  0x00007ffff5a0c2a0 in g_closure_invoke (closure=0x9e5420, return_value=0x0, n_param_values=2, param_values=0x7fffffffd760, invocation_hint=0x7fffffffd700) at gclosure.c:777
#8  0x00007ffff5a1f120 in signal_emit_unlocked_R (node=node@entry=0x67b0b0, detail=detail@entry=1029, instance=instance@entry=0x76d460, emission_return=emission_return@entry=0x0, instance_and_params=instance_and_params@entry=0x7fffffffd760) at gsignal.c:3584
#9  0x00007ffff5a2730d in g_signal_emit_valist (instance=0x76d460, signal_id=<optimized out>, detail=1029, var_args=var_args@entry=0x7fffffffd9b8) at gsignal.c:3328
#10 0x00007ffff5a27592 in g_signal_emit (instance=<optimized out>, signal_id=<optimized out>, detail=<optimized out>) at gsignal.c:3384
#11 0x00007ffff5a10d85 in g_object_dispatch_properties_changed (object=0x76d460, n_pspecs=1, pspecs=0x0) at gobject.c:1042
#12 0x00007ffff5a1344b in g_object_notify_by_spec_internal (pspec=0x758ed0, object=0x76d460) at gobject.c:1136
#13 g_object_notify (object=0x76d460, property_name=property_name@entry=0x7ffff756fc1c "document") at gobject.c:1178
#14 0x00007ffff754f9a5 in ev_document_model_set_document (model=<optimized out>, document=document@entry=0x756f00) at ev-document-model.c:381
#15 0x0000000000433a80 in ev_window_load_job_cb (job=0xa03320, data=<optimized out>) at ev-window.c:1607
#16 0x00007ffff5a0c567 in _g_closure_invoke_va (closure=0xa0b2f0, return_value=0x0, instance=0xa03320, args=0x7fffffffddf8, n_params=0, param_types=0x0) at gclosure.c:840
#17 0x00007ffff5a26d1b in g_signal_emit_valist (instance=0xa03320, signal_id=<optimized out>, detail=0, var_args=var_args@entry=0x7fffffffddf8) at gsignal.c:3234
#18 0x00007ffff5a27592 in g_signal_emit (instance=<optimized out>, signal_id=<optimized out>, detail=detail@entry=0) at gsignal.c:3384
#19 0x00007ffff7550da3 in emit_finished (job=<optimized out>) at ev-jobs.c:180
#20 emit_finished (job=<optimized out>) at ev-jobs.c:170
#21 0x00007ffff571e015 in g_main_dispatch (context=0x6ad190) at gmain.c:3058
#22 g_main_context_dispatch (context=context@entry=0x6ad190) at gmain.c:3634
#23 0x00007ffff571e358 in g_main_context_iterate (context=context@entry=0x6ad190, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3705
#24 0x00007ffff571e414 in g_main_context_iteration (context=0x6ad190, context@entry=0x0, may_block=may_block@entry=1) at gmain.c:3766
#25 0x00007ffff5cf34bc in g_application_run (application=0x6d14b0, argc=argc@entry=0, argv=argv@entry=0x0) at gapplication.c:1624
#26 0x000000000041c46b in main (argc=1, argv=0x7fffffffe198) at main.c:332
Comment 1 Albert Astals Cid 2013-07-25 20:05:56 UTC
I don't see any of the demos, examples or command-line utils we ship in poppler crash; yes, we can return 0, but imho evince should also protect itself from bad values.

Returning 0 should be easy, want to contribute a patch?
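Added example (not poppler's or evince's code) illustrating both sides of the fix discussed above: a hypothetical checked_page_count() that returns 0 instead of casting an out-of-range /Count value, and a hypothetical page_cache_bytes() that refuses a negative or overflowing allocation size instead of reaching g_malloc0_n and aborting as in frame #2. That evince allocates n_pages + 1 elements is inferred from the n_blocks value in the backtrace, not taken from its source.

```c
/* Constructed example, not code from poppler or evince. */
#include <limits.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical replacement for the unchecked (int)double cast in
 * Catalog::getNumPages(). Converting an out-of-range double to int is
 * undefined behaviour in C; on x86 the result is typically INT_MIN
 * (0x80000000), which is how a later n_pages + 1 becomes
 * (size_t)(INT_MIN + 1) == 18446744071562067969 in the backtrace.
 * Returns 0 for anything that is not a usable page count. */
int checked_page_count(double raw_count)
{
    if (raw_count != raw_count)         /* NaN: every comparison below is false */
        return 0;
    if (raw_count < 1.0)                /* zero, negative, or -Inf */
        return 0;
    if (raw_count > (double)INT_MAX)    /* would not survive the int cast, or +Inf */
        return 0;
    int n = (int)raw_count;             /* now a defined, in-range conversion */
    if ((double)n != raw_count)         /* page counts must be integral */
        return 0;
    return n;
}

/* Hypothetical guard for the evince-side size arithmetic seen in frame #3:
 * the cache holds n_pages + 1 entries of elem_size bytes (count inferred
 * from the backtrace). Returns the byte size, or 0 when n_pages is
 * negative or the product would overflow size_t, so the caller can bail
 * out instead of g_malloc0_n() aborting the process. */
size_t page_cache_bytes(int n_pages, size_t elem_size)
{
    if (n_pages < 0 || elem_size == 0)
        return 0;
    size_t n_blocks = (size_t)n_pages + 1;
    if (n_blocks > SIZE_MAX / elem_size)
        return 0;
    return n_blocks * elem_size;
}
```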
Comment 2 Jason Crain 2013-08-06 08:21:16 UTC
I think this was fixed in evince <https://bugzilla.gnome.org/show_bug.cgi?id=701302>. I can't get it to crash after commit 6230a6fae0 from 2013-05-31.