Bug 701302 - Segfault on a corrupted PDF file
Status: RESOLVED FIXED
Product: evince
Classification: Core
Component: PDF
Version: git master
OS: Other Linux
Importance: High critical
Target Milestone: ---
Assigned To: Evince Maintainers
Depends on:
Blocks:
Reported: 2013-05-30 18:40 UTC by jutaky
Modified: 2013-06-08 14:42 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
Check the numbers of pages when there is a new document (876 bytes, patch), 2013-05-31 01:09 UTC, Germán Poo-Caamaño, committed
libview: Fix warning on ev_view_document_changed_cb (1.55 KB, patch), 2013-06-07 20:22 UTC, Germán Poo-Caamaño, committed

Description jutaky 2013-05-30 18:40:29 UTC
Version: git 20130530 (says version 3.9.2).

Configure:

export CFLAGS="-fsanitize=address"
export CXXFLAGS="-fsanitize=address"
./configure --enable-debug --disable-nautilus

Segfault backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff428e678 in ev_page_cache_set_page_range () from /usr/lib/libevview3.so.3
(gdb) bt
#0  ev_page_cache_set_page_range from /usr/lib/libevview3.so.3
#1  ?? from /usr/lib/libevview3.so.3
#2  g_closure_invoke from /usr/lib/libgobject-2.0.so.0
#3  ?? from /usr/lib/libgobject-2.0.so.0
#4  g_signal_emit_valist from /usr/lib/libgobject-2.0.so.0
#5  g_signal_emit from /usr/lib/libgobject-2.0.so.0
#6  ?? from /usr/lib/libgobject-2.0.so.0
#7  g_object_notify from /usr/lib/libgobject-2.0.so.0
#8  ev_window_load_job_cb
#9  ?? from /usr/lib/libgobject-2.0.so.0
#10 g_signal_emit_valist from /usr/lib/libgobject-2.0.so.0
#11 g_signal_emit from /usr/lib/libgobject-2.0.so.0
#12 ?? from /usr/lib/libevview3.so.3
#13 g_main_context_dispatch from /usr/lib/libglib-2.0.so.0
#14 ?? from /usr/lib/libglib-2.0.so.0
#15 g_main_context_iteration from /usr/lib/libglib-2.0.so.0
#16 g_application_run from /usr/lib/libgio-2.0.so.0
#17 main

The test case:

http://jutaky.com/fuzzing/evince_case_5580_002.pdf

Version 3.8.2 crashes too (from Arch Linux repository).
Comment 1 André Klapper 2013-05-30 19:09:33 UTC
Thanks for taking the time to report this bug.
Unfortunately, that stack trace is missing some elements that will help a lot to solve the problem, so it will be hard for the developers to fix that crash. Can you get us a stack trace with debugging symbols? Please see http://live.gnome.org/GettingTraces for more information on how to do so and reopen this bug or report a new one. Thanks in advance!
Comment 2 jutaky 2013-05-30 19:45:39 UTC
I would need more details how to get a better trace with evince. Evince has been compiled with debug symbols enabled and that is the backtrace.

gdb says "Reading symbols from /home/jutaky/<removed>/evince...done." and the trace is still missing those elements.

And "objdump --syms evince" seems to verify that the symbols are there.

--
Juha Kylmänen
Research Assistant, OUSPG
Comment 3 Germán Poo-Caamaño 2013-05-30 23:47:39 UTC
The PDF is corrupted.  Not even acroread can open it.  Even so, evince should not crash, and should try to be more gentle and let the user know about it :-)

The issue seems to be in poppler.

Syntax Error: Couldn't find trailer dictionary
Syntax Error: Invalid XRef entry
Syntax Error: Invalid XRef entry
Syntax Error: Top-level pages object is wrong type (null)
[...]
(poppler-glib-demo:14252): Poppler-CRITICAL **: PopplerPage* poppler_document_get_page(PopplerDocument*, int): assertion `0 <= index && index < poppler_document_get_n_pages (document)' failed
Syntax Error: Top-level pages object is wrong type (null)
Syntax Error: Top-level pages object is wrong type (null)
Syntax Error: Top-level pages object is wrong type (null)
[...]

and then, when trying to scan the fonts with poppler-glib-demo:

Program received signal SIGFPE, Arithmetic exception.
0x08055231 in pgd_fonts_update_progress (n_pages=0, scanned=0, demo=<optimized out>) at fonts.c:118
118				       MIN (scanned * 100 / n_pages, 100));

If I try to render the pages instead, I get:

(poppler-glib-demo:14450): Poppler-CRITICAL **: PopplerPage* poppler_document_get_page(PopplerDocument*, int): assertion `0 <= index && index < poppler_document_get_n_pages (document)' failed
Comment 4 Germán Poo-Caamaño 2013-05-30 23:53:13 UTC
Here is a better backtrace that I got with evince:

[New Thread 0xb565cb40 (LWP 14644)]
[New Thread 0xb4cffb40 (LWP 14645)]
[New Thread 0xa727db40 (LWP 14646)]
[New Thread 0xa68ffb40 (LWP 14647)]
Syntax Error: Couldn't find trailer dictionary
Syntax Error: Invalid XRef entry
Syntax Error: Top-level pages object is wrong type (null)
Syntax Error: Invalid XRef entry
Entity: line 69: parser error : Extra content at the end of the document
<?xpacket end="w"?>B
                   ^

Program received signal SIGSEGV, Segmentation fault.
ev_page_cache_set_page_range (end=0, start=0, cache=0x8347ac8) at ev-page-cache.c:305
305			if (data->flags == cache->flags && !data->dirty && (data->done || data->job))
(gdb) bt
#0  ev_page_cache_set_page_range at ev-page-cache.c:305
#1  ev_page_cache_set_page_range at ev-page-cache.c:289
#2  ev_page_cache_set_flags at ev-page-cache.c:341
#3  setup_caches at ev-view.c:5201
#4  ev_view_document_changed_cb at ev-view.c:5367
#5  g_cclosure_marshal_VOID__PARAM at gmarshal.c:1042
#6  g_closure_invoke at gclosure.c:777
#7  signal_emit_unlocked_R at gsignal.c:3584
#8  g_signal_emit_valist at gsignal.c:3328
#9  g_signal_emit at gsignal.c:3384
#10 g_object_dispatch_properties_changed at gobject.c:1042
#11 g_object_notify_by_spec_internal at gobject.c:1136
#12 g_object_notify at gobject.c:1178
#13 ev_document_model_set_document at ev-document-model.c:381
#14 ev_window_load_job_cb at ev-window.c:1572
#15 g_cclosure_marshal_VOID__VOIDv
#16 _g_closure_invoke_va
#17 g_signal_emit_valist
#18 g_signal_emit at gsignal.c:3384
#19 emit_finished at ev-jobs.c:180
#20 g_idle_dispatch at gmain.c:5205
#21 g_main_dispatch at gmain.c:3054
#22 g_main_context_dispatch at gmain.c:3630
#23 g_main_context_iterate at gmain.c:3701
#24 g_main_context_iterate at gmain.c:3638
#25 g_main_context_iteration at gmain.c:3762
#26 g_application_run at gapplication.c:1623
#27 main at main.c:332

Comment 5 José Aliste 2013-05-31 00:10:41 UTC
This is a regression. Normally, the ev_window checks whether the document has pages or not. If it has pages, then it sets the document to the view... This is not working for some reason. On the other hand, the EvView should be made more stable by checking that we have n_pages > 0 in some places (we are a library used in other apps :) )
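The two crashes in this thread share one root cause: poppler hands back a document with zero pages for the corrupted file, and downstream code assumes there is at least one. The C program below is an added example, not evince's or poppler's own code. It models both failure modes with illustrative names (PageCache, page_cache_new, set_page_range_checked and scan_progress_percent are assumptions, not the real evince or poppler API): an unchecked range loop over an empty page array, the shape of the SIGSEGV in ev_page_cache_set_page_range, next to a version that refuses empty documents and clamps the range as comment 5 suggests, and the percentage computation that raised SIGFPE in poppler-glib-demo (comment 3) guarded against n_pages == 0.

```c
/* Added example, not evince's or poppler's code: a simplified model of the
 * two failure modes in bug 701302.  A PDF whose page tree cannot be parsed
 * yields a document with n_pages == 0; code that assumes at least one page
 * then either indexes an empty page array (SIGSEGV) or divides by the page
 * count (SIGFPE).  All type and function names here are illustrative. */
#include <stdio.h>
#include <stdlib.h>

typedef struct {
    int dirty;
    int done;
} PageData;

typedef struct {
    int       n_pages;
    PageData *page_list;   /* n_pages entries; NULL when n_pages == 0 */
} PageCache;

/* Build a cache for a document with the given page count.  A zero-page
 * document, which is what a corrupted PDF produces, gets no page array. */
PageCache *page_cache_new(int n_pages)
{
    PageCache *cache = calloc(1, sizeof *cache);
    if (!cache)
        return NULL;
    cache->n_pages = n_pages;
    cache->page_list = n_pages > 0
        ? calloc((size_t)n_pages, sizeof *cache->page_list)
        : NULL;
    return cache;
}

void page_cache_free(PageCache *cache)
{
    if (cache) {
        free(cache->page_list);
        free(cache);
    }
}

/* "Before": the caller is trusted to pass a sane range.  With n_pages == 0
 * the view still asks for pages 0..0, page_list is NULL and the first
 * iteration dereferences it.  Shown for contrast only; never called. */
void set_page_range_unchecked(PageCache *cache, int start, int end)
{
    for (int i = start; i <= end; i++) {
        PageData *data = &cache->page_list[i];   /* NULL deref when n_pages == 0 */
        if (!data->dirty && !data->done)
            data->dirty = 1;
    }
}

/* "After": reject empty documents and clamp the range to [0, n_pages).
 * Returns the number of pages newly marked dirty, or -1 if the request
 * could not be honoured. */
int set_page_range_checked(PageCache *cache, int start, int end)
{
    if (!cache || cache->n_pages <= 0 || !cache->page_list)
        return -1;
    if (start < 0)
        start = 0;
    if (end >= cache->n_pages)
        end = cache->n_pages - 1;
    if (start > end)
        return -1;
    int marked = 0;
    for (int i = start; i <= end; i++) {
        PageData *data = &cache->page_list[i];
        if (!data->dirty && !data->done) {
            data->dirty = 1;
            marked++;
        }
    }
    return marked;
}

/* Scan progress as a percentage.  The unguarded form
 * MIN(scanned * 100 / n_pages, 100) divides by zero for an empty document;
 * here a document with no pages has nothing left to scan, so report 100. */
int scan_progress_percent(int scanned, int n_pages)
{
    if (n_pages <= 0)
        return 100;
    if (scanned < 0)
        scanned = 0;
    long pct = (long)scanned * 100 / n_pages;
    return pct > 100 ? 100 : (int)pct;
}

int main(void)
{
    /* Constructed inputs: a normal 3-page document and the corrupted case. */
    PageCache *good = page_cache_new(3);
    PageCache *empty = page_cache_new(0);

    printf("3 pages, range 0..0: marked %d\n", set_page_range_checked(good, 0, 0));
    printf("3 pages, range 1..9: marked %d\n", set_page_range_checked(good, 1, 9));
    printf("0 pages, range 0..0: %d\n", set_page_range_checked(empty, 0, 0));
    printf("progress 0/0: %d%%\n", scan_progress_percent(0, 0));
    printf("progress 2/3: %d%%\n", scan_progress_percent(2, 3));

    page_cache_free(good);
    page_cache_free(empty);
    return 0;
}
```

Building with -fsanitize=address, as the reporter did, makes the unchecked variant fault on the first iteration if you call it with an empty cache; the checked functions return -1 or 100 instead of touching a NULL array, which is the behaviour a library embedded in other applications should have.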
Comment 6 Germán Poo-Caamaño 2013-05-31 01:09:32 UTC
Created attachment 245694 [details] [review]
Check the numbers of pages when there is a new document
Comment 7 jutaky 2013-05-31 05:11:59 UTC
> The PDF is corrupted.

True. That is the point of fuzzing / robustness testing.

This bug has been given CVE identification CVE-2013-3718.

I would greatly appreciate it if our group and I got credit as "Juha Kylmänen from OUSPG" in some documentation/changelog.

Thanks for checking out the report.
Comment 8 Carlos Garcia Campos 2013-05-31 08:44:35 UTC
Review of attachment 245694 [details] [review]:

Thanks, I wonder if we can now remove the check from view_update_range_and_current_page to avoid doing the check every time.
Comment 9 Germán Poo-Caamaño 2013-05-31 08:53:52 UTC
(In reply to comment #8)
> Review of attachment 245694 [details] [review]:
> 
> Thanks, I wonder if we can now remove the check from
> view_update_range_and_current_page to avoid doing the check every time.

I am unsure about this.  This bug does not exist in either 3.4 or 3.6.  According to José, it seems the order in which events were triggered changed.

Is this check an expensive operation?
Comment 10 Germán Poo-Caamaño 2013-05-31 09:02:26 UTC
Review of attachment 245694 [details] [review]:

Committed in master.  Shall I commit it in 3.8?
Comment 11 Germán Poo-Caamaño 2013-05-31 09:03:26 UTC
(In reply to comment #7)
> > The PDF is corrupted.
> 
> True. That is the point of fuzzing / robustness testing.
> 
> This bug has been given CVE identification CVE-2013-3718.
> 
> I would greatly appreciate if our group and I got a credit as "Juha Kylmänen
> from OUSPG" to some documentation/changelog.

Since we use git, we do not use changelog anymore. However, I added
the thanks in the commit log.  See:
https://git.gnome.org/browse/evince/commit/?id=6230a6fae0c84696e2e52e7a1d720edfd54dd38d
Comment 12 jutaky 2013-05-31 14:11:37 UTC
Am I doing something wrong? I am still experiencing the crash. In an empty folder:

$ git clone git://git.gnome.org/evince
$ cd evince
$ ./autogen.sh --disable-nautilus
$ make
$ wget http://jutaky.com/fuzzing/evince_case_5580_002.pdf
$ shell/.libs/evince evince_case_5580_002.pdf 
--> segfault
$ grep -A 3 "ev_document_get_n_pages (document) <= 0" libview/ev-view.c 
	if (ev_document_get_n_pages (document) <= 0 ||
	    !ev_document_check_dimensions (document))
		return;
Comment 13 José Aliste 2013-05-31 16:21:05 UTC
I think that installed libraries are preferred to non-installed ones. As the fix is in libview, you are probably still using the old library; you can check easily by using ldd.
Comment 14 jutaky 2013-05-31 16:36:50 UTC
Indeed. Setting LD_LIBRARY_PATH to the patched library helped.

Thanks for the fix and the credit.
Comment 15 Carlos Garcia Campos 2013-05-31 17:28:02 UTC
(In reply to comment #10)
> Review of attachment 245694 [details] [review]:
> 
> Committed in master.  Shall I commit it in 3.8?

Yes, please.
Comment 16 Germán Poo-Caamaño 2013-05-31 17:36:40 UTC
(In reply to comment #15)
> (In reply to comment #10)
> > Review of attachment 245694 [details] [review] [details]:
> > 
> > Committed in master.  Shall I commit it in 3.8?
> 
> Yes, please.

Done.
Comment 17 Evgeny Bobkin 2013-06-07 08:46:34 UTC
The version from git master now has

(evince:14295): EvinceDocument-CRITICAL **: ev_document_get_n_pages: assertion 'EV_IS_DOCUMENT (document)' failed

on startup.

This is probably directly related to this commit:

https://git.gnome.org/browse/evince/commit/?id=6230a6fae0c84696e2e52e7a1d720edfd54dd38d
Comment 18 Evgeny Bobkin 2013-06-07 08:50:03 UTC
Since it does not show up in 3.9.2.
Comment 19 Germán Poo-Caamaño 2013-06-07 20:22:54 UTC
Created attachment 246280 [details] [review]
libview: Fix warning on ev_view_document_changed_cb

The previous patch introduced a warning when there is no document set yet.  This patch fixes the issue.
Comment 20 Carlos Garcia Campos 2013-06-08 08:28:05 UTC
Review of attachment 246280 [details] [review]:

Looks good, thanks!
Comment 21 Germán Poo-Caamaño 2013-06-08 14:42:36 UTC
Review of attachment 246280 [details] [review]:

Thanks. Committed in both master and gnome-3-8.