GNOME Bugzilla – Bug 331467
evince crashes in gdk_region_union_with_rect
Last modified: 2006-02-17 15:41:36 UTC
My evince crashes every time I start it on some documents. I noticed that it only happens with the newest gtk+. Reverting gdkregion-generic.c to a version from before the changes below fixes the issue for me.

2005-12-24  Matthias Clasen  <mclasen@redhat.com>

    * gdk/gdkregion-generic.c:
    * gdk/gdkpolyreg-generic.c:
    * gdk/gdkregion.h:
    * gdk/gdkrectangle.c: Inline docs, use g_assert(), avoid extra
    allocation for rectangular regions.

GNU gdb 6.4-debian
Copyright 2005 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "powerpc-linux-gnu"...Using host libthread_db library "/lib/tls/libthread_db.so.1".

(gdb) run
Starting program: /[...]/evince --sync brüssel-metro.pdf
[Thread debugging using libthread_db enabled]
[New Thread 805460224 (LWP 25172)]
[New Thread 816153824 (LWP 25175)]

Program received signal SIGTRAP, Trace/breakpoint trap.
[Switching to Thread 816153824 (LWP 25175)]
0x0f8e704c in raise () from /lib/tls/libpthread.so.0
(gdb) thread apply all bt full
+ Trace 66247
The program is running. Exit anyway? (y or n)
This is probably an old bug in the region code, which only now surfaced, because g_assert() is not compiled out by default like the assert() it replaced. To know for sure, I would need to get the exact coordinates of the rectangles which poppler combines in a region in poppler_page_get_selection_region() when this crash happens. Can you provide that?
Hmm, ok. Looks like the only difference is the added assert. The coordinates leading up to the crash aren't nice, and contain rects with negative width. So I guess this is really a poppler bug.

These are the rects unioned with the region (x, y, width, height):

    101, 37, 5, 9
    97, 39, 14, 13
    92, 43, 15, 14
    88, 49, 5, 10
    85, 51, 17, 12
    81, 54, 17, 13
    77, 58, 17, 13
    73, 62, 17, 14
    67, 69, 14, 11
    62, 73, 18, 12
    58, 76, 18, 13
    74, 70, -2, 5
    77, 62, -12, 17
    71, 59, -9, 15
    66, 65, 0, 2
    519, 71, 10, 19
Thanks for investigating. Looks like a poppler bug then, indeed. But the gdk_region code could easily be more robust, e.g. instead of

    if (!rect->width || !rect->height)
      return;

do

    if (rect->width <= 0 || rect->height <= 0)
      return;

If you file a poppler bug, I'll fix the gdkregion robustness...
I'll file a bug on fd.o.
2006-02-17  Matthias Clasen  <mclasen@redhat.com>

    * gdk/gdkregion-generic.c (gdk_region_union_with_rect): Be robust
    and reject rectangles with negative width or height. (#331467,
    Benjamin Berg)
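
The two guards quoted in the thread, run over the last seven rectangles reported above, as an added example that is not GDK or poppler code. The Rect and Box types, the function names and the corner-form conversion (x2 = x + width) are assumptions made for illustration.

```c
#include <stdio.h>
#include <stddef.h>

/* Hypothetical stand-ins for this example; not GDK's own types. */
typedef struct { int x, y, width, height; } Rect;
typedef struct { int x1, y1, x2, y2; } Box;
typedef int (*Guard)(const Rect *);

/* Check quoted in the thread as the existing one: rejects only zero sizes. */
static int old_guard_accepts(const Rect *r) {
    return !(!r->width || !r->height);
}

/* Check proposed in the thread: also rejects negative sizes. */
static int new_guard_accepts(const Rect *r) {
    return !(r->width <= 0 || r->height <= 0);
}

/* Corner form (assumed conversion): a negative width gives x2 < x1. */
static Box rect_to_box(const Rect *r) {
    Box b = { r->x, r->y, r->x + r->width, r->y + r->height };
    return b;
}

static int box_is_inverted(const Box *b) {
    return b->x2 < b->x1 || b->y2 < b->y1;
}

/* Count rects that pass a guard yet still produce an inverted box. */
static size_t inverted_after_guard(const Rect *rs, size_t n, Guard guard) {
    size_t bad = 0;
    for (size_t i = 0; i < n; i++) {
        Box b = rect_to_box(&rs[i]);
        if (guard(&rs[i]) && box_is_inverted(&b))
            bad++;
    }
    return bad;
}

/* Last seven rectangles listed in the thread (x, y, width, height). */
static const Rect thread_rects[] = {
    {62, 73, 18, 12}, {58, 76, 18, 13}, {74, 70, -2, 5}, {77, 62, -12, 17},
    {71, 59, -9, 15}, {66, 65, 0, 2}, {519, 71, 10, 19},
};
#define N_RECTS (sizeof thread_rects / sizeof thread_rects[0])

int main(void) {
    printf("old guard: %zu inverted boxes accepted\n",
           inverted_after_guard(thread_rects, N_RECTS, old_guard_accepts));
    printf("new guard: %zu inverted boxes accepted\n",
           inverted_after_guard(thread_rects, N_RECTS, new_guard_accepts));
    return 0;
}
```

The zero-width rectangle is rejected by both guards; only the three negative-width rectangles separate them.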