Bug 331467 - evince crashes in gdk_region_union_with_rect
Status: RESOLVED FIXED
Product: gtk+
Classification: Platform
Component: Backend: X11
Version: 2.8.x
Hardware: Other Linux
Importance: Normal normal
Assigned To: gtk-bugs
QA Contact: gtk-bugs
Reported: 2006-02-16 21:30 UTC by Benjamin Berg
Modified: 2006-02-17 15:41 UTC

Description Benjamin Berg 2006-02-16 21:30:12 UTC
My evince crashes every time I start it on some documents. I noticed that it only happens with the newest gtk+. Reverting gdkregion-generic.c to a version from before the changes below fixes the issue for me.

2005-12-24  Matthias Clasen  <mclasen@redhat.com>

	* gdk/gdkregion-generic.c:
	* gdk/gdkpolyreg-generic.c:
	* gdk/gdkregion.h:
	* gdk/gdkrectangle.c: Inline docs, use g_assert(), avoid
	extra allocation for rectangular regions.

GNU gdb 6.4-debian
Copyright 2005 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "powerpc-linux-gnu"...Using host libthread_db library "/lib/tls/libthread_db.so.1".

(gdb) run
Starting program: /[...]/evince --sync brüssel-metro.pdf
[Thread debugging using libthread_db enabled]
[New Thread 805460224 (LWP 25172)]
[New Thread 816153824 (LWP 25175)]

Program received signal SIGTRAP, Trace/breakpoint trap.
[Switching to Thread 816153824 (LWP 25175)]
0x0f8e704c in raise () from /lib/tls/libpthread.so.0
(gdb) thread apply all bt full

The program is running.  Exit anyway? (y or n)
Comment 1 Matthias Clasen 2006-02-17 06:22:37 UTC
This is probably an old bug in the region code, which only now surfaced, because
g_assert() is not compiled out by default like the assert() it replaced.

To know for sure, I would need to get the exact coordinates of the rectangles which poppler combines in a region in poppler_page_get_selection_region() when
this crash happens. Can you provide that?
Comment 2 Benjamin Berg 2006-02-17 14:56:47 UTC
Hmm, ok. Looks like the only difference is the added assert. The coordinates leading up to the crash aren't nice, and contain rects with negative width.

So I guess this is really a poppler bug.

These are the rects unioned with the region (x, y, width, height):
101, 37,   5,  9
97,  39,  14, 13
92,  43,  15, 14
88,  49,   5, 10
85,  51,  17, 12
81,  54,  17, 13
77,  58,  17, 13
73,  62,  17, 14
67,  69,  14, 11
62,  73,  18, 12
58,  76,  18, 13
74,  70,  -2,  5
77,  62, -12, 17
71,  59,  -9, 15
66,  65,   0,  2
519, 71,  10, 19
Comment 3 Matthias Clasen 2006-02-17 15:12:47 UTC
Thanks for investigating. Looks like a poppler bug then, indeed.

But the gdk_region code could easily be more robust, e.g. instead of

  if (!rect->width || !rect->height)
    return;

do

  if (rect->width <= 0 || rect->height <= 0)
    return;


If you file a poppler bug, I'll fix the gdkregion robustness...
Comment 4 Benjamin Berg 2006-02-17 15:20:48 UTC
I'll file a bug on fd.o.
Comment 5 Matthias Clasen 2006-02-17 15:41:36 UTC
2006-02-17  Matthias Clasen  <mclasen@redhat.com>

        * gdk/gdkregion-generic.c (gdk_region_union_with_rect):
        Be robust and reject rectangles with negative width or
        height.  (#331467, Benjamin Berg)
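
An added example, not code from GTK+ or from this thread: it runs the two checks from Comment 3 over the rectangles listed in Comment 2 and counts how many inverted boxes each check lets through. The Rect and Box types and the box_is_valid() invariant are assumptions standing in for the region code's internal representation.

```c
#include <stdio.h>

/* Hypothetical stand-ins for the rectangle and region box; not GDK's own types. */
typedef struct { int x, y, width, height; } Rect;
typedef struct { int x1, y1, x2, y2; } Box;

/* Rectangles reported in Comment 2 (x, y, width, height). */
static const Rect rects[] = {
    {101, 37, 5, 9},   {97, 39, 14, 13}, {92, 43, 15, 14}, {88, 49, 5, 10},
    {85, 51, 17, 12},  {81, 54, 17, 13}, {77, 58, 17, 13}, {73, 62, 17, 14},
    {67, 69, 14, 11},  {62, 73, 18, 12}, {58, 76, 18, 13}, {74, 70, -2, 5},
    {77, 62, -12, 17}, {71, 59, -9, 15}, {66, 65, 0, 2},   {519, 71, 10, 19},
};
#define N_RECTS ((int)(sizeof rects / sizeof rects[0]))

/* Check quoted in Comment 3 as the existing one: only zero sizes are skipped. */
static int accept_old(const Rect *r) { return r->width && r->height; }

/* Check proposed in Comment 3: zero and negative sizes are skipped. */
static int accept_new(const Rect *r) { return r->width > 0 && r->height > 0; }

/* Assumed invariant: a box must have positive extent on both axes. */
static int box_is_valid(const Box *b) { return b->x1 < b->x2 && b->y1 < b->y2; }

/* Number of rectangles the given check lets through to the union step. */
static int count_accepted(int (*accept)(const Rect *)) {
    int n = 0;
    for (int i = 0; i < N_RECTS; i++)
        n += accept(&rects[i]) ? 1 : 0;
    return n;
}

/* Number of accepted rectangles whose box would violate the invariant. */
static int count_inverted(int (*accept)(const Rect *)) {
    int n = 0;
    for (int i = 0; i < N_RECTS; i++) {
        const Rect *r = &rects[i];
        if (!accept(r))
            continue;
        Box b = { r->x, r->y, r->x + r->width, r->y + r->height };
        n += box_is_valid(&b) ? 0 : 1;
    }
    return n;
}

int main(void) {
    printf("old check: %d accepted, %d inverted\n", count_accepted(accept_old), count_inverted(accept_old));
    printf("new check: %d accepted, %d inverted\n", count_accepted(accept_new), count_inverted(accept_new));
    return 0;
}
```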