GNOME Bugzilla – Bug 701302
Segfault on a corrupted PDF file
Last modified: 2013-06-08 14:42:36 UTC
Version: git 20130530 (says version 3.9.2).

Configure:
export CFLAGS="-fsanitize=address"
export CXXFLAGS="-fsanitize=address"
./configure --enable-debug --disable-nautilus

Segfault backtrace:
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff428e678 in ev_page_cache_set_page_range () from /usr/lib/libevview3.so.3
(gdb) bt
+ Trace 232005
The test case: http://jutaky.com/fuzzing/evince_case_5580_002.pdf

Version 3.8.2 crashes too (from Arch Linux repository).
Thanks for taking the time to report this bug. Unfortunately, that stack trace is missing some elements that will help a lot to solve the problem, so it will be hard for the developers to fix that crash. Can you get us a stack trace with debugging symbols? Please see http://live.gnome.org/GettingTraces for more information on how to do so and reopen this bug or report a new one. Thanks in advance!
I would need more details on how to get a better trace with evince. Evince has been compiled with debug symbols enabled and that is the backtrace. gdb says "Reading symbols from /home/jutaky/<removed>/evince...done." and the trace is still missing those elements. And "objdump --syms evince" seems to verify that the symbols are there.

-- Juha Kylmänen
Research Assistant, OUSPG
The PDF is corrupted. Not even acroread can open it. Although, evince should not crash and should try to be more gentle to let the user know about it :-)

The issue seems to be in poppler.

Syntax Error: Couldn't find trailer dictionary
Syntax Error: Invalid XRef entry
Syntax Error: Invalid XRef entry
Syntax Error: Top-level pages object is wrong type (null)
[...]
(poppler-glib-demo:14252): Poppler-CRITICAL **: PopplerPage* poppler_document_get_page(PopplerDocument*, int): assertion `0 <= index && index < poppler_document_get_n_pages (document)' failed
Syntax Error: Top-level pages object is wrong type (null)
Syntax Error: Top-level pages object is wrong type (null)
Syntax Error: Top-level pages object is wrong type (null)
[...]

and then, when trying to scan the fonts with poppler-glib-demo:

Program received signal SIGFPE, Arithmetic exception.
0x08055231 in pgd_fonts_update_progress (n_pages=0, scanned=0, demo=<optimized out>) at fonts.c:118
118	    MIN (scanned * 100 / n_pages, 100));

If I try to render the pages instead, I get:

(poppler-glib-demo:14450): Poppler-CRITICAL **: PopplerPage* poppler_document_get_page(PopplerDocument*, int): assertion `0 <= index && index < poppler_document_get_n_pages (document)' failed
Here is a better backtrace that I got with evince:

[New Thread 0xb565cb40 (LWP 14644)]
[New Thread 0xb4cffb40 (LWP 14645)]
[New Thread 0xa727db40 (LWP 14646)]
[New Thread 0xa68ffb40 (LWP 14647)]
Syntax Error: Couldn't find trailer dictionary
Syntax Error: Invalid XRef entry
Syntax Error: Top-level pages object is wrong type (null)
Syntax Error: Invalid XRef entry
Entity: line 69: parser error : Extra content at the end of the document
<?xpacket end="w"?>B
                     ^

Program received signal SIGSEGV, Segmentation fault.
ev_page_cache_set_page_range (end=0, start=0, cache=0x8347ac8) at ev-page-cache.c:305
305	    if (data->flags == cache->flags && !data->dirty && (data->done || data->job))
(gdb) bt
+ Trace 232006
This is a regression. Normally, the ev_window checks whether the document has pages or not. If it has pages, then it sets the document to the view... This is not working for some reason. On the other hand, the EvView should be made more stable by checking that we have n_pages > 0 in some places (we are a library used in other apps :) )
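The two crashes in this thread have the same root cause: a document whose page count is zero reaches code that assumes at least one page (an integer division by n_pages in the font-scan progress, and a page-cache walk over an empty range). The following C program is an added example, not evince or poppler code; its Document, PageCache and function names are constructed stand-ins that show the defensive shape the comment above asks for, where every entry point that consumes a page count rejects n_pages <= 0 and reports an error instead of faulting.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for a parsed document: only the page count matters here.
   A corrupted PDF whose top-level pages object is unusable ends up with n_pages == 0. */
typedef struct {
    int n_pages;
} Document;

/* Constructed stand-in for one per-page cache entry. */
typedef struct {
    int dirty;
} PageData;

/* Constructed stand-in for the view's page cache. */
typedef struct {
    PageData *pages;
    int n_pages;
} PageCache;

/* Progress of a scan as a percentage. The unguarded form "scanned * 100 / n_pages"
   raises SIGFPE when n_pages is 0; here a document with no pages reports 0%. */
int fonts_progress_percent(int scanned, int n_pages)
{
    if (n_pages <= 0 || scanned < 0)
        return 0;
    long pct = ((long)scanned * 100) / n_pages;   /* long avoids int overflow for large counts */
    return pct > 100 ? 100 : (int)pct;
}

/* Allocate a cache for a document. Returns NULL for an empty document so callers
   can never index into a zero-length page array. */
PageCache *page_cache_new(const Document *doc)
{
    if (doc == NULL || doc->n_pages <= 0)
        return NULL;
    PageCache *cache = calloc(1, sizeof *cache);
    if (cache == NULL)
        return NULL;
    cache->pages = calloc((size_t)doc->n_pages, sizeof *cache->pages);
    if (cache->pages == NULL) {
        free(cache);
        return NULL;
    }
    cache->n_pages = doc->n_pages;
    return cache;
}

void page_cache_free(PageCache *cache)
{
    if (cache != NULL) {
        free(cache->pages);
        free(cache);
    }
}

/* Mark the pages in [start, end] as needing a redraw. Validates the cache and the
   range against n_pages first; returns the number of pages touched, or -1 on an
   invalid cache or range (the case that segfaulted in the thread's backtrace). */
int page_cache_set_page_range(PageCache *cache, int start, int end)
{
    if (cache == NULL || cache->pages == NULL || cache->n_pages <= 0)
        return -1;
    if (start < 0 || end < start || end >= cache->n_pages)
        return -1;
    for (int i = start; i <= end; i++)
        cache->pages[i].dirty = 1;
    return end - start + 1;
}

/* The view-side guard: a document without pages is never attached to the view.
   Returns 1 when the document was accepted and *out_cache is valid, 0 otherwise. */
int view_set_document(const Document *doc, PageCache **out_cache)
{
    *out_cache = NULL;
    if (doc == NULL || doc->n_pages <= 0)
        return 0;
    *out_cache = page_cache_new(doc);
    return *out_cache != NULL;
}

int main(void)
{
    Document corrupted = { 0 };   /* constructed: what a damaged PDF yields */
    Document healthy = { 5 };     /* constructed: a normal five-page document */
    PageCache *cache = NULL;

    printf("corrupted accepted: %d\n", view_set_document(&corrupted, &cache));
    printf("range on empty cache: %d\n", page_cache_set_page_range(cache, 0, 0));
    printf("progress 0/0: %d%%\n", fonts_progress_percent(0, 0));

    printf("healthy accepted: %d\n", view_set_document(&healthy, &cache));
    printf("range 1..3: %d pages\n", page_cache_set_page_range(cache, 1, 3));
    printf("progress 3/5: %d%%\n", fonts_progress_percent(3, 5));
    page_cache_free(cache);
    return 0;
}
```

The point of checking in both the view entry point and the cache routine is the one the comment makes about being a library: the window-level check that normally prevents this can be bypassed by a different caller or, as here, by a change in event ordering, so the lower layers must not rely on it.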
Created attachment 245694 [details] [review]
Check the number of pages when there is a new document
> The PDF is corrupted.

True. That is the point of fuzzing / robustness testing.

This bug has been given CVE identification CVE-2013-3718.

I would greatly appreciate if our group and I got a credit as "Juha Kylmänen from OUSPG" to some documentation/changelog. Thanks for checking out the report.
Review of attachment 245694 [details] [review]:

Thanks, I wonder if we can now remove the check from view_update_range_and_current_page to avoid doing the check every time.
(In reply to comment #8)
> Review of attachment 245694 [details] [review]:
>
> Thanks, I wonder if we can now remove the check from
> view_update_range_and_current_page to avoid doing the check every time.

I am unsure about this. This bug does not exist in either 3.4 or 3.6. According to José, it seems the order that events were triggered changed. Is this check an expensive operation?
Review of attachment 245694 [details] [review]:

Committed in master. Shall I commit it in 3.8?
(In reply to comment #7)
> > The PDF is corrupted.
>
> True. That is the point of fuzzing / robustness testing.
>
> This bug has been given CVE identification CVE-2013-3718.
>
> I would greatly appreciate if our group and I got a credit as "Juha Kylmänen
> from OUSPG" to some documentation/changelog.

Since we use git, we do not use changelog anymore. However, I added the thanks in the commit log. See:
https://git.gnome.org/browse/evince/commit/?id=6230a6fae0c84696e2e52e7a1d720edfd54dd38d
Am I doing something wrong? I am still experiencing the crash. In an empty folder:

$ git clone git://git.gnome.org/evince
$ cd evince
$ ./autogen.sh --disable-nautilus
$ make
$ wget http://jutaky.com/fuzzing/evince_case_5580_002.pdf
$ shell/.libs/evince evince_case_5580_002.pdf
--> segfault
$ grep -A 3 "ev_document_get_n_pages (document) <= 0" libview/ev-view.c
	if (ev_document_get_n_pages (document) <= 0 ||
	    !ev_document_check_dimensions (document))
		return;
I think that installed libraries are preferred to non-installed ones. As the fix is in libview, probably you are still using the old library; you can check easily with ldd.
Indeed. Setting LD_LIBRARY_PATH to the patched library helped. Thanks for the fix and the credit.
(In reply to comment #10)
> Review of attachment 245694 [details] [review]:
>
> Committed in master. Shall I commit it in 3.8?

Yes, please.
(In reply to comment #15)
> (In reply to comment #10)
> > Review of attachment 245694 [details] [review] [details]:
> >
> > Committed in master. Shall I commit it in 3.8?
>
> Yes, please.

Done.
The version from git master now has

(evince:14295): EvinceDocument-CRITICAL **: ev_document_get_n_pages: assertion 'EV_IS_DOCUMENT (document)' failed

on startup. This is probably directly related to this commit
https://git.gnome.org/browse/evince/commit/?id=6230a6fae0c84696e2e52e7a1d720edfd54dd38d
since it does not show up in 3.9.2.
Created attachment 246280 [details] [review]
libview: Fix warning on ev_view_document_changed_cb

The previous patch introduced a warning when there is no document set yet. This patch fixes the issue.
Review of attachment 246280 [details] [review]:

Looks good, thanks!
Review of attachment 246280 [details] [review]:

Thanks. Committed in both master and gnome-3-8.