GNOME Bugzilla – Bug 769700
Segfault on a corrupted PDF file (revisiting CVE-2013-3718)
Last modified: 2016-09-03 06:36:17 UTC
This bug is related to https://bugzilla.gnome.org/show_bug.cgi?id=701302.

Test case: http://jutaky.com/fuzzing/evince_case_5580_002.pdf

After opening the above file, the Evince crash can be triggered reliably by clicking on the document view pane (the area where the document is normally displayed) after Evince displays the "The document contains no pages" message. I can reproduce the crash on Ubuntu 16.04 LTS (Evince 3.18.2), Fedora 24 (3.20.1), and git sources (commit bd9ca13). However, the stack trace of this crash is very different from https://bugzilla.gnome.org/show_bug.cgi?id=701302 (CVE-2013-3718).

$ gdb --args evince evince_case_5580_002.pdf
...
Thread 1 "evince" received signal SIGSEGV, Segmentation fault.
ev_view_accessible_selection_changed (view=0x555555d1e110 [EvView], view_accessible=<optimized out>) at ev-view-accessible.c:358
358	  g_signal_emit_by_name (page_accessible, "text-selection-changed");
(gdb) bt
(gdb) list
353	{
354	  AtkObject *page_accessible;
355	
356	  page_accessible = g_ptr_array_index (view_accessible->priv->children,
357	                                       get_relevant_page (view));
358	  g_signal_emit_by_name (page_accessible, "text-selection-changed");
359	}
360	
361	static void
362	page_changed_cb (EvDocumentModel *model,
(gdb) print page_accessible
Cannot access memory at address 0x0

The security impact of this particular crash seems to be none / minimal. Also, the user can exit Evince by pressing Ctrl+w without triggering this crash.
Created attachment 333062
Check number of pages when processing button events

A simple fix could look like this. It checks whether there are some pages in the opened document when processing button events, to avoid the crash.
Comment on attachment 333062
Check number of pages when processing button events

Pushed, thanks!
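The crash path in the first comment and the check the attached patch describes, as an added C example that is neither Evince's code nor the patch: a stand-in for GPtrArray shows why indexing the children array of a page-less document faults, and a guarded lookup in the spirit of the fix returns early instead. It assumes, as a model, that an array which never received an element has pdata == NULL; all type and function names are hypothetical.

```c
#include <stddef.h>

/* Stand-in for GLib's GPtrArray (a model, not GLib): g_ptr_array_index() is a plain
 * macro with no bounds check; the model assumes a never-filled array has pdata == NULL. */
typedef struct { void **pdata; unsigned int len; } PtrArray;
#define ptr_array_index(arr, i) ((arr)->pdata[(i)])
typedef struct { const char *name; int selection_signals; } PageAccessible;
typedef struct { int n_pages; int current_page; } View;
typedef struct { PtrArray children; } ViewAccessible;

/* Hypothetical stand-in for get_relevant_page(): the page the cursor is on. */
static int get_relevant_page(const View *view) { return view->current_page; }

/* Unguarded path, as in the backtrace: on an empty document children.len is 0
 * and pdata is NULL, so the lookup reads address 0 and faults. */
static int selection_changed_unguarded(View *view, ViewAccessible *va) {
    PageAccessible *page = ptr_array_index(&va->children, get_relevant_page(view));
    page->selection_signals++;   /* stands in for g_signal_emit_by_name() */
    return 1;
}

/* Guarded path, in the spirit of the pushed fix: bail out when the document
 * has no pages, and also reject a page index that lies beyond the array. */
static int selection_changed_guarded(View *view, ViewAccessible *va) {
    if (view->n_pages <= 0 || va->children.len == 0) return 0;
    int idx = get_relevant_page(view);
    if (idx < 0 || (unsigned int) idx >= va->children.len) return 0;
    PageAccessible *page = ptr_array_index(&va->children, (unsigned int) idx);
    page->selection_signals++;
    return 1;
}

/* Scenario from this report: "The document contains no pages", then a click. */
static int run_empty_document(void) {
    View view = { 0, 0 };
    ViewAccessible va = { { NULL, 0 } };
    return selection_changed_guarded(&view, &va);   /* 0: nothing emitted, no fault */
}

/* Constructed two-page document, cursor on page 1: both paths are safe, page 1 gets two signals. */
static int run_two_pages(void) {
    PageAccessible pages[2] = { { "page0", 0 }, { "page1", 0 } };
    void *ptrs[2] = { &pages[0], &pages[1] };
    View view = { 2, 1 };
    ViewAccessible va = { { ptrs, 2 } };
    if (selection_changed_guarded(&view, &va) != 1) return -1;
    if (selection_changed_unguarded(&view, &va) != 1) return -1;
    return pages[1].selection_signals;   /* 2 */
}
```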