Bug 769700 - Segfault on a corrupted PDF file (revisiting CVE-2013-3718)
Status: RESOLVED FIXED
Product: evince
Classification: Core
Component: PDF
Version: git master
Hardware: Other
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assigned To: Evince Maintainers
Depends on:
Blocks:
Reported: 2016-08-10 09:45 UTC by Dhiru Kholia
Modified: 2016-09-03 06:36 UTC
See Also:
GNOME target: ---
GNOME version: ---
Attachments
Check number of pages when processing button events (881 bytes, patch), 2016-08-10 13:17 UTC, Marek Kašík, status: committed

Description Dhiru Kholia 2016-08-10 09:45:23 UTC
This bug is related to https://bugzilla.gnome.org/show_bug.cgi?id=701302.

Test case: http://jutaky.com/fuzzing/evince_case_5580_002.pdf

After opening the above file, an Evince crash can be triggered reliably by clicking on the document view pane (the area where the document is normally displayed) after Evince displays the "The document contains no pages" message.

I can reproduce the crash on Ubuntu 16.04 LTS (Evince 3.18.2), Fedora 24 (3.20.1), and git sources (commit bd9ca13). However, the stack trace of this crash is very different from https://bugzilla.gnome.org/show_bug.cgi?id=701302 (CVE-2013-3718).

$ gdb --args evince evince_case_5580_002.pdf
...
Thread 1 "evince" received signal SIGSEGV, Segmentation fault.
ev_view_accessible_selection_changed (view=0x555555d1e110 [EvView], view_accessible=<optimized out>)
    at ev-view-accessible.c:358
358		g_signal_emit_by_name (page_accessible, "text-selection-changed");
(gdb) bt
#0  ev_view_accessible_selection_changed at ev-view-accessible.c:358
#4  <emit signal ??? on instance 0x555555d1e110 [EvView]> at gsignal.c:3441
#5  merge_selection_region at ev-view.c:8970
#6  start_selection_for_event at ev-view.c:9109
#7  ev_view_button_press_event at ev-view.c:5072
#8  _gtk_marshal_BOOLEAN__BOXEDv at gtkmarshalers.c:131
#9  _g_closure_invoke_va at gclosure.c:867
#10 g_signal_emit_valist at gsignal.c:3294
#11 g_signal_emit at gsignal.c:3441
#12 gtk_widget_event_internal at gtkwidget.c:7705
#13 propagate_event at gtkmain.c:2545
#14 propagate_event at gtkmain.c:2647
#15 gtk_main_do_event at gtkmain.c:1878

(gdb) list
353	{
354		AtkObject *page_accessible;
355	
356		page_accessible = g_ptr_array_index (view_accessible->priv->children,
357						     get_relevant_page (view));
358		g_signal_emit_by_name (page_accessible, "text-selection-changed");
359	}
360	
361	static void
362	page_changed_cb (EvDocumentModel  *model,
(gdb) print page_accessible 
Cannot access memory at address 0x0


The security impact of this particular crash seems to be none / minimal. Also, the user can exit Evince by pressing Ctrl+w without triggering this crash.
Comment 1 Marek Kašík 2016-08-10 13:17:35 UTC
Created attachment 333062 [details] [review]
Check number of pages when processing button events

A simple fix could look like this. It checks whether there are some pages in the opened document when processing button events, to avoid the crash.
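The crash path from the description and the guard described in comment 1, modelled in plain C as an added example. This is not the attached patch or Evince code: the `View` and `PageAccessible` structs, the `lookup_relevant_page_unchecked`, `emit_text_selection_changed`, `button_press_before_fix` and `button_press_after_fix` functions, and the constructed views are assumptions standing in for EvView, the accessible's `children` array, `get_relevant_page` and the GObject signal emission. The point it shows: with a zero-page document the children array is empty, so indexing it yields a NULL page accessible, and only a page-count check before the selection logic keeps that NULL from being dereferenced.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in (assumed) for the per-page AtkObject held in view_accessible->priv->children. */
typedef struct {
    int text_selection_changed_emissions;  /* "text-selection-changed" signals received */
} PageAccessible;

/* Stand-in (assumed) for EvView plus its accessible: page count and one child per page. */
typedef struct {
    int n_pages;                /* ev_document_get_n_pages() for the loaded document */
    PageAccessible **children;  /* NULL and zero-length when the document has no pages */
    int relevant_page;          /* get_relevant_page (view) */
} View;

/* Mirrors the unchecked lookup in ev_view_accessible_selection_changed(): the
 * children array is indexed without asking whether it has any entries. For a
 * zero-page document the result is NULL, which the caller then dereferences. */
static PageAccessible *lookup_relevant_page_unchecked(const View *view)
{
    if (view->children == NULL)
        return NULL;  /* empty array: nothing to index */
    return view->children[view->relevant_page];
}

/* Stand-in for g_signal_emit_by_name (page_accessible, "text-selection-changed"). */
static void emit_text_selection_changed(PageAccessible *page)
{
    page->text_selection_changed_emissions++;  /* NULL here is the reported SIGSEGV */
}

/* Button-press path before the fix: selection starts and the signal is emitted unconditionally. */
static int button_press_before_fix(View *view)
{
    emit_text_selection_changed(lookup_relevant_page_unchecked(view));
    return 1;
}

/* Button-press path after the fix: ignore button events on a document with no pages. */
static int button_press_after_fix(View *view)
{
    if (view->n_pages <= 0)
        return 0;  /* nothing to select; the event is not handled */
    emit_text_selection_changed(lookup_relevant_page_unchecked(view));
    return 1;
}

/* Build a view for a document with n_pages pages (constructed test data). */
static View *make_view(int n_pages)
{
    View *v = calloc(1, sizeof *v);
    v->n_pages = n_pages;
    if (n_pages > 0) {
        v->children = calloc((size_t)n_pages, sizeof *v->children);
        for (int i = 0; i < n_pages; i++)
            v->children[i] = calloc(1, sizeof **v->children);
    }
    return v;
}

static void free_view(View *v)
{
    for (int i = 0; i < v->n_pages; i++)
        free(v->children[i]);
    free(v->children);
    free(v);
}

/* Press once on an n_pages document with the fixed handler and report how many
 * emissions the relevant page saw; -1 means the press was ignored. */
static int emissions_after_fixed_press(int n_pages)
{
    View *v = make_view(n_pages);
    int handled = button_press_after_fix(v);
    int result = handled ? v->children[v->relevant_page]->text_selection_changed_emissions : -1;
    free_view(v);
    return result;
}

int main(void)
{
    View *empty = make_view(0);
    printf("zero-page document: unchecked lookup yields %p\n",
           (void *)lookup_relevant_page_unchecked(empty));
    /* button_press_before_fix(empty) would dereference that NULL and crash. */
    printf("zero-page document, fixed handler: handled=%d\n", button_press_after_fix(empty));
    free_view(empty);

    View *one = make_view(1);
    int handled = button_press_before_fix(one);
    printf("one-page document, old handler: handled=%d emissions=%d\n",
           handled, one->children[0]->text_selection_changed_emissions);
    free_view(one);
    printf("one-page document, fixed handler: emissions=%d\n", emissions_after_fixed_press(1));
    return 0;
}
```

The guard sits in the button-press handler rather than in the accessible's signal handler because that is the earliest point on the backtrace above where the page count is known; checking there means no selection region is ever created for an empty document, so nothing downstream has to cope with a missing page accessible.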
Comment 2 Carlos Garcia Campos 2016-09-03 06:36:08 UTC
Comment on attachment 333062 [details] [review]
Check number of pages when processing button events

Pushed, thanks!