Bug#963813: evince: segmentation fault in evince opening rfc8798.pdf

smcv at debian.org smcv at debian.org
Tue Jun 30 14:38:56 BST 2020

Control: reassign -1 libpoppler-glib8 0.71.0-6
Control: affects -1 + evince
Control: notfound -1 0.85.0-1

On Sat, 27 Jun 2020 at 21:44:46 +0200, Erik Auerswald wrote:
>    I wanted to read the PDF version of the IETF RFC 8798 document using
>    evince, the GNOME Document Viewer.  This public standard document is
>    accessible at https://www.rfc-editor.org/rfc/rfc8798.pdf .
>    When trying to open the PDF file with evince using
>       evince rfc8708.pdf
>    the GNOME Document Viewer "evince" crashes with a segmentation fault.

I can reproduce this on unstable (note to poppler maintainers: the
original report was against buster). Here's a backtrace.

It looks as though a PopplerAttachment somehow has an invalid pointer
at attachment->checksum, so I'm guessing this is more likely to be a
bug in the poppler library than in evince.

This appears to have been fixed in libpoppler-glib8_0.85.0-1 in
experimental (or at least, I can't reproduce it in that version) so
perhaps there is a fix that can be backported.


Thread 6 "EvJobScheduler" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f491e4ec700 (LWP 139528)]
0x00007f4926f67c7c in g_string_free (string=0xffffffff, free_segment=free_segment@entry=1) at ../../../glib/gstring.c:215
215	../../../glib/gstring.c: No such file or directory.
(gdb) bt full
#0  0x00007f4926f67c7c in g_string_free (string=0xffffffff, free_segment=free_segment@entry=1) at ../../../glib/gstring.c:215
        _g_boolean_var_ = <optimized out>
        segment = <optimized out>
        __func__ = "g_string_free"
#1  0x00007f491dc22c53 in poppler_attachment_finalize(GObject*) (obj=0x55d1dde5d460 [PopplerAttachment])
    at ./glib/poppler-attachment.cc:88
        attachment = 0x55d1dde5d460 [PopplerAttachment]
#2  0x00007f492703509e in g_object_unref (_object=<optimized out>) at ../../../gobject/gobject.c:3499
        weak_locations = <optimized out>
        old_ref = <optimized out>
        __func__ = "g_object_unref"
        object = 0x55d1dde5d460 [PopplerAttachment]
        __func__ = "g_object_unref"
#3  g_object_unref (_object=0x55d1dde5d460) at ../../../gobject/gobject.c:3391
        object = 0x55d1dde5d460 [PopplerAttachment]
        __func__ = "g_object_unref"
#4  0x00007f491dc9817e in pdf_document_attachments_get_attachments(EvDocumentAttachments*) (document=<optimized out>)
    at ev-poppler.cc:4222
        ev_attachment = <optimized out>
        data = 0x55d1de094960 "<?xml version='1.0' encoding='utf-8'?>\n<rfc xmlns:xi=\"http://www.w3.org/2001/XInclude\" version=\"3\" category=\"std\" consensus=\"true\" docName=\"draft-ietf-core-senml-more-units-06\" indexInclude=\"true\" ipr"...
        attachment = 0x55d1dde5d460 [PopplerAttachment]
        size = 51880
        error = 0x0
        pdf_document = <optimized out>
        attachments = <optimized out>
        list = 0x55d1ddb16c20 = {0x55d1dde5d460}
        retval = 0x55d1ddb17180 = {0x55d1dde3b560}
#5  0x00007f4927d8b77a in ev_job_attachments_run (job=0x55d1dde5d630 [EvJobAttachments]) at ev-jobs.c:472
        job_attachments = 0x55d1dde5d630 [EvJobAttachments]
#6  0x00007f4927d8d7da in ev_job_thread (job=0x55d1dde5d630 [EvJobAttachments]) at ev-job-scheduler.c:184
        result = <optimized out>
        job = 0x55d1ddc582f0
#7  ev_job_thread_proxy (data=<optimized out>) at ev-job-scheduler.c:217
        job = 0x55d1ddc582f0
#8  0x00007f4926f6e52d in g_thread_proxy (data=0x55d1dde36580) at ../../../glib/gthread.c:807
        thread = 0x55d1dde36580
        __func__ = "g_thread_proxy"
#9  0x00007f4926d97f27 in start_thread (arg=<optimized out>) at pthread_create.c:479
        ret = <optimized out>
        pd = <optimized out>
        unwind_buf = 
              {cancel_jmp_buf = {{jmp_buf = {139952017819392, 4879852856656241710, 140730885663534, 140730885663535, 139952017816704, 139952017819392, -4815890835605576658, -4815766494322252754}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
        not_first_call = 0
#10 0x00007f4926cc931f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
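
The triage step in the message above (an implausible pointer received in frame #0, handed over by the poppler finalizer in frame #1) can be automated over a gdb backtrace. The following Python is an added example, not part of the original message or of evince/poppler; the function names and the `implausible_pointer` heuristic are assumptions of this example.

```python
import re

# Excerpt of frames #0-#4 from the backtrace above (locals omitted).
BACKTRACE = """\
#0  0x00007f4926f67c7c in g_string_free (string=0xffffffff, free_segment=free_segment@entry=1) at ../../../glib/gstring.c:215
#1  0x00007f491dc22c53 in poppler_attachment_finalize(GObject*) (obj=0x55d1dde5d460 [PopplerAttachment])
    at ./glib/poppler-attachment.cc:88
#2  0x00007f492703509e in g_object_unref (_object=<optimized out>) at ../../../gobject/gobject.c:3499
#3  g_object_unref (_object=0x55d1dde5d460) at ../../../gobject/gobject.c:3391
#4  0x00007f491dc9817e in pdf_document_attachments_get_attachments(EvDocumentAttachments*) (document=<optimized out>)
    at ev-poppler.cc:4222
"""

# "#N [addr in] func[(C++ signature)] (args) at file:line"
FRAME = re.compile(r"^#(\d+)\s+(?:0x[0-9a-f]+ in )?(\w+)(?:\([^)]*\))? \((.*)\) at (\S+)$")
PTR_ARG = re.compile(r"(\w+)=(0x[0-9a-f]+)")

def parse_frames(text):
    """Join gdb's wrapped 'at file:line' lines, then parse each frame line."""
    joined = []
    for line in text.splitlines():
        if line.startswith("#"):
            joined.append(line.rstrip())
        elif joined and re.match(r"\s+at \S+:\d+$", line):
            joined[-1] += " " + line.strip()
    frames = []
    for line in joined:
        m = FRAME.match(line)
        if m:
            num, func, args, where = m.groups()
            ptrs = {k: int(v, 16) for k, v in PTR_ARG.findall(args)}
            frames.append({"num": int(num), "func": func, "ptrs": ptrs, "at": where})
    return frames

def implausible_pointer(value):
    """Heuristic (assumption of this example): non-NULL, yet a small integer or
    an all-ones pattern rather than a typical x86-64 userland address."""
    return value != 0 and (value < 0x10000 or value in (0xFFFFFFFF, 0xFFFFFFFFFFFFFFFF))

def triage(text):
    """Return (callee, arg_name, caller) for the innermost implausible pointer."""
    frames = parse_frames(text)
    for callee, caller in zip(frames, frames[1:]):
        for name, value in callee["ptrs"].items():
            if implausible_pointer(value):
                return callee, name, caller
    return None
```

The caller is taken as the next frame out rather than guessed from the source path, because poppler's own binding lives under `./glib/` and a path match on "glib" would misattribute it.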

More information about the Pkg-freedesktop-maintainers mailing list