Bug#963813: evince: segmentation fault in evince opening rfc8798.pdf
Bernhard Übelacker
bernhardu at mailbox.org
Fri Sep 4 17:17:33 BST 2020
Dear Maintainer,
I tried to find out where the pointer value 0xffffffff comes from
and traced it to this location [1] (details attached).
It seems the caller expects the time_t that timet points to to be 4 bytes wide,
but it is really 8 bytes: the 8-byte store at poppler-date.cc:47 goes to the 4-byte GTime field at offset 52 of PopplerAttachment, so its upper half spills into the adjacent checksum pointer at offset 56, which is later passed to g_string_free.
Searching the upstream issues for "checksum" points to this one [2].
Building a package with the patch referenced there makes evince no longer crash.
Kind regards,
Bernhard
[1]
47 *timet = t;
(rr) bt
#0 0x00007ff2407837a1 in poppler_date_parse(gchar const*, time_t*) (date=date at entry=0x7ff23010e280 "D:19691231160000-07'00'", timet=timet at entry=0x558edf4d3494) at ./glib/poppler-date.cc:47
#1 0x00007ff240786a11 in _poppler_convert_pdf_date_to_gtime(GooString const*, long*) (date=<optimized out>, gdate=gdate at entry=0x558edf4d3494) at ./glib/poppler-document.cc:3168
#2 0x00007ff24078ca06 in _poppler_attachment_new(FileSpec*) (emb_file=emb_file at entry=0x558edf721520) at ./poppler/FileSpec.h:31
#3 0x00007ff240784a03 in poppler_document_get_attachments(PopplerDocument*) (document=<optimized out>) at ./glib/poppler-document.cc:681
#4 0x00007ff2407dd0fa in () at /usr/lib/x86_64-linux-gnu/evince/4/backends/libpdfdocument.so
#5 0x00007ff2474ae47a in () at /lib/x86_64-linux-gnu/libevview3.so.3
#6 0x00007ff2474b04c2 in () at /lib/x86_64-linux-gnu/libevview3.so.3
#7 0x00007ff246777415 in g_thread_proxy (data=0x558edf5240f0) at ../../../glib/gthread.c:784
#8 0x00007ff246564fa3 in start_thread (arg=<optimized out>) at pthread_create.c:486
#9 0x00007ff2464954cf in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
[2]
https://gitlab.freedesktop.org/poppler/poppler/-/issues/599
https://gitlab.freedesktop.org/poppler/poppler/-/commit/6f5327114c824791dda72dc415b047d445e46d9d
-------------- next part --------------
# Buster/stable amd64 qemu VM 2020-09-04
apt update
apt dist-upgrade
apt install systemd-coredump lightdm xserver-xorg openbox xterm fakeroot quilt gdb rr evince evince-dbgsym libglib2.0-0-dbgsym libpoppler-glib8-dbgsym
apt build-dep libpoppler-glib8
reboot
echo 1 > /proc/sys/kernel/perf_event_paranoid
apt install ccache cmake make g++-multilib gdb pkg-config coreutils python3-pexpect manpages-dev git ninja-build capnproto libcapnp-dev
dpkg --purge rr
mkdir /home/benutzer/source/rr/git -p
cd /home/benutzer/source/rr/git
git clone https://github.com/mozilla/rr.git
cd
cd /home/benutzer/source/rr/git/
mkdir obj && cd obj
cmake ../rr
make -j4 rr rr_exec_stub rr_exec_stub_32
mkdir /home/benutzer/source/libpoppler-glib8/orig -p
cd /home/benutzer/source/libpoppler-glib8/orig
apt source libpoppler-glib8
cd
wget https://www.rfc-editor.org/rfc/rfc8798.pdf
export DISPLAY=:0
/home/benutzer/source/rr/git/obj/bin/rr evince rfc8798.pdf
/home/benutzer/source/rr/git/obj/bin/rr replay /home/benutzer/.local/share/rr/evince-1
set width 0
set pagination off
directory /home/benutzer/source/libpoppler-glib8/orig/poppler-0.71.0
cont
bt
benutzer at debian:~$ /home/benutzer/source/rr/git/obj/bin/rr evince rfc8798.pdf
rr: Saving execution to trace directory `/home/benutzer/.local/share/rr/evince-1'.
! SyncTeX Error : No file?
Speicherzugriffsfehler
benutzer at debian:~$ /home/benutzer/source/rr/git/obj/bin/rr replay /home/benutzer/.local/share/rr/evince-1
...
(rr) cont
Continuing.
[New Thread 6869.6881]
! SyncTeX Error : No file?
[New Thread 6869.6874]
[New Thread 6869.6875]
[New Thread 6869.6876]
[New Thread 6869.6880]
Thread 2 received signal SIGSEGV, Segmentation fault.
[Switching to Thread 6869.6881]
0x00007ff2467713ae in g_string_free () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
(rr) bt
#0 0x00007ff2467713ae in g_string_free () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#1 0x00007ff24078c7c3 in ?? () from /lib/x86_64-linux-gnu/libpoppler-glib.so.8
#2 0x00007ff246835e22 in g_object_unref () from /lib/x86_64-linux-gnu/libgobject-2.0.so.0
#3 0x00007ff2407dd15e in ?? () from /usr/lib/x86_64-linux-gnu/evince/4/backends/libpdfdocument.so
#4 0x00007ff2474ae47a in ?? () from /lib/x86_64-linux-gnu/libevview3.so.3
#5 0x00007ff2474b04c2 in ?? () from /lib/x86_64-linux-gnu/libevview3.so.3
#6 0x00007ff246777415 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#7 0x00007ff246564fa3 in start_thread (arg=<optimized out>) at pthread_create.c:486
#8 0x00007ff2464954cf in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
benutzer at debian:~$ /home/benutzer/source/rr/git/obj/bin/rr replay /home/benutzer/.local/share/rr/evince-1
...
(rr) set width 0
(rr) set pagination off
(rr) directory /home/benutzer/source/libpoppler-glib8/orig/poppler-0.71.0
Source directories searched: /home/benutzer/source/libpoppler-glib8/orig/poppler-0.71.0:$cdir:$cwd
(rr) cont
Continuing.
[ERROR /home/benutzer/source/rr/git/rr/src/TraceStream.cc:1118:read_mapped_region()] Metadata of /usr/share/glib-2.0/schemas/gschemas.compiled changed: replay divergence likely, but continuing anyway. inode: 550839/540552; mode: 33188/33188; uid: 0/0; gid: 0/0; size: 37274/37274; mtime: 1599231569/1599230559
[New Thread 6869.6881]
! SyncTeX Error : No file?
[New Thread 6869.6874]
[New Thread 6869.6875]
[New Thread 6869.6876]
[New Thread 6869.6880]
Thread 2 received signal SIGSEGV, Segmentation fault.
[Switching to Thread 6869.6881]
g_string_free (string=0xffffffff, free_segment=free_segment at entry=1) at ../../../glib/gstring.c:217
217 ../../../glib/gstring.c: Datei oder Verzeichnis nicht gefunden.
(rr) bt
#0 0x00007ff2467713ae in g_string_free (string=0xffffffff, free_segment=free_segment at entry=1) at ../../../glib/gstring.c:217
#1 0x00007ff24078c7c3 in poppler_attachment_finalize(GObject*) (obj=0x558edf4d3460 [PopplerAttachment]) at ./glib/poppler-attachment.cc:88
#2 0x00007ff246835e22 in g_object_unref (_object=<optimized out>) at ../../../gobject/gobject.c:3346
#3 0x00007ff246835e22 in g_object_unref (_object=0x558edf4d3460) at ../../../gobject/gobject.c:3238
#4 0x00007ff2407dd15e in () at /usr/lib/x86_64-linux-gnu/evince/4/backends/libpdfdocument.so
#5 0x00007ff2474ae47a in () at /lib/x86_64-linux-gnu/libevview3.so.3
#6 0x00007ff2474b04c2 in () at /lib/x86_64-linux-gnu/libevview3.so.3
#7 0x00007ff246777415 in g_thread_proxy (data=0x558edf5240f0) at ../../../glib/gthread.c:784
#8 0x00007ff246564fa3 in start_thread (arg=<optimized out>) at pthread_create.c:486
#9 0x00007ff2464954cf in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
(rr) reverse-finish
Run back to call of #0 g_string_free (string=0xffffffff, free_segment=free_segment at entry=1) at ../../../glib/gstring.c:217
Thread 2 received signal SIGSEGV, Segmentation fault.
g_string_free (string=0xffffffff, free_segment=free_segment at entry=1) at ../../../glib/gstring.c:217
217 in ../../../glib/gstring.c
(rr) reverse-finish
Run back to call of #0 g_string_free (string=0xffffffff, free_segment=free_segment at entry=1) at ../../../glib/gstring.c:217
0x00007ff24078c7be in poppler_attachment_finalize (obj=0x558edf4d3460 [PopplerAttachment]) at ./glib/poppler-attachment.cc:88
88 g_string_free (attachment->checksum, TRUE);
(rr) print attachment
$1 = 0x558edf4d3460 [PopplerAttachment]
(rr) ptype /o PopplerAttachment
type = struct _PopplerAttachment {
/* 0 | 24 */ GObject parent;
/* 24 | 8 */ gchar *name;
/* 32 | 8 */ gchar *description;
/* 40 | 8 */ gsize size;
/* 48 | 4 */ GTime mtime;
/* 52 | 4 */ GTime ctime;
/* 56 | 8 */ GString *checksum;
/* total size (bytes): 64 */
}
(rr) print attachment->checksum
$2 = (GString *) 0xffffffff
(rr) print &attachment->checksum
$3 = (GString **) 0x558edf4d3498
(rr) watch *0x558edf4d3498
Hardware watchpoint 1: *0x558edf4d3498
(rr) reverse-cont
Continuing.
Thread 2 hit Hardware watchpoint 1: *0x558edf4d3498
Old value = -1
New value = 0
poppler_date_parse (date=date at entry=0x7ff23010e280 "D:19691231160000-07'00'", timet=timet at entry=0x558edf4d3494) at ./glib/poppler-date.cc:47
47 *timet = t;
(rr) bt
#0 0x00007ff2407837a1 in poppler_date_parse(gchar const*, time_t*) (date=date at entry=0x7ff23010e280 "D:19691231160000-07'00'", timet=timet at entry=0x558edf4d3494) at ./glib/poppler-date.cc:47
#1 0x00007ff240786a11 in _poppler_convert_pdf_date_to_gtime(GooString const*, long*) (date=<optimized out>, gdate=gdate at entry=0x558edf4d3494) at ./glib/poppler-document.cc:3168
#2 0x00007ff24078ca06 in _poppler_attachment_new(FileSpec*) (emb_file=emb_file at entry=0x558edf721520) at ./poppler/FileSpec.h:31
#3 0x00007ff240784a03 in poppler_document_get_attachments(PopplerDocument*) (document=<optimized out>) at ./glib/poppler-document.cc:681
#4 0x00007ff2407dd0fa in () at /usr/lib/x86_64-linux-gnu/evince/4/backends/libpdfdocument.so
#5 0x00007ff2474ae47a in () at /lib/x86_64-linux-gnu/libevview3.so.3
#6 0x00007ff2474b04c2 in () at /lib/x86_64-linux-gnu/libevview3.so.3
#7 0x00007ff246777415 in g_thread_proxy (data=0x558edf5240f0) at ../../../glib/gthread.c:784
#8 0x00007ff246564fa3 in start_thread (arg=<optimized out>) at pthread_create.c:486
#9 0x00007ff2464954cf in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
(rr) print timet
$4 = (time_t *) 0x558edf4d3494
(rr) print *timet
$5 = 0
(rr) print sizeof(*timet)
$6 = 8
(rr) print t
$7 = -3600
(rr) list poppler-date.cc:37,49
37 gboolean
38 poppler_date_parse (const gchar *date,
39 time_t *timet)
40 {
41 time_t t;
42 GooString dateString(date);
43 t = dateStringToTime(&dateString);
44 if (t == (time_t)-1)
45 return FALSE;
46
47 *timet = t;
48 return TRUE;
49 }
https://gitlab.freedesktop.org/poppler/poppler/-/issues/599
https://gitlab.freedesktop.org/poppler/poppler/-/commit/6f5327114c824791dda72dc415b047d445e46d9d
cd /home/benutzer/source/libpoppler-glib8
cp orig try1 -a
cd try1/poppler-0.71.0
dpkg-buildpackage
cd
cd /home/benutzer/source/libpoppler-glib8
cp orig try2 -a
cd try2/poppler-0.71.0
wget https://gitlab.freedesktop.org/poppler/poppler/-/commit/6f5327114c824791dda72dc415b047d445e46d9d.patch -O debian/patches/6f5327114c824791dda72dc415b047d445e46d9d.patch
echo 6f5327114c824791dda72dc415b047d445e46d9d.patch >> debian/patches/series
quilt push
quilt refresh
dpkg-buildpackage
cd