Bug#596806: evince: non-deterministic (but reproducible) memory corruption with a DVI file using multiple EPS images
Timo Juhani Lindfors
timo.lindfors at iki.fi
Tue Sep 14 09:39:12 UTC 2010
Package: evince
Version: 2.30.3-1
Severity: important
[ This is tagged important since memory corruption could potentially
be a security problem. Imho it is a huge risk to have a web browser by
default support DVI files by opening them in evince. Hardly anybody
distributes DVI files to others so this unnecessarily increases the
attack surface. ]
Steps to reproduce:
1) evince testcase1.dvi
Expected results:
1) evince does not crash
Actual results:
1) evince crashes:
** (evince:19960): WARNING **: Failed to create dbus proxy for org.gnome.SettingsDaemon: Could not get owner of name 'org.gnome.SettingsDaemon': no such name
** (evince:19960): WARNING **: Setting attribute metadata::evince::sidebar_visibility not supported
fatal internal error -100
** (evince:19960): WARNING **: Error rendering PS document /home/lindi/tmp/evince1/testcase1img.eps: render error
fatal internal error -100*** glibc detected *** evince: double free or corruption (out): 0x00007f2e181c8fc0 ***
======= Backtrace: =========
/lib/libc.so.6(+0x71b16)[0x7f2e25b83b16]
/lib/libc.so.6(cfree+0x6c)[0x7f2e25b8888c]
/usr/lib/libgs.so.8(+0x45b959)[0x7f2e17812959]
/usr/lib/libgs.so.8(gs_malloc_release+0x31)[0x7f2e17812a39]
/usr/lib/libgs.so.8(gsapi_delete_instance+0x88)[0x7f2e1751c58a]
/usr/lib/libspectre.so.1(spectre_gs_cleanup+0x4a)[0x7f2e1cd124aa]
/usr/lib/libspectre.so.1(spectre_gs_free+0x13)[0x7f2e1cd124c3]
/usr/lib/libspectre.so.1(spectre_device_render+0x36e)[0x7f2e1cd1332e]
/usr/lib/libspectre.so.1(spectre_page_render+0x7a)[0x7f2e1cd1396a]
/usr/lib/libspectre.so.1(spectre_document_render_full+0xa9)[0x7f2e1cd11fc9]
/usr/lib/evince/2/backends/libdvidocument.so(+0x9081)[0x7f2e1d147081]
/usr/lib/evince/2/backends/libdvidocument.so(+0x1713c)[0x7f2e1d15513c]
/usr/lib/evince/2/backends/libdvidocument.so(+0x16656)[0x7f2e1d154656]
/usr/lib/evince/2/backends/libdvidocument.so(+0xca2d)[0x7f2e1d14aa2d]
/usr/lib/evince/2/backends/libdvidocument.so(+0xddfe)[0x7f2e1d14bdfe]
/usr/lib/evince/2/backends/libdvidocument.so(+0x81e8)[0x7f2e1d1461e8]
/usr/lib/libevview.so.2(+0x18df3)[0x7f2e29d3bdf3]
/usr/lib/libevview.so.2(+0x19860)[0x7f2e29d3c860]
/lib/libglib-2.0.so.0(+0x676e4)[0x7f2e263736e4]
/lib/libpthread.so.0(+0x68ba)[0x7f2e2709e8ba]
/lib/libc.so.6(clone+0x6d)[0x7f2e25be101d]
======= Memory map: ========
More info:
1) Since this crash is non-deterministic I used
for i in $(seq 1 30); do
    # give evince 5 seconds to open the file, then kill it
    timeout 5s evince testcase1.dvi
    ret=$?
    echo ret $ret
    # 134 = 128 + SIGABRT (6): glibc's abort() after detecting heap corruption
    if [ "$ret" = "134" ]; then
        echo BROKEN
        exit 1
    fi
done
echo WORKING
to run evince multiple times until it crashes.
2) Sometimes evince also crashes with
evince: malloc.c:4471: _int_malloc: Assertion `(bck->bk->size & 0x4) == 0' failed.
or
fatal internal error -100Segmentation fault (core dumped)
or
GPL Ghostscript 8.71: Initialization file gs_init.ps does not begin with an integer.
fatal internal error -100
3) valgrind shows
==20127== Memcheck, a memory error detector
==20127== Copyright (C) 2002-2010, and GNU GPL'd, by Julian Seward et al.
==20127== Using Valgrind-3.6.0.SVN-Debian and LibVEX; rerun with -h for copyright info
==20127== Command: evince testcase1.dvi
==20127==
** (evince:20127): WARNING **: Failed to create dbus proxy for org.gnome.SettingsDaemon: Could not get owner of name 'org.gnome.SettingsDaemon': no such name
==20127== Conditional jump or move depends on uninitialised value(s)
==20127== at 0x8EAF290: inflateReset2 (in /usr/lib/libz.so.1.2.3.4)
==20127== by 0x8EAF37F: inflateInit2_ (in /usr/lib/libz.so.1.2.3.4)
==20127== by 0x8EA8C86: ??? (in /usr/lib/libz.so.1.2.3.4)
==20127== by 0x54EF635: ??? (in /usr/lib/libxml2.so.2.7.7)
==20127== by 0x54EF027: __xmlParserInputBufferCreateFilename (in /usr/lib/libxml2.so.2.7.7)
==20127== by 0x54C43FC: xmlNewInputFromFile (in /usr/lib/libxml2.so.2.7.7)
==20127== by 0x54C8785: xmlCreateURLParserCtxt (in /usr/lib/libxml2.so.2.7.7)
==20127== by 0x54DF4DD: xmlSAXParseFileWithData (in /usr/lib/libxml2.so.2.7.7)
==20127== by 0x43E3D7: ??? (in /usr/bin/evince)
==20127== by 0x42F90F: ??? (in /usr/bin/evince)
==20127== by 0x8147867: g_type_create_instance (in /usr/lib/libgobject-2.0.so.0.2400.1)
==20127== by 0x812B6DB: ??? (in /usr/lib/libgobject-2.0.so.0.2400.1)
==20127==
** (evince:20127): WARNING **: Setting attribute metadata::evince::sidebar_visibility not supported
==20127== Thread 3:
==20127== Invalid write of size 1
==20127== at 0x130BCF88: ??? (in /usr/lib/libt1.so.5.1.2)
==20127== by 0x130BA9F7: scan_token (in /usr/lib/libt1.so.5.1.2)
==20127== by 0x13463105: swproc (imainarg.c:597)
==20127== by 0x13461F02: gs_main_init_with_args (imainarg.c:200)
==20127== by 0x134656B4: gsapi_init_with_args (iapi.c:167)
==20127== by 0x12E905FB: spectre_gs_run (in /usr/lib/libspectre.so.1.1.6)
==20127== by 0x12E912BE: spectre_device_render (in /usr/lib/libspectre.so.1.1.6)
==20127== by 0x12E91969: spectre_page_render (in /usr/lib/libspectre.so.1.1.6)
==20127== by 0x12E8FFC8: spectre_document_render_full (in /usr/lib/libspectre.so.1.1.6)
==20127== by 0x12A54080: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127== by 0x12A6213B: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127== by 0x12A61655: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127== Address 0x17797608 is 37,032 bytes inside a block of size 262,140 free'd
==20127== at 0x4C245E2: realloc (vg_replace_malloc.c:525)
==20127== by 0x130CCA05: T1_LoadFont (in /usr/lib/libt1.so.5.1.2)
==20127== by 0x12A62A85: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127== by 0x12A5B289: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127== by 0x12A599E8: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127== by 0x12A58DFD: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127== by 0x12A531E7: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127== by 0x526ADF2: ??? (in /usr/lib/libevview.so.2.0.0)
==20127== by 0x526B85F: ??? (in /usr/lib/libevview.so.2.0.0)
==20127== by 0x8C306E3: ??? (in /lib/libglib-2.0.so.0.2400.1)
==20127== by 0x7F038B9: start_thread (pthread_create.c:300)
==20127== by 0x940D01C: clone (clone.S:112)
==20127==
==20127== Invalid write of size 1
==20127== at 0x130BCFD2: ??? (in /usr/lib/libt1.so.5.1.2)
==20127== by 0x130BA9F7: scan_token (in /usr/lib/libt1.so.5.1.2)
==20127== by 0x13463105: swproc (imainarg.c:597)
==20127== by 0x13461F02: gs_main_init_with_args (imainarg.c:200)
==20127== by 0x134656B4: gsapi_init_with_args (iapi.c:167)
==20127== by 0x12E905FB: spectre_gs_run (in /usr/lib/libspectre.so.1.1.6)
==20127== by 0x12E912BE: spectre_device_render (in /usr/lib/libspectre.so.1.1.6)
==20127== by 0x12E91969: spectre_page_render (in /usr/lib/libspectre.so.1.1.6)
==20127== by 0x12E8FFC8: spectre_document_render_full (in /usr/lib/libspectre.so.1.1.6)
==20127== by 0x12A54080: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127== by 0x12A6213B: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127== by 0x12A61655: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127== Address 0x17797609 is 37,033 bytes inside a block of size 262,140 free'd
==20127== at 0x4C245E2: realloc (vg_replace_malloc.c:525)
==20127== by 0x130CCA05: T1_LoadFont (in /usr/lib/libt1.so.5.1.2)
==20127== by 0x12A62A85: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127== by 0x12A5B289: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127== by 0x12A599E8: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127== by 0x12A58DFD: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127== by 0x12A531E7: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127== by 0x526ADF2: ??? (in /usr/lib/libevview.so.2.0.0)
==20127== by 0x526B85F: ??? (in /usr/lib/libevview.so.2.0.0)
==20127== by 0x8C306E3: ??? (in /lib/libglib-2.0.so.0.2400.1)
==20127== by 0x7F038B9: start_thread (pthread_create.c:300)
==20127== by 0x940D01C: clone (clone.S:112)
==20127==
==20127== Invalid write of size 1
==20127== at 0x130BD026: ??? (in /usr/lib/libt1.so.5.1.2)
==20127== by 0x130BA9F7: scan_token (in /usr/lib/libt1.so.5.1.2)
==20127== by 0x13463105: swproc (imainarg.c:597)
==20127== by 0x13461F02: gs_main_init_with_args (imainarg.c:200)
==20127== by 0x134656B4: gsapi_init_with_args (iapi.c:167)
==20127== by 0x12E905FB: spectre_gs_run (in /usr/lib/libspectre.so.1.1.6)
==20127== by 0x12E912BE: spectre_device_render (in /usr/lib/libspectre.so.1.1.6)
==20127== by 0x12E91969: spectre_page_render (in /usr/lib/libspectre.so.1.1.6)
==20127== by 0x12E8FFC8: spectre_document_render_full (in /usr/lib/libspectre.so.1.1.6)
==20127== by 0x12A54080: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127== by 0x12A6213B: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127== by 0x12A61655: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127== Address 0x1779760a is 37,034 bytes inside a block of size 262,140 free'd
==20127== at 0x4C245E2: realloc (vg_replace_malloc.c:525)
==20127== by 0x130CCA05: T1_LoadFont (in /usr/lib/libt1.so.5.1.2)
==20127== by 0x12A62A85: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127== by 0x12A5B289: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127== by 0x12A599E8: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127== by 0x12A58DFD: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127== by 0x12A531E7: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127== by 0x526ADF2: ??? (in /usr/lib/libevview.so.2.0.0)
==20127== by 0x526B85F: ??? (in /usr/lib/libevview.so.2.0.0)
==20127== by 0x8C306E3: ??? (in /lib/libglib-2.0.so.0.2400.1)
==20127== by 0x7F038B9: start_thread (pthread_create.c:300)
==20127== by 0x940D01C: clone (clone.S:112)
==20127==
==20127== Invalid write of size 1
==20127== at 0x130BD068: ??? (in /usr/lib/libt1.so.5.1.2)
==20127== by 0x130BA9F7: scan_token (in /usr/lib/libt1.so.5.1.2)
==20127== by 0x13463105: swproc (imainarg.c:597)
==20127== by 0x13461F02: gs_main_init_with_args (imainarg.c:200)
==20127== by 0x134656B4: gsapi_init_with_args (iapi.c:167)
==20127== by 0x12E905FB: spectre_gs_run (in /usr/lib/libspectre.so.1.1.6)
==20127== by 0x12E912BE: spectre_device_render (in /usr/lib/libspectre.so.1.1.6)
==20127== by 0x12E91969: spectre_page_render (in /usr/lib/libspectre.so.1.1.6)
==20127== by 0x12E8FFC8: spectre_document_render_full (in /usr/lib/libspectre.so.1.1.6)
==20127== by 0x12A54080: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127== by 0x12A6213B: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127== by 0x12A61655: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127== Address 0x1779760b is 37,035 bytes inside a block of size 262,140 free'd
==20127== at 0x4C245E2: realloc (vg_replace_malloc.c:525)
==20127== by 0x130CCA05: T1_LoadFont (in /usr/lib/libt1.so.5.1.2)
==20127== by 0x12A62A85: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127== by 0x12A5B289: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127== by 0x12A599E8: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127== by 0x12A58DFD: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127== by 0x12A531E7: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127== by 0x526ADF2: ??? (in /usr/lib/libevview.so.2.0.0)
==20127== by 0x526B85F: ??? (in /usr/lib/libevview.so.2.0.0)
==20127== by 0x8C306E3: ??? (in /lib/libglib-2.0.so.0.2400.1)
==20127== by 0x7F038B9: start_thread (pthread_create.c:300)
==20127== by 0x940D01C: clone (clone.S:112)
==20127==
==20127== Invalid write of size 1
==20127== at 0x130BD0BC: ??? (in /usr/lib/libt1.so.5.1.2)
==20127== by 0x130BA9F7: scan_token (in /usr/lib/libt1.so.5.1.2)
==20127== by 0x13463105: swproc (imainarg.c:597)
==20127== by 0x13461F02: gs_main_init_with_args (imainarg.c:200)
==20127== by 0x134656B4: gsapi_init_with_args (iapi.c:167)
==20127== by 0x12E905FB: spectre_gs_run (in /usr/lib/libspectre.so.1.1.6)
==20127== by 0x12E912BE: spectre_device_render (in /usr/lib/libspectre.so.1.1.6)
==20127== by 0x12E91969: spectre_page_render (in /usr/lib/libspectre.so.1.1.6)
==20127== by 0x12E8FFC8: spectre_document_render_full (in /usr/lib/libspectre.so.1.1.6)
==20127== by 0x12A54080: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127== by 0x12A6213B: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127== by 0x12A61655: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127== Address 0x1779760c is 37,036 bytes inside a block of size 262,140 free'd
==20127== at 0x4C245E2: realloc (vg_replace_malloc.c:525)
==20127== by 0x130CCA05: T1_LoadFont (in /usr/lib/libt1.so.5.1.2)
==20127== by 0x12A62A85: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127== by 0x12A5B289: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127== by 0x12A599E8: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127== by 0x12A58DFD: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127== by 0x12A531E7: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127== by 0x526ADF2: ??? (in /usr/lib/libevview.so.2.0.0)
==20127== by 0x526B85F: ??? (in /usr/lib/libevview.so.2.0.0)
==20127== by 0x8C306E3: ??? (in /lib/libglib-2.0.so.0.2400.1)
==20127== by 0x7F038B9: start_thread (pthread_create.c:300)
==20127== by 0x940D01C: clone (clone.S:112)
==20127==
==20127== Invalid write of size 1
==20127== at 0x130BD0FE: ??? (in /usr/lib/libt1.so.5.1.2)
==20127== by 0x130BA9F7: scan_token (in /usr/lib/libt1.so.5.1.2)
==20127== by 0x13463105: swproc (imainarg.c:597)
==20127== by 0x13461F02: gs_main_init_with_args (imainarg.c:200)
==20127== by 0x134656B4: gsapi_init_with_args (iapi.c:167)
==20127== by 0x12E905FB: spectre_gs_run (in /usr/lib/libspectre.so.1.1.6)
==20127== by 0x12E912BE: spectre_device_render (in /usr/lib/libspectre.so.1.1.6)
==20127== by 0x12E91969: spectre_page_render (in /usr/lib/libspectre.so.1.1.6)
==20127== by 0x12E8FFC8: spectre_document_render_full (in /usr/lib/libspectre.so.1.1.6)
==20127== by 0x12A54080: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127== by 0x12A6213B: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127== by 0x12A61655: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127== Address 0x1779760d is 37,037 bytes inside a block of size 262,140 free'd
==20127== at 0x4C245E2: realloc (vg_replace_malloc.c:525)
==20127== by 0x130CCA05: T1_LoadFont (in /usr/lib/libt1.so.5.1.2)
==20127== by 0x12A62A85: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127== by 0x12A5B289: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127== by 0x12A599E8: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127== by 0x12A58DFD: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127== by 0x12A531E7: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127== by 0x526ADF2: ??? (in /usr/lib/libevview.so.2.0.0)
==20127== by 0x526B85F: ??? (in /usr/lib/libevview.so.2.0.0)
==20127== by 0x8C306E3: ??? (in /lib/libglib-2.0.so.0.2400.1)
==20127== by 0x7F038B9: start_thread (pthread_create.c:300)
==20127== by 0x940D01C: clone (clone.S:112)
==20127==
==20127== Invalid write of size 1
==20127== at 0x130BD152: ??? (in /usr/lib/libt1.so.5.1.2)
==20127== by 0x130BA9F7: scan_token (in /usr/lib/libt1.so.5.1.2)
==20127== by 0x13463105: swproc (imainarg.c:597)
==20127== by 0x13461F02: gs_main_init_with_args (imainarg.c:200)
==20127== by 0x134656B4: gsapi_init_with_args (iapi.c:167)
==20127== by 0x12E905FB: spectre_gs_run (in /usr/lib/libspectre.so.1.1.6)
==20127== by 0x12E912BE: spectre_device_render (in /usr/lib/libspectre.so.1.1.6)
==20127== by 0x12E91969: spectre_page_render (in /usr/lib/libspectre.so.1.1.6)
==20127== by 0x12E8FFC8: spectre_document_render_full (in /usr/lib/libspectre.so.1.1.6)
==20127== by 0x12A54080: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127== by 0x12A6213B: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127== by 0x12A61655: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127== Address 0x1779760e is 37,038 bytes inside a block of size 262,140 free'd
==20127== at 0x4C245E2: realloc (vg_replace_malloc.c:525)
==20127== by 0x130CCA05: T1_LoadFont (in /usr/lib/libt1.so.5.1.2)
==20127== by 0x12A62A85: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127== by 0x12A5B289: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127== by 0x12A599E8: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127== by 0x12A58DFD: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127== by 0x12A531E7: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127== by 0x526ADF2: ??? (in /usr/lib/libevview.so.2.0.0)
==20127== by 0x526B85F: ??? (in /usr/lib/libevview.so.2.0.0)
==20127== by 0x8C306E3: ??? (in /lib/libglib-2.0.so.0.2400.1)
==20127== by 0x7F038B9: start_thread (pthread_create.c:300)
==20127== by 0x940D01C: clone (clone.S:112)
==20127==
==20127== Invalid write of size 1
==20127== at 0x130BD17C: ??? (in /usr/lib/libt1.so.5.1.2)
==20127== by 0x130BA9F7: scan_token (in /usr/lib/libt1.so.5.1.2)
==20127== by 0x13463105: swproc (imainarg.c:597)
==20127== by 0x13461F02: gs_main_init_with_args (imainarg.c:200)
==20127== by 0x134656B4: gsapi_init_with_args (iapi.c:167)
==20127== by 0x12E905FB: spectre_gs_run (in /usr/lib/libspectre.so.1.1.6)
==20127== by 0x12E912BE: spectre_device_render (in /usr/lib/libspectre.so.1.1.6)
==20127== by 0x12E91969: spectre_page_render (in /usr/lib/libspectre.so.1.1.6)
==20127== by 0x12E8FFC8: spectre_document_render_full (in /usr/lib/libspectre.so.1.1.6)
==20127== by 0x12A54080: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127== by 0x12A6213B: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127== by 0x12A61655: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127== Address 0x1779760f is 37,039 bytes inside a block of size 262,140 free'd
==20127== at 0x4C245E2: realloc (vg_replace_malloc.c:525)
==20127== by 0x130CCA05: T1_LoadFont (in /usr/lib/libt1.so.5.1.2)
==20127== by 0x12A62A85: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127== by 0x12A5B289: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127== by 0x12A599E8: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127== by 0x12A58DFD: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127== by 0x12A531E7: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127== by 0x526ADF2: ??? (in /usr/lib/libevview.so.2.0.0)
==20127== by 0x526B85F: ??? (in /usr/lib/libevview.so.2.0.0)
==20127== by 0x8C306E3: ??? (in /lib/libglib-2.0.so.0.2400.1)
==20127== by 0x7F038B9: start_thread (pthread_create.c:300)
==20127== by 0x940D01C: clone (clone.S:112)
==20127==
fatal internal error -100==20127== Conditional jump or move depends on uninitialised value(s)
==20127== at 0x1346C684: interp (interp.c:953)
==20127== by 0x1346BA8B: gs_call_interp (interp.c:508)
==20127== by 0x1346B8BE: gs_interpret (interp.c:466)
==20127== by 0x1346023C: gs_main_interpret (imain.c:214)
==20127== by 0x13460D0D: gs_main_run_string_begin (imain.c:500)
==20127== by 0x13460C3C: gs_main_run_string_with_length (imain.c:476)
==20127== by 0x13460BFD: gs_main_run_string (imain.c:466)
==20127== by 0x13461568: gs_main_finit (imain.c:765)
==20127== by 0x1346187E: gs_to_exit_with_code (imain.c:829)
==20127== by 0x134618A5: gs_to_exit (imain.c:834)
==20127== by 0x134659A6: gsapi_exit (iapi.c:262)
==20127== by 0x12E90498: spectre_gs_cleanup (in /usr/lib/libspectre.so.1.1.6)
==20127==
==20127== Use of uninitialised value of size 8
==20127== at 0x1346C69B: interp (interp.c:953)
==20127== by 0x1346BA8B: gs_call_interp (interp.c:508)
==20127== by 0x1346B8BE: gs_interpret (interp.c:466)
==20127== by 0x1346023C: gs_main_interpret (imain.c:214)
==20127== by 0x13460D0D: gs_main_run_string_begin (imain.c:500)
==20127== by 0x13460C3C: gs_main_run_string_with_length (imain.c:476)
==20127== by 0x13460BFD: gs_main_run_string (imain.c:466)
==20127== by 0x13461568: gs_main_finit (imain.c:765)
==20127== by 0x1346187E: gs_to_exit_with_code (imain.c:829)
==20127== by 0x134618A5: gs_to_exit (imain.c:834)
==20127== by 0x134659A6: gsapi_exit (iapi.c:262)
==20127== by 0x12E90498: spectre_gs_cleanup (in /usr/lib/libspectre.so.1.1.6)
==20127==
==20127== Conditional jump or move depends on uninitialised value(s)
==20127== at 0x1346E6E3: interp (interp.c:1721)
==20127== by 0x1346BA8B: gs_call_interp (interp.c:508)
==20127== by 0x1346B8BE: gs_interpret (interp.c:466)
==20127== by 0x1346023C: gs_main_interpret (imain.c:214)
==20127== by 0x13460D0D: gs_main_run_string_begin (imain.c:500)
==20127== by 0x13460C3C: gs_main_run_string_with_length (imain.c:476)
==20127== by 0x13460BFD: gs_main_run_string (imain.c:466)
==20127== by 0x13461568: gs_main_finit (imain.c:765)
==20127== by 0x1346187E: gs_to_exit_with_code (imain.c:829)
==20127== by 0x134618A5: gs_to_exit (imain.c:834)
==20127== by 0x134659A6: gsapi_exit (iapi.c:262)
==20127== by 0x12E90498: spectre_gs_cleanup (in /usr/lib/libspectre.so.1.1.6)
==20127==
** (evince:20127): WARNING **: Error rendering PS document /home/lindi/tmp/evince1/testcase1img.eps: render error
fatal internal error -100
** (evince:20127): WARNING **: Error rendering PS document /home/lindi/tmp/evince1/testcase1img.eps: render error
==20127==
==20127== HEAP SUMMARY:
==20127== in use at exit: 2,943,870 bytes in 51,332 blocks
==20127== total heap usage: 145,721 allocs, 94,389 frees, 28,119,601 bytes allocated
==20127==
==20127== LEAK SUMMARY:
==20127== definitely lost: 79,580 bytes in 563 blocks
==20127== indirectly lost: 59,984 bytes in 2,548 blocks
==20127== possibly lost: 2,054,918 bytes in 42,521 blocks
==20127== still reachable: 749,388 bytes in 5,700 blocks
==20127== suppressed: 0 bytes in 0 blocks
==20127== Rerun with --leak-check=full to see details of leaked memory
==20127==
==20127== For counts of detected and suppressed errors, rerun with: -v
==20127== Use --track-origins=yes to see where uninitialised values come from
==20127== ERROR SUMMARY: 30 errors from 12 contexts (suppressed: 109 from 8)
4) This does not seem to occur under gdb.
5) evince does not seem to produce a core file even when it prints
"core dumped" (ulimit -c shows unlimited and a simple C program with
assert(0) does however produce a core file).
6) dmesg shows
evince[7358]: segfault at 7f45894868f4 ip 00007f4558ae45ec sp 00007f455a386090 error 6 in libgs.so.8.71[7f4558689000+595000]
evince[8098]: segfault at e80 ip 00007f38c19ef2d8 sp 00007f38c357d810 error 4 in libgs.so.8.71[7f38c1881000+595000]
evince[8304]: segfault at e80 ip 00007f70eb5252d8 sp 00007f70f19ed810 error 4 in libgs.so.8.71[7f70eb3b7000+595000]
evince[8824]: segfault at e80 ip 00007f369a04f2d8 sp 00007f369bbdd810 error 4 in libgs.so.8.71[7f3699ee1000+595000]
evince[9843]: segfault at 7fc248493338 ip 00007fc257d3de2e sp 00007fff71994210 error 6 in libc-2.11.2.so[7fc257cc9000+158000]
evince[9853]: segfault at 894868ec ip 00007fb727812666 sp 00007fb72d2db7d0 error 4 in libgs.so.8.71[7fb7273b7000+595000]
evince[9855]: segfault at 7f862849c3a8 ip 00007f8635406e2e sp 00007fff541e95c0 error 6 in libc-2.11.2.so[7f8635392000+158000]
evince[9867]: segfault at 7f1f2c4929d8 ip 00007f1f388cbe2e sp 00007fff6ac39590 error 6 in libc-2.11.2.so[7f1f38857000+158000]
evince[10440]: segfault at 7fb51c214cd8 ip 00007fb528efae2e sp 00007fb520ed9ba0 error 6 in libc-2.11.2.so[7fb528e86000+158000]
evince[10531]: segfault at 7f7195657480 ip 00007f7119774f42 sp 00007fff2dbe2080 error 4 in libc-2.11.2.so[7f7119702000+158000]
evince[10553]: segfault at 7f7024215208 ip 00007f7032c19e2e sp 00007f702abf8ba0 error 6 in libc-2.11.2.so[7f7032ba5000+158000]
evince[10698]: segfault at 7ffa40211178 ip 00007ffa4ffe6e2e sp 00007ffa47fc5ba0 error 6 in libc-2.11.2.so[7ffa4ff72000+158000]
evince[10972]: segfault at 7f2ba5652c10 ip 00007f2b29185f42 sp 00007f2b21166010 error 4 in libc-2.11.2.so[7f2b29113000+158000]
evince[11001]: segfault at 7f94482562c8 ip 00007f9457ce3e2e sp 00007fff076c2610 error 6 in libc-2.11.2.so[7f9457c6f000+158000]
evince[12623] general protection ip:7f3011d039e2 sp:7f3009ce2960 error:0 in libc-2.11.2.so[7f3011c8f000+158000]
evince[12643]: segfault at 7f55b197c0e0 ip 00007f5537825f42 sp 00007f552f8067f0 error 4 in libc-2.11.2.so[7f55377b3000+158000]
evince[12772]: segfault at 7f7fbd65b4d0 ip 00007f7f43eaef42 sp 00007fffdbe33980 error 4 in libc-2.11.2.so[7f7f43e3c000+158000]
evince[12792]: segfault at 7f25ed975eb0 ip 00007f2573758f42 sp 00007f256b7397f0 error 4 in libc-2.11.2.so[7f25736e6000+158000]
evince[17538]: segfault at 7fedf5651630 ip 00007fed78f24f42 sp 00007fff74d41640 error 4 in libc-2.11.2.so[7fed78eb2000+158000]
evince[17560]: segfault at 110018 ip 00007fa84f63ad8d sp 00007fa84761cb50 error 4 in libc-2.11.2.so[7fa84f5c9000+158000]
evince[18051]: segfault at 7f5470214198 ip 00007f547d7c8e2e sp 00007f54757a7ba0 error 6 in libc-2.11.2.so[7f547d754000+158000]
evince[18071]: segfault at 7f900421a998 ip 00007f9010a19e2e sp 00007f90089f8ba0 error 6 in libc-2.11.2.so[7f90109a5000+158000]
evince[18089]: segfault at 7f1f9d97c930 ip 00007f1f23ef1f42 sp 00007f1f1bed2010 error 4 in libc-2.11.2.so[7f1f23e7f000+158000]
evince[18104]: segfault at 7f29c197f9c0 ip 00007f29487a2f42 sp 00007f2940783c80 error 4 in libc-2.11.2.so[7f2948730000+158000]
evince[18238]: segfault at 7ffd6c215198 ip 00007ffd7891be2e sp 00007ffd708faba0 error 6 in libc-2.11.2.so[7ffd788a7000+158000]
evince[19119]: segfault at 7f2dc9669150 ip 00007f2d4e76af42 sp 00007f2d4674b7f0 error 4 in libc-2.11.2.so[7f2d4e6f8000+158000]
evince[19884]: segfault at 7f579d657a50 ip 00007f5721b9ff42 sp 00007f5719b807f0 error 4 in libc-2.11.2.so[7f5721b2d000+158000]
evince[19917]: segfault at e80 ip 00007fbcf75252d8 sp 00007fbcfd30d810 error 4 in libgs.so.8.71[7fbcf73b7000+595000]
evince[19946]: segfault at 7fe51020f688 ip 00007fe51e1bfe2e sp 00007fe51619eba0 error 6 in libc-2.11.2.so[7fe51e14b000+158000]
evince[20442]: segfault at 7f53cd653930 ip 00007f5352a0cf42 sp 00007f534a9ed7f0 error 4 in libc-2.11.2.so[7f535299a000+158000]
evince[20894]: segfault at 7fdb402176c8 ip 00007fdb4d069e2e sp 00007fdb45048ba0 error 6 in libc-2.11.2.so[7fdb4cff5000+158000]
evince[21005]: segfault at 7fd605980fd0 ip 00007fd589504f42 sp 00007fd5814e59d0 error 4 in libc-2.11.2.so[7fd589492000+158000]
-- System Information:
Debian Release: squeeze/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=fi_FI (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash
Versions of packages evince depends on:
ii evince-common 2.30.3-1 Document (postscript, pdf) viewer
ii gconf2 2.28.1-3 GNOME configuration database syste
ii gnome-icon-theme 2.30.3-1 GNOME Desktop icon theme
ii libatk1.0-0 1.30.0-1 The ATK accessibility toolkit
ii libc6 2.11.2-2 Embedded GNU C Library: Shared lib
ii libcairo2 1.8.10-5 The Cairo 2D vector graphics libra
ii libdbus-1-3 1.2.24-3 simple interprocess messaging syst
ii libdbus-glib-1-2 0.88-2 simple interprocess messaging syst
ii libevince2 2.30.3-1 Document (postscript, pdf) renderi
ii libfontconfig1 2.8.0-2.1 generic font configuration library
ii libfreetype6 2.4.2-1 FreeType 2 font engine, shared lib
ii libgconf2-4 2.28.1-3 GNOME configuration database syste
ii libglib2.0-0 2.24.1-1 The GLib library of C routines
ii libgnome-keyring0 2.30.1-1 GNOME keyring services library
ii libgtk2.0-0 2.20.1-1+b1 The GTK+ graphical user interface
ii libice6 2:1.0.6-1 X11 Inter-Client Exchange library
ii libnautilus-extension1 2.30.1-1 libraries for nautilus components
ii libpango1.0-0 1.28.1-1 Layout and rendering of internatio
ii libsm6 2:1.1.1-1 X11 Session Management library
ii libx11-6 2:1.3.3-3 X11 client-side library
ii libxml2 2.7.7.dfsg-4 GNOME XML library
ii shared-mime-info 0.71-3 FreeDesktop.org shared MIME databa
ii zlib1g 1:1.2.3.4.dfsg-3 compression library - runtime
Versions of packages evince recommends:
ii dbus-x11 1.2.24-3 simple interprocess messaging syst
ii gvfs 1.6.3-1 userspace virtual filesystem - ser
Versions of packages evince suggests:
ii nautilus 2.30.1-1 file manager and graphical shell f
pn poppler-data <none> (no description available)
pn unrar <none> (no description available)
-- no debconf information
-------------- next part --------------
A non-text attachment was scrubbed...
Name: testcase1.dvi
Type: application/x-dvi
Size: 7068 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-gnome-maintainers/attachments/20100914/4647188c/attachment-0001.dvi>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: testcase1img.eps
Type: application/postscript
Size: 345714 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-gnome-maintainers/attachments/20100914/4647188c/attachment-0001.eps>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: testcase1.tex
Type: text/x-tex
Size: 4356 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-gnome-maintainers/attachments/20100914/4647188c/attachment-0001.tex>
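An added example (not part of the bug report) that generalises the reporter's loop in item 1 of "More info": every run is classified by its exit status so aborts, segfaults and timeouts are counted separately, each run's stderr is kept, and the core-dump settings relevant to item 5 are printed. VIEWER, TESTFILE, RUNS, LIMIT and LOGDIR are placeholder variables; the viewer command, the test file and coreutils timeout(1) are assumed to exist on the host.

```shell
#!/bin/sh
# Crash-repro harness for a non-deterministic crash (added example, not from
# the bug report). Assumptions: coreutils timeout(1) is installed; VIEWER and
# TESTFILE are placeholders for the program and input under test.

VIEWER="${VIEWER:-evince}"
TESTFILE="${TESTFILE:-testcase1.dvi}"
RUNS="${RUNS:-30}"
LIMIT="${LIMIT:-5s}"
LOGDIR="${LOGDIR:-./crashlogs}"

# Map an exit status to a label. A process killed by signal N exits with
# 128+N, so 134 = SIGABRT (abort() from glibc's "double free or corruption"
# check or a failed assert), 139 = SIGSEGV, 136 = SIGFPE, 133 = SIGTRAP.
# timeout(1) returns 124 when the limit expires, which is the expected
# outcome here: the viewer opened the file and was still running.
classify_exit() {
    case "$1" in
        0)   echo "clean-exit" ;;
        124) echo "timeout-no-crash" ;;
        134) echo "SIGABRT" ;;
        139) echo "SIGSEGV" ;;
        136) echo "SIGFPE" ;;
        133) echo "SIGTRAP" ;;
        *)
            if [ "$1" -gt 128 ]; then
                echo "signal-$(( $1 - 128 ))"
            else
                echo "exit-$1"
            fi
            ;;
    esac
}

# A run counts as a crash when the process died from a signal (status > 128),
# not when timeout(1) stopped it or it exited normally.
is_crash() {
    case "$(classify_exit "$1")" in
        SIG*|signal-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Explain "core dumped" without a core file: the size limit must be non-zero,
# and a core_pattern starting with '|' hands the dump to a helper process
# instead of writing a file into the working directory.
core_dump_setup() {
    echo "ulimit -c: $(ulimit -c)"
    if [ -r /proc/sys/kernel/core_pattern ]; then
        echo "core_pattern: $(cat /proc/sys/kernel/core_pattern)"
    fi
}

# Run the viewer RUNS times, keep each run's stderr (the glibc and
# ghostscript diagnostics land there) and tally the crash classes.
run_harness() {
    mkdir -p "$LOGDIR"
    i=1
    crashes=0
    while [ "$i" -le "$RUNS" ]; do
        timeout "$LIMIT" "$VIEWER" "$TESTFILE" >/dev/null 2>"$LOGDIR/run-$i.stderr"
        ret=$?
        echo "run $i: exit $ret ($(classify_exit "$ret"))"
        if is_crash "$ret"; then
            crashes=$(( crashes + 1 ))
        fi
        i=$(( i + 1 ))
    done
    echo "$crashes crash(es) in $RUNS runs; stderr logs in $LOGDIR"
    [ "$crashes" -eq 0 ]
}

# Only launch the viewer when explicitly asked, so the file can also be
# sourced for its helper functions.
if [ -n "${RUN_HARNESS:-}" ]; then
    core_dump_setup
    run_harness
fi
```

Invoke it as `RUN_HARNESS=1 sh harness.sh`; the exit status is non-zero when any run crashed, and the per-run stderr files show which glibc or ghostscript message preceded each crash.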