Bug#596806: evince: non-deterministic (but reproducible) memory corruption with a DVI file using multiple EPS images

Timo Juhani Lindfors timo.lindfors at iki.fi
Tue Sep 14 09:39:12 UTC 2010


Package: evince
Version: 2.30.3-1
Severity: important

[ This is tagged important since memory corruption could potentially
be a security problem. Imho it is a huge risk to have a web browser by
default support DVI files by opening them in evince. Hardly anybody
distributes DVI files to others, so this unnecessarily increases the
attack surface. ]

Steps to reproduce:
1) evince testcase1.dvi

Expected results:
1) evince does not crash

Actual results:
1) evince crashes:

** (evince:19960): WARNING **: Failed to create dbus proxy for org.gnome.SettingsDaemon: Could not get owner of name 'org.gnome.SettingsDaemon': no such name

** (evince:19960): WARNING **: Setting attribute metadata::evince::sidebar_visibility not supported
fatal internal error -100
** (evince:19960): WARNING **: Error rendering PS document /home/lindi/tmp/evince1/testcase1img.eps: render error

fatal internal error -100*** glibc detected *** evince: double free or corruption (out): 0x00007f2e181c8fc0 ***
======= Backtrace: =========
/lib/libc.so.6(+0x71b16)[0x7f2e25b83b16]
/lib/libc.so.6(cfree+0x6c)[0x7f2e25b8888c]
/usr/lib/libgs.so.8(+0x45b959)[0x7f2e17812959]
/usr/lib/libgs.so.8(gs_malloc_release+0x31)[0x7f2e17812a39]
/usr/lib/libgs.so.8(gsapi_delete_instance+0x88)[0x7f2e1751c58a]
/usr/lib/libspectre.so.1(spectre_gs_cleanup+0x4a)[0x7f2e1cd124aa]
/usr/lib/libspectre.so.1(spectre_gs_free+0x13)[0x7f2e1cd124c3]
/usr/lib/libspectre.so.1(spectre_device_render+0x36e)[0x7f2e1cd1332e]
/usr/lib/libspectre.so.1(spectre_page_render+0x7a)[0x7f2e1cd1396a]
/usr/lib/libspectre.so.1(spectre_document_render_full+0xa9)[0x7f2e1cd11fc9]
/usr/lib/evince/2/backends/libdvidocument.so(+0x9081)[0x7f2e1d147081]
/usr/lib/evince/2/backends/libdvidocument.so(+0x1713c)[0x7f2e1d15513c]
/usr/lib/evince/2/backends/libdvidocument.so(+0x16656)[0x7f2e1d154656]
/usr/lib/evince/2/backends/libdvidocument.so(+0xca2d)[0x7f2e1d14aa2d]
/usr/lib/evince/2/backends/libdvidocument.so(+0xddfe)[0x7f2e1d14bdfe]
/usr/lib/evince/2/backends/libdvidocument.so(+0x81e8)[0x7f2e1d1461e8]
/usr/lib/libevview.so.2(+0x18df3)[0x7f2e29d3bdf3]
/usr/lib/libevview.so.2(+0x19860)[0x7f2e29d3c860]
/lib/libglib-2.0.so.0(+0x676e4)[0x7f2e263736e4]
/lib/libpthread.so.0(+0x68ba)[0x7f2e2709e8ba]
/lib/libc.so.6(clone+0x6d)[0x7f2e25be101d]
======= Memory map: ========
00400000-0045b000 r-xp 00000000 ca:00 689801                             /usr/bin/evince
0065a000-0065e000 rw-p 0005a000 ca:00 689801                             /usr/bin/evince
01ad7000-0221c000 rw-p 00000000 00:00 0                                  [heap]
7f2e14aee000-7f2e14b4c000 r-xp 00000000 ca:00 909713                     /usr/lib/libXt.so.6.0.0
7f2e14b4c000-7f2e14d4b000 ---p 0005e000 ca:00 909713                     /usr/lib/libXt.so.6.0.0
7f2e14d4b000-7f2e14d51000 rw-p 0005d000 ca:00 909713                     /usr/lib/libXt.so.6.0.0
7f2e14d51000-7f2e14d52000 rw-p 00000000 00:00 0 
7f2e14d52000-7f2e14d68000 r-xp 00000000 ca:00 1245769                    /usr/lib/ghostscript/8.71/X11.so
7f2e14d68000-7f2e14f68000 ---p 00016000 ca:00 1245769                    /usr/lib/ghostscript/8.71/X11.so
7f2e14f68000-7f2e14f6f000 rw-p 00016000 ca:00 1245769                    /usr/lib/ghostscript/8.71/X11.so
7f2e14f6f000-7f2e14ff0000 r--p 00000000 ca:00 1010331                    /usr/share/fonts/truetype/ttf-dejavu/DejaVuSans-Oblique.ttf
7f2e14ff0000-7f2e15006000 r-xp 00000000 ca:00 868370                     /lib/libgcc_s.so.1
7f2e15006000-7f2e15205000 ---p 00016000 ca:00 868370                     /lib/libgcc_s.so.1
7f2e15205000-7f2e15206000 rw-p 00015000 ca:00 868370                     /lib/libgcc_s.so.1
7f2e15206000-7f2e15216000 r-xp 00000000 ca:00 910862                     /usr/lib/libtasn1.so.3.1.9
7f2e15216000-7f2e15415000 ---p 00010000 ca:00 910862                     /usr/lib/libtasn1.so.3.1.9
7f2e15415000-7f2e15416000 rw-p 0000f000 ca:00 910862                     /usr/lib/libtasn1.so.3.1.9
7f2e15416000-7f2e15418000 r-xp 00000000 ca:00 868638                     /lib/libkeyutils.so.1.3
7f2e15418000-7f2e15617000 ---p 00002000 ca:00 868638                     /lib/libkeyutils.so.1.3
7f2e15617000-7f2e15618000 rw-p 00001000 ca:00 868638                     /lib/libkeyutils.so.1.3
7f2e15618000-7f2e1561f000 r-xp 00000000 ca:00 1418501                    /usr/lib/libkrb5support.so.0.1
7f2e1561f000-7f2e1581f000 ---p 00007000 ca:00 1418501                    /usr/lib/libkrb5support.so.0.1
7f2e1581f000-7f2e15820000 rw-p 00007000 ca:00 1418501                    /usr/lib/libkrb5support.so.0.1
7f2e15820000-7f2e15823000 r-xp 00000000 ca:00 871254                     /lib/libcom_err.so.2.1
7f2e15823000-7f2e15a22000 ---p 00003000 ca:00 871254                     /lib/libcom_err.so.2.1
7f2e15a22000-7f2e15a23000 rw-p 00002000 ca:00 871254                     /lib/libcom_err.so.2.1
7f2e15a23000-7f2e15a48000 r-xp 00000000 ca:00 1418489                    /usr/lib/libk5crypto.so.3.1
7f2e15a48000-7f2e15c47000 ---p 00025000 ca:00 1418489                    /usr/lib/libk5crypto.so.3.1
7f2e15c47000-7f2e15c49000 rw-p 00024000 ca:00 1418489                    /usr/lib/libk5crypto.so.3.1
7f2e15c49000-7f2e15d07000 r-xp 00000000 ca:00 1418497                    /usr/lib/libkrb5.so.3.3
7f2e15d07000-7f2e15f06000 ---p 000be000 ca:00 1418497                    /usr/lib/libkrb5.so.3.3
7f2e15f06000-7f2e15f11000 rw-p 000bd000 ca:00 1418497                    /usr/lib/libkrb5.so.3.3
7f2e15f11000-7f2e15f21000 r-xp 00000000 ca:00 689049                     /usr/lib/libavahi-client.so.3.2.7
7f2e15f21000-7f2e16120000 ---p 00010000 ca:00 689049                     /usr/lib/libavahi-client.so.3.2.7
7f2e16120000-7f2e16121000 rw-p 0000f000 ca:00 689049                     /usr/lib/libavahi-client.so.3.2.7
7f2e16121000-7f2e1612d000 r-xp 00000000 ca:00 688963                     /usr/lib/libavahi-common.so.3.5.2
7f2e1612d000-7f2e1632c000 ---p 0000c000 ca:00 688963                     /usr/lib/libavahi-common.so.3.5.2
7f2e1632c000-7f2e1632d000 rw-p 0000b000 ca:00 688963                     /usr/lib/libavahi-common.so.3.5.2
7f2e1632d000-7f2e16423000 r-xp 00000000 ca:00 689330                     /usr/lib/libstdc++.so.6.0.13
7f2e16423000-7f2e16623000 ---p 000f6000 ca:00 689330                     /usr/lib/libstdc++.so.6.0.13
7f2e16623000-7f2e1662a000 r--p 000f6000 ca:00 689330                     /usr/lib/libstdc++.so.6.0.13
7f2e1662a000-7f2e1662c000 rw-p 000fd000 ca:00 689330                     /usr/lib/libstdc++.so.6.0.13
7f2e1662c000-7f2e16641000 rw-p 00000000 00:00 0 
7f2e16641000-7f2e16643000 r-xp 00000000 ca:00 910658                     /usr/lib/libpaper.so.1.1.2
7f2e16643000-7f2e16843000 ---p 00002000 ca:00 910658                     /usr/lib/libpaper.so.1.1.2
7f2e16843000-7f2e16844000 rw-p 00002000 ca:00 910658                     /usr/lib/libpaper.so.1.1.2
7f2e16844000-7f2e16857000 r-xp 00000000 ca:00 910315                     /usr/lib/libjbig2dec.so.0.0.0
7f2e16857000-7f2e16a56000 ---p 00013000 ca:00 910315                     /usr/lib/libjbig2dec.so.0.0.0
7f2e16a56000-7f2e16a57000 rw-p 00012000 ca:00 910315                     /usr/lib/libjbig2dec.so.0.0.0
7f2e16a57000-7f2e16a5f000 r-xp 00000000 ca:00 491539                     /lib/libcrypt-2.11.2.so
7f2e16a5f000-7f2e16c5e000 ---p 00008000 ca:00 491539                     /lib/libcrypt-2.11.2.so
7f2e16c5e000-7f2e16c5f000 r--p 00007000 ca:00 491539                     /lib/libcrypt-2.11.2.so

More info:
1) Since this crash is non-deterministic, I used

#!/bin/sh
# Run evince up to 30 times, 5 seconds each. Exit status 134 is
# 128 + SIGABRT (6), i.e. glibc's abort() on the detected heap corruption.
# A run that timeout(1) has to kill exits 124 and counts as working here.
for i in $(seq 1 30); do
    timeout 5s evince testcase1.dvi
    ret=$?
    echo "ret $ret"
    if [ "$ret" = "134" ]; then
        echo BROKEN
        exit 1
    fi
done
echo WORKING

to run evince multiple times until it crashes.

2) Sometimes evince also crashes with

evince: malloc.c:4471: _int_malloc: Assertion `(bck->bk->size & 0x4) == 0' failed.

or

fatal internal error -100Segmentation fault (core dumped)

or

GPL Ghostscript 8.71: Initialization file gs_init.ps does not begin with an integer.
fatal internal error -100

3) valgrind shows

==20127== Memcheck, a memory error detector
==20127== Copyright (C) 2002-2010, and GNU GPL'd, by Julian Seward et al.
==20127== Using Valgrind-3.6.0.SVN-Debian and LibVEX; rerun with -h for copyright info
==20127== Command: evince testcase1.dvi
==20127== 

** (evince:20127): WARNING **: Failed to create dbus proxy for org.gnome.SettingsDaemon: Could not get owner of name 'org.gnome.SettingsDaemon': no such name
==20127== Conditional jump or move depends on uninitialised value(s)
==20127==    at 0x8EAF290: inflateReset2 (in /usr/lib/libz.so.1.2.3.4)
==20127==    by 0x8EAF37F: inflateInit2_ (in /usr/lib/libz.so.1.2.3.4)
==20127==    by 0x8EA8C86: ??? (in /usr/lib/libz.so.1.2.3.4)
==20127==    by 0x54EF635: ??? (in /usr/lib/libxml2.so.2.7.7)
==20127==    by 0x54EF027: __xmlParserInputBufferCreateFilename (in /usr/lib/libxml2.so.2.7.7)
==20127==    by 0x54C43FC: xmlNewInputFromFile (in /usr/lib/libxml2.so.2.7.7)
==20127==    by 0x54C8785: xmlCreateURLParserCtxt (in /usr/lib/libxml2.so.2.7.7)
==20127==    by 0x54DF4DD: xmlSAXParseFileWithData (in /usr/lib/libxml2.so.2.7.7)
==20127==    by 0x43E3D7: ??? (in /usr/bin/evince)
==20127==    by 0x42F90F: ??? (in /usr/bin/evince)
==20127==    by 0x8147867: g_type_create_instance (in /usr/lib/libgobject-2.0.so.0.2400.1)
==20127==    by 0x812B6DB: ??? (in /usr/lib/libgobject-2.0.so.0.2400.1)
==20127== 

** (evince:20127): WARNING **: Setting attribute metadata::evince::sidebar_visibility not supported
==20127== Thread 3:
==20127== Invalid write of size 1
==20127==    at 0x130BCF88: ??? (in /usr/lib/libt1.so.5.1.2)
==20127==    by 0x130BA9F7: scan_token (in /usr/lib/libt1.so.5.1.2)
==20127==    by 0x13463105: swproc (imainarg.c:597)
==20127==    by 0x13461F02: gs_main_init_with_args (imainarg.c:200)
==20127==    by 0x134656B4: gsapi_init_with_args (iapi.c:167)
==20127==    by 0x12E905FB: spectre_gs_run (in /usr/lib/libspectre.so.1.1.6)
==20127==    by 0x12E912BE: spectre_device_render (in /usr/lib/libspectre.so.1.1.6)
==20127==    by 0x12E91969: spectre_page_render (in /usr/lib/libspectre.so.1.1.6)
==20127==    by 0x12E8FFC8: spectre_document_render_full (in /usr/lib/libspectre.so.1.1.6)
==20127==    by 0x12A54080: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127==    by 0x12A6213B: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127==    by 0x12A61655: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127==  Address 0x17797608 is 37,032 bytes inside a block of size 262,140 free'd
==20127==    at 0x4C245E2: realloc (vg_replace_malloc.c:525)
==20127==    by 0x130CCA05: T1_LoadFont (in /usr/lib/libt1.so.5.1.2)
==20127==    by 0x12A62A85: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127==    by 0x12A5B289: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127==    by 0x12A599E8: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127==    by 0x12A58DFD: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127==    by 0x12A531E7: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127==    by 0x526ADF2: ??? (in /usr/lib/libevview.so.2.0.0)
==20127==    by 0x526B85F: ??? (in /usr/lib/libevview.so.2.0.0)
==20127==    by 0x8C306E3: ??? (in /lib/libglib-2.0.so.0.2400.1)
==20127==    by 0x7F038B9: start_thread (pthread_create.c:300)
==20127==    by 0x940D01C: clone (clone.S:112)
==20127== 
==20127== Invalid write of size 1
==20127==    at 0x130BCFD2: ??? (in /usr/lib/libt1.so.5.1.2)
==20127==    by 0x130BA9F7: scan_token (in /usr/lib/libt1.so.5.1.2)
==20127==    by 0x13463105: swproc (imainarg.c:597)
==20127==    by 0x13461F02: gs_main_init_with_args (imainarg.c:200)
==20127==    by 0x134656B4: gsapi_init_with_args (iapi.c:167)
==20127==    by 0x12E905FB: spectre_gs_run (in /usr/lib/libspectre.so.1.1.6)
==20127==    by 0x12E912BE: spectre_device_render (in /usr/lib/libspectre.so.1.1.6)
==20127==    by 0x12E91969: spectre_page_render (in /usr/lib/libspectre.so.1.1.6)
==20127==    by 0x12E8FFC8: spectre_document_render_full (in /usr/lib/libspectre.so.1.1.6)
==20127==    by 0x12A54080: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127==    by 0x12A6213B: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127==    by 0x12A61655: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127==  Address 0x17797609 is 37,033 bytes inside a block of size 262,140 free'd
==20127==    at 0x4C245E2: realloc (vg_replace_malloc.c:525)
==20127==    by 0x130CCA05: T1_LoadFont (in /usr/lib/libt1.so.5.1.2)
==20127==    by 0x12A62A85: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127==    by 0x12A5B289: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127==    by 0x12A599E8: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127==    by 0x12A58DFD: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127==    by 0x12A531E7: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127==    by 0x526ADF2: ??? (in /usr/lib/libevview.so.2.0.0)
==20127==    by 0x526B85F: ??? (in /usr/lib/libevview.so.2.0.0)
==20127==    by 0x8C306E3: ??? (in /lib/libglib-2.0.so.0.2400.1)
==20127==    by 0x7F038B9: start_thread (pthread_create.c:300)
==20127==    by 0x940D01C: clone (clone.S:112)
==20127== 
==20127== Invalid write of size 1
==20127==    at 0x130BD026: ??? (in /usr/lib/libt1.so.5.1.2)
==20127==    by 0x130BA9F7: scan_token (in /usr/lib/libt1.so.5.1.2)
==20127==    by 0x13463105: swproc (imainarg.c:597)
==20127==    by 0x13461F02: gs_main_init_with_args (imainarg.c:200)
==20127==    by 0x134656B4: gsapi_init_with_args (iapi.c:167)
==20127==    by 0x12E905FB: spectre_gs_run (in /usr/lib/libspectre.so.1.1.6)
==20127==    by 0x12E912BE: spectre_device_render (in /usr/lib/libspectre.so.1.1.6)
==20127==    by 0x12E91969: spectre_page_render (in /usr/lib/libspectre.so.1.1.6)
==20127==    by 0x12E8FFC8: spectre_document_render_full (in /usr/lib/libspectre.so.1.1.6)
==20127==    by 0x12A54080: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127==    by 0x12A6213B: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127==    by 0x12A61655: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127==  Address 0x1779760a is 37,034 bytes inside a block of size 262,140 free'd
==20127==    at 0x4C245E2: realloc (vg_replace_malloc.c:525)
==20127==    by 0x130CCA05: T1_LoadFont (in /usr/lib/libt1.so.5.1.2)
==20127==    by 0x12A62A85: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127==    by 0x12A5B289: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127==    by 0x12A599E8: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127==    by 0x12A58DFD: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127==    by 0x12A531E7: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127==    by 0x526ADF2: ??? (in /usr/lib/libevview.so.2.0.0)
==20127==    by 0x526B85F: ??? (in /usr/lib/libevview.so.2.0.0)
==20127==    by 0x8C306E3: ??? (in /lib/libglib-2.0.so.0.2400.1)
==20127==    by 0x7F038B9: start_thread (pthread_create.c:300)
==20127==    by 0x940D01C: clone (clone.S:112)
==20127== 
==20127== Invalid write of size 1
==20127==    at 0x130BD068: ??? (in /usr/lib/libt1.so.5.1.2)
==20127==    by 0x130BA9F7: scan_token (in /usr/lib/libt1.so.5.1.2)
==20127==    by 0x13463105: swproc (imainarg.c:597)
==20127==    by 0x13461F02: gs_main_init_with_args (imainarg.c:200)
==20127==    by 0x134656B4: gsapi_init_with_args (iapi.c:167)
==20127==    by 0x12E905FB: spectre_gs_run (in /usr/lib/libspectre.so.1.1.6)
==20127==    by 0x12E912BE: spectre_device_render (in /usr/lib/libspectre.so.1.1.6)
==20127==    by 0x12E91969: spectre_page_render (in /usr/lib/libspectre.so.1.1.6)
==20127==    by 0x12E8FFC8: spectre_document_render_full (in /usr/lib/libspectre.so.1.1.6)
==20127==    by 0x12A54080: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127==    by 0x12A6213B: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127==    by 0x12A61655: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127==  Address 0x1779760b is 37,035 bytes inside a block of size 262,140 free'd
==20127==    at 0x4C245E2: realloc (vg_replace_malloc.c:525)
==20127==    by 0x130CCA05: T1_LoadFont (in /usr/lib/libt1.so.5.1.2)
==20127==    by 0x12A62A85: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127==    by 0x12A5B289: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127==    by 0x12A599E8: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127==    by 0x12A58DFD: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127==    by 0x12A531E7: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127==    by 0x526ADF2: ??? (in /usr/lib/libevview.so.2.0.0)
==20127==    by 0x526B85F: ??? (in /usr/lib/libevview.so.2.0.0)
==20127==    by 0x8C306E3: ??? (in /lib/libglib-2.0.so.0.2400.1)
==20127==    by 0x7F038B9: start_thread (pthread_create.c:300)
==20127==    by 0x940D01C: clone (clone.S:112)
==20127== 
==20127== Invalid write of size 1
==20127==    at 0x130BD0BC: ??? (in /usr/lib/libt1.so.5.1.2)
==20127==    by 0x130BA9F7: scan_token (in /usr/lib/libt1.so.5.1.2)
==20127==    by 0x13463105: swproc (imainarg.c:597)
==20127==    by 0x13461F02: gs_main_init_with_args (imainarg.c:200)
==20127==    by 0x134656B4: gsapi_init_with_args (iapi.c:167)
==20127==    by 0x12E905FB: spectre_gs_run (in /usr/lib/libspectre.so.1.1.6)
==20127==    by 0x12E912BE: spectre_device_render (in /usr/lib/libspectre.so.1.1.6)
==20127==    by 0x12E91969: spectre_page_render (in /usr/lib/libspectre.so.1.1.6)
==20127==    by 0x12E8FFC8: spectre_document_render_full (in /usr/lib/libspectre.so.1.1.6)
==20127==    by 0x12A54080: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127==    by 0x12A6213B: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127==    by 0x12A61655: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127==  Address 0x1779760c is 37,036 bytes inside a block of size 262,140 free'd
==20127==    at 0x4C245E2: realloc (vg_replace_malloc.c:525)
==20127==    by 0x130CCA05: T1_LoadFont (in /usr/lib/libt1.so.5.1.2)
==20127==    by 0x12A62A85: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127==    by 0x12A5B289: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127==    by 0x12A599E8: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127==    by 0x12A58DFD: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127==    by 0x12A531E7: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127==    by 0x526ADF2: ??? (in /usr/lib/libevview.so.2.0.0)
==20127==    by 0x526B85F: ??? (in /usr/lib/libevview.so.2.0.0)
==20127==    by 0x8C306E3: ??? (in /lib/libglib-2.0.so.0.2400.1)
==20127==    by 0x7F038B9: start_thread (pthread_create.c:300)
==20127==    by 0x940D01C: clone (clone.S:112)
==20127== 
==20127== Invalid write of size 1
==20127==    at 0x130BD0FE: ??? (in /usr/lib/libt1.so.5.1.2)
==20127==    by 0x130BA9F7: scan_token (in /usr/lib/libt1.so.5.1.2)
==20127==    by 0x13463105: swproc (imainarg.c:597)
==20127==    by 0x13461F02: gs_main_init_with_args (imainarg.c:200)
==20127==    by 0x134656B4: gsapi_init_with_args (iapi.c:167)
==20127==    by 0x12E905FB: spectre_gs_run (in /usr/lib/libspectre.so.1.1.6)
==20127==    by 0x12E912BE: spectre_device_render (in /usr/lib/libspectre.so.1.1.6)
==20127==    by 0x12E91969: spectre_page_render (in /usr/lib/libspectre.so.1.1.6)
==20127==    by 0x12E8FFC8: spectre_document_render_full (in /usr/lib/libspectre.so.1.1.6)
==20127==    by 0x12A54080: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127==    by 0x12A6213B: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127==    by 0x12A61655: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127==  Address 0x1779760d is 37,037 bytes inside a block of size 262,140 free'd
==20127==    at 0x4C245E2: realloc (vg_replace_malloc.c:525)
==20127==    by 0x130CCA05: T1_LoadFont (in /usr/lib/libt1.so.5.1.2)
==20127==    by 0x12A62A85: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127==    by 0x12A5B289: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127==    by 0x12A599E8: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127==    by 0x12A58DFD: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127==    by 0x12A531E7: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127==    by 0x526ADF2: ??? (in /usr/lib/libevview.so.2.0.0)
==20127==    by 0x526B85F: ??? (in /usr/lib/libevview.so.2.0.0)
==20127==    by 0x8C306E3: ??? (in /lib/libglib-2.0.so.0.2400.1)
==20127==    by 0x7F038B9: start_thread (pthread_create.c:300)
==20127==    by 0x940D01C: clone (clone.S:112)
==20127== 
==20127== Invalid write of size 1
==20127==    at 0x130BD152: ??? (in /usr/lib/libt1.so.5.1.2)
==20127==    by 0x130BA9F7: scan_token (in /usr/lib/libt1.so.5.1.2)
==20127==    by 0x13463105: swproc (imainarg.c:597)
==20127==    by 0x13461F02: gs_main_init_with_args (imainarg.c:200)
==20127==    by 0x134656B4: gsapi_init_with_args (iapi.c:167)
==20127==    by 0x12E905FB: spectre_gs_run (in /usr/lib/libspectre.so.1.1.6)
==20127==    by 0x12E912BE: spectre_device_render (in /usr/lib/libspectre.so.1.1.6)
==20127==    by 0x12E91969: spectre_page_render (in /usr/lib/libspectre.so.1.1.6)
==20127==    by 0x12E8FFC8: spectre_document_render_full (in /usr/lib/libspectre.so.1.1.6)
==20127==    by 0x12A54080: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127==    by 0x12A6213B: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127==    by 0x12A61655: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127==  Address 0x1779760e is 37,038 bytes inside a block of size 262,140 free'd
==20127==    at 0x4C245E2: realloc (vg_replace_malloc.c:525)
==20127==    by 0x130CCA05: T1_LoadFont (in /usr/lib/libt1.so.5.1.2)
==20127==    by 0x12A62A85: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127==    by 0x12A5B289: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127==    by 0x12A599E8: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127==    by 0x12A58DFD: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127==    by 0x12A531E7: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127==    by 0x526ADF2: ??? (in /usr/lib/libevview.so.2.0.0)
==20127==    by 0x526B85F: ??? (in /usr/lib/libevview.so.2.0.0)
==20127==    by 0x8C306E3: ??? (in /lib/libglib-2.0.so.0.2400.1)
==20127==    by 0x7F038B9: start_thread (pthread_create.c:300)
==20127==    by 0x940D01C: clone (clone.S:112)
==20127== 
==20127== Invalid write of size 1
==20127==    at 0x130BD17C: ??? (in /usr/lib/libt1.so.5.1.2)
==20127==    by 0x130BA9F7: scan_token (in /usr/lib/libt1.so.5.1.2)
==20127==    by 0x13463105: swproc (imainarg.c:597)
==20127==    by 0x13461F02: gs_main_init_with_args (imainarg.c:200)
==20127==    by 0x134656B4: gsapi_init_with_args (iapi.c:167)
==20127==    by 0x12E905FB: spectre_gs_run (in /usr/lib/libspectre.so.1.1.6)
==20127==    by 0x12E912BE: spectre_device_render (in /usr/lib/libspectre.so.1.1.6)
==20127==    by 0x12E91969: spectre_page_render (in /usr/lib/libspectre.so.1.1.6)
==20127==    by 0x12E8FFC8: spectre_document_render_full (in /usr/lib/libspectre.so.1.1.6)
==20127==    by 0x12A54080: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127==    by 0x12A6213B: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127==    by 0x12A61655: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127==  Address 0x1779760f is 37,039 bytes inside a block of size 262,140 free'd
==20127==    at 0x4C245E2: realloc (vg_replace_malloc.c:525)
==20127==    by 0x130CCA05: T1_LoadFont (in /usr/lib/libt1.so.5.1.2)
==20127==    by 0x12A62A85: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127==    by 0x12A5B289: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127==    by 0x12A599E8: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127==    by 0x12A58DFD: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127==    by 0x12A531E7: ??? (in /usr/lib/evince/2/backends/libdvidocument.so)
==20127==    by 0x526ADF2: ??? (in /usr/lib/libevview.so.2.0.0)
==20127==    by 0x526B85F: ??? (in /usr/lib/libevview.so.2.0.0)
==20127==    by 0x8C306E3: ??? (in /lib/libglib-2.0.so.0.2400.1)
==20127==    by 0x7F038B9: start_thread (pthread_create.c:300)
==20127==    by 0x940D01C: clone (clone.S:112)
==20127== 
fatal internal error -100==20127== Conditional jump or move depends on uninitialised value(s)
==20127==    at 0x1346C684: interp (interp.c:953)
==20127==    by 0x1346BA8B: gs_call_interp (interp.c:508)
==20127==    by 0x1346B8BE: gs_interpret (interp.c:466)
==20127==    by 0x1346023C: gs_main_interpret (imain.c:214)
==20127==    by 0x13460D0D: gs_main_run_string_begin (imain.c:500)
==20127==    by 0x13460C3C: gs_main_run_string_with_length (imain.c:476)
==20127==    by 0x13460BFD: gs_main_run_string (imain.c:466)
==20127==    by 0x13461568: gs_main_finit (imain.c:765)
==20127==    by 0x1346187E: gs_to_exit_with_code (imain.c:829)
==20127==    by 0x134618A5: gs_to_exit (imain.c:834)
==20127==    by 0x134659A6: gsapi_exit (iapi.c:262)
==20127==    by 0x12E90498: spectre_gs_cleanup (in /usr/lib/libspectre.so.1.1.6)
==20127== 
==20127== Use of uninitialised value of size 8
==20127==    at 0x1346C69B: interp (interp.c:953)
==20127==    by 0x1346BA8B: gs_call_interp (interp.c:508)
==20127==    by 0x1346B8BE: gs_interpret (interp.c:466)
==20127==    by 0x1346023C: gs_main_interpret (imain.c:214)
==20127==    by 0x13460D0D: gs_main_run_string_begin (imain.c:500)
==20127==    by 0x13460C3C: gs_main_run_string_with_length (imain.c:476)
==20127==    by 0x13460BFD: gs_main_run_string (imain.c:466)
==20127==    by 0x13461568: gs_main_finit (imain.c:765)
==20127==    by 0x1346187E: gs_to_exit_with_code (imain.c:829)
==20127==    by 0x134618A5: gs_to_exit (imain.c:834)
==20127==    by 0x134659A6: gsapi_exit (iapi.c:262)
==20127==    by 0x12E90498: spectre_gs_cleanup (in /usr/lib/libspectre.so.1.1.6)
==20127== 
==20127== Conditional jump or move depends on uninitialised value(s)
==20127==    at 0x1346E6E3: interp (interp.c:1721)
==20127==    by 0x1346BA8B: gs_call_interp (interp.c:508)
==20127==    by 0x1346B8BE: gs_interpret (interp.c:466)
==20127==    by 0x1346023C: gs_main_interpret (imain.c:214)
==20127==    by 0x13460D0D: gs_main_run_string_begin (imain.c:500)
==20127==    by 0x13460C3C: gs_main_run_string_with_length (imain.c:476)
==20127==    by 0x13460BFD: gs_main_run_string (imain.c:466)
==20127==    by 0x13461568: gs_main_finit (imain.c:765)
==20127==    by 0x1346187E: gs_to_exit_with_code (imain.c:829)
==20127==    by 0x134618A5: gs_to_exit (imain.c:834)
==20127==    by 0x134659A6: gsapi_exit (iapi.c:262)
==20127==    by 0x12E90498: spectre_gs_cleanup (in /usr/lib/libspectre.so.1.1.6)
==20127== 

** (evince:20127): WARNING **: Error rendering PS document /home/lindi/tmp/evince1/testcase1img.eps: render error

fatal internal error -100
** (evince:20127): WARNING **: Error rendering PS document /home/lindi/tmp/evince1/testcase1img.eps: render error

==20127== 
==20127== HEAP SUMMARY:
==20127==     in use at exit: 2,943,870 bytes in 51,332 blocks
==20127==   total heap usage: 145,721 allocs, 94,389 frees, 28,119,601 bytes allocated
==20127== 
==20127== LEAK SUMMARY:
==20127==    definitely lost: 79,580 bytes in 563 blocks
==20127==    indirectly lost: 59,984 bytes in 2,548 blocks
==20127==      possibly lost: 2,054,918 bytes in 42,521 blocks
==20127==    still reachable: 749,388 bytes in 5,700 blocks
==20127==         suppressed: 0 bytes in 0 blocks
==20127== Rerun with --leak-check=full to see details of leaked memory
==20127== 
==20127== For counts of detected and suppressed errors, rerun with: -v
==20127== Use --track-origins=yes to see where uninitialised values come from
==20127== ERROR SUMMARY: 30 errors from 12 contexts (suppressed: 109 from 8)

4) This does not seem to occur under gdb.

5) evince does not seem to produce a core file even when it prints
"core dumped" (ulimit -c shows unlimited, and a simple C program with
assert(0) does, however, produce a core file).

6) dmesg shows

evince[7358]: segfault at 7f45894868f4 ip 00007f4558ae45ec sp 00007f455a386090 error 6 in libgs.so.8.71[7f4558689000+595000]
evince[8098]: segfault at e80 ip 00007f38c19ef2d8 sp 00007f38c357d810 error 4 in libgs.so.8.71[7f38c1881000+595000]
evince[8304]: segfault at e80 ip 00007f70eb5252d8 sp 00007f70f19ed810 error 4 in libgs.so.8.71[7f70eb3b7000+595000]
evince[8824]: segfault at e80 ip 00007f369a04f2d8 sp 00007f369bbdd810 error 4 in libgs.so.8.71[7f3699ee1000+595000]
evince[9843]: segfault at 7fc248493338 ip 00007fc257d3de2e sp 00007fff71994210 error 6 in libc-2.11.2.so[7fc257cc9000+158000]
evince[9853]: segfault at 894868ec ip 00007fb727812666 sp 00007fb72d2db7d0 error 4 in libgs.so.8.71[7fb7273b7000+595000]
evince[9855]: segfault at 7f862849c3a8 ip 00007f8635406e2e sp 00007fff541e95c0 error 6 in libc-2.11.2.so[7f8635392000+158000]
evince[9867]: segfault at 7f1f2c4929d8 ip 00007f1f388cbe2e sp 00007fff6ac39590 error 6 in libc-2.11.2.so[7f1f38857000+158000]
evince[10440]: segfault at 7fb51c214cd8 ip 00007fb528efae2e sp 00007fb520ed9ba0 error 6 in libc-2.11.2.so[7fb528e86000+158000]
evince[10531]: segfault at 7f7195657480 ip 00007f7119774f42 sp 00007fff2dbe2080 error 4 in libc-2.11.2.so[7f7119702000+158000]
evince[10553]: segfault at 7f7024215208 ip 00007f7032c19e2e sp 00007f702abf8ba0 error 6 in libc-2.11.2.so[7f7032ba5000+158000]
evince[10698]: segfault at 7ffa40211178 ip 00007ffa4ffe6e2e sp 00007ffa47fc5ba0 error 6 in libc-2.11.2.so[7ffa4ff72000+158000]
evince[10972]: segfault at 7f2ba5652c10 ip 00007f2b29185f42 sp 00007f2b21166010 error 4 in libc-2.11.2.so[7f2b29113000+158000]
evince[11001]: segfault at 7f94482562c8 ip 00007f9457ce3e2e sp 00007fff076c2610 error 6 in libc-2.11.2.so[7f9457c6f000+158000]
evince[12623] general protection ip:7f3011d039e2 sp:7f3009ce2960 error:0 in libc-2.11.2.so[7f3011c8f000+158000]
evince[12643]: segfault at 7f55b197c0e0 ip 00007f5537825f42 sp 00007f552f8067f0 error 4 in libc-2.11.2.so[7f55377b3000+158000]
evince[12772]: segfault at 7f7fbd65b4d0 ip 00007f7f43eaef42 sp 00007fffdbe33980 error 4 in libc-2.11.2.so[7f7f43e3c000+158000]
evince[12792]: segfault at 7f25ed975eb0 ip 00007f2573758f42 sp 00007f256b7397f0 error 4 in libc-2.11.2.so[7f25736e6000+158000]
evince[17538]: segfault at 7fedf5651630 ip 00007fed78f24f42 sp 00007fff74d41640 error 4 in libc-2.11.2.so[7fed78eb2000+158000]
evince[17560]: segfault at 110018 ip 00007fa84f63ad8d sp 00007fa84761cb50 error 4 in libc-2.11.2.so[7fa84f5c9000+158000]
evince[18051]: segfault at 7f5470214198 ip 00007f547d7c8e2e sp 00007f54757a7ba0 error 6 in libc-2.11.2.so[7f547d754000+158000]
evince[18071]: segfault at 7f900421a998 ip 00007f9010a19e2e sp 00007f90089f8ba0 error 6 in libc-2.11.2.so[7f90109a5000+158000]
evince[18089]: segfault at 7f1f9d97c930 ip 00007f1f23ef1f42 sp 00007f1f1bed2010 error 4 in libc-2.11.2.so[7f1f23e7f000+158000]
evince[18104]: segfault at 7f29c197f9c0 ip 00007f29487a2f42 sp 00007f2940783c80 error 4 in libc-2.11.2.so[7f2948730000+158000]
evince[18238]: segfault at 7ffd6c215198 ip 00007ffd7891be2e sp 00007ffd708faba0 error 6 in libc-2.11.2.so[7ffd788a7000+158000]
evince[19119]: segfault at 7f2dc9669150 ip 00007f2d4e76af42 sp 00007f2d4674b7f0 error 4 in libc-2.11.2.so[7f2d4e6f8000+158000]
evince[19884]: segfault at 7f579d657a50 ip 00007f5721b9ff42 sp 00007f5719b807f0 error 4 in libc-2.11.2.so[7f5721b2d000+158000]
evince[19917]: segfault at e80 ip 00007fbcf75252d8 sp 00007fbcfd30d810 error 4 in libgs.so.8.71[7fbcf73b7000+595000]
evince[19946]: segfault at 7fe51020f688 ip 00007fe51e1bfe2e sp 00007fe51619eba0 error 6 in libc-2.11.2.so[7fe51e14b000+158000]
evince[20442]: segfault at 7f53cd653930 ip 00007f5352a0cf42 sp 00007f534a9ed7f0 error 4 in libc-2.11.2.so[7f535299a000+158000]
evince[20894]: segfault at 7fdb402176c8 ip 00007fdb4d069e2e sp 00007fdb45048ba0 error 6 in libc-2.11.2.so[7fdb4cff5000+158000]
evince[21005]: segfault at 7fd605980fd0 ip 00007fd589504f42 sp 00007fd5814e59d0 error 4 in libc-2.11.2.so[7fd589492000+158000]



-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=fi_FI (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash

Versions of packages evince depends on:
ii  evince-common           2.30.3-1         Document (postscript, pdf) viewer 
ii  gconf2                  2.28.1-3         GNOME configuration database syste
ii  gnome-icon-theme        2.30.3-1         GNOME Desktop icon theme
ii  libatk1.0-0             1.30.0-1         The ATK accessibility toolkit
ii  libc6                   2.11.2-2         Embedded GNU C Library: Shared lib
ii  libcairo2               1.8.10-5         The Cairo 2D vector graphics libra
ii  libdbus-1-3             1.2.24-3         simple interprocess messaging syst
ii  libdbus-glib-1-2        0.88-2           simple interprocess messaging syst
ii  libevince2              2.30.3-1         Document (postscript, pdf) renderi
ii  libfontconfig1          2.8.0-2.1        generic font configuration library
ii  libfreetype6            2.4.2-1          FreeType 2 font engine, shared lib
ii  libgconf2-4             2.28.1-3         GNOME configuration database syste
ii  libglib2.0-0            2.24.1-1         The GLib library of C routines
ii  libgnome-keyring0       2.30.1-1         GNOME keyring services library
ii  libgtk2.0-0             2.20.1-1+b1      The GTK+ graphical user interface 
ii  libice6                 2:1.0.6-1        X11 Inter-Client Exchange library
ii  libnautilus-extension1  2.30.1-1         libraries for nautilus components 
ii  libpango1.0-0           1.28.1-1         Layout and rendering of internatio
ii  libsm6                  2:1.1.1-1        X11 Session Management library
ii  libx11-6                2:1.3.3-3        X11 client-side library
ii  libxml2                 2.7.7.dfsg-4     GNOME XML library
ii  shared-mime-info        0.71-3           FreeDesktop.org shared MIME databa
ii  zlib1g                  1:1.2.3.4.dfsg-3 compression library - runtime

Versions of packages evince recommends:
ii  dbus-x11                      1.2.24-3   simple interprocess messaging syst
ii  gvfs                          1.6.3-1    userspace virtual filesystem - ser

Versions of packages evince suggests:
ii  nautilus                      2.30.1-1   file manager and graphical shell f
pn  poppler-data                  <none>     (no description available)
pn  unrar                         <none>     (no description available)

-- no debconf information
-------------- next part --------------
A non-text attachment was scrubbed...
Name: testcase1.dvi
Type: application/x-dvi
Size: 7068 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-gnome-maintainers/attachments/20100914/4647188c/attachment-0001.dvi>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: testcase1img.eps
Type: application/postscript
Size: 345714 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-gnome-maintainers/attachments/20100914/4647188c/attachment-0001.eps>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: testcase1.tex
Type: text/x-tex
Size: 4356 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-gnome-maintainers/attachments/20100914/4647188c/attachment-0001.tex>
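The reproduction loop in the report stops only on exit status 134, so a run that dies with SIGSEGV (as several of the dmesg lines show) would be logged as "ret 139" and the loop would carry on. Added example, not part of the bug report or of evince: a POSIX shell harness that generalises that loop by classifying every exit status (128+signal for a crash, 124 for a run that timeout(1) had to kill) and stopping at the first real crash. The script name, the RUNS/LIMIT variables and the function names are my own.

```sh
#!/bin/sh
# Added example (not from the bug report): reproduction harness for a
# non-deterministic crash. Runs a command up to RUNS times under a
# per-run time limit, classifies each exit status and stops at the
# first crash. Usage:  RUNS=30 LIMIT=5s sh crashloop.sh evince testcase1.dvi

RUNS=${RUNS:-30}      # how many times to run the command
LIMIT=${LIMIT:-5s}    # per-run wall-clock limit handed to timeout(1)

# Map an exit status to a label. A process killed by a signal exits with
# 128+signo as seen by the shell; coreutils timeout(1) returns 124 when it
# had to kill the command and otherwise passes the command's status through
# (a program that legitimately exits 124 would be misread as a timeout).
classify_exit() {
    case "$1" in
        0)   echo ok ;;
        124) echo timeout ;;
        134) echo SIGABRT ;;   # 128+6: abort(), e.g. glibc "double free or corruption"
        136) echo SIGFPE ;;    # 128+8
        137) echo SIGKILL ;;   # 128+9: OOM killer or timeout -s KILL
        139) echo SIGSEGV ;;   # 128+11: the "segfault at ..." lines in dmesg
        *)   if [ "$1" -gt 128 ]; then echo "signal $(( $1 - 128 ))"
             else echo "exit $1"; fi ;;
    esac
}

# Run the command once under the time limit; fall back to no limit when
# timeout(1) is not installed. Returns the command's status.
run_once() {
    if command -v timeout >/dev/null 2>&1; then
        timeout "$LIMIT" "$@"
    else
        "$@"
    fi
}

# Run "$@" up to RUNS times. Returns 0 when no run crashed (WORKING) and 1
# at the first crash (BROKEN), printing the run number and the signal.
crash_loop() {
    i=1
    while [ "$i" -le "$RUNS" ]; do
        st=0
        run_once "$@" >/dev/null 2>&1 || st=$?
        label=$(classify_exit "$st")
        echo "run $i: status $st ($label)"
        case "$label" in
            ok|timeout) ;;
            *) echo "BROKEN after $i runs: $label"; return 1 ;;
        esac
        i=$(( i + 1 ))
    done
    echo WORKING
    return 0
}

# With a command line, run it; with no arguments do nothing so the
# functions can be sourced from another script.
if [ "$#" -gt 0 ]; then
    crash_loop "$@"
fi
```

Because stdout and stderr of the target are discarded inside the loop, run the crashing invocation once more by hand (or under valgrind, as in point 3) to capture the glibc message and backtrace once the harness has told you which run number fails.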


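The dmesg lines in point 6 look like dozens of different crashes because ASLR gives every run a different ip, but the kernel also prints the module's load base in the "[base+size]" suffix, and ip minus that base is stable across runs. The "error N" value is the x86 page-fault error code (bit 1 = page was present, bit 2 = write access, bit 4 = user mode, bit 16 = instruction fetch), so "error 6" is a user-mode write to an unmapped page and "error 4" a user-mode read of one; the "general protection" line carries no fault address at all. Added example, not from the bug report: a shell decoder for those lines that computes the module offset, decodes the access type, and buckets a batch of lines by crash site. The ten sample lines are copied from point 6; the function names and output format are my own. Applied to all 32 lines in the report they reduce to seven sites: every libc "error 6" line is a write at libc-2.11.2.so+0x74e2e (12 lines), every libc "error 4" line but one is a read at +0x72f42 (12 lines), plus single hits at +0x71d8d, the GP fault at +0x749e2, and three libgs.so.8.71 sites (+0x16e2d8 four times, reading near-NULL address e80; +0x45b5ec and +0x45b666 once each).

```sh
#!/bin/sh
# Added example (not from the bug report): decode x86 "segfault at ..." and
# "general protection" lines from dmesg and bucket them by crash site.
# Usage:  dmesg | sh faultbucket.sh --stdin     (no args: run on the sample)

# Decode one line. Output: "pid=.. kind=.. access=.. addr=.. module=.. ip_off=0x..".
# kind is not-present/protection for page faults, gpf for general protection;
# ip_off is the faulting ip relative to the module's load base, stable under ASLR.
decode_fault() {
    line=$1
    case $line in
        \[*) line=${line#*\]} ;;        # strip an optional "[ 1234.567890]" timestamp
    esac
    set -f; set -- $line; set +f         # split on whitespace, no globbing
    pid=${1#*\[}; pid=${pid%%\]*}
    case "$2 $3" in
        "segfault at")
            addr=$4; ip=$6; err=${10}; mod=${12}
            # x86 page-fault error code: 1=present (protection violation),
            # 2=write, 4=user mode, 16=instruction fetch (arch/x86/include/asm/trap_pf.h)
            if [ $(( err & 16 )) -ne 0 ]; then access=exec
            elif [ $(( err & 2 )) -ne 0 ]; then access=write
            else access=read; fi
            if [ $(( err & 1 )) -ne 0 ]; then kind=protection; else kind=not-present; fi
            ;;
        "general protection")
            addr=-; ip=${4#ip:}; mod=$8; access=-; kind=gpf
            ;;
        *)  echo "unparsed: $line" >&2; return 1 ;;
    esac
    name=${mod%%\[*}                      # "libc-2.11.2.so[7fc257cc9000+158000]"
    base=${mod#*\[}; base=${base%%+*}     #  -> name, base
    off=$(( 0x$ip - 0x$base ))
    printf 'pid=%s kind=%s access=%s addr=%s module=%s ip_off=0x%x\n' \
        "$pid" "$kind" "$access" "$addr" "$name" "$off"
}

# Read dmesg lines on stdin and print (count, access, module, ip_off) buckets,
# most frequent first: how many distinct crash sites the pile really is.
bucket_faults() {
    while IFS= read -r l; do
        decode_fault "$l"
    done | awk '{ print $3, $5, $6 }' | sort | uniq -c | sort -rn
}

# Ten lines copied from point 6 of the report (constructed sample input).
sample_lines() {
    cat <<'EOF'
evince[7358]: segfault at 7f45894868f4 ip 00007f4558ae45ec sp 00007f455a386090 error 6 in libgs.so.8.71[7f4558689000+595000]
evince[8098]: segfault at e80 ip 00007f38c19ef2d8 sp 00007f38c357d810 error 4 in libgs.so.8.71[7f38c1881000+595000]
evince[8304]: segfault at e80 ip 00007f70eb5252d8 sp 00007f70f19ed810 error 4 in libgs.so.8.71[7f70eb3b7000+595000]
evince[9843]: segfault at 7fc248493338 ip 00007fc257d3de2e sp 00007fff71994210 error 6 in libc-2.11.2.so[7fc257cc9000+158000]
evince[9855]: segfault at 7f862849c3a8 ip 00007f8635406e2e sp 00007fff541e95c0 error 6 in libc-2.11.2.so[7f8635392000+158000]
evince[9867]: segfault at 7f1f2c4929d8 ip 00007f1f388cbe2e sp 00007fff6ac39590 error 6 in libc-2.11.2.so[7f1f38857000+158000]
evince[10531]: segfault at 7f7195657480 ip 00007f7119774f42 sp 00007fff2dbe2080 error 4 in libc-2.11.2.so[7f7119702000+158000]
evince[10972]: segfault at 7f2ba5652c10 ip 00007f2b29185f42 sp 00007f2b21166010 error 4 in libc-2.11.2.so[7f2b29113000+158000]
evince[12623] general protection ip:7f3011d039e2 sp:7f3009ce2960 error:0 in libc-2.11.2.so[7f3011c8f000+158000]
evince[17560]: segfault at 110018 ip 00007fa84f63ad8d sp 00007fa84761cb50 error 4 in libc-2.11.2.so[7fa84f5c9000+158000]
EOF
}

if [ "$1" = --stdin ]; then
    bucket_faults
else
    sample_lines | bucket_faults
fi
```

The offset is only meaningful together with the exact library build (here libc 2.11.2-2 and libgs 8.71 on amd64); resolve it with addr2line or gdb against that build, and note that a write fault into the heap region at a fixed libc offset, as the twelve "error 6" lines show, is the signature of allocator metadata corruption rather than a plain NULL dereference like the e80 reads in libgs.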