Bug#996639: Epiphany crashes when opening PDF in new tab (NULL pointer dereference)
John Scott
jscott at posteo.net
Sat Oct 16 17:13:17 BST 2021
Package: epiphany-browser
Version: 41.0-2
Severity: normal
Here is a proof-of-concept file you can open, assuming you have bash-
doc installed:
<!DOCTYPE html>
<html>
<head>
<title>Proof of concept</title>
</head>
<body>
<a href="/usr/share/doc/bash/bash.pdf" target="_blank">Link</a>
</body>
</html>
Clicking the link will try to open a new tab to view the PDF file in,
but this causes Epiphany to crash.
Here is the backtrace for the relevant thread:
#0 0x00007f6619804608 in decide_policy_cb
(decision_type=WEBKIT_POLICY_DECISION_TYPE_RESPONSE, user_data=<optimized out>, decision=0x7f6600017e10 [WebKitResponsePolicyDecision], web_view=0x55a90c7f9230 [EphyWebView]) at ../embed/ephy-web-view.c:962
#1 decide_policy_cb
(web_view=0x55a90c7f9230 [EphyWebView], decision=0x7f6600017e10 [WebKitResponsePolicyDecision], decision_type=<optimized out>, user_data=<optimized out>) at ../embed/ephy-web-view.c:919
#2 0x00007f66126af9da in ffi_call_unix64 () at ../src/x86/unix64.S:105
#3 0x00007f66126aeb21 in ffi_call_int
(cif=0x7ffd473cb370, fn=0x7f66198044b0 <decide_policy_cb>, rvalue=<optimized out>, avalue=<optimized out>, closure=<optimized out>)
at ../src/x86/ffi64.c:672
#8 0x00007f6618cb92cf in <emit signal ??? on instance 0x55a90c7f9230 [EphyWebView]>
(instance=<optimized out>, signal_id=<optimized out>, detail=<optimized out>) at ../../../gobject/gsignal.c:3553
#4 0x00007f6618ca0edc in g_cclosure_marshal_generic
(closure=closure at entry=0x55a90c7ef070, return_gvalue=return_gvalue at entry=0x7ffd473cb510, n_param_values=n_param_values at entry=3, param_values=param_values at entry=0x7ffd473cb570, invocation_hint=invocation_hint at entry=0x7ffd473cb4f0, marshal_data=marshal_data at entry=0x0)
at ../../../gobject/gclosure.c:1534
#5 0x00007f6618ca06cf in g_closure_invoke
(closure=0x55a90c7ef070, return_value=return_value at entry=0x7ffd473cb510, n_param_values=3, param_values=param_values at entry=0x7ffd473cb570, invocation_hint=invocation_hint at entry=0x7ffd473cb4f0) at ../../../gobject/gclosure.c:830
#6 0x00007f6618cb2a8b in signal_emit_unlocked_R
(node=<optimized out>, detail=detail at entry=0, instance=instance at entry=0x55a90c7f9230, emission_return=emission_return at entry=0x7ffd473cb670, instance_and_params=instance_and_params at entry=0x7ffd473cb570) at ../../../gobject/gsignal.c:3742
#7 0x00007f6618cb88e9 in g_signal_emit_valist
(instance=<optimized out>, signal_id=<optimized out>, detail=<optimized out>, var_args=var_args at entry=0x7ffd473cb720)
at ../../../gobject/gsignal.c:3507
#9 0x00007f661551ee8c in webkitWebViewMakePolicyDecision(_WebKitWebView*, WebKitPolicyDecisionType, _WebKitPolicyDecision*) ()
at ./Source/WebKit/UIProcess/API/glib/WebKitWebView.cpp:2627
#10 0x00007f66154fcd18 in NavigationClient::decidePolicyForNavigationResponse(WebKit::WebPageProxy&, WTF::Ref<API::NavigationResponse, WTF::RawPtrTraits<API::NavigationResponse> >&&, WTF::Ref<WebKit::WebFramePolicyListenerProxy, WTF::RawPtrTraits<WebKit::WebFramePolicyListenerProxy> >&&, API::Object*) () at ./Source/WebKit/UIProcess/API/glib/WebKitNavigationClient.cpp:150
#11 0x00007f661544ae33 in WebKit::WebPageProxy::decidePolicyForResponseShared(WTF::Ref<WebKit::WebProcessProxy, WTF::RawPtrTraits<WebKit::WebProcessProxy> >&&, WTF::ObjectIdentifier<WebCore::PageIdentifierType>, WTF::ObjectIdentifier<WebCore::FrameIdentifierType>, WebKit::FrameInfoData&&, WebCore::PolicyCheckIdentifier, unsigned long, WebCore::ResourceResponse const&, WebCore::ResourceRequest const&, bool, WTF::String const&, bool, WebCore::BrowsingContextGroupSwitchDecision, unsigned long, unsigned long, WebKit::UserData const&) () at ./Source/WebKit/UIProcess/WebPageProxy.cpp:5681
#12 0x00007f661544af3e in WebKit::WebPageProxy::decidePolicyForResponse(WTF::ObjectIdentifier<WebCore::FrameIdentifierType>, WebKit::FrameInfoData&&, WebCore::PolicyCheckIdentifier, unsigned long, WebCore::ResourceResponse const&, WebCore::ResourceRequest const&, bool, WTF::String const&, bool, WebCore::BrowsingContextGroupSwitchDecision, unsigned long, unsigned long, WebKit::UserData const&) () at ./Source/WebKit/UIProcess/WebPageProxy.cpp:5625
#13 0x00007f6615184d0d in IPC::callMemberFunctionImpl<WebKit::WebPageProxy, void (WebKit::WebPageProxy::*)(WTF::ObjectIdentifier<WebCore::FrameIdentifierType>, WebKit::FrameInfoData&&, WebCore::PolicyCheckIdentifier, unsigned long, WebCore::ResourceResponse const&, WebCore::ResourceRequest const&, bool, WTF::String const&, bool, WebCore::BrowsingContextGroupSwitchDecision, unsigned long, unsigned long, WebKit::UserData const&), std::tuple<WTF::ObjectIdentifier<WebCore::FrameIdentifierType>, WebKit::FrameInfoData, WebCore::PolicyCheckIdentifier, unsigned long, WebCore::ResourceResponse, WebCore::ResourceRequest, bool, WTF::String, bool, WebCore::BrowsingContextGroupSwitchDecision, unsigned long, unsigned long, WebKit::UserData>, 0ul, 1ul, 2ul, 3ul, 4ul, 5ul, 6ul, 7ul, 8ul, 9ul, 10ul, 11ul, 12ul>(WebKit::WebPageProxy*, void (WebKit::WebPageProxy::*)(WTF::ObjectIdentifier<WebCore::FrameIdentifierType>, WebKit::FrameInfoData&&, WebCore::PolicyCheckIdentifier, unsigned long, WebCore::ResourceResponse const&, WebCore::ResourceRequest const&, bool, WTF::String const&, bool, WebCore::BrowsingContextGroupSwitchDecision, unsigned long, unsigned long, WebKit::UserData const&), std::tuple<WTF::ObjectIdentifier<WebCore::FrameIdentifierType>, WebKit::FrameInfoData, WebCore::PolicyCheckIdentifier, unsigned long, WebCore::ResourceResponse, WebCore::ResourceRequest, bool, WTF::String, bool, WebCore::BrowsingContextGroupSwitchDecision, unsigned long, unsigned long, WebKit::UserData>&&, std::integer_sequence<unsigned long, 0ul, 1ul, 2ul, 3ul, 4ul, 5ul, 6ul, 7ul, 8ul, 9ul, 10ul, 11ul, 12ul>) () at ./Source/WebKit/Platform/IPC/HandleMessage.h:43
#14 IPC::callMemberFunction<WebKit::WebPageProxy, void (WebKit::WebPageProxy::*)(WTF::ObjectIdentifier<WebCore::FrameIdentifierType>, WebKit::FrameInfoData&&, WebCore::PolicyCheckIdentifier, unsigned long, WebCore::ResourceResponse const&, WebCore::ResourceRequest const&, bool, WTF::String const&, bool, WebCore::BrowsingContextGroupSwitchDecision, unsigned long, unsigned long, WebKit::UserData const&), std::tuple<WTF::ObjectIdentifier<WebCore::FrameIdentifierType>, WebKit::FrameInfoData, WebCore::PolicyCheckIdentifier, unsigned long, WebCore::ResourceResponse, WebCore::ResourceRequest, bool, WTF::String, bool, WebCore::BrowsingContextGroupSwitchDecision, unsigned long, unsigned long, WebKit::UserData>, std::integer_sequence<unsigned long, 0ul, 1ul, 2ul, 3ul, 4ul, 5ul, 6ul, 7ul, 8ul, 9ul, 10ul, 11ul, 12ul> >(std::tuple<WTF::ObjectIdentifier<WebCore::FrameIdentifierType>, WebKit::FrameInfoData, WebCore::PolicyCheckIdentifier, unsigned long, WebCore::ResourceResponse, WebCore::ResourceRequest, bool, WTF::String, bool, WebCore::BrowsingContextGroupSwitchDecision, unsigned long, unsigned long, WebKit::UserData>&&, WebKit::WebPageProxy*, void (WebKit::WebPageProxy::*)(WTF::ObjectIdentifier<WebCore::FrameIdentifierType>, WebKit::FrameInfoData&&, WebCore::PolicyCheckIdentifier, unsigned long, WebCore::ResourceResponse const&, WebCore::ResourceRequest const&, bool, WTF::String const&, bool, WebCore::BrowsingContextGroupSwitchDecision, unsigned long, unsigned long, WebKit::UserData const&)) () at ./Source/WebKit/Platform/IPC/HandleMessage.h:49
#15 IPC::handleMessage<Messages::WebPageProxy::DecidePolicyForResponse, WebKit::WebPageProxy, void (WebKit::WebPageProxy::*)(WTF::ObjectIdentifier<WebCore::FrameIdentifierType>, WebKit::FrameInfoData&&, WebCore::PolicyCheckIdentifier, unsigned long, WebCore::ResourceResponse const&, WebCore::ResourceRequest const&, bool, WTF::String const&, bool, WebCore::BrowsingContextGroupSwitchDecision, unsigned long, unsigned long, WebKit::UserData const&)>(IPC::Decoder&, WebKit::WebPageProxy*, void (WebKit::WebPageProxy::*)(WTF::ObjectIdentifier<WebCore::FrameIdentifierType>, WebKit::FrameInfoData&&, WebCore::PolicyCheckIdentifier, unsigned long, WebCore::ResourceResponse const&, WebCore::ResourceRequest const&, bool, WTF::String const&, bool, WebCore::BrowsingContextGroupSwitchDecision, unsigned long, unsigned long, WebKit::UserData const&)) () at ./Source/WebKit/Platform/IPC/HandleMessage.h:119
#16 0x00007f6615153a6d in WebKit::WebPageProxy::didReceiveMessage(IPC::Connection&, IPC::Decoder&) () at ./build/DerivedSources/WebKit/WebPageProxyMessageReceiver.cpp:1093
#17 0x00007f66153829eb in IPC::MessageReceiverMap::dispatchMessage(IPC::Connection&, IPC::Decoder&) () at ./Source/WebKit/Platform/IPC/MessageReceiverMap.cpp:129
#18 0x00007f661547ef13 in WebKit::WebProcessProxy::didReceiveMessage(IPC::Connection&, IPC::Decoder&) () at ./Source/WebKit/UIProcess/WebProcessProxy.cpp:844
#19 0x00007f661537be25 in IPC::Connection::dispatchMessage(std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >) () at ./Source/WebKit/Platform/IPC/Connection.cpp:1103
#20 0x00007f661537de21 in IPC::Connection::dispatchIncomingMessages() () at ./Source/WebKit/Platform/IPC/Connection.cpp:1217
#21 0x00007f6614621cdd in WTF::Function<void ()>::operator()() const () at ./Source/WTF/wtf/Function.h:82
#22 WTF::RunLoop::performWork() () at ./Source/WTF/wtf/RunLoop.cpp:133
#23 0x00007f6614670879 in operator() () at ./Source/WTF/wtf/glib/RunLoopGLib.cpp:80
#24 _FUN() () at ./Source/WTF/wtf/glib/RunLoopGLib.cpp:82
#25 0x00007f661467119f in operator() () at ./Source/WTF/wtf/glib/RunLoopGLib.cpp:53
#26 _FUN() () at ./Source/WTF/wtf/glib/RunLoopGLib.cpp:56
#27 0x00007f6618babc0f in g_main_dispatch (context=0x55a90b308a40) at ../../../glib/gmain.c:3381
#28 g_main_context_dispatch (context=0x55a90b308a40) at ../../../glib/gmain.c:4099
#29 0x00007f6618babfb8 in g_main_context_iterate (context=context at entry=0x55a90b308a40, block=block at entry=1, dispatch=dispatch at entry=1, self=<optimized out>) at ../../../glib/gmain.c:4175
#30 0x00007f6618bac06f in g_main_context_iteration (context=context at entry=0x55a90b308a40, may_block=may_block at entry=1) at ../../../glib/gmain.c:4240
#31 0x00007f6618dc87d5 in g_application_run (application=0x55a90b3006a0 [EphyShell], argc=1195166532, argc at entry=1, argv=argv at entry=0x7ffd473ccce8) at ../../../gio/gapplication.c:2569
#32 0x000055a9098d5c24 in main (argc=<optimized out>, argv=<optimized out>) at ../src/ephy-main.c:431
I figured on my up-to-date system that this is probably not related to
the previous madness with libffi, so I took a look at line 962 of ephy-
web-view.c as a starting point:
} else if (strcmp (mime_type, "application/pdf") == 0 && strcmp (method, "GET") == 0) {
In this case, 'bt full' shows me that method is NULL, which was
obtained on line 953 via
const char *method = webkit_uri_request_get_http_method (request);
I will probably report this to upstream shortly, seeing as none of the
Debian patches are pertinent, unless someone suggests I shouldn't.
-- System Information:
Debian Release: bookworm/sid
APT prefers testing-debug
APT policy: (500, 'testing-debug'), (500, 'testing'), (2, 'unstable-
debug'), (2, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.14.0-2-amd64 (SMP w/2 CPU threads)
Kernel taint flags: TAINT_USER, TAINT_FIRMWARE_WORKAROUND
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages epiphany-browser depends on:
ii dbus-user-session [default-dbus-session-bus] 1.12.20-2
ii dbus-x11 [dbus-session-bus] 1.12.20-2
ii epiphany-browser-data 41.0-2
ii gsettings-desktop-schemas 41.0-1
ii iso-codes 4.7.0-1
ii libarchive13 3.4.3-2+b1
ii libatk1.0-0 2.36.0-2
ii libc6 2.32-4
ii libcairo2 1.16.0-5
ii libdazzle-1.0-0 3.42.0-2
ii libgcr-base-3-1 3.40.0-3+b1
ii libgcr-ui-3-1 3.40.0-3+b1
ii libgdk-pixbuf-2.0-0 2.42.6+dfsg-2
ii libglib2.0-0 2.70.0-1+b1
ii libgmp10 2:6.2.1+dfsg-2
ii libgtk-3-0 3.24.30-3
ii libhandy-1-0 1.4.0-1
ii libhogweed6 3.7.3-1
ii libjavascriptcoregtk-4.0-18 2.34.0-1
ii libjson-glib-1.0-0 1.6.6-1
ii libnettle8 3.7.3-1
ii libpango-1.0-0 1.48.10+ds1-1
ii libsecret-1-0 0.20.4-2
ii libsoup2.4-1 2.74.0-2
ii libsqlite3-0 3.36.0-2
ii libwebkit2gtk-4.0-37 2.34.0-1
ii libxml2 2.9.12+dfsg-5
Versions of packages epiphany-browser recommends:
ii ca-certificates 20210119
ii evince 41.2-1
ii yelp 41.1-1
epiphany-browser suggests no packages.
-- no debconf information
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 252 bytes
Desc: This is a digitally signed message part
URL: <http://alioth-lists.debian.net/pipermail/pkg-gnome-maintainers/attachments/20211016/7571aa65/attachment.sig>
More information about the pkg-gnome-maintainers
mailing list