Bug#996639: Epiphany crashes when opening PDF in new tab (NULL pointer dereference)

John Scott jscott at posteo.net
Sat Oct 16 17:13:17 BST 2021


Package: epiphany-browser
Version: 41.0-2
Severity: normal

Here is a proof-of-concept file you can open, assuming you have bash-doc
installed:

<!DOCTYPE html>
<html>
	<head>
		<title>Proof of concept</title>
	</head>
	<body>
		<a href="/usr/share/doc/bash/bash.pdf" target="_blank">Link</a>
	</body>
</html>

Clicking the link will try to open a new tab to view the PDF file in,
but this causes Epiphany to crash.

Here is the backtrace for the relevant thread:
#0  0x00007f6619804608 in decide_policy_cb
    (decision_type=WEBKIT_POLICY_DECISION_TYPE_RESPONSE, user_data=<optimized out>, decision=0x7f6600017e10 [WebKitResponsePolicyDecision], web_view=0x55a90c7f9230 [EphyWebView]) at ../embed/ephy-web-view.c:962
#1  decide_policy_cb
    (web_view=0x55a90c7f9230 [EphyWebView], decision=0x7f6600017e10 [WebKitResponsePolicyDecision], decision_type=<optimized out>, user_data=<optimized out>) at ../embed/ephy-web-view.c:919
#2  0x00007f66126af9da in ffi_call_unix64 () at ../src/x86/unix64.S:105
#3  0x00007f66126aeb21 in ffi_call_int
    (cif=0x7ffd473cb370, fn=0x7f66198044b0 <decide_policy_cb>, rvalue=<optimized out>, avalue=<optimized out>, closure=<optimized out>)
    at ../src/x86/ffi64.c:672
#4  0x00007f6618ca0edc in g_cclosure_marshal_generic
    (closure=closure at entry=0x55a90c7ef070, return_gvalue=return_gvalue at entry=0x7ffd473cb510, n_param_values=n_param_values at entry=3, param_values=param_values at entry=0x7ffd473cb570, invocation_hint=invocation_hint at entry=0x7ffd473cb4f0, marshal_data=marshal_data at entry=0x0)
    at ../../../gobject/gclosure.c:1534
#5  0x00007f6618ca06cf in g_closure_invoke
    (closure=0x55a90c7ef070, return_value=return_value at entry=0x7ffd473cb510, n_param_values=3, param_values=param_values at entry=0x7ffd473cb570, invocation_hint=invocation_hint at entry=0x7ffd473cb4f0) at ../../../gobject/gclosure.c:830
#6  0x00007f6618cb2a8b in signal_emit_unlocked_R
    (node=<optimized out>, detail=detail at entry=0, instance=instance at entry=0x55a90c7f9230, emission_return=emission_return at entry=0x7ffd473cb670, instance_and_params=instance_and_params at entry=0x7ffd473cb570) at ../../../gobject/gsignal.c:3742
#7  0x00007f6618cb88e9 in g_signal_emit_valist
    (instance=<optimized out>, signal_id=<optimized out>, detail=<optimized out>, var_args=var_args at entry=0x7ffd473cb720)
    at ../../../gobject/gsignal.c:3507
#8  0x00007f6618cb92cf in <emit signal ??? on instance 0x55a90c7f9230 [EphyWebView]>
    (instance=<optimized out>, signal_id=<optimized out>, detail=<optimized out>) at ../../../gobject/gsignal.c:3553
#9  0x00007f661551ee8c in webkitWebViewMakePolicyDecision(_WebKitWebView*, WebKitPolicyDecisionType, _WebKitPolicyDecision*) ()
    at ./Source/WebKit/UIProcess/API/glib/WebKitWebView.cpp:2627
#10 0x00007f66154fcd18 in NavigationClient::decidePolicyForNavigationResponse(WebKit::WebPageProxy&, WTF::Ref<API::NavigationResponse, WTF::RawPtrTraits<API::NavigationResponse> >&&, WTF::Ref<WebKit::WebFramePolicyListenerProxy, WTF::RawPtrTraits<WebKit::WebFramePolicyListenerProxy> >&&, API::Object*) () at ./Source/WebKit/UIProcess/API/glib/WebKitNavigationClient.cpp:150
#11 0x00007f661544ae33 in WebKit::WebPageProxy::decidePolicyForResponseShared(WTF::Ref<WebKit::WebProcessProxy, WTF::RawPtrTraits<WebKit::WebProcessProxy> >&&, WTF::ObjectIdentifier<WebCore::PageIdentifierType>, WTF::ObjectIdentifier<WebCore::FrameIdentifierType>, WebKit::FrameInfoData&&, WebCore::PolicyCheckIdentifier, unsigned long, WebCore::ResourceResponse const&, WebCore::ResourceRequest const&, bool, WTF::String const&, bool, WebCore::BrowsingContextGroupSwitchDecision, unsigned long, unsigned long, WebKit::UserData const&) () at ./Source/WebKit/UIProcess/WebPageProxy.cpp:5681
#12 0x00007f661544af3e in WebKit::WebPageProxy::decidePolicyForResponse(WTF::ObjectIdentifier<WebCore::FrameIdentifierType>, WebKit::FrameInfoData&&, WebCore::PolicyCheckIdentifier, unsigned long, WebCore::ResourceResponse const&, WebCore::ResourceRequest const&, bool, WTF::String const&, bool, WebCore::BrowsingContextGroupSwitchDecision, unsigned long, unsigned long, WebKit::UserData const&) () at ./Source/WebKit/UIProcess/WebPageProxy.cpp:5625
#13 0x00007f6615184d0d in IPC::callMemberFunctionImpl<WebKit::WebPageProxy, void (WebKit::WebPageProxy::*)(WTF::ObjectIdentifier<WebCore::FrameIdentifierType>, WebKit::FrameInfoData&&, WebCore::PolicyCheckIdentifier, unsigned long, WebCore::ResourceResponse const&, WebCore::ResourceRequest const&, bool, WTF::String const&, bool, WebCore::BrowsingContextGroupSwitchDecision, unsigned long, unsigned long, WebKit::UserData const&), std::tuple<WTF::ObjectIdentifier<WebCore::FrameIdentifierType>, WebKit::FrameInfoData, WebCore::PolicyCheckIdentifier, unsigned long, WebCore::ResourceResponse, WebCore::ResourceRequest, bool, WTF::String, bool, WebCore::BrowsingContextGroupSwitchDecision, unsigned long, unsigned long, WebKit::UserData>, 0ul, 1ul, 2ul, 3ul, 4ul, 5ul, 6ul, 7ul, 8ul, 9ul, 10ul, 11ul, 12ul>(WebKit::WebPageProxy*, void (WebKit::WebPageProxy::*)(WTF::ObjectIdentifier<WebCore::FrameIdentifierType>, WebKit::FrameInfoData&&, WebCore::PolicyCheckIdentifier, unsigned long, WebCore::ResourceResponse const&, WebCore::ResourceRequest const&, bool, WTF::String const&, bool, WebCore::BrowsingContextGroupSwitchDecision, unsigned long, unsigned long, WebKit::UserData const&), std::tuple<WTF::ObjectIdentifier<WebCore::FrameIdentifierType>, WebKit::FrameInfoData, WebCore::PolicyCheckIdentifier, unsigned long, WebCore::ResourceResponse, WebCore::ResourceRequest, bool, WTF::String, bool, WebCore::BrowsingContextGroupSwitchDecision, unsigned long, unsigned long, WebKit::UserData>&&, std::integer_sequence<unsigned long, 0ul, 1ul, 2ul, 3ul, 4ul, 5ul, 6ul, 7ul, 8ul, 9ul, 10ul, 11ul, 12ul>) () at ./Source/WebKit/Platform/IPC/HandleMessage.h:43
#14 IPC::callMemberFunction<WebKit::WebPageProxy, void (WebKit::WebPageProxy::*)(WTF::ObjectIdentifier<WebCore::FrameIdentifierType>, WebKit::FrameInfoData&&, WebCore::PolicyCheckIdentifier, unsigned long, WebCore::ResourceResponse const&, WebCore::ResourceRequest const&, bool, WTF::String const&, bool, WebCore::BrowsingContextGroupSwitchDecision, unsigned long, unsigned long, WebKit::UserData const&), std::tuple<WTF::ObjectIdentifier<WebCore::FrameIdentifierType>, WebKit::FrameInfoData, WebCore::PolicyCheckIdentifier, unsigned long, WebCore::ResourceResponse, WebCore::ResourceRequest, bool, WTF::String, bool, WebCore::BrowsingContextGroupSwitchDecision, unsigned long, unsigned long, WebKit::UserData>, std::integer_sequence<unsigned long, 0ul, 1ul, 2ul, 3ul, 4ul, 5ul, 6ul, 7ul, 8ul, 9ul, 10ul, 11ul, 12ul> >(std::tuple<WTF::ObjectIdentifier<WebCore::FrameIdentifierType>, WebKit::FrameInfoData, WebCore::PolicyCheckIdentifier, unsigned long, WebCore::ResourceResponse, WebCore::ResourceRequest, bool, WTF::String, bool, WebCore::BrowsingContextGroupSwitchDecision, unsigned long, unsigned long, WebKit::UserData>&&, WebKit::WebPageProxy*, void (WebKit::WebPageProxy::*)(WTF::ObjectIdentifier<WebCore::FrameIdentifierType>, WebKit::FrameInfoData&&, WebCore::PolicyCheckIdentifier, unsigned long, WebCore::ResourceResponse const&, WebCore::ResourceRequest const&, bool, WTF::String const&, bool, WebCore::BrowsingContextGroupSwitchDecision, unsigned long, unsigned long, WebKit::UserData const&)) () at ./Source/WebKit/Platform/IPC/HandleMessage.h:49
#15 IPC::handleMessage<Messages::WebPageProxy::DecidePolicyForResponse, WebKit::WebPageProxy, void (WebKit::WebPageProxy::*)(WTF::ObjectIdentifier<WebCore::FrameIdentifierType>, WebKit::FrameInfoData&&, WebCore::PolicyCheckIdentifier, unsigned long, WebCore::ResourceResponse const&, WebCore::ResourceRequest const&, bool, WTF::String const&, bool, WebCore::BrowsingContextGroupSwitchDecision, unsigned long, unsigned long, WebKit::UserData const&)>(IPC::Decoder&, WebKit::WebPageProxy*, void (WebKit::WebPageProxy::*)(WTF::ObjectIdentifier<WebCore::FrameIdentifierType>, WebKit::FrameInfoData&&, WebCore::PolicyCheckIdentifier, unsigned long, WebCore::ResourceResponse const&, WebCore::ResourceRequest const&, bool, WTF::String const&, bool, WebCore::BrowsingContextGroupSwitchDecision, unsigned long, unsigned long, WebKit::UserData const&)) () at ./Source/WebKit/Platform/IPC/HandleMessage.h:119
#16 0x00007f6615153a6d in WebKit::WebPageProxy::didReceiveMessage(IPC::Connection&, IPC::Decoder&) () at ./build/DerivedSources/WebKit/WebPageProxyMessageReceiver.cpp:1093
#17 0x00007f66153829eb in IPC::MessageReceiverMap::dispatchMessage(IPC::Connection&, IPC::Decoder&) () at ./Source/WebKit/Platform/IPC/MessageReceiverMap.cpp:129
#18 0x00007f661547ef13 in WebKit::WebProcessProxy::didReceiveMessage(IPC::Connection&, IPC::Decoder&) () at ./Source/WebKit/UIProcess/WebProcessProxy.cpp:844
#19 0x00007f661537be25 in IPC::Connection::dispatchMessage(std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >) () at ./Source/WebKit/Platform/IPC/Connection.cpp:1103
#20 0x00007f661537de21 in IPC::Connection::dispatchIncomingMessages() () at ./Source/WebKit/Platform/IPC/Connection.cpp:1217
#21 0x00007f6614621cdd in WTF::Function<void ()>::operator()() const () at ./Source/WTF/wtf/Function.h:82
#22 WTF::RunLoop::performWork() () at ./Source/WTF/wtf/RunLoop.cpp:133
#23 0x00007f6614670879 in operator() () at ./Source/WTF/wtf/glib/RunLoopGLib.cpp:80
#24 _FUN() () at ./Source/WTF/wtf/glib/RunLoopGLib.cpp:82
#25 0x00007f661467119f in operator() () at ./Source/WTF/wtf/glib/RunLoopGLib.cpp:53
#26 _FUN() () at ./Source/WTF/wtf/glib/RunLoopGLib.cpp:56
#27 0x00007f6618babc0f in g_main_dispatch (context=0x55a90b308a40) at ../../../glib/gmain.c:3381
#28 g_main_context_dispatch (context=0x55a90b308a40) at ../../../glib/gmain.c:4099
#29 0x00007f6618babfb8 in g_main_context_iterate (context=context at entry=0x55a90b308a40, block=block at entry=1, dispatch=dispatch at entry=1, self=<optimized out>) at ../../../glib/gmain.c:4175
#30 0x00007f6618bac06f in g_main_context_iteration (context=context at entry=0x55a90b308a40, may_block=may_block at entry=1) at ../../../glib/gmain.c:4240
#31 0x00007f6618dc87d5 in g_application_run (application=0x55a90b3006a0 [EphyShell], argc=1195166532, argc at entry=1, argv=argv at entry=0x7ffd473ccce8) at ../../../gio/gapplication.c:2569
#32 0x000055a9098d5c24 in main (argc=<optimized out>, argv=<optimized out>) at ../src/ephy-main.c:431

I figured on my up-to-date system that this is probably not related to
the previous madness with libffi, so I took a look at line 962 of
ephy-web-view.c as a starting point:

} else if (strcmp (mime_type, "application/pdf") == 0 && strcmp (method, "GET") == 0) {

In this case, 'bt full' shows me that method is NULL, which was
obtained on line 953 via
  const char *method = webkit_uri_request_get_http_method (request);

I will probably report this to upstream shortly, seeing as none of the
Debian patches are pertinent, unless someone suggests I shouldn't.

-- System Information:
Debian Release: bookworm/sid
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing'), (2, 'unstable-debug'),
(2, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.14.0-2-amd64 (SMP w/2 CPU threads)
Kernel taint flags: TAINT_USER, TAINT_FIRMWARE_WORKAROUND
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages epiphany-browser depends on:
ii  dbus-user-session [default-dbus-session-bus]  1.12.20-2
ii  dbus-x11 [dbus-session-bus]                   1.12.20-2
ii  epiphany-browser-data                         41.0-2
ii  gsettings-desktop-schemas                     41.0-1
ii  iso-codes                                     4.7.0-1
ii  libarchive13                                  3.4.3-2+b1
ii  libatk1.0-0                                   2.36.0-2
ii  libc6                                         2.32-4
ii  libcairo2                                     1.16.0-5
ii  libdazzle-1.0-0                               3.42.0-2
ii  libgcr-base-3-1                               3.40.0-3+b1
ii  libgcr-ui-3-1                                 3.40.0-3+b1
ii  libgdk-pixbuf-2.0-0                           2.42.6+dfsg-2
ii  libglib2.0-0                                  2.70.0-1+b1
ii  libgmp10                                      2:6.2.1+dfsg-2
ii  libgtk-3-0                                    3.24.30-3
ii  libhandy-1-0                                  1.4.0-1
ii  libhogweed6                                   3.7.3-1
ii  libjavascriptcoregtk-4.0-18                   2.34.0-1
ii  libjson-glib-1.0-0                            1.6.6-1
ii  libnettle8                                    3.7.3-1
ii  libpango-1.0-0                                1.48.10+ds1-1
ii  libsecret-1-0                                 0.20.4-2
ii  libsoup2.4-1                                  2.74.0-2
ii  libsqlite3-0                                  3.36.0-2
ii  libwebkit2gtk-4.0-37                          2.34.0-1
ii  libxml2                                       2.9.12+dfsg-5

Versions of packages epiphany-browser recommends:
ii  ca-certificates  20210119
ii  evince           41.2-1
ii  yelp             41.1-1

epiphany-browser suggests no packages.

-- no debconf information
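Added illustration, not code from the report or from Epiphany: the comparison at ephy-web-view.c:962 modelled in plain C, with the strcmp() on a NULL method that produces the crash beside a g_strcmp0()-style NULL-tolerant comparison. The policy_input struct and the function names are hypothetical stand-ins; the NULL method reflects webkit_uri_request_get_http_method(), which returns NULL for requests that are not HTTP, as with the local file:// link in the proof of concept.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for what decide_policy_cb inspects; not a WebKitGTK
 * type. method mirrors webkit_uri_request_get_http_method(), which returns
 * NULL for requests that are not HTTP (e.g. a file:// URI). */
typedef struct {
    const char *mime_type;
    const char *method;
} policy_input;

/* Same shape as the comparison on ephy-web-view.c:962: strcmp() is
 * called on method without a NULL check, so a NULL method is a
 * NULL pointer dereference (the crash in the report). */
int is_pdf_get_unsafe(const policy_input *in)
{
    return strcmp(in->mime_type, "application/pdf") == 0 &&
           strcmp(in->method, "GET") == 0;
}

/* NULL-tolerant string equality with g_strcmp0()-like semantics:
 * NULL equals only NULL, and never matches a real string. */
static int str_eq0(const char *a, const char *b)
{
    if (a == NULL || b == NULL)
        return a == b;
    return strcmp(a, b) == 0;
}

/* Hardened comparison: a request with no HTTP method is simply not a
 * GET, so the PDF branch is skipped instead of crashing. */
int is_pdf_get_safe(const policy_input *in)
{
    return str_eq0(in->mime_type, "application/pdf") &&
           str_eq0(in->method, "GET");
}

int main(void)
{
    policy_input http_get  = { "application/pdf", "GET" };
    policy_input local_pdf = { "application/pdf", NULL }; /* file:// link */

    printf("http GET pdf: safe=%d unsafe=%d\n",
           is_pdf_get_safe(&http_get), is_pdf_get_unsafe(&http_get));
    /* is_pdf_get_unsafe(&local_pdf) would segfault here. */
    printf("file:// pdf:  safe=%d\n", is_pdf_get_safe(&local_pdf));
    return 0;
}
```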
