[Secure-testing-team] Bug#612668: evince-gtk: crashes with Segfault
Mike Dornberger
Mike.Dornberger at gmx.de
Wed Feb 9 20:49:43 UTC 2011
Package: evince-gtk
Version: 2.22.2-4~lenny1
Severity: normal
Tags: security
Hi,
Lenny's evince segfaults on
<http://content.karger.com/ProdukteDB/produkte.asp?Aktion=ShowPDF&ArtikelNr=289587&Ausgabe=253989&ProduktNr=224242&filename=289587.pdf>.
(I haven't tested the version in Squeeze.)
It opens the document, renders the first page (I don't know if complete,
though) and crashes right after that without any user interaction; see
evince_test.log, backtrace in evince_test_bt.log. (I installed
evince-gtk-dbg after starting this bug report.)
I tagged this security since often segfaults are a hint for that and so
the secteam gets a copy automatically. :)
Greetings,
Mike Dornberger
-- System Information:
Debian Release: 5.0.8
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-2-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages evince-gtk depends on:
ii gconf2 2.22.0-1 GNOME configuration database syste
ii gnome-icon-theme 2.22.0-1 GNOME Desktop icon theme
ii libatk1.0-0 1.22.0-1 The ATK accessibility toolkit
ii libc6 2.7-18lenny7 GNU C Library: Shared libraries
ii libcairo2 1.8.8-2~bpo50+1 The Cairo 2D vector graphics libra
ii libdbus-1-3 1.2.1-5+lenny2 simple interprocess messaging syst
ii libdbus-glib-1-2 0.76-1 simple interprocess messaging syst
ii libdjvulibre21 3.5.20-8+lenny1 Runtime support for the DjVu image
ii libgcc1 1:4.3.2-1.1 GCC support library
ii libgconf2-4 2.22.0-1 GNOME configuration database syste
ii libglade2-0 1:2.6.2-1 library to load .glade files at ru
ii libglib2.0-0 2.22.4-1~bpo50+1 The GLib library of C routines
ii libgnome-keyring0 2.22.3-2 GNOME keyring services library
ii libgtk2.0-0 2.12.12-1~lenny2 The GTK+ graphical user interface
ii libjpeg62 6b-14 The Independent JPEG Group's JPEG
ii libkpathsea4 2007.dfsg.2-4+lenny3 TeX Live: path search library for
ii libpango1.0-0 1.20.5-6 Layout and rendering of internatio
ii libpoppler-glib3 0.8.7-4 PDF rendering library (GLib-based
ii libspectre1 0.2.0.ds-1 Library for rendering Postscript d
ii libstdc++6 4.3.2-1.1 The GNU Standard C++ Library v3
ii libtiff4 3.8.2-11.3 Tag Image File Format (TIFF) libra
ii libx11-6 2:1.1.5-2 X11 client-side library
ii libxml2 2.6.32.dfsg-5+lenny3 GNOME XML library
ii shared-mime-info 0.30-2 FreeDesktop.org shared MIME databa
ii zlib1g 1:1.2.3.3.dfsg-12 compression library - runtime
Versions of packages evince-gtk recommends:
ii dbus-x11 1.2.1-5+lenny2 simple interprocess messaging syst
Versions of packages evince-gtk suggests:
pn poppler-data <none> (no description available)
ii unrar 1:3.8.2-1 Unarchiver for .rar files (non-fre
-- no debconf information
-------------- next part --------------
/tmp/x$ gdb --args evince 289587.pdf
GNU gdb 6.8-debian
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...
(gdb) r
Starting program: /usr/bin/evince 289587.pdf
[Thread debugging using libthread_db enabled]
[New Thread 0xb6678a00 (LWP 28342)]
[New Thread 0xb6333b90 (LWP 28345)]
Error: Illegal entry in bfchar block in ToUnicode CMap
Error: Illegal entry in bfchar block in ToUnicode CMap
Error: Illegal entry in bfchar block in ToUnicode CMap
Error: Illegal entry in bfchar block in ToUnicode CMap
Error: Illegal entry in bfchar block in ToUnicode CMap
Error: Illegal entry in bfchar block in ToUnicode CMap
Error: Illegal entry in bfchar block in ToUnicode CMap
Error: Illegal entry in bfchar block in ToUnicode CMap
Error: Illegal entry in bfchar block in ToUnicode CMap
Error: Illegal entry in bfchar block in ToUnicode CMap
Error: Illegal entry in bfchar block in ToUnicode CMap
Error: Illegal entry in bfchar block in ToUnicode CMap
Error: Illegal entry in bfchar block in ToUnicode CMap
Error: Illegal entry in bfchar block in ToUnicode CMap
Error: Illegal entry in bfchar block in ToUnicode CMap
Error: Illegal entry in bfchar block in ToUnicode CMap
Error: Illegal entry in bfchar block in ToUnicode CMap
Error: Illegal entry in bfchar block in ToUnicode CMap
Error: Illegal entry in bfchar block in ToUnicode CMap
Error: Illegal entry in bfchar block in ToUnicode CMap
Error: Illegal entry in bfchar block in ToUnicode CMap
Error: Illegal entry in bfchar block in ToUnicode CMap
Error: Illegal entry in bfchar block in ToUnicode CMap
Error: Illegal entry in bfchar block in ToUnicode CMap
Error: Illegal entry in bfchar block in ToUnicode CMap
Error: Illegal entry in bfchar block in ToUnicode CMap
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb6333b90 (LWP 28345)]
0xb6a00b7b in Form::findWidgetByRef () from /usr/lib/libpoppler.so.3
(gdb) bt
#0 0xb6a00b7b in Form::findWidgetByRef () from /usr/lib/libpoppler.so.3
#1 0xb69f2d44 in AnnotWidget::initialize () from /usr/lib/libpoppler.so.3
#2 0xb69f3054 in AnnotWidget::AnnotWidget () from /usr/lib/libpoppler.so.3
#3 0xb69f5472 in Annots::createAnnot () from /usr/lib/libpoppler.so.3
#4 0xb69f578a in Annots::Annots () from /usr/lib/libpoppler.so.3
#5 0xb6a5bd56 in Page::displaySlice () from /usr/lib/libpoppler.so.3
#6 0xb715d59a in ?? () from /usr/lib/libpoppler-glib.so.3
#7 0xb715d6d7 in poppler_page_render () from /usr/lib/libpoppler-glib.so.3
#8 0xb5a79ab1 in pdf_document_render (document=0xb590db40, rc=0xb5900918)
at /build/buildd/evince-2.22.2/./backend/pdf/ev-poppler.cc:488
#9 0xb77c63c0 in ev_document_render (document=0xb590db40, rc=0xb5900918)
at /build/buildd/evince-2.22.2/./libdocument/ev-document.c:221
#10 0x080610fe in ev_job_render_run (job=0x88e74e0)
at /build/buildd/evince-2.22.2/./shell/ev-jobs.c:372
#11 0x0805f3c4 in handle_job (job=0x88e74e0)
at /build/buildd/evince-2.22.2/./shell/ev-job-queue.c:137
#12 0x0805f979 in ev_render_thread (data=0x0)
at /build/buildd/evince-2.22.2/./shell/ev-job-queue.c:264
#13 0xb6f2bb9f in ?? () from /lib/libglib-2.0.so.0
#14 0x00000000 in ?? ()
(gdb) quit
The program is running. Exit anyway? (y or n) y
/tmp/x$
-------------- next part --------------
/tmp/x$ wget 'http://content.karger.com/ProdukteDB/produkte.asp?Aktion=ShowPDF&ArtikelNr=289587&Ausgabe=253989&ProduktNr=224242&filename=289587.pdf' -O 289587.pdf
--2011-02-09 20:40:25-- http://content.karger.com/ProdukteDB/produkte.asp?Aktion=ShowPDF&ArtikelNr=289587&Ausgabe=253989&ProduktNr=224242&filename=289587.pdf
Resolving content.karger.com... 194.209.48.25
Connecting to content.karger.com|194.209.48.25|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 154739 (151K) [application/pdf]
Saving to: `289587.pdf'
100%[======================================>] 154,739 161K/s in 0.9s
2011-02-09 20:40:26 (161 KB/s) - `289587.pdf' saved [154739/154739]
/tmp/x$ evince 289587.pdf
Error: Illegal entry in bfchar block in ToUnicode CMap
Error: Illegal entry in bfchar block in ToUnicode CMap
Error: Illegal entry in bfchar block in ToUnicode CMap
Error: Illegal entry in bfchar block in ToUnicode CMap
Error: Illegal entry in bfchar block in ToUnicode CMap
Error: Illegal entry in bfchar block in ToUnicode CMap
Error: Illegal entry in bfchar block in ToUnicode CMap
Error: Illegal entry in bfchar block in ToUnicode CMap
Error: Illegal entry in bfchar block in ToUnicode CMap
Error: Illegal entry in bfchar block in ToUnicode CMap
Error: Illegal entry in bfchar block in ToUnicode CMap
Error: Illegal entry in bfchar block in ToUnicode CMap
Error: Illegal entry in bfchar block in ToUnicode CMap
Error: Illegal entry in bfchar block in ToUnicode CMap
Error: Illegal entry in bfchar block in ToUnicode CMap
Error: Illegal entry in bfchar block in ToUnicode CMap
Error: Illegal entry in bfchar block in ToUnicode CMap
Error: Illegal entry in bfchar block in ToUnicode CMap
Error: Illegal entry in bfchar block in ToUnicode CMap
Error: Illegal entry in bfchar block in ToUnicode CMap
Error: Illegal entry in bfchar block in ToUnicode CMap
Error: Illegal entry in bfchar block in ToUnicode CMap
Error: Illegal entry in bfchar block in ToUnicode CMap
Error: Illegal entry in bfchar block in ToUnicode CMap
Error: Illegal entry in bfchar block in ToUnicode CMap
Error: Illegal entry in bfchar block in ToUnicode CMap
Segmentation fault