desktop-packages team mailing list archive

[Bug 599439] Re: evince crashed with SIGSEGV in JPXStream::readTilePartData()

Still crashes evince on Ubuntu 14.04 "Trusty Tahr".

evince 3.10.3-0ubuntu10.2
poppler 0.24.5-2ubuntu4.2

** Tags added: jaunty maverick

** Tags added: trusty

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to poppler in Ubuntu.
https://bugs.launchpad.net/bugs/599439

Title:
  evince crashed with SIGSEGV in JPXStream::readTilePartData()

Status in Poppler:
  Confirmed
Status in poppler package in Ubuntu:
  Triaged

Bug description:
  evince crashes with the following valgrind output when opening the attached file.

  $ valgrind evince sample.pdf
  ==12903== Memcheck, a memory error detector.
  ==12903== Copyright (C) 2002-2008, and GNU GPL'd, by Julian Seward et al.
  ==12903== Using LibVEX rev 1884, a library for dynamic binary translation.
  ==12903== Copyright (C) 2004-2008, and GNU GPL'd, by OpenWorks LLP.
  ==12903== Using valgrind-3.4.1-Debian, a dynamic binary instrumentation framework.
  ==12903== Copyright (C) 2000-2008, and GNU GPL'd, by Julian Seward et al.
  ==12903== For more details, rerun with: -v
  ==12903== 
  Error: PDF file is damaged - attempting to reconstruct xref table...
  ==12903== Thread 2:
  ==12903== Use of uninitialised value of size 4
  ==12903==    at 0x4E1E47F: JPXStream::readTilePartData(unsigned int, unsigned int, int) (JPXStream.cc:1951)
  ==12903==    by 0x4E1F5CD: JPXStream::readTilePart() (JPXStream.cc:1924)
  ==12903==    by 0x4E20766: JPXStream::readCodestream(unsigned int) (JPXStream.cc:1366)
  ==12903==    by 0x4E225C9: JPXStream::readBoxes() (JPXStream.cc:735)
  ==12903==    by 0x4E227EC: JPXStream::reset() (JPXStream.cc:272)
  ==12903==    by 0x4EA33E2: ImageStream::reset() (Stream.cc:419)
  ==12903==    by 0x4739923: CairoOutputDev::drawSoftMaskedImage(GfxState*, Object*, Stream*, int, int, GfxImageColorMap*, Stream*, int, int, GfxImageColorMap*) (CairoOutputDev.cc:1485)
  ==12903==    by 0x4E5C9B5: Gfx::doImage(Object*, Stream*, int) (Gfx.cc:3857)
  ==12903==    by 0x4E60894: Gfx::opXObject(Object*, int) (Gfx.cc:3526)
  ==12903==    by 0x4E52AB9: Gfx::execOp(Object*, Object*, int) (Gfx.cc:771)
  ==12903==    by 0x4E5307E: Gfx::go(int) (Gfx.cc:642)
  ==12903==    by 0x4E55AEE: Gfx::display(Object*, int) (Gfx.cc:611)
  ==12903== 
  ==12903== Use of uninitialised value of size 4
  ==12903==    at 0x4E1E48A: JPXStream::readTilePartData(unsigned int, unsigned int, int) (JPXStream.cc:1952)
  ==12903==    by 0x4E1F5CD: JPXStream::readTilePart() (JPXStream.cc:1924)
  ==12903==    by 0x4E20766: JPXStream::readCodestream(unsigned int) (JPXStream.cc:1366)
  ==12903==    by 0x4E225C9: JPXStream::readBoxes() (JPXStream.cc:735)
  ==12903==    by 0x4E227EC: JPXStream::reset() (JPXStream.cc:272)
  ==12903==    by 0x4EA33E2: ImageStream::reset() (Stream.cc:419)
  ==12903==    by 0x4739923: CairoOutputDev::drawSoftMaskedImage(GfxState*, Object*, Stream*, int, int, GfxImageColorMap*, Stream*, int, int, GfxImageColorMap*) (CairoOutputDev.cc:1485)
  ==12903==    by 0x4E5C9B5: Gfx::doImage(Object*, Stream*, int) (Gfx.cc:3857)
  ==12903==    by 0x4E60894: Gfx::opXObject(Object*, int) (Gfx.cc:3526)
  ==12903==    by 0x4E52AB9: Gfx::execOp(Object*, Object*, int) (Gfx.cc:771)
  ==12903==    by 0x4E5307E: Gfx::go(int) (Gfx.cc:642)
  ==12903==    by 0x4E55AEE: Gfx::display(Object*, int) (Gfx.cc:611)
  ==12903== 
  ==12903== Conditional jump or move depends on uninitialised value(s)
  ==12903==    at 0x4E1E509: JPXStream::readTilePartData(unsigned int, unsigned int, int) (JPXStream.cc:1977)
  ==12903==    by 0x4E1F5CD: JPXStream::readTilePart() (JPXStream.cc:1924)
  ==12903==    by 0x4E20766: JPXStream::readCodestream(unsigned int) (JPXStream.cc:1366)
  ==12903==    by 0x4E225C9: JPXStream::readBoxes() (JPXStream.cc:735)
  ==12903==    by 0x4E227EC: JPXStream::reset() (JPXStream.cc:272)
  ==12903==    by 0x4EA33E2: ImageStream::reset() (Stream.cc:419)
  ==12903==    by 0x4739923: CairoOutputDev::drawSoftMaskedImage(GfxState*, Object*, Stream*, int, int, GfxImageColorMap*, Stream*, int, int, GfxImageColorMap*) (CairoOutputDev.cc:1485)
  ==12903==    by 0x4E5C9B5: Gfx::doImage(Object*, Stream*, int) (Gfx.cc:3857)
  ==12903==    by 0x4E60894: Gfx::opXObject(Object*, int) (Gfx.cc:3526)
  ==12903==    by 0x4E52AB9: Gfx::execOp(Object*, Object*, int) (Gfx.cc:771)
  ==12903==    by 0x4E5307E: Gfx::go(int) (Gfx.cc:642)
  ==12903==    by 0x4E55AEE: Gfx::display(Object*, int) (Gfx.cc:611)
  ==12903== 
  ==12903== Use of uninitialised value of size 4
  ==12903==    at 0x4E1E515: JPXStream::readTilePartData(unsigned int, unsigned int, int) (JPXStream.cc:1978)
  ==12903==    by 0x4E1F5CD: JPXStream::readTilePart() (JPXStream.cc:1924)
  ==12903==    by 0x4E20766: JPXStream::readCodestream(unsigned int) (JPXStream.cc:1366)
  ==12903==    by 0x4E225C9: JPXStream::readBoxes() (JPXStream.cc:735)
  ==12903==    by 0x4E227EC: JPXStream::reset() (JPXStream.cc:272)
  ==12903==    by 0x4EA33E2: ImageStream::reset() (Stream.cc:419)
  ==12903==    by 0x4739923: CairoOutputDev::drawSoftMaskedImage(GfxState*, Object*, Stream*, int, int, GfxImageColorMap*, Stream*, int, int, GfxImageColorMap*) (CairoOutputDev.cc:1485)
  ==12903==    by 0x4E5C9B5: Gfx::doImage(Object*, Stream*, int) (Gfx.cc:3857)
  ==12903==    by 0x4E60894: Gfx::opXObject(Object*, int) (Gfx.cc:3526)
  ==12903==    by 0x4E52AB9: Gfx::execOp(Object*, Object*, int) (Gfx.cc:771)
  ==12903==    by 0x4E5307E: Gfx::go(int) (Gfx.cc:642)
  ==12903==    by 0x4E55AEE: Gfx::display(Object*, int) (Gfx.cc:611)
  ==12903== 
  ==12903== Invalid read of size 4
  ==12903==    at 0x4E1E515: JPXStream::readTilePartData(unsigned int, unsigned int, int) (JPXStream.cc:1978)
  ==12903==    by 0x4E1F5CD: JPXStream::readTilePart() (JPXStream.cc:1924)
  ==12903==    by 0x4E20766: JPXStream::readCodestream(unsigned int) (JPXStream.cc:1366)
  ==12903==    by 0x4E225C9: JPXStream::readBoxes() (JPXStream.cc:735)
  ==12903==    by 0x4E227EC: JPXStream::reset() (JPXStream.cc:272)
  ==12903==    by 0x4EA33E2: ImageStream::reset() (Stream.cc:419)
  ==12903==    by 0x4739923: CairoOutputDev::drawSoftMaskedImage(GfxState*, Object*, Stream*, int, int, GfxImageColorMap*, Stream*, int, int, GfxImageColorMap*) (CairoOutputDev.cc:1485)
  ==12903==    by 0x4E5C9B5: Gfx::doImage(Object*, Stream*, int) (Gfx.cc:3857)
  ==12903==    by 0x4E60894: Gfx::opXObject(Object*, int) (Gfx.cc:3526)
  ==12903==    by 0x4E52AB9: Gfx::execOp(Object*, Object*, int) (Gfx.cc:771)
  ==12903==    by 0x4E5307E: Gfx::go(int) (Gfx.cc:642)
  ==12903==    by 0x4E55AEE: Gfx::display(Object*, int) (Gfx.cc:611)
  ==12903==  Address 0x10 is not stack'd, malloc'd or (recently) free'd
  ==12903== 
  ==12903== Process terminating with default action of signal 11 (SIGSEGV)
  ==12903==  Access not within mapped region at address 0x10
  ==12903==    at 0x4E1E515: JPXStream::readTilePartData(unsigned int, unsigned int, int) (JPXStream.cc:1978)
  ==12903==    by 0x4E1F5CD: JPXStream::readTilePart() (JPXStream.cc:1924)
  ==12903==    by 0x4E20766: JPXStream::readCodestream(unsigned int) (JPXStream.cc:1366)
  ==12903==    by 0x4E225C9: JPXStream::readBoxes() (JPXStream.cc:735)
  ==12903==    by 0x4E227EC: JPXStream::reset() (JPXStream.cc:272)
  ==12903==    by 0x4EA33E2: ImageStream::reset() (Stream.cc:419)
  ==12903==    by 0x4739923: CairoOutputDev::drawSoftMaskedImage(GfxState*, Object*, Stream*, int, int, GfxImageColorMap*, Stream*, int, int, GfxImageColorMap*) (CairoOutputDev.cc:1485)
  ==12903==    by 0x4E5C9B5: Gfx::doImage(Object*, Stream*, int) (Gfx.cc:3857)
  ==12903==    by 0x4E60894: Gfx::opXObject(Object*, int) (Gfx.cc:3526)
  ==12903==    by 0x4E52AB9: Gfx::execOp(Object*, Object*, int) (Gfx.cc:771)
  ==12903==    by 0x4E5307E: Gfx::go(int) (Gfx.cc:642)
  ==12903==    by 0x4E55AEE: Gfx::display(Object*, int) (Gfx.cc:611)
  ==12903==  If you believe this happened as a result of a stack overflow in your
  ==12903==  program's main thread (unlikely but possible), you can try to increase
  ==12903==  the size of the main thread stack using the --main-stacksize= flag.
  ==12903==  The main thread stack size used in this run was 8388608.
  ==12903== 
  ==12903== ERROR SUMMARY: 5 errors from 5 contexts (suppressed: 243 from 4)
  ==12903== malloc/free: in use at exit: 262,485,146 bytes in 86,891 blocks.
  ==12903== malloc/free: 263,012 allocs, 176,121 frees, 277,245,884 bytes allocated.
  ==12903== For counts of detected errors, rerun with: -v
  ==12903== Use --track-origins=yes to see where uninitialised values come from
  ==12903== searching for pointers to 86,891 not-freed blocks.
  ==12903== checked 212,587,460 bytes.
  ==12903== 
  ==12903== LEAK SUMMARY:
  ==12903==    definitely lost: 25,170 bytes in 994 blocks.
  ==12903==      possibly lost: 202,348 bytes in 229 blocks.
  ==12903==    still reachable: 262,257,628 bytes in 85,668 blocks.
  ==12903==         suppressed: 0 bytes in 0 blocks.
  ==12903== Rerun with --leak-check=full to see details of leaked memory.
  Killed

  ProblemType: Crash
  Architecture: i386
  DistroRelease: Ubuntu 9.04
  ExecutablePath: /usr/bin/evince
  Package: evince 2.26.1-0ubuntu1
  ProcCmdline: evince tehfu-113_2.pdf
  ProcEnviron:
   SHELL=/bin/bash
   LANG=en_US.UTF-8
  Signal: 11
  SourcePackage: evince
  StacktraceTop:
   JPXStream::readTilePartData (this=0x9264fd8, tileIdx=3, 
   JPXStream::readTilePart (this=0x9264fd8)
   JPXStream::readCodestream (this=0x9264fd8, len=0)
   JPXStream::readBoxes (this=0x9264fd8) at JPXStream.cc:735
   JPXStream::reset (this=0x9264fd8) at JPXStream.cc:272
  Title: evince crashed with SIGSEGV in JPXStream::readTilePartData()
  Uname: Linux 2.6.28-19-generic i686
  UserGroups: adm admin cdrom dialout lpadmin plugdev sambashare

To manage notifications about this bug go to:
https://bugs.launchpad.net/poppler/+bug/599439/+subscriptions