Bug 1271640

Summary: evince segfault with signal 11 in doc_rect_to_view_rect()
Product: Red Hat Enterprise Linux 6
Reporter: Anthony Russell <anrussel>
Component: evince
Assignee: Martin Hatina <mhatina>
Status: CLOSED ERRATA
QA Contact: Desktop QE <desktop-qa-list>
Severity: medium
Docs Contact:
Priority: medium
Version: 6.7
CC: jkoten, mkasik, tlavigne
Target Milestone: rc
Target Release: 6.8
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: evince-2.28.2-18.el6
Doc Type: Bug Fix
Doc Text:
Cause: Pressing Ctrl+Left or Ctrl+Right when editing a text field of a PDF form.
Consequence: Evince crashed.
Fix: Forward key events to focused child widget.
Result: Evince doesn't crash and behaves as expected.
Last Closed: 2016-05-10 20:49:02 UTC
Type: Bug

Description Anthony Russell 2015-10-14 12:32:33 UTC
Description of problem:
evince (2.28) crashes on editing pdf documents

Version-Release number of selected component (if applicable):
evince-2.28.2-14.el6_0.1.x86_64


How reproducible:
Attempt to edit an editable PDF file

Steps to Reproduce:
1. Set up RHEL6.7 with Gnome Desktop
2. Open attached PDF
3. Fill in a few characters. Then press Ctrl-LeftArrow

Actual results:
evince segfault with signal 11
kernel: evince[2477]: segfault at 10 ip 0000003b20e1a728 sp 00007fffffac6770 error 4 in libevview.so.1.0.0[3b20e00000+2e000]

Expected results:


Additional info:


Core was generated by `evince /home/test/7013r_0.pdf.pdf'.
Program terminated with signal 11, Segmentation fault.
#0  doc_rect_to_view_rect (view=0xc60040, page=0, doc_rect=0x0, view_rect=0x7fffffac6830) at ev-view.c:969
969			y = height - doc_rect->x2;
(gdb) bt
#0  doc_rect_to_view_rect (view=0xc60040, page=0, doc_rect=0x0, view_rect=0x7fffffac6830) at ev-view.c:969
#1  0x0000003b20e209b6 in ev_view_get_area_from_mapping (view=0xc60040, page=0, mapping_list=<value optimized out>, 
    data=<value optimized out>, area=0x7fffffac6830) at ev-view.c:1152
#2  0x0000003b20e22af5 in ev_view_form_field_get_region (view=0xc60040, field=0x7fecec288320) at ev-view.c:1648
#3  0x0000003b20e22ba6 in ev_view_form_field_text_save (view=0xc60040, widget=<value optimized out>) at ev-view.c:1746
#4  0x0000003b15e0fd60 in weak_refs_notify (data=0xcd75c0) at gobject.c:2231
#5  0x0000003b14e293ba in g_data_set_internal (datalist=<value optimized out>, key_id=54, data=0x0, destroy_func=0) at gdataset.c:351
#6  g_datalist_id_set_data_full (datalist=<value optimized out>, key_id=54, data=0x0, destroy_func=0) at gdataset.c:598
#7  0x0000003b15e1070a in g_object_unref (_object=0xbe5510) at gobject.c:2697
#8  0x0000003b15e33783 in g_value_unset (value=0x7fecec001908) at gvalue.c:275
#9  0x0000003b15e25d99 in g_signal_emit_valist (instance=<value optimized out>, signal_id=<value optimized out>, 
    detail=<value optimized out>, var_args=0x7fffffac6a70) at gsignal.c:3012
#10 0x0000003b15e26333 in g_signal_emit (instance=<value optimized out>, signal_id=<value optimized out>, detail=<value optimized out>)
    at gsignal.c:3040
#11 0x0000003b20e1bd91 in ev_view_remove_all (view=0xc60040) at ev-view.c:3149
#12 0x0000003b20e1bdf2 in ev_view_set_rotation (view=0xc60040, rotation=270) at ev-view.c:5231
#13 0x0000003b15e0e3de in g_closure_invoke (closure=0xb45330, return_value=0x0, n_param_values=1, param_values=0xcbcc80, 
    invocation_hint=0x7fffffac6cd0) at gclosure.c:767
#14 0x0000003b15e248d5 in signal_emit_unlocked_R (node=<value optimized out>, detail=0, instance=0xb164e0, emission_return=0x0, 
    instance_and_params=0xcbcc80) at gsignal.c:3252
#15 0x0000003b15e25d76 in g_signal_emit_valist (instance=<value optimized out>, signal_id=<value optimized out>, 
    detail=<value optimized out>, var_args=0x7fffffac6ec0) at gsignal.c:2983
#16 0x0000003b15e26333 in g_signal_emit (instance=<value optimized out>, signal_id=<value optimized out>, detail=<value optimized out>)
    at gsignal.c:3040
#17 0x0000003b1be746a8 in _gtk_action_emit_activate (action=<value optimized out>) at gtkaction.c:795
#18 0x0000003b1be76f54 in closure_accel_activate (closure=0xb12e70, return_value=0x7fffffac7150, n_param_values=<value optimized out>, 
    param_values=<value optimized out>, invocation_hint=<value optimized out>, marshal_data=<value optimized out>) at gtkaction.c:1766
#19 0x0000003b15e0e3de in g_closure_invoke (closure=0xb12e70, return_value=0x7fffffac7150, n_param_values=4, param_values=0xcbfe40, 
    invocation_hint=0x7fffffac7110) at gclosure.c:767
#20 0x0000003b15e248d5 in signal_emit_unlocked_R (node=<value optimized out>, detail=1164, instance=0xae6640, 
    emission_return=0x7fffffac72a0, instance_and_params=0xcbfe40) at gsignal.c:3252
#21 0x0000003b15e25bbb in g_signal_emit_valist (instance=<value optimized out>, signal_id=<value optimized out>, 
    detail=<value optimized out>, var_args=0x7fffffac7300) at gsignal.c:2993
#22 0x0000003b15e26333 in g_signal_emit (instance=<value optimized out>, signal_id=<value optimized out>, detail=<value optimized out>)
    at gsignal.c:3040
#23 0x0000003b1be70444 in IA__gtk_accel_group_activate (accel_group=0xae6640, accel_quark=1164, acceleratable=0xb00140, 
    accel_key=65361, accel_mods=GDK_CONTROL_MASK) at gtkaccelgroup.c:891
#24 0x0000003b1be7054d in IA__gtk_accel_groups_activate (object=0xb00140, accel_key=65361, accel_mods=GDK_CONTROL_MASK)
    at gtkaccelgroup.c:928
#25 0x0000003b1c09ec62 in IA__gtk_window_activate_key (window=0xb00140, event=<value optimized out>) at gtkwindow.c:8355
#26 0x0000003b1c0a02a7 in gtk_window_key_press_event (widget=0xb00140, event=0xceed00) at gtkwindow.c:5225
#27 0x0000003b1bf559d3 in _gtk_marshal_BOOLEAN__BOXED (closure=0xac39f0, return_value=0x7fffffac7670, 
    n_param_values=<value optimized out>, param_values=0xcf4130, invocation_hint=<value optimized out>, 
    marshal_data=<value optimized out>) at gtkmarshalers.c:86
#28 0x0000003b15e0e3de in g_closure_invoke (closure=0xac39f0, return_value=0x7fffffac7670, n_param_values=2, param_values=0xcf4130, 
    invocation_hint=0x7fffffac7630) at gclosure.c:767
#29 0x0000003b15e2451f in signal_emit_unlocked_R (node=<value optimized out>, detail=0, instance=0xb00140, 
    emission_return=0x7fffffac77c0, instance_and_params=0xcf4130) at gsignal.c:3290
#30 0x0000003b15e25bbb in g_signal_emit_valist (instance=<value optimized out>, signal_id=<value optimized out>, 
    detail=<value optimized out>, var_args=0x7fffffac7820) at gsignal.c:2993
#31 0x0000003b15e26333 in g_signal_emit (instance=<value optimized out>, signal_id=<value optimized out>, detail=<value optimized out>)
    at gsignal.c:3040
#32 0x0000003b1c088bef in gtk_widget_event_internal (widget=0xb00140, event=0xceed00) at gtkwidget.c:5025
#33 0x0000003b1bf4c7b4 in IA__gtk_propagate_event (widget=0xb00140, event=0xceed00) at gtkmain.c:2464
#34 0x0000003b1bf4d87b in IA__gtk_main_do_event (event=0xceed00) at gtkmain.c:1685
#35 0x0000003b1ba6344c in gdk_event_dispatch (source=<value optimized out>, callback=<value optimized out>, 
    user_data=<value optimized out>) at gdkevents-x11.c:2403
#36 0x0000003b14e40642 in g_main_dispatch (context=0xa88250) at gmain.c:2441
#37 g_main_context_dispatch (context=0xa88250) at gmain.c:3014
#38 0x0000003b14e44c98 in g_main_context_iterate (context=0xa88250, block=1, dispatch=1, self=<value optimized out>) at gmain.c:3092
#39 0x0000003b14e451a5 in g_main_loop_run (loop=0xa6b840) at gmain.c:3300
#40 0x0000003b1bf4dd17 in IA__gtk_main () at gtkmain.c:1257
#41 0x000000000043bbac in main (argc=1, argv=0x7fffffac7d48) at main.c:497
(gdb)
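
Triage aid for the kernel line and backtrace above, as an added example that is not part of the original report or of evince: it decodes an x86 `segfault at` log line into the fault address, the access type from the page-fault error code, and the instruction offset inside the mapped library. The sample line is constructed from the one quoted in the report; `decode_segfault` and the `NULL_PAGE_LIMIT` threshold are assumptions of this sketch.

```python
import re

# Constructed from the kernel line quoted in the report above.
SAMPLE = ("kernel: evince[2477]: segfault at 10 ip 0000003b20e1a728 "
          "sp 00007fffffac6770 error 4 in libevview.so.1.0.0[3b20e00000+2e000]")

SEGV_RE = re.compile(
    r"(?P<comm>[^\s\[]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>[0-9a-f]+)"
    r"(?: in (?P<module>[^\s\[]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?"
)

# Assumption: faults below this address are treated as NULL plus a field offset.
NULL_PAGE_LIMIT = 0x1000


def decode_segfault(line):
    """Decode one x86 'segfault at' kernel log line into triage fields."""
    m = SEGV_RE.search(line)
    if m is None:
        return None
    # The kernel prints all three of these values in hexadecimal.
    addr, ip, err = (int(m.group(k), 16) for k in ("addr", "ip", "err"))
    out = {
        "comm": m.group("comm"),
        "pid": int(m.group("pid")),
        "fault_addr": addr,
        # x86 page-fault error code: bit 0 protection violation (else page
        # not present), bit 1 write, bit 2 user mode, bit 4 instruction fetch.
        "page_present": bool(err & 0x1),
        "access": "exec" if err & 0x10 else "write" if err & 0x2 else "read",
        "user_mode": bool(err & 0x4),
        "near_null": addr < NULL_PAGE_LIMIT,
        "module": m.group("module"),
        "module_offset": None,
    }
    if m.group("base") is not None:
        base, size = int(m.group("base"), 16), int(m.group("size"), 16)
        # Offset to resolve with addr2line against the library's debuginfo.
        if base <= ip < base + size:
            out["module_offset"] = ip - base
    return out


if __name__ == "__main__":
    for key, value in decode_segfault(SAMPLE).items():
        print(f"{key}: {value}")
```

For the reported line this gives a user-mode read of a non-present page at address 0x10, which is consistent with frame #0 reading a field of `doc_rect` while `doc_rect=0x0`, and an offset of 0x1a728 into libevview.so.1.0.0.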

Comment 1 Marek Kašík 2015-10-29 14:02:05 UTC
This commit fixes the problem but it is a big one: https://git.gnome.org/browse/evince/commit/?id=3a8589a7c5e0394df456074048845cddd04bc43d. Martin, could you find which part of the commit fixes the problem?

Comment 8 errata-xmlrpc 2016-05-10 20:49:02 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0799.html