Bug 2228384

Summary: [abrt] evince: GfxResources::doLookupFont(): evince killed by SIGSEGV
Product: [Fedora] Fedora
Reporter: xspielinbox+redhat
Component: evince
Assignee: Marek Kašík <mkasik>
Status: ON_QA ---
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 38
CC: feborges, gnome-sig, mclasen, mkasik, rstrode, xspielinbox+redhat
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
URL: https://retrace.fedoraproject.org/faf/reports/bthash/5ddc7e9b7d841b09e0d30f40d60072e63b8b109
Whiteboard: abrt_hash:b696a752048203e83478956e26e582318f441f78;VARIANT_ID=workstation;
Fixed In Version: poppler-22.08.0-4.fc37 poppler-23.02.0-2.fc38
Attachments (all with flags: none):
File: proc_pid_status
File: maps
File: limits
File: mountinfo
File: os_info
File: cpuinfo
File: core_backtrace
File: exploitable
File: dso_list
File: var_log_messages
File: backtrace
File: open_fds
File: environ

Description xspielinbox+redhat 2023-08-02 09:52:51 UTC
Description of problem:
I tried to fill out a PDF form and whenever I leave a field, the application crashes. Interestingly, it is only reproducible with this one PDF, but with this one every time.
Regardless of whether one switches the field with TAB, clicks somewhere else, or the field has a default value or not.

Version-Release number of selected component:
evince-44.3-1.fc38

Additional info:
reporter:       libreport-2.17.11
type:           CCpp
reason:         evince killed by SIGSEGV
journald_cursor: s=9a7a550263b44ce2aae567ae74362384;i=236d81;b=227ff983b5e443ea9b73d8e89787bd4f;m=14f8428f4;t=601ed7a20c186;x=9b6e59b7be9175c9
executable:     /usr/bin/evince
cgroup:         0::/user.slice/user-1000.slice/user/app.slice/dbus-:1.2-org.gnome.Nautilus
rootdir:        /
uid:            1000
kernel:         6.4.6-200.fc38.x86_64
package:        evince-44.3-1.fc38
runlevel:       N 5
backtrace_rating: 4
crash_function: GfxResources::doLookupFont
cmdline:        /usr/bin/evince /home/[...]/Documents/[...]/[...]/[...]/[...].pdf

Truncated backtrace:
Thread no. 1 (82 frames)
 #0 GfxResources::doLookupFont at /usr/src/debug/poppler-23.02.0-1.fc38.x86_64/poppler/Gfx.cc:301
 #1 GfxResources::lookupFont at /usr/src/debug/poppler-23.02.0-1.fc38.x86_64/poppler/Gfx.cc:313
 #2 Form::ensureFontsForAllCharacters at /usr/src/debug/poppler-23.02.0-1.fc38.x86_64/poppler/Form.cc:2966
 #3 FormFieldText::setContentCopy at /usr/src/debug/poppler-23.02.0-1.fc38.x86_64/poppler/Form.cc:1684
 #4 poppler_form_field_text_set_text at /usr/src/debug/poppler-23.02.0-1.fc38.x86_64/glib/poppler-form-field.cc:757
 #5 pdf_document_forms_form_field_text_set_text at ../backend/pdf/ev-poppler.c:2503
 #6 ev_view_form_field_text_save.part.0.lto_priv.0 at ../libview/ev-view.c:2627
 #7 ev_view_form_field_text_save at ../libview/ev-view.c:2664
 #8 ev_view_form_field_text_focus_out at ../libview/ev-view.c:2665
 #9 _gtk_marshal_BOOLEAN__BOXED at gtk/gtkmarshalers.c:84
 #11 signal_emit_unlocked_R.isra.0 at ../gobject/gsignal.c:3812
 #14 gtk_widget_event_internal.part.0.lto_priv.0 at ../gtk/gtkwidget.c:7812
 #15 gtk_widget_send_focus_change at ../gtk/gtkwidget.c:16244
 #16 do_focus_change at ../gtk/gtkwindow.c:8487
 #17 gtk_window_real_set_focus at ../gtk/gtkwindow.c:8776
 #18 g_cclosure_marshal_VOID__OBJECTv at ../gobject/gmarshal.c:1910
 #19 _g_closure_invoke_va at ../gobject/gclosure.c:895
 #22 _gtk_window_unset_focus_and_default at ../gtk/gtkwindow.c:9161
 #23 gtk_widget_unparent at ../gtk/gtkwidget.c:4654
 #25 ev_view_remove at ../libview/ev-view.c:7863
 #26 g_cclosure_marshal_VOID__OBJECTv at ../gobject/gmarshal.c:1910
 #27 _g_closure_invoke_va at ../gobject/gclosure.c:895
 #30 gtk_container_remove at ../gtk/gtkcontainer.c:1907
 #32 gtk_widget_dispose at ../gtk/gtkwidget.c:12155
 #35 ev_view_forall at ../libview/ev-view.c:7890
 #36 ev_view_remove_all_form_fields at ../libview/ev-view.c:5818
 #37 ev_view_focus_next at ../libview/ev-view.c:8153
 #38 ev_view_focus at ../libview/ev-view.c:8193
 #39 _gtk_marshal_BOOLEAN__ENUMv at gtk/gtkmarshalers.c:215
 #40 _g_closure_invoke_va at ../gobject/gclosure.c:895
 #43 gtk_widget_child_focus at ../gtk/gtkwidget.c:11087
 #44 gtk_scrolled_window_focus at ../gtk/gtkscrolledwindow.c:3886
 #45 _gtk_marshal_BOOLEAN__ENUMv at gtk/gtkmarshalers.c:215
 #46 _g_closure_invoke_va at ../gobject/gclosure.c:895
 #49 gtk_widget_child_focus at ../gtk/gtkwidget.c:11087
 #50 gtk_container_focus_move at ../gtk/gtkcontainer.c:3288
 #51 gtk_container_focus at ../gtk/gtkcontainer.c:2816
 #52 _gtk_marshal_BOOLEAN__ENUMv at gtk/gtkmarshalers.c:215
 #53 _g_closure_invoke_va at ../gobject/gclosure.c:895
 #56 gtk_widget_child_focus at ../gtk/gtkwidget.c:11087
 #57 gtk_container_focus_move at ../gtk/gtkcontainer.c:3288
 #58 gtk_container_focus at ../gtk/gtkcontainer.c:2816
 #59 _gtk_marshal_BOOLEAN__ENUMv at gtk/gtkmarshalers.c:215
 #60 _g_closure_invoke_va at ../gobject/gclosure.c:895
 #63 gtk_widget_child_focus at ../gtk/gtkwidget.c:11087
 #64 gtk_container_focus_move at ../gtk/gtkcontainer.c:3288
 #65 gtk_container_focus at ../gtk/gtkcontainer.c:2816
 #66 gtk_paned_focus at ../gtk/gtkpaned.c:2069
 #67 _gtk_marshal_BOOLEAN__ENUMv at gtk/gtkmarshalers.c:215
 #68 _g_closure_invoke_va at ../gobject/gclosure.c:895
 #71 gtk_widget_child_focus at ../gtk/gtkwidget.c:11087
 #72 gtk_container_focus_move at ../gtk/gtkcontainer.c:3288
 #73 gtk_container_focus at ../gtk/gtkcontainer.c:2816
 #74 _gtk_marshal_BOOLEAN__ENUMv at gtk/gtkmarshalers.c:215
 #75 _g_closure_invoke_va at ../gobject/gclosure.c:895
 #78 gtk_widget_child_focus at ../gtk/gtkwidget.c:11087
 #79 gtk_container_focus_move at ../gtk/gtkcontainer.c:3288
 #80 gtk_container_focus at ../gtk/gtkcontainer.c:2816
 #81 _gtk_marshal_BOOLEAN__ENUMv at gtk/gtkmarshalers.c:215
 #82 _g_closure_invoke_va at ../gobject/gclosure.c:895
 #85 gtk_widget_child_focus at ../gtk/gtkwidget.c:11087
 #86 gtk_window_focus at ../gtk/gtkwindow.c:8667
 #88 _gtk_marshal_BOOLEAN__ENUMv at gtk/gtkmarshalers.c:215
 #89 _g_closure_invoke_va at ../gobject/gclosure.c:895
 #92 gtk_widget_child_focus at ../gtk/gtkwidget.c:11087
 #93 gtk_window_move_focus at ../gtk/gtkwindow.c:8729
 #95 signal_emit_unlocked_R.isra.0 at ../gobject/gsignal.c:3851
 #96 g_signal_emitv at ../gobject/gsignal.c:3284
 #97 gtk_binding_entry_activate at ../gtk/gtkbindings.c:646
 #98 binding_activate at ../gtk/gtkbindings.c:1455
 #99 gtk_bindings_activate_list at ../gtk/gtkbindings.c:1514
 #100 gtk_bindings_activate_event at ../gtk/gtkbindings.c:1601
 #102 _gtk_marshal_BOOLEAN__BOXEDv at gtk/gtkmarshalers.c:130
 #103 _g_closure_invoke_va at ../gobject/gclosure.c:895
 #106 gtk_widget_event_internal.part.0.lto_priv.0 at ../gtk/gtkwidget.c:7812
 #107 propagate_event at ../gtk/gtkmain.c:2681
 #108 gtk_propagate_event at ../gtk/gtkmain.c:2725
 #109 gtk_main_do_event at ../gtk/gtkmain.c:1921
 #111 _gdk_event_emit at ../gdk/gdkevents.c:73
 #116 g_main_context_iterate.isra.0 at ../glib/gmain.c:4276
 #117 g_main_context_iteration at ../glib/gmain.c:4343
 #118 g_application_run at ../gio/gapplication.c:2573


Potential duplicate: bug 2175920

Comment 1 xspielinbox+redhat 2023-08-02 09:52:55 UTC
Created attachment 1981274
File: proc_pid_status

Comment 2 xspielinbox+redhat 2023-08-02 09:52:56 UTC
Created attachment 1981275
File: maps

Comment 3 xspielinbox+redhat 2023-08-02 09:52:57 UTC
Created attachment 1981276
File: limits

Comment 4 xspielinbox+redhat 2023-08-02 09:52:59 UTC
Created attachment 1981277
File: mountinfo

Comment 5 xspielinbox+redhat 2023-08-02 09:53:00 UTC
Created attachment 1981278
File: os_info

Comment 6 xspielinbox+redhat 2023-08-02 09:53:01 UTC
Created attachment 1981279
File: cpuinfo

Comment 7 xspielinbox+redhat 2023-08-02 09:53:03 UTC
Created attachment 1981280
File: core_backtrace

Comment 8 xspielinbox+redhat 2023-08-02 09:53:04 UTC
Created attachment 1981281
File: exploitable

Comment 9 xspielinbox+redhat 2023-08-02 09:53:06 UTC
Created attachment 1981282
File: dso_list

Comment 10 xspielinbox+redhat 2023-08-02 09:53:07 UTC
Created attachment 1981283
File: var_log_messages

Comment 11 xspielinbox+redhat 2023-08-02 09:53:09 UTC
Created attachment 1981284
File: backtrace

Comment 12 xspielinbox+redhat 2023-08-02 09:53:10 UTC
Created attachment 1981285
File: open_fds

Comment 13 xspielinbox+redhat 2023-08-02 09:53:11 UTC
Created attachment 1981286
File: environ

Comment 14 xspielinbox+redhat 2023-08-02 10:25:13 UTC
I tried to fill out a PDF form and whenever I leave a field, evince crashes. Interestingly, it is only reproducible with this one PDF, but with this one every time.
Regardless of whether one switches the field with TAB, clicks somewhere else, or the field has a default value or not.


reporter:       libreport-2.17.11
type:           CCpp
reason:         evince killed by SIGSEGV
journald_cursor: s=9a7a550263b44ce2aae567ae74362384;i=236d9a;b=227ff983b5e443ea9b73d8e89787bd4f;m=150620919;t=601ed7afea1aa;x=5c092ce938cea2d
executable:     /usr/bin/evince
cgroup:         0::/user.slice/user-1000.slice/user/app.slice/dbus-:1.2-org.gnome.Nautilus
rootdir:        /
uid:            1000
kernel:         6.4.6-200.fc38.x86_64
package:        evince-44.3-1.fc38
runlevel:       N 5
backtrace_rating: 4
crash_function: GfxResources::doLookupFont
cmdline:        /usr/bin/evince /home/[...]/Documents/[...]/[...]/[...]/[...].pdf

Comment 15 Marek Kašík 2023-08-02 10:52:53 UTC
Hi,

thank you for the report. Could you attach the PDF here or send it to my email?

Comment 17 Marek Kašík 2023-08-10 16:09:02 UTC
Thank you for the PDF. I can reproduce it now.
This bug has already been fixed upstream, but unfortunately the fix changes API/ABI so I cannot backport it as it is (see https://gitlab.freedesktop.org/poppler/poppler/-/commit/62f2eb80fb2a4d4c656e7583584aa73fbc1de511). I'll need to have a look at how to get around that.

Comment 18 Marek Kašík 2023-08-15 14:03:25 UTC
It was not as hard as I thought in the end, so I've prepared an update fixing this crash.

Comment 19 Fedora Update System 2023-08-15 14:06:09 UTC
FEDORA-2023-5c5a1046b6 has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-5c5a1046b6

Comment 20 Fedora Update System 2023-08-15 14:06:09 UTC
FEDORA-2023-48838b6e4c has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2023-48838b6e4c

Comment 21 Fedora Update System 2023-08-16 02:05:55 UTC
FEDORA-2023-48838b6e4c has been pushed to the Fedora 37 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-48838b6e4c`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-48838b6e4c

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 22 Fedora Update System 2023-08-16 02:54:11 UTC
FEDORA-2023-5c5a1046b6 has been pushed to the Fedora 38 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-5c5a1046b6`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-5c5a1046b6

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 23 xspielinbox+redhat 2023-08-16 14:34:27 UTC
Thank you for the timely solution!

The update works well!