Description of problem:
Opened a corrupt PDF (about first 3.9 M of https://software.intel.com/sites/default/files/managed/39/c5/325462-sdm-vol-1-2abcd-3abcd.pdf)

Version-Release number of selected component:
atril-1.19.4-1.fc27

Additional info:
reporter:       libreport-2.9.3
backtrace_rating: 4
cmdline:        atril /home/kmarek/Downloads/tails/325462-sdm-vol-1-2abcd-3abcd.pdf
crash_function: ev_page_cache_schedule_job_if_needed
executable:     /usr/bin/atril
journald_cursor: s=232da011bd4c418e8e541df2095e8361;i=d1c26;b=2f1c7b137b794e0bb17f7e1d47ea034d;m=f2ae6ffa75;t=5634cf152ea05;x=72309f5376a9265e
kernel:         4.13.13-300.fc27.x86_64
rootdir:        /
runlevel:       N 5
type:           CCpp
uid:            1000

Truncated backtrace:
Thread no. 1 (9 frames)
 #0 ev_page_cache_schedule_job_if_needed at ev-page-cache.c:329
 #1 ev_page_cache_set_page_range at ev-page-cache.c:361
 #2 setup_caches at ev-view.c:6686
 #3 ev_view_document_changed_cb at ev-view.c:6841
 #9 g_object_notify_by_spec_internal at gobject.c:1173
 #11 ev_document_model_set_document at ev-document-model.c:338
 #12 ev_window_load_job_cb at ev-window.c:1865
 #17 emit_finished at ev-jobs.c:189
 #23 gtk_main at gtkmain.c:1322
Created attachment 1384101 [details] File: backtrace
Created attachment 1384102 [details] File: cgroup
Created attachment 1384103 [details] File: core_backtrace
Created attachment 1384104 [details] File: cpuinfo
Created attachment 1384105 [details] File: dso_list
Created attachment 1384106 [details] File: environ
Created attachment 1384107 [details] File: exploitable
Created attachment 1384108 [details] File: limits
Created attachment 1384109 [details] File: maps
Created attachment 1384110 [details] File: mountinfo
Created attachment 1384111 [details] File: open_fds
Created attachment 1384112 [details] File: proc_pid_status
Seems like it is 100% reproducible when opening the resulting file of `truncate --size=4M /tmp/325462-sdm-vol-1-2abcd-3abcd.pdf`. In this example, /tmp/325462-sdm-vol-1-2abcd-3abcd.pdf was the completed download of https://software.intel.com/sites/default/files/managed/39/c5/325462-sdm-vol-1-2abcd-3abcd.pdf

evince, which has a lot of deviations but shares a codebase ancestor with atril, is unaffected. Might be worth investigating if they have a fix?
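The reproduction above (truncate the download, open it, watch the viewer die) is what later comments in this report repeat by hand at several cut points. The script below is an added example, not code from this report or from the atril project, that automates it: it writes one truncated copy per size, starts the viewer on each for a few seconds, and classifies the result by exit status, since coreutils `timeout` reports a child killed by a signal as 128+signo (139 for SIGSEGV) and a child that was still running as 124. Assumptions: coreutils `truncate` and `timeout`, a viewer command in VIEWER (default atril) and a wait time in TIMEOUT (default 5 s), both my names; the cut sizes are arbitrary apart from the 4M from the report.

```shell
#!/bin/sh
# Added example, not from the bug report or from atril: open truncated copies of
# a PDF in the viewer and report which cut points make it die from a signal.
# Assumes coreutils `truncate` and `timeout`, a viewer in $VIEWER (default
# atril), a wait time in $TIMEOUT (default 5 s) and a desktop session so the
# viewer can start. VIEWER/TIMEOUT are names chosen for this example.
set -u

# make_truncations SRC SIZE...: write one copy of SRC per SIZE, truncated (or
# zero-extended) to that size, into a fresh temp dir; print the paths, one per
# line. SIZE takes truncate(1) suffixes such as K and M.
make_truncations() {
    src=$1; shift
    dir=$(mktemp -d)
    for size in "$@"; do
        out="$dir/$(basename "$src" .pdf)-$size.pdf"
        cp -- "$src" "$out"
        truncate --size="$size" "$out"
        printf '%s\n' "$out"
    done
}

# survives FILE: start the viewer on FILE and give it $TIMEOUT seconds.
# Returns 0 if the viewer exited normally or was still running when time ran
# out (timeout exits 124), 1 if it died from a signal (timeout exits 128+signo,
# e.g. 139 for SIGSEGV), 2 if the viewer command could not be run at all.
survives() {
    rc=0
    timeout --signal=TERM "${TIMEOUT:-5}" "${VIEWER:-atril}" "$1" >/dev/null 2>&1 || rc=$?
    case $rc in
        0|124) return 0 ;;
        126|127) echo "cannot run viewer '${VIEWER:-atril}'" >&2; return 2 ;;
        *) if [ "$rc" -ge 128 ]; then return 1; else return 0; fi ;;
    esac
}

# Driver: only runs when given a PDF, so the functions can also be sourced.
# Paths come from mktemp, so the unquoted word split is safe here.
if [ $# -gt 0 ]; then
    for f in $(make_truncations "$1" 1M 2M 3900K 4M 8M); do
        survives "$f"
        case $? in
            0) echo "ok     $f" ;;
            1) echo "CRASH  $f (viewer killed by a signal)" ;;
            *) exit 2 ;;
        esac
    done
fi
```

Run it as `VIEWER=atril sh reproduce.sh 325462-sdm-vol-1-2abcd-3abcd.pdf` against the complete download; a line starting with CRASH is the same failure the backtrace above records, and running the same script against a fixed build should print only ok lines. A viewer that refuses the file with an error dialog or a non-zero exit counts as surviving, which is the behaviour wanted for a corrupt input.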
Similar problem has been detected:

rewriting a pdf that is open in atril

reporter:       libreport-2.9.3
backtrace_rating: 4
cmdline:        atril test.pdf
crash_function: ev_page_cache_schedule_job_if_needed
executable:     /usr/bin/atril
journald_cursor: s=b0fd28a48c3e497fb4bb0da91df759c4;i=5c3fa;b=749775ad35a64145a901671015b402e6;m=4d5138a57f;t=56751d2993385;x=537b374017e5a6c0
kernel:         4.15.6-300.fc27.x86_64
package:        atril-1.19.6-1.fc27
reason:         atril killed by SIGSEGV
rootdir:        /
runlevel:       N 5
type:           CCpp
uid:            1000
I opened your pdf from the given link with that fixed scratch build and the document doesn't crash. Can you please try this scratch build? https://koji.fedoraproject.org/koji/taskinfo?taskID=25681394
I think you forgot to truncate the PDF after downloading. Issue applies to the scratch build when reading the same PDF truncated to 4M.
How should that work? And why?
No it should not "work" [1], but it should not crash Atril. This indicates there is a bug in Atril, and is potentially exploitable (jump to an invalid address). See: https://bugzilla.redhat.com/attachment.cgi?id=1384107

While it is true that there is such a thing as "untrusted data", it is a bug for a program to consciously handle input data as such; it means missing error-handling. It makes relatively harmless formats like plain images capable of inducing the execution of native code. Example: https://www.kb.cert.org/vuls/id/189754

[1]: Or maybe it could work. See: https://github.com/mozilla/pdf.js/wiki/Frequently-Asked-Questions/e81e9207c1d6a90d9e89f517ce3bf25f3d8d8f90#corrupted-pdf
Whoops! Correction: it is a bug for a program to *not* consciously handle input data as such
Created attachment 1408605 [details] test pdf

I can still reproduce with the koji build atril-1.19.6-2.fc27.x86_64. I have attached a truncated version of the pdf from intel, which triggers the crash.
Can you please test this new scratch build? This fixes the problem with a truncated pdf for me. https://koji.fedoraproject.org/koji/taskinfo?taskID=25840846
That build works as expected with various truncations of this PDF.
atril-1.19.6-3.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-599fcb4d5b
atril-1.19.6-3.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-599fcb4d5b
atril-1.19.6-4.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-599fcb4d5b
atril-1.19.6-4.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-599fcb4d5b
atril-1.19.6-4.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.