Bug 1981108 - evince crashes with a normal pdf file as input.
Summary: evince crashes with a normal pdf file as input.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: poppler
Version: 8.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: beta
Assignee: Marek Kašík
QA Contact: Radek Duda
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-07-11 14:01 UTC by Leon Fauster
Modified: 2021-11-09 20:01 UTC (History)

Fixed In Version: poppler-20.11.0-3.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-11-09 17:40:50 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Attachments
reproducer (211.24 KB, application/pdf), 2021-07-26 14:03 UTC, Marek Kašík


Links
Red Hat Product Errata RHBA-2021:4155 (last updated 2021-11-09 17:40:54 UTC)

Description Leon Fauster 2021-07-11 14:01:02 UTC
# rpm -q evince poppler
evince-3.28.4-11.el8.x86_64
poppler-20.11.0-2.el8.x86_64




Description of problem:

When trying to open a PDF file evince dies. This happens ONLY to some PDF documents.



Jul 11 15:50:46 s.localdomain systemd[2847]: Starting Evince document viewer...
Jul 11 15:50:46 s.localdomain dbus-daemon[2887]: [session uid=1200 pid=2887] Successfully activated service 'org.gnome.evince.Daemon'
Jul 11 15:50:46 s.localdomain systemd[2847]: Started Evince document viewer.
Jul 11 15:50:46 s.localdomain kernel: EvJobScheduler[17050]: segfault at 10 ip 00007effd422cbb8 sp 00007effb6f367e0 error 4 in libglib-2.0.so.0.5600.4[7effd41f6000+116000]
Jul 11 15:50:46 s.localdomain kernel: Code: 15 69 49 06 00 48 8d 35 16 4d 06 00 48 8d 3d cd 0d 06 00 e8 6a e8 01 00 66 0f ef c0 48 83 c4 08 c3 90 f3 0f 1e fa 53 48 89 fb <8b> 77 10 48 8b 7f 08 e8 2c 3b 04 00 48 63 4b 14 48 ba 00 60 d7 1d
Jul 11 15:50:46 s.localdomain systemd[1]: Started Process Core Dump (PID 17051/UID 0).
Jul 11 15:50:46 s.localdomain systemd[2847]: evince.service: Succeeded.
Jul 11 15:50:47 s.localdomain systemd-coredump[17052]: Process 17039 (evince) of user 1200 dumped core.
                                                           
                                                           Stack trace of thread 17050:
                                                           #0  0x00007effd422cbb8 g_date_time_to_unix (libglib-2.0.so.0)
                                                           #1  0x00007effb62d3db9 _Z23_poppler_attachment_newP8FileSpec (libpoppler-glib.so.8)
                                                           #2  0x00007effb62c940b poppler_document_get_attachments (libpoppler-glib.so.8)
                                                           #3  0x00007effb652dd3e n/a (libpdfdocument.so)
                                                           #4  0x00007effd71206fe ev_job_attachments_run (libevview3.so.3)
                                                           #5  0x00007effd7122822 ev_job_thread_proxy (libevview3.so.3)
                                                           #6  0x00007effd426be5a g_thread_proxy (libglib-2.0.so.0)
                                                           #7  0x00007effd3a4514a start_thread (libpthread.so.0)
                                                           #8  0x00007effd3774dc3 __clone (libc.so.6)
                                                           
                                                           Stack trace of thread 17039:
                                                           #0  0x00007effd4249340 g_malloc0 (libglib-2.0.so.0)
                                                           #1  0x00007effd49d8bb6 g_file_real_set_attributes_async (libgio-2.0.so.0)
                                                           #2  0x000055e9bee3abe8 ev_metadata_set_string (evince)
                                                           #3  0x000055e9bee4a9f5 ev_window_document_changed_cb (evince)
                                                           #4  0x00007effd451f3bd g_closure_invoke (libgobject-2.0.so.0)
                                                           #5  0x00007effd4532945 signal_emit_unlocked_R (libgobject-2.0.so.0)
                                                           #6  0x00007effd453ba56 g_signal_emit_valist (libgobject-2.0.so.0)
                                                           #7  0x00007effd453c093 g_signal_emit (libgobject-2.0.so.0)
                                                           #8  0x00007effd4523df4 g_object_dispatch_properties_changed (libgobject-2.0.so.0)
                                                           #9  0x00007effd45262d1 g_object_notify (libgobject-2.0.so.0)
                                                           #10 0x000055e9bee4babb ev_window_load_job_cb (evince)
                                                           #11 0x00007effd451f3bd g_closure_invoke (libgobject-2.0.so.0)
                                                           #12 0x00007effd4532945 signal_emit_unlocked_R (libgobject-2.0.so.0)
                                                           #13 0x00007effd453ba56 g_signal_emit_valist (libgobject-2.0.so.0)
                                                           #14 0x00007effd453c093 g_signal_emit (libgobject-2.0.so.0)
                                                           #15 0x00007effd711e86b emit_finished (libevview3.so.3)
                                                           #16 0x00007effd424015b g_idle_dispatch (libglib-2.0.so.0)
                                                           #17 0x00007effd42437ed g_main_context_dispatch (libglib-2.0.so.0)
                                                           #18 0x00007effd4243ba8 g_main_context_iterate.isra.21 (libglib-2.0.so.0)
                                                           #19 0x00007effd4243c40 g_main_context_iteration (libglib-2.0.so.0)
                                                           #20 0x00007effd4a3513d g_application_run (libgio-2.0.so.0)
                                                           #21 0x000055e9bee31f9c main (evince)
                                                           #22 0x00007effd369b493 __libc_start_main (libc.so.6)
                                                           #23 0x000055e9bee3207e _start (evince)
                                                           
                                                           Stack trace of thread 17042:
                                                           #0  0x00007effd3769a41 __poll (libc.so.6)
                                                           #1  0x00007effd4243b16 g_main_context_iterate.isra.21 (libglib-2.0.so.0)
                                                           #2  0x00007effd4243c40 g_main_context_iteration (libglib-2.0.so.0)
                                                           #3  0x00007effbd7f3e6d dconf_gdbus_worker_thread (libdconfsettings.so)
                                                           #4  0x00007effd426be5a g_thread_proxy (libglib-2.0.so.0)
                                                           #5  0x00007effd3a4514a start_thread (libpthread.so.0)
                                                           #6  0x00007effd3774dc3 __clone (libc.so.6)
                                                           
                                                           Stack trace of thread 17045:
                                                           #0  0x00007effd376f52d syscall (libc.so.6)
                                                           #1  0x00007effd428acce g_cond_wait_until (libglib-2.0.so.0)
                                                           #2  0x00007effd42160f1 g_async_queue_pop_intern_unlocked (libglib-2.0.so.0)
                                                           #3  0x00007effd426c9a2 g_thread_pool_thread_proxy (libglib-2.0.so.0)
                                                           #4  0x00007effd426be5a g_thread_proxy (libglib-2.0.so.0)
                                                           #5  0x00007effd3a4514a start_thread (libpthread.so.0)
                                                           #6  0x00007effd3774dc3 __clone (libc.so.6)
                                                           
                                                           Stack trace of thread 17043:
                                                           #0  0x00007effd3769a41 __poll (libc.so.6)
                                                           #1  0x00007effd4243b16 g_main_context_iterate.isra.21 (libglib-2.0.so.0)
                                                           #2  0x00007effd4243c40 g_main_context_iteration (libglib-2.0.so.0)
                                                           #3  0x00007effd4243c91 glib_worker_main (libglib-2.0.so.0)
                                                           #4  0x00007effd426be5a g_thread_proxy (libglib-2.0.so.0)
                                                           #5  0x00007effd3a4514a start_thread (libpthread.so.0)
                                                           #6  0x00007effd3774dc3 __clone (libc.so.6)
                                                           
                                                           Stack trace of thread 17044:
                                                           #0  0x00007effd3769a41 __poll (libc.so.6)
                                                           #1  0x00007effd4243b16 g_main_context_iterate.isra.21 (libglib-2.0.so.0)
                                                           #2  0x00007effd4243ed2 g_main_loop_run (libglib-2.0.so.0)
                                                           #3  0x00007effd4a625da gdbus_shared_thread_func (libgio-2.0.so.0)
                                                           #4  0x00007effd426be5a g_thread_proxy (libglib-2.0.so.0)
                                                           #5  0x00007effd3a4514a start_thread (libpthread.so.0)
                                                           #6  0x00007effd3774dc3 __clone (libc.so.6)
Jul 11 15:50:47 s.localdomain systemd[1]: systemd-coredump: Succeeded.




Unfortunately it's a confidential document and therefore I cannot provide it.


$ hexdump -C '983911.pdf' |head
00000000  25 50 44 46 2d 31 2e 37  0a 25 b7 be ad aa 0a 31  |%PDF-1.7.%.....1|
00000010  20 30 20 6f 62 6a 0a 3c  3c 0a 2f 54 79 70 65 20  | 0 obj.<<./Type |
00000020  2f 43 61 74 61 6c 6f 67  0a 2f 50 61 67 65 73 20  |/Catalog./Pages |
00000030  32 20 30 20 52 0a 2f 4f  75 74 70 75 74 49 6e 74  |2 0 R./OutputInt|
00000040  65 6e 74 73 20 5b 20 38  20 30 20 52 20 5d 0a 2f  |ents [ 8 0 R ]./|
00000050  4e 61 6d 65 73 20 31 31  20 30 20 52 0a 2f 41 46  |Names 11 0 R./AF|
00000060  20 31 36 20 30 20 52 0a  2f 4d 65 74 61 64 61 74  | 16 0 R./Metadat|
00000070  61 20 32 30 20 30 20 52  0a 3e 3e 0a 65 6e 64 6f  |a 20 0 R.>>.endo|
00000080  62 6a 0a 32 20 30 20 6f  62 6a 0a 3c 3c 0a 2f 54  |bj.2 0 obj.<<./T|
00000090  79 70 65 20 2f 50 61 67  65 73 0a 2f 4b 69 64 73  |ype /Pages./Kids|


I can convert the document with 

gs -q -dPDFSETTINGS=/ebook -dNOPAUSE -dBATCH -sDEVICE=pdfwrite -sOutputFile=output.pdf 983911.pdf 

and that produces a working copy (evince opens it)

$ hexdump -C output.pdf |head -1
00000000  25 50 44 46 2d 31 2e 35  0a 25 c7 ec 8f a2 0a 35  |%PDF-1.5.%.....5|

Comment 1 Marek Kašík 2021-07-15 14:57:12 UTC
Hi,

it is hard to debug this without a PDF which triggers the issue, so I'll ask you to show me a backtrace from valgrind.

First, you'll need to install debug packages. I hope that you can do that this way:

"dnf debuginfo-install evince gtk3 glib2 poppler"

Then install valgrind package please

"dnf install valgrind"

Then run evince inside valgrind (replacing the-document.pdf with the actual document name):

"valgrind --track-origins=yes --num-callers=80 --malloc-fill=0xfa --free-fill=0xfb --trace-children=yes --read-var-info=yes --error-limit=no evince the-document.pdf &> ./valgrind.log"

It will be very slow, but it will give us a better view of what is going on.


Also, could you have a look at "Title" and "Author" of the PDF? Evince probably crashes when saving this info as metadata. So I would need to know whether there is something unusual (as some non-standard characters etc.).

"pdfinfo the-document.pdf | grep -e Author -e Title"

pdfinfo is part of poppler-utils package.

Comment 2 Leon Fauster 2021-07-25 13:21:13 UTC
(In reply to Marek Kašík from comment #1)

> Also, could you have a look at "Title" and "Author" of the PDF? Evince
> probably crashes when saving this info as metadata. So I would need to know
> whether there is something unusual (as some non-standard characters etc.).
> 
> "pdfinfo the-document.pdf | grep -e Author -e Title"
> 
> pdfinfo is part of poppler-utils package.



It seems to be plain ASCII:

$ pdfinfo nonpublic_test.pdf |egrep 'Author|Title|Subject|Keywords|Producer|CreationDate' > pdfinfos.txt

$ file pdfinfos.txt 
pdfinfos.txt: ASCII text

$ cat pdfinfos.txt |tr -d [A-Z][a-z][0-9]
:           // .  
:        
:       ,//,,. ,
:          
:        
:      :: 



I also deleted this content without any change to the coredumps


$ cp nonpublic_test.pdf nonpublic_test_deltitle.pdf

$ /usr/bin/exiftool -all= --ICC_Profile:all nonpublic_test_deltitle.pdf

$ pdfinfo nonpublic_test_deltitle.pdf |egrep 'Author|Title|Subject|Keywords|Producer|CreationDate'
(manually annotated: empty output)

$ evince  nonpublic_test_deltitle.pdf 
(manually annotated: dumped core here again)

FYI: The ExifTool PDF edits are reversible. So the data may still be in the file.

Comment 3 Leon Fauster 2021-07-25 13:22:54 UTC
(In reply to Marek Kašík from comment #1)

> Then run evince inside valgrind (replacing the the-document.pdf with actual
> document name):
> 
> "valgrind --track-origins=yes --num-callers=80 --malloc-fill=0xfa
> --free-fill=0xfb --trace-children=yes --read-var-info=yes --error-limit=no
> evince the-document.pdf &> ./valgrind.log"
> 

I added --show-error-list=yes


$ cat valgrind.log 
==3908== Memcheck, a memory error detector
==3908== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==3908== Using Valgrind-3.16.0 and LibVEX; rerun with -h for copyright info
==3908== Command: evince nonpublic_test.pdf
==3908== 
==3908== Thread 6 EvJobScheduler:
==3908== Invalid read of size 4
==3908==    at 0x7F02BB8: g_date_time_to_instant (gdatetime.c:734)
==3908==    by 0x7F02BB8: g_date_time_to_unix (gdatetime.c:2502)
==3908==    by 0x19656DB8: ??? (in /usr/lib64/libpoppler-glib.so.8.19.0)
==3908==    by 0x1964C40A: poppler_document_get_attachments (in /usr/lib64/libpoppler-glib.so.8.19.0)
==3908==    by 0x19420D3D: ??? (in /usr/lib64/evince/4/backends/libpdfdocument.so)
==3908==    by 0x50A36FD: ??? (in /usr/lib64/libevview3.so.3.0.0)
==3908==    by 0x50A5821: ??? (in /usr/lib64/libevview3.so.3.0.0)
==3908==    by 0x7F41E59: g_thread_proxy (gthread.c:784)
==3908==    by 0x8786149: start_thread (in /usr/lib64/libpthread-2.28.so)
==3908==    by 0x8A9ADC2: clone (in /usr/lib64/libc-2.28.so)
==3908==  Address 0x10 is not stack'd, malloc'd or (recently) free'd
==3908== 
==3908== 
==3908== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==3908==  Access not within mapped region at address 0x10
==3908==    at 0x7F02BB8: g_date_time_to_instant (gdatetime.c:734)
==3908==    by 0x7F02BB8: g_date_time_to_unix (gdatetime.c:2502)
==3908==    by 0x19656DB8: ??? (in /usr/lib64/libpoppler-glib.so.8.19.0)
==3908==    by 0x1964C40A: poppler_document_get_attachments (in /usr/lib64/libpoppler-glib.so.8.19.0)
==3908==    by 0x19420D3D: ??? (in /usr/lib64/evince/4/backends/libpdfdocument.so)
==3908==    by 0x50A36FD: ??? (in /usr/lib64/libevview3.so.3.0.0)
==3908==    by 0x50A5821: ??? (in /usr/lib64/libevview3.so.3.0.0)
==3908==    by 0x7F41E59: g_thread_proxy (gthread.c:784)
==3908==    by 0x8786149: start_thread (in /usr/lib64/libpthread-2.28.so)
==3908==    by 0x8A9ADC2: clone (in /usr/lib64/libc-2.28.so)
==3908==  If you believe this happened as a result of a stack
==3908==  overflow in your program's main thread (unlikely but
==3908==  possible), you can try to increase the size of the
==3908==  main thread stack using the --main-stacksize= flag.
==3908==  The main thread stack size used in this run was 8388608.
==3908== 
==3908== HEAP SUMMARY:
==3908==     in use at exit: 7,411,381 bytes in 83,157 blocks
==3908==   total heap usage: 435,452 allocs, 352,295 frees, 33,521,745 bytes allocated
==3908== 
==3908== LEAK SUMMARY:
==3908==    definitely lost: 20,829 bytes in 41 blocks
==3908==    indirectly lost: 21,935 bytes in 931 blocks
==3908==      possibly lost: 13,680 bytes in 131 blocks
==3908==    still reachable: 6,078,609 bytes in 73,676 blocks
==3908==                       of which reachable via heuristic:
==3908==                         length64           : 16,792 bytes in 211 blocks
==3908==                         newarray           : 2,672 bytes in 87 blocks
==3908==         suppressed: 32 bytes in 1 blocks
==3908== Rerun with --leak-check=full to see details of leaked memory
==3908== 
==3908== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
==3908== 
==3908== 1 errors in context 1 of 1:
==3908== Invalid read of size 4
==3908==    at 0x7F02BB8: g_date_time_to_instant (gdatetime.c:734)
==3908==    by 0x7F02BB8: g_date_time_to_unix (gdatetime.c:2502)
==3908==    by 0x19656DB8: ??? (in /usr/lib64/libpoppler-glib.so.8.19.0)
==3908==    by 0x1964C40A: poppler_document_get_attachments (in /usr/lib64/libpoppler-glib.so.8.19.0)
==3908==    by 0x19420D3D: ??? (in /usr/lib64/evince/4/backends/libpdfdocument.so)
==3908==    by 0x50A36FD: ??? (in /usr/lib64/libevview3.so.3.0.0)
==3908==    by 0x50A5821: ??? (in /usr/lib64/libevview3.so.3.0.0)
==3908==    by 0x7F41E59: g_thread_proxy (gthread.c:784)
==3908==    by 0x8786149: start_thread (in /usr/lib64/libpthread-2.28.so)
==3908==    by 0x8A9ADC2: clone (in /usr/lib64/libc-2.28.so)
==3908==  Address 0x10 is not stack'd, malloc'd or (recently) free'd
==3908== 
--3908-- 
--3908-- used_suppression:      1 dtv-addr-tail /usr/libexec/valgrind/default.supp:1450 suppressed: 32 bytes in 1 blocks
==3908== 
==3908== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)

Comment 4 Leon Fauster 2021-07-25 13:26:11 UTC
BTW: The pdf document can be opened in Fedora 34's evince ...

Comment 5 Marek Kašík 2021-07-26 13:29:50 UTC
I am able to reproduce the issue now. I've attached a file inside a PDF and modified its ModDate and CreationDate to contain non-existing dates. This causes NULL to be passed to "g_date_time_to_unix()" and the crash on RHEL 8; it does not crash on Fedora 34 since that version has an assert in the function, so it just shows a warning.

Could you check the values of ModDate and CreationDate in your PDF? If they are not readable there, you may need to uncompress the streams in the PDF with "qpdf --stream-data=uncompress input.pdf output.pdf".
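
An added example, not code from this bug thread and not poppler's or GLib's own code: a small Python checker for the failure mode described in comment 5. It parses PDF date strings in the `D:YYYYMMDDHHmmSSOHH'mm'` form from the PDF specification, treats a date that does not exist (such as February 31) as absent instead of handing a null value on to the epoch conversion, and scans the raw bytes of an uncompressed PDF for `/CreationDate` and `/ModDate` entries so the bad one can be found before a viewer trips over it. The embedded-file fragment is constructed for the demonstration (its CreationDate uses the same value the reporter gets from pdfinfo later in the thread); that the `None`-instead-of-crash behaviour mirrors the actual poppler fix is an assumption, since the thread does not show that patch.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# PDF date string: D:YYYYMMDDHHmmSSOHH'mm'.  Everything after the year is
# optional and O is one of '+', '-' or 'Z'.  The regex only checks the shape;
# range checks (month 13, February 31, hour 24 ...) are left to datetime.
_PDF_DATE_RE = re.compile(
    r"^D:(?P<Y>\d{4})(?P<m>\d{2})?(?P<d>\d{2})?(?P<H>\d{2})?(?P<M>\d{2})?(?P<S>\d{2})?"
    r"(?:(?P<O>[+\-Z])(?:(?P<oH>\d{2})'?(?:(?P<oM>\d{2})'?)?)?)?$"
)

# Raw-byte pattern for the two dictionary keys the thread is about.  Only
# entries in uncompressed objects are visible this way; qpdf
# --stream-data=uncompress (comment 5) exposes the rest.
_DATE_ENTRY_RE = re.compile(rb"/(CreationDate|ModDate)\s*\((D:[^)]*)\)")


def parse_pdf_date(raw: str) -> Optional[datetime]:
    """Return an aware datetime for a well-formed date that exists, else None."""
    m = _PDF_DATE_RE.match(raw.strip())
    if not m:
        return None
    g = m.groupdict()
    try:
        dt = datetime(
            int(g["Y"]),
            int(g["m"] or 1),
            int(g["d"] or 1),
            int(g["H"] or 0),
            int(g["M"] or 0),
            int(g["S"] or 0),
        )
    except ValueError:
        return None  # shape was fine, but the date itself does not exist
    offset = timedelta(0)
    if g["O"] in ("+", "-"):
        hours, minutes = int(g["oH"] or 0), int(g["oM"] or 0)
        if hours > 23 or minutes > 59:
            return None  # an offset the timezone type cannot represent
        offset = timedelta(hours=hours, minutes=minutes)
        if g["O"] == "-":
            offset = -offset
    return dt.replace(tzinfo=timezone(offset))


def pdf_date_to_unix(raw: Optional[str]) -> Optional[int]:
    """Epoch seconds for a present, valid date; None for a missing or invalid one.

    This is the defensive counterpart of the crash in the thread: the absent
    value stops here instead of being passed on to the conversion routine.
    """
    if raw is None:
        return None
    dt = parse_pdf_date(raw)
    return None if dt is None else int(dt.timestamp())


def scan_pdf_dates(data: bytes) -> List[Tuple[str, str, bool]]:
    """List (key, raw string, parses-ok) for every date entry found in the bytes."""
    findings = []
    for m in _DATE_ENTRY_RE.finditer(data):
        key = m.group(1).decode("ascii")
        raw = m.group(2).decode("latin-1")
        findings.append((key, raw, parse_pdf_date(raw) is not None))
    return findings


# Constructed sample: an embedded-file object whose /Params carry one valid and
# one non-existing date (February 31).  Not taken from the reporter's document.
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"16 0 obj\n<< /Type /Filespec /F (data.bin) /EF << /F 17 0 R >> >>\nendobj\n"
    b"17 0 obj\n<< /Type /EmbeddedFile /Params << /CreationDate (D:20210419235554+02'00') "
    b"/ModDate (D:20210231000000Z) >> /Length 0 >>\nstream\n\nendstream\nendobj\n"
)

if __name__ == "__main__":
    for key, raw, ok in scan_pdf_dates(SAMPLE_PDF):
        print(f"{key:13s} {raw:28s} {'ok' if ok else 'INVALID, would be treated as missing'}")
```

Run against a real file with `scan_pdf_dates(open(path, "rb").read())`; for documents whose objects live in compressed object streams, run the qpdf command from comment 5 first, otherwise the scan reports nothing.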

Comment 6 Marek Kašík 2021-07-26 14:03:56 UTC
Created attachment 1805938 [details]
reproducer

Comment 7 Leon Fauster 2021-07-26 16:39:08 UTC
Great that you can reproduce it. Indeed my PDF file (both original and uncompressed) does not have any ModDate entry!

Comment 8 Marek Kašík 2021-07-30 14:23:27 UTC
(In reply to Leon Fauster from comment #7)
> Great that you can reproduce it. Indeed my PDF file (both original and
> uncompressed) does not have any ModDate entry !

Is there any CreationDate?

The backtrace I get is the same as yours.

Comment 10 Marek Kašík 2021-08-02 15:33:03 UTC
Hi,

I've prepared a COPR repository with a fix for the issue I see. Could you try to update poppler from it and test whether it fixes the crash?

You can enable it by running:

dnf copr enable mkasik/poppler-test-build

and then run the update:

dnf update poppler

The COPR repository comes from here: https://copr.fedorainfracloud.org/coprs/mkasik/poppler-test-build/

Comment 11 Leon Fauster 2021-08-02 16:05:55 UTC
(In reply to Marek Kašík from comment #8)
> (In reply to Leon Fauster from comment #7)
> > Great that you can reproduce it. Indeed my PDF file (both original and
> > uncompressed) does not have any ModDate entry !
> 
> Is there any CreationDate?
> 
> The backtrace I get is the same as yours.

It has only the CreationDate:

$ pdfinfo Q1.pdf|grep -i date
CreationDate:   Mon Apr 19 23:55:54 2021 CEST

Comment 12 Leon Fauster 2021-08-02 20:51:54 UTC
(In reply to Marek Kašík from comment #10)
 
> I've prepared a COPR repository with a fix for the issue I see. Could you
> try to update poppler from it and test whether it fixes the crash?
> 
> You can enable it by running:
> 
> dnf copr enable mkasik/poppler-test-build
> 
> and then run the update:
> 
> dnf update poppler
> 
> The COPR repository comes from here:
> https://copr.fedorainfracloud.org/coprs/mkasik/poppler-test-build/

Hey Marek, this worked! Evince does not crash anymore and displays the PDF document. 

JFI: When looking into the "properties" of the document in Evince the "ModDate"
field (that is missing in the PDF file) has the epoch time as value displayed.
So, it seems that the patch addresses this issue. Thanks!

Comment 13 Marek Kašík 2021-08-04 10:00:24 UTC
Great! Thank you for testing it.

You'll need to downgrade poppler and remove the COPR repository before updating to the official release once it is ready (it will take some time yet).
You can do it this way:

dnf downgrade poppler
dnf copr remove mkasik/poppler-test-build

Comment 14 Radek Duda 2021-08-04 11:46:22 UTC
I reproduced the evince crash with the attached PDF file (poppler-20.11.0-2.el8.x86_64).
Then I installed poppler-20.11.0-3.el8.x86_64 and the file was successfully opened by evince.

Comment 19 errata-xmlrpc 2021-11-09 17:40:50 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (evince bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4155

