Bug 2228384 - [abrt] evince: GfxResources::doLookupFont(): evince killed by SIGSEGV
Summary: [abrt] evince: GfxResources::doLookupFont(): evince killed by SIGSEGV
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: evince
Version: 38
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Marek Kašík
QA Contact: Fedora Extras Quality Assurance
URL: https://retrace.fedoraproject.org/faf...
Whiteboard: abrt_hash:b696a752048203e83478956e26e...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2023-08-02 09:52 UTC by xspielinbox+redhat
Modified: 2023-08-31 01:19 UTC (History)
6 users (show)

Fixed In Version: poppler-22.08.0-4.fc37 poppler-23.02.0-2.fc38
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-08-21 00:58:43 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)
File: proc_pid_status (1.43 KB, text/plain)
2023-08-02 09:52 UTC, xspielinbox+redhat
no flags Details
File: maps (3.91 KB, text/plain)
2023-08-02 09:52 UTC, xspielinbox+redhat
no flags Details
File: limits (1.29 KB, text/plain)
2023-08-02 09:52 UTC, xspielinbox+redhat
no flags Details
File: mountinfo (3.95 KB, text/plain)
2023-08-02 09:52 UTC, xspielinbox+redhat
no flags Details
File: os_info (734 bytes, text/plain)
2023-08-02 09:53 UTC, xspielinbox+redhat
no flags Details
File: cpuinfo (2.85 KB, text/plain)
2023-08-02 09:53 UTC, xspielinbox+redhat
no flags Details
File: core_backtrace (41.05 KB, text/plain)
2023-08-02 09:53 UTC, xspielinbox+redhat
no flags Details
File: exploitable (81 bytes, text/plain)
2023-08-02 09:53 UTC, xspielinbox+redhat
no flags Details
File: dso_list (592 bytes, text/plain)
2023-08-02 09:53 UTC, xspielinbox+redhat
no flags Details
File: var_log_messages (339 bytes, text/plain)
2023-08-02 09:53 UTC, xspielinbox+redhat
no flags Details
File: backtrace (114.97 KB, text/plain)
2023-08-02 09:53 UTC, xspielinbox+redhat
no flags Details
File: open_fds (2.85 KB, text/plain)
2023-08-02 09:53 UTC, xspielinbox+redhat
no flags Details
File: environ (1.50 KB, text/plain)
2023-08-02 09:53 UTC, xspielinbox+redhat
no flags Details

Description xspielinbox+redhat 2023-08-02 09:52:51 UTC
Description of problem:
I tried to fill out an PDF-form and whenever I leave a field, the application crashes. It interstingly is only reproducable with this one PDF, but with this one everytime.
Regardless, whether one switches the field with TAB, clicks somewhere else, the field has a default value or not.

Version-Release number of selected component:
evince-44.3-1.fc38

Additional info:
reporter:       libreport-2.17.11
type:           CCpp
reason:         evince killed by SIGSEGV
journald_cursor: s=9a7a550263b44ce2aae567ae74362384;i=236d81;b=227ff983b5e443ea9b73d8e89787bd4f;m=14f8428f4;t=601ed7a20c186;x=9b6e59b7be9175c9
executable:     /usr/bin/evince
cgroup:         0::/user.slice/user-1000.slice/user/app.slice/dbus-:1.2-org.gnome.Nautilus
rootdir:        /
uid:            1000
kernel:         6.4.6-200.fc38.x86_64
package:        evince-44.3-1.fc38
runlevel:       N 5
backtrace_rating: 4
crash_function: GfxResources::doLookupFont
cmdline:        /usr/bin/evince /home/[...]/Documents/[...]/[...]/[...]/[...].pdf

Truncated backtrace:
Thread no. 1 (82 frames)
 #0 GfxResources::doLookupFont at /usr/src/debug/poppler-23.02.0-1.fc38.x86_64/poppler/Gfx.cc:301
 #1 GfxResources::lookupFont at /usr/src/debug/poppler-23.02.0-1.fc38.x86_64/poppler/Gfx.cc:313
 #2 Form::ensureFontsForAllCharacters at /usr/src/debug/poppler-23.02.0-1.fc38.x86_64/poppler/Form.cc:2966
 #3 FormFieldText::setContentCopy at /usr/src/debug/poppler-23.02.0-1.fc38.x86_64/poppler/Form.cc:1684
 #4 poppler_form_field_text_set_text at /usr/src/debug/poppler-23.02.0-1.fc38.x86_64/glib/poppler-form-field.cc:757
 #5 pdf_document_forms_form_field_text_set_text at ../backend/pdf/ev-poppler.c:2503
 #6 ev_view_form_field_text_save.part.0.lto_priv.0 at ../libview/ev-view.c:2627
 #7 ev_view_form_field_text_save at ../libview/ev-view.c:2664
 #8 ev_view_form_field_text_focus_out at ../libview/ev-view.c:2665
 #9 _gtk_marshal_BOOLEAN__BOXED at gtk/gtkmarshalers.c:84
 #11 signal_emit_unlocked_R.isra.0 at ../gobject/gsignal.c:3812
 #14 gtk_widget_event_internal.part.0.lto_priv.0 at ../gtk/gtkwidget.c:7812
 #15 gtk_widget_send_focus_change at ../gtk/gtkwidget.c:16244
 #16 do_focus_change at ../gtk/gtkwindow.c:8487
 #17 gtk_window_real_set_focus at ../gtk/gtkwindow.c:8776
 #18 g_cclosure_marshal_VOID__OBJECTv at ../gobject/gmarshal.c:1910
 #19 _g_closure_invoke_va at ../gobject/gclosure.c:895
 #22 _gtk_window_unset_focus_and_default at ../gtk/gtkwindow.c:9161
 #23 gtk_widget_unparent at ../gtk/gtkwidget.c:4654
 #25 ev_view_remove at ../libview/ev-view.c:7863
 #26 g_cclosure_marshal_VOID__OBJECTv at ../gobject/gmarshal.c:1910
 #27 _g_closure_invoke_va at ../gobject/gclosure.c:895
 #30 gtk_container_remove at ../gtk/gtkcontainer.c:1907
 #32 gtk_widget_dispose at ../gtk/gtkwidget.c:12155
 #35 ev_view_forall at ../libview/ev-view.c:7890
 #36 ev_view_remove_all_form_fields at ../libview/ev-view.c:5818
 #37 ev_view_focus_next at ../libview/ev-view.c:8153
 #38 ev_view_focus at ../libview/ev-view.c:8193
 #39 _gtk_marshal_BOOLEAN__ENUMv at gtk/gtkmarshalers.c:215
 #40 _g_closure_invoke_va at ../gobject/gclosure.c:895
 #43 gtk_widget_child_focus at ../gtk/gtkwidget.c:11087
 #44 gtk_scrolled_window_focus at ../gtk/gtkscrolledwindow.c:3886
 #45 _gtk_marshal_BOOLEAN__ENUMv at gtk/gtkmarshalers.c:215
 #46 _g_closure_invoke_va at ../gobject/gclosure.c:895
 #49 gtk_widget_child_focus at ../gtk/gtkwidget.c:11087
 #50 gtk_container_focus_move at ../gtk/gtkcontainer.c:3288
 #51 gtk_container_focus at ../gtk/gtkcontainer.c:2816
 #52 _gtk_marshal_BOOLEAN__ENUMv at gtk/gtkmarshalers.c:215
 #53 _g_closure_invoke_va at ../gobject/gclosure.c:895
 #56 gtk_widget_child_focus at ../gtk/gtkwidget.c:11087
 #57 gtk_container_focus_move at ../gtk/gtkcontainer.c:3288
 #58 gtk_container_focus at ../gtk/gtkcontainer.c:2816
 #59 _gtk_marshal_BOOLEAN__ENUMv at gtk/gtkmarshalers.c:215
 #60 _g_closure_invoke_va at ../gobject/gclosure.c:895
 #63 gtk_widget_child_focus at ../gtk/gtkwidget.c:11087
 #64 gtk_container_focus_move at ../gtk/gtkcontainer.c:3288
 #65 gtk_container_focus at ../gtk/gtkcontainer.c:2816
 #66 gtk_paned_focus at ../gtk/gtkpaned.c:2069
 #67 _gtk_marshal_BOOLEAN__ENUMv at gtk/gtkmarshalers.c:215
 #68 _g_closure_invoke_va at ../gobject/gclosure.c:895
 #71 gtk_widget_child_focus at ../gtk/gtkwidget.c:11087
 #72 gtk_container_focus_move at ../gtk/gtkcontainer.c:3288
 #73 gtk_container_focus at ../gtk/gtkcontainer.c:2816
 #74 _gtk_marshal_BOOLEAN__ENUMv at gtk/gtkmarshalers.c:215
 #75 _g_closure_invoke_va at ../gobject/gclosure.c:895
 #78 gtk_widget_child_focus at ../gtk/gtkwidget.c:11087
 #79 gtk_container_focus_move at ../gtk/gtkcontainer.c:3288
 #80 gtk_container_focus at ../gtk/gtkcontainer.c:2816
 #81 _gtk_marshal_BOOLEAN__ENUMv at gtk/gtkmarshalers.c:215
 #82 _g_closure_invoke_va at ../gobject/gclosure.c:895
 #85 gtk_widget_child_focus at ../gtk/gtkwidget.c:11087
 #86 gtk_window_focus at ../gtk/gtkwindow.c:8667
 #88 _gtk_marshal_BOOLEAN__ENUMv at gtk/gtkmarshalers.c:215
 #89 _g_closure_invoke_va at ../gobject/gclosure.c:895
 #92 gtk_widget_child_focus at ../gtk/gtkwidget.c:11087
 #93 gtk_window_move_focus at ../gtk/gtkwindow.c:8729
 #95 signal_emit_unlocked_R.isra.0 at ../gobject/gsignal.c:3851
 #96 g_signal_emitv at ../gobject/gsignal.c:3284
 #97 gtk_binding_entry_activate at ../gtk/gtkbindings.c:646
 #98 binding_activate at ../gtk/gtkbindings.c:1455
 #99 gtk_bindings_activate_list at ../gtk/gtkbindings.c:1514
 #100 gtk_bindings_activate_event at ../gtk/gtkbindings.c:1601
 #102 _gtk_marshal_BOOLEAN__BOXEDv at gtk/gtkmarshalers.c:130
 #103 _g_closure_invoke_va at ../gobject/gclosure.c:895
 #106 gtk_widget_event_internal.part.0.lto_priv.0 at ../gtk/gtkwidget.c:7812
 #107 propagate_event at ../gtk/gtkmain.c:2681
 #108 gtk_propagate_event at ../gtk/gtkmain.c:2725
 #109 gtk_main_do_event at ../gtk/gtkmain.c:1921
 #111 _gdk_event_emit at ../gdk/gdkevents.c:73
 #116 g_main_context_iterate.isra.0 at ../glib/gmain.c:4276
 #117 g_main_context_iteration at ../glib/gmain.c:4343
 #118 g_application_run at ../gio/gapplication.c:2573


Potential duplicate: bug 2175920

Comment 1 xspielinbox+redhat 2023-08-02 09:52:55 UTC
Created attachment 1981274 [details]
File: proc_pid_status

Comment 2 xspielinbox+redhat 2023-08-02 09:52:56 UTC
Created attachment 1981275 [details]
File: maps

Comment 3 xspielinbox+redhat 2023-08-02 09:52:57 UTC
Created attachment 1981276 [details]
File: limits

Comment 4 xspielinbox+redhat 2023-08-02 09:52:59 UTC
Created attachment 1981277 [details]
File: mountinfo

Comment 5 xspielinbox+redhat 2023-08-02 09:53:00 UTC
Created attachment 1981278 [details]
File: os_info

Comment 6 xspielinbox+redhat 2023-08-02 09:53:01 UTC
Created attachment 1981279 [details]
File: cpuinfo

Comment 7 xspielinbox+redhat 2023-08-02 09:53:03 UTC
Created attachment 1981280 [details]
File: core_backtrace

Comment 8 xspielinbox+redhat 2023-08-02 09:53:04 UTC
Created attachment 1981281 [details]
File: exploitable

Comment 9 xspielinbox+redhat 2023-08-02 09:53:06 UTC
Created attachment 1981282 [details]
File: dso_list

Comment 10 xspielinbox+redhat 2023-08-02 09:53:07 UTC
Created attachment 1981283 [details]
File: var_log_messages

Comment 11 xspielinbox+redhat 2023-08-02 09:53:09 UTC
Created attachment 1981284 [details]
File: backtrace

Comment 12 xspielinbox+redhat 2023-08-02 09:53:10 UTC
Created attachment 1981285 [details]
File: open_fds

Comment 13 xspielinbox+redhat 2023-08-02 09:53:11 UTC
Created attachment 1981286 [details]
File: environ

Comment 14 xspielinbox+redhat 2023-08-02 10:25:13 UTC
I tried to fill out an PDF-form and whenever I leave a field, evince crashes. It interstingly is only reproducable with this one PDF, but with this one everytime.
Regardless, whether one switches the field with TAB, clicks somewhere else, the field has a default value or not.


reporter:       libreport-2.17.11
type:           CCpp
reason:         evince killed by SIGSEGV
journald_cursor: s=9a7a550263b44ce2aae567ae74362384;i=236d9a;b=227ff983b5e443ea9b73d8e89787bd4f;m=150620919;t=601ed7afea1aa;x=5c092ce938cea2d
executable:     /usr/bin/evince
cgroup:         0::/user.slice/user-1000.slice/user/app.slice/dbus-:1.2-org.gnome.Nautilus
rootdir:        /
uid:            1000
kernel:         6.4.6-200.fc38.x86_64
package:        evince-44.3-1.fc38
runlevel:       N 5
backtrace_rating: 4
crash_function: GfxResources::doLookupFont
cmdline:        /usr/bin/evince /home/[...]/Documents/[...]/[...]/[...]/[...].pdf

Comment 15 Marek Kašík 2023-08-02 10:52:53 UTC
Hi,

thank you for the report. Could you attach the PDF here or send it to my email?

Comment 17 Marek Kašík 2023-08-10 16:09:02 UTC
Thank you for the PDF. I can reproduce it now.
This bug has been already fixed upstream but unfortunately the fix changes API/ABI so I can not backport it as it is (see https://gitlab.freedesktop.org/poppler/poppler/-/commit/62f2eb80fb2a4d4c656e7583584aa73fbc1de511). I'll need to have a look at how to get around that.

Comment 18 Marek Kašík 2023-08-15 14:03:25 UTC
It was not that hard as I thought at the end so I've prepared an update fixing this crash.

Comment 19 Fedora Update System 2023-08-15 14:06:09 UTC
FEDORA-2023-5c5a1046b6 has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-5c5a1046b6

Comment 20 Fedora Update System 2023-08-15 14:06:09 UTC
FEDORA-2023-48838b6e4c has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2023-48838b6e4c

Comment 21 Fedora Update System 2023-08-16 02:05:55 UTC
FEDORA-2023-48838b6e4c has been pushed to the Fedora 37 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-48838b6e4c`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-48838b6e4c

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 22 Fedora Update System 2023-08-16 02:54:11 UTC
FEDORA-2023-5c5a1046b6 has been pushed to the Fedora 38 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-5c5a1046b6`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-5c5a1046b6

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 23 xspielinbox+redhat 2023-08-16 14:34:27 UTC
Thank you for the timely solution!

The update works well!

Comment 24 Fedora Update System 2023-08-21 00:58:43 UTC
FEDORA-2023-5c5a1046b6 has been pushed to the Fedora 38 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 25 Fedora Update System 2023-08-31 01:19:17 UTC
FEDORA-2023-48838b6e4c has been pushed to the Fedora 37 stable repository.
If problem still persists, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.