Bug 598945 - Bogus memory allocation size when browsing a PDF in Evince
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: poppler
Version: 5.5
Hardware / OS: All / Linux
Priority: urgent
Severity: urgent
Target Milestone: rc
Assigned To: Marek Kašík
QA Contact: Desktop QE
Keywords: Patch, ZStream
Blocks: 698595
Reported: 2010-06-02 07:51 EDT by Olivier Fourdan
Modified: 2013-03-03 21:49 EST
Fixed In Version: poppler-0.5.4-15.el5
Doc Type: Bug Fix
Last Closed: 2012-02-21 01:11:33 EST


Attachments
Proposed patch (716 bytes, patch), 2010-06-02 08:04 EDT, Olivier Fourdan


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2012:0236 normal SHIPPED_LIVE poppler bug fix update 2012-02-20 10:07:36 EST

Description Olivier Fourdan 2010-06-02 07:51:33 EDT
Description of problem:

When browsing a given PDF file, evince exits with a "Bogus memory allocation size" error

Version-Release number of selected component (if applicable):

poppler-0.5.4-4.4.el5.11

How reproducible:

Always

Steps to Reproduce:
1. Open the PDF file in evince
2. Page down to page 13 / 15
  
Actual results:

evince exits with "Bogus memory allocation size"

Expected results:

evince does not exit

Additional info:

The problem does not occur in recent versions of Evince. There is also an error displayed, "Dictionary key must be a name object", but that's unrelated to the bogus memory allocation.

The message "Bogus memory allocation size" can come from different parts of the code.

So breaking on _exit() in gdb, we can get a clearer idea of the code path that leads to the error:

Breakpoint 6, _exit (status=1) at ../sysdeps/unix/sysv/linux/_exit.c:29
29 {
(gdb) bt
#0  _exit (status=1) at ../sysdeps/unix/sysv/linux/_exit.c:29
#1  0x0000003ec44efb1a in gmallocn3 (a=<value optimized out>, b=<value optimized out>, c=<value optimized out>) at gmem.c:189
#2  0x0000003ec44b46b3 in JPXStream::readTilePart (this=0x2aaab01403d0) at JPXStream.cc:1750
#3  0x0000003ec44b5cbe in JPXStream::readCodestream (this=0x2aaab01403d0, len=<value optimized out>) at JPXStream.cc:1252
#4  0x0000003ec44b74f2 in JPXStream::readBoxes (this=0x2aaab01403d0) at JPXStream.cc:642
#5  0x0000003ec44b7816 in JPXStream::reset (this=0x2aaab01403d0) at JPXStream.cc:276
#6  0x0000003ec4810118 in CairoOutputDev::drawImage (this=0x2aaab002df90, state=<value optimized out>, ref=<value optimized out>, str=0x2aaab01403d0,
   width=370, height=259, colorMap=0x2aaab0140510, maskColors=0x0, inlineImg=0) at CairoOutputDev.cc:809
#7  0x0000003ec447cbec in Gfx::doImage (this=0x2aaab00008c0, ref=0x409ffcb0, str=0x2aaab01403d0, inlineImg=0) at Gfx.cc:3223
#8  0x0000003ec447fad1 in Gfx::opXObject (this=0x2aaab00008c0, args=0x409ffd80, numArgs=<value optimized out>) at Gfx.cc:2902
#9  0x0000003ec447a075 in Gfx::go (this=0x2aaab00008c0, topLevel=1) at Gfx.cc:580
#10 0x0000003ec447a4b0 in Gfx::display (this=0x2aaab00008c0, obj=0x409ffef0, topLevel=1) at Gfx.cc:543
#11 0x0000003ec44c0c89 in Page::displaySlice (this=0x2aaab0049340, out=0x2aaab002df90, hDPI=<value optimized out>, vDPI=<value optimized out>,
   rotate=<value optimized out>, useMediaBox=<value optimized out>, crop=<value optimized out>, sliceX=<value optimized out>, sliceY=0, sliceW=433,
   sliceH=554, links=0x0, catalog=0x2aaab002cba0, abortCheckCbk=0, abortCheckCbkData=0x0, annotDisplayDecideCbk=0, annotDisplayDecideCbkData=0x0)
   at Page.cc:375
#12 0x0000003ec480d4a3 in poppler_page_render_to_pixbuf (page=0x915b40, src_x=0, src_y=0, src_width=433, src_height=554, scale=0.70710700750350952,
   rotation=0, pixbuf=0x2aaab0029ca0) at poppler-page.cc:366
#13 0x000000000044c8a1 in ?? ()
#14 0x0000000000419209 in gtk_toggle_button_set_active () at gtktogglebutton.c:287
#15 0x0000000000417c52 in gtk_toggle_button_set_active () at gtktogglebutton.c:287
#16 0x00000000004181af in gtk_toggle_button_set_active () at gtktogglebutton.c:287
#17 0x0000003f35048e04 in g_thread_create_proxy (data=0x6c6b80) at gthread.c:553
#18 0x0000003f2f40673d in start_thread (arg=<value optimized out>) at pthread_create.c:301
#19 0x0000003f2e8d3d1d in clone () from /lib64/libc.so.6
(gdb) 

The values of a, b and c are optimized out, so gdb won't be of much help here.

Instrumenting the poppler lib, we can get the values actually passed to gmallocn3(); they are:

   a=1, b=0, c=72

So the program exits because b=0.

In poppler/JPXStream.cc, current upstream uses:

   subband->cbs = (JPXCodeBlock *)gmallocn(subband->nXCBs *
                                           subband->nYCBs,
                                           sizeof(JPXCodeBlock));

Instead of

   subband->cbs = (JPXCodeBlock *)gmallocn3( subband->nXCBs,
                                             subband->nYCBs,
                                             sizeof(JPXCodeBlock));

So that if subband->nYCBs == 0, subband->nXCBs * subband->nYCBs == 0 and the problem does not occur.

Patch for poppler 0.5.4 attached.
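The report boils down to a size-check policy question: a checked multiply-and-allocate helper has to reject negative operands and integer overflow, but a zero operand (here nYCBs == 0, giving gmallocn3(1, 0, 72)) is a legitimate empty array, and treating it as "bogus" turns a harmless PDF into a process exit. The block below is an added illustration written for this page, not poppler's gmem.c or the attached patch; the CodeBlock type, the function names and the status enum are assumptions. It shows an overflow-checked three-factor multiply that reports "empty" separately from "bogus", a strict variant that reproduces the fatal treatment of b=0 described above, and a subband allocator built on the lenient check that returns NULL with a zero count instead of terminating.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for JPXCodeBlock: only its size matters here, and
 * 72 bytes is the c value reported in the backtrace investigation. */
typedef struct { unsigned char payload[72]; } CodeBlock;

enum size_check { SIZE_OK = 0, SIZE_EMPTY = 1, SIZE_BOGUS = 2 };

/* Overflow-checked a*b*c. Negative operands or a product that does not fit
 * in size_t are rejected as SIZE_BOGUS. A zero operand is reported as
 * SIZE_EMPTY: zero elements is a legal request and must not be confused
 * with an attacker-controlled overflow. *out is the byte count on SIZE_OK. */
enum size_check checked_mul3(int a, int b, int c, size_t *out)
{
    *out = 0;
    if (a < 0 || b < 0 || c < 0)
        return SIZE_BOGUS;
    if (a == 0 || b == 0 || c == 0)
        return SIZE_EMPTY;
    size_t ua = (size_t)a, ub = (size_t)b, uc = (size_t)c;
    if (ua > SIZE_MAX / ub)          /* a*b would overflow */
        return SIZE_BOGUS;
    size_t ab = ua * ub;
    if (ab > SIZE_MAX / uc)          /* (a*b)*c would overflow */
        return SIZE_BOGUS;
    *out = ab * uc;
    return SIZE_OK;
}

/* Strict policy mirroring the failure in the report: any non-positive
 * dimension counts as a bogus size, so (1, 0, 72) is fatal even though the
 * arithmetic is harmless. Shown only to contrast with checked_mul3. */
enum size_check strict_mul3(int a, int b, int c, size_t *out)
{
    if (a <= 0 || b <= 0 || c <= 0) {
        *out = 0;
        return SIZE_BOGUS;
    }
    return checked_mul3(a, b, c, out);
}

/* Allocate the code-block array for one subband. All three factors go
 * through the checked multiply, so nXCBs*nYCBs is never computed unchecked.
 * An empty subband yields NULL with *count == 0 and SIZE_EMPTY; callers
 * must consult *count before indexing. Out-of-memory is reported as
 * SIZE_BOGUS so the caller has a single failure path to abort the page. */
CodeBlock *alloc_code_blocks(int nXCBs, int nYCBs, size_t *count,
                             enum size_check *status)
{
    size_t bytes;
    *count = 0;
    *status = checked_mul3(nXCBs, nYCBs, (int)sizeof(CodeBlock), &bytes);
    if (*status != SIZE_OK)
        return NULL;
    CodeBlock *cbs = malloc(bytes);
    if (cbs == NULL) {
        *status = SIZE_BOGUS;
        return NULL;
    }
    memset(cbs, 0, bytes);
    *count = (size_t)nXCBs * (size_t)nYCBs;
    return cbs;
}

/* Small wrappers so the outcomes can be inspected as plain return values. */
int status_of(int a, int b, int c)
{
    size_t n;
    return (int)checked_mul3(a, b, c, &n);
}

int strict_status_of(int a, int b, int c)
{
    size_t n;
    return (int)strict_mul3(a, b, c, &n);
}

size_t bytes_for(int a, int b, int c)
{
    size_t n;
    return checked_mul3(a, b, c, &n) == SIZE_OK ? n : 0;
}

/* Returns the status of allocating an nXCBs x nYCBs subband and stores the
 * element count; frees the array again. */
int subband_status(int nXCBs, int nYCBs, size_t *count)
{
    enum size_check st;
    CodeBlock *cbs = alloc_code_blocks(nXCBs, nYCBs, count, &st);
    free(cbs);
    return (int)st;
}

int main(void)
{
    size_t count;
    printf("lenient (1,0,72): %d  strict (1,0,72): %d\n",
           status_of(1, 0, 72), strict_status_of(1, 0, 72));
    printf("empty subband 1x0: status %d, count %zu\n",
           subband_status(1, 0, &count), count);
    printf("overflowing (INT_MAX,INT_MAX,72): %d\n",
           status_of(INT_MAX, INT_MAX, 72));
    return 0;
}
```

Two points worth keeping in mind when adopting this pattern. First, the upstream form quoted above computes subband->nXCBs * subband->nYCBs before the checked helper sees it, so the helper only validates the already-multiplied count; keeping the factors separate, as checked_mul3 does, lets the overflow check cover that product too. Second, a lenient helper moves responsibility to the caller: a NULL return with a zero count is a valid state that later code must not dereference, which is why the allocator hands back the count alongside the pointer.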
Comment 1 Olivier Fourdan 2010-06-02 08:04:22 EDT
Created attachment 419004
Proposed patch
Comment 4 RHEL Product and Program Management 2010-08-09 15:51:18 EDT
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated in the
current release, Red Hat is unfortunately unable to address this
request at this time. Red Hat invites you to ask your support
representative to propose this request, if appropriate and relevant,
in the next release of Red Hat Enterprise Linux.
Comment 17 errata-xmlrpc 2012-02-21 01:11:33 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0236.html
