Control: severity -1 grave

Hi,

I investigated the problem further. The segmentation fault occurs when the thumbnail is shown, by selecting the menu [View] - [Side pane]. Here I attach another file of the gdb output.

The segmentation fault is caused by the null pointer dereference in the function active_edges(), which resides in cairo-1.12.2/src/cairo-polygon-intersect.c of the cairo package. Between lines 1233 and 1235 of cairo-1.12.2/src/cairo-polygon-intersect.c, a null pointer check is missing.

This seems to be a bug in cairo-1.12.2. How about reassigning this bug to the cairo package?

---
Kubo Hiroshi <h-k...@geisya.or.jp>

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xadbc8b70 (LWP 6045)]
active_edges (polygon=0xadbc72e8, top=9322, left=0xb5e19fe4)
    at /build/buildd-cairo_1.12.2-2-i386-1cmzkR/cairo-1.12.2/src/cairo-polygon-intersect.c:1235
1235            if unlikely ((right->deferred.other))
(gdb) list
1230                return;
1231        } while (1);
1232
1233        right = left->next;
1234        do {
1235            if unlikely ((right->deferred.other))
1236                edges_end (right, top, polygon);
1237
1238            winding[right->a_or_b] += right->edge.dir;
1239            if (is_zero (winding)) {
(gdb) p right
$1 = (cairo_bo_edge_t *) 0x0
(gdb) p *left
$2 = {a_or_b = 1, edge = {line = {p1 = {x = 14848, y = 8959}, p2 = {x = 14848, y = 9322}}, top = 8959, bottom = 9322, dir = -1}, prev = 0xb5e15a48, next = 0x0, deferred = {other = 0x0, top = 0}}
(gdb) where
#0  active_edges (polygon=0xadbc72e8, top=9322, left=0xb5e19fe4)
    at /build/buildd-cairo_1.12.2-2-i386-1cmzkR/cairo-1.12.2/src/cairo-polygon-intersect.c:1235
#1  intersection_sweep (polygon=0xadbc72e8, num_events=-1243501384, start_events=0xadbc5e94)
    at /build/buildd-cairo_1.12.2-2-i386-1cmzkR/cairo-1.12.2/src/cairo-polygon-intersect.c:1271
#2  _cairo_polygon_intersect (a=a@entry=0xadbc72e8, winding_a=winding_a@entry=0, b=0xadbc6ed8, winding_b=0)
    at /build/buildd-cairo_1.12.2-2-i386-1cmzkR/cairo-1.12.2/src/cairo-polygon-intersect.c:1466
#3  0xb772d58d in clip_and_composite_polygon ( antialias=CAIRO_ANTIALIAS_DEFAULT, fill_rule=CAIRO_FILL_RULE_WINDING, polygon=0xadbc72e8, extents=0xadbc76f0, compositor=0xb77d3880)
    at /build/buildd-cairo_1.12.2-2-i386-1cmzkR/cairo-1.12.2/src/cairo-spans-compositor.c:861
#4  clip_and_composite_polygon (compositor=0xb77d3880, extents=0xadbc76f0, polygon=0xadbc72e8, fill_rule=CAIRO_FILL_RULE_WINDING, antialias=CAIRO_ANTIALIAS_DEFAULT)
    at /build/buildd-cairo_1.12.2-2-i386-1cmzkR/cairo-1.12.2/src/cairo-spans-compositor.c:819
#5  0xb772e0cc in _cairo_spans_compositor_stroke (_compositor=0xb77d3880, extents=0xadbc76f0, path=0x800d279c, style=0xadbc7a80, ctm=0xb5e4194c, ctm_inverse=0xb5e4197c, tolerance=0.10000000000000001, antialias=CAIRO_ANTIALIAS_DEFAULT)
    at /build/buildd-cairo_1.12.2-2-i386-1cmzkR/cairo-1.12.2/src/cairo-spans-compositor.c:985
#6  0xb76ea3bc in _cairo_compositor_stroke (compositor=0xb77d3880, surface=surface@entry=0xb5e12840, op=op@entry=CAIRO_OPERATOR_OVER, source=source@entry=0xadbc7aac, path=path@entry=0x800d279c, style=style@entry=0xadbc7a80, ctm=ctm@entry=0xb5e4194c, ctm_inverse=ctm_inverse@entry=0xb5e4197c, tolerance=0.10000000000000001, tolerance@entry=<error reading variable: Could not find type for DW_OP_GNU_const_type>, antialias=antialias@entry=CAIRO_ANTIALIAS_DEFAULT, clip=clip@entry=0xb5e00840)
    at /build/buildd-cairo_1.12.2-2-i386-1cmzkR/cairo-1.12.2/src/cairo-compositor.c:153
#7  0xb76fd1b1 in _cairo_image_surface_stroke (abstract_surface=0xb5e12840, op=CAIRO_OPERATOR_OVER, source=0xadbc7aac, path=0x800d279c, style=0xadbc7a80, ctm=0xb5e4194c, ctm_inverse=0xb5e4197c, tolerance=0.10000000000000001, antialias=CAIRO_ANTIALIAS_DEFAULT, clip=0xb5e00840)
    at /build/buildd-cairo_1.12.2-2-i386-1cmzkR/cairo-1.12.2/src/cairo-image-surface.c:952
#8  0xb7731919 in _cairo_surface_stroke (surface=0xb5e12840, op=CAIRO_OPERATOR_OVER, source=0xadbc7aac, path=0x800d279c, stroke_style=0xadbc7a80, ctm=0xb5e4194c, ctm_inverse=0xb5e4197c, tolerance=0.10000000000000001, antialias=CAIRO_ANTIALIAS_DEFAULT, clip=0xb5e00840)
    at /build/buildd-cairo_1.12.2-2-i386-1cmzkR/cairo-1.12.2/src/cairo-surface.c:2043
#9  0xb76f36da in _cairo_gstate_stroke (gstate=0xb5e41898, path=path@entry=0x800d279c)
    at /build/buildd-cairo_1.12.2-2-i386-1cmzkR/cairo-1.12.2/src/cairo-gstate.c:1171
#10 0xb76ec31d in _cairo_default_context_stroke (abstract_cr=0x800d24d8)
    at /build/buildd-cairo_1.12.2-2-i386-1cmzkR/cairo-1.12.2/src/cairo-default-context.c:965
#11 0xb76e46eb in INT_cairo_stroke (cr=0x800d24d8)
    at /build/buildd-cairo_1.12.2-2-i386-1cmzkR/cairo-1.12.2/src/cairo.c:2146
#12 0xad3b1b89 in CairoOutputDev::stroke(GfxState*) () from /usr/lib/i386-linux-gnu/libpoppler-glib.so.8
#13 0xad154811 in Gfx::opStroke(Object*, int) () from /usr/lib/i386-linux-gnu/libpoppler.so.19
#14 0xad14abfa in Gfx::execOp(Object*, Object*, int) () from /usr/lib/i386-linux-gnu/libpoppler.so.19
#15 0xad151b90 in Gfx::go(bool) () from /usr/lib/i386-linux-gnu/libpoppler.so.19
#16 0xad152068 in Gfx::display(Object*, bool) () from /usr/lib/i386-linux-gnu/libpoppler.so.19
#17 0xad1934bf in Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, Catalog*, bool (*)(void*), void*, bool (*)(Annot*, void*), void*) () from /usr/lib/i386-linux-gnu/libpoppler.so.19
#18 0xad3a50da in ?? () from /usr/lib/i386-linux-gnu/libpoppler-glib.so.8
#19 0xb5f3ff34 in pdf_page_render (page=page@entry=0x803425a0, width=width@entry=100, height=height@entry=141, rc=rc@entry=0x803425c0)
    at /build/buildd-evince_3.4.0-3.1-i386-gBFlOX/evince-3.4.0/./backend/pdf/ev-poppler.cc:359
#20 0xb5f405e3 in make_thumbnail_for_page (height=141, width=100, rc=0x803425c0, poppler_page=0x803425a0)
    at /build/buildd-evince_3.4.0-3.1-i386-gBFlOX/evince-3.4.0/./backend/pdf/ev-poppler.cc:405
#21 pdf_document_get_thumbnail (document=0x8027a968, rc=0x803425c0)
    at /build/buildd-evince_3.4.0-3.1-i386-gBFlOX/evince-3.4.0/./backend/pdf/ev-poppler.cc:465
#22 0xb7f7a8e0 in ev_document_get_thumbnail (document=0x8027a968, rc=rc@entry=0x803425c0)
    at /build/buildd-evince_3.4.0-3.1-i386-gBFlOX/evince-3.4.0/./libdocument/ev-document.c:606
#23 0xb7f39b33 in ev_job_thumbnail_run (job=0x805ab618)
    at /build/buildd-evince_3.4.0-3.1-i386-gBFlOX/evince-3.4.0/./libview/ev-jobs.c:817
#24 0xb7f38fdf in ev_job_run (job=job@entry=0x805ab618)
    at /build/buildd-evince_3.4.0-3.1-i386-gBFlOX/evince-3.4.0/./libview/ev-jobs.c:213
#25 0xb7f3aec3 in ev_job_thread (job=0x805ab618)
    at /build/buildd-evince_3.4.0-3.1-i386-gBFlOX/evince-3.4.0/./libview/ev-job-scheduler.c:204
#26 ev_job_thread_proxy (data=0x0)
    at /build/buildd-evince_3.4.0-3.1-i386-gBFlOX/evince-3.4.0/./libview/ev-job-scheduler.c:237
#27 0xb731beb3 in ?? () from /lib/i386-linux-gnu/libglib-2.0.so.0
#28 0xb725ac39 in start_thread () from /lib/i386-linux-gnu/i686/cmov/libpthread.so.0
#29 0xb71c778e in clone () from /lib/i386-linux-gnu/i686/cmov/libc.so.6
(gdb)
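
The failure mode reported above, as an added example that is not cairo's code or its fix: a simplified model of the walk at lines 1233-1239 that tests `right` before using it, run against the state shown in the gdb dump. `struct edge`, `find_right`, this `is_zero` and the starting winding values are assumptions made for illustration.

```c
#include <stddef.h>

/* Simplified stand-in for cairo_bo_edge_t: only fields seen in the gdb dump. */
struct edge {
    int a_or_b;         /* index into winding[] (0 or 1) */
    int dir;            /* edge.dir: +1 or -1 */
    struct edge *next;  /* next active edge, NULL at the end of the list */
};

/* Assumed stand-in for is_zero(): both winding counters are zero. */
static int is_zero(const int winding[2])
{
    return winding[0] == 0 && winding[1] == 0;
}

/* Guarded form of the walk: returns the edge that brings the winding back
 * to zero, or NULL if the list ends first (the case that crashed). */
struct edge *find_right(struct edge *left, int winding[2])
{
    struct edge *right;
    for (right = left->next; right != NULL; right = right->next) {
        winding[right->a_or_b] += right->dir;
        if (is_zero(winding))
            return right;
    }
    return NULL;  /* unbalanced list: report it instead of dereferencing */
}

/* State from the gdb dump: left = {a_or_b = 1, dir = -1, next = 0x0}. */
int crash_state_is_rejected(void)
{
    struct edge left = { 1, -1, NULL };
    int winding[2] = { 0, -1 };  /* assumed counts after left was added */
    return find_right(&left, winding) == NULL;
}

/* Constructed balanced case: a +1 edge follows and closes the span. */
int balanced_span_is_found(void)
{
    struct edge right = { 1, +1, NULL };
    struct edge left = { 1, -1, &right };
    int winding[2] = { 0, -1 };
    return find_right(&left, winding) == &right && winding[1] == 0;
}

int main(void)
{
    return !(crash_state_is_rejected() && balanced_span_is_found());
}
```

In the listing, the `do { ... } while (1)` body reads `right->deferred.other` before any test of `right`, so a `left` whose `next` is NULL faults on the first iteration; the `for` loop here moves that test ahead of every dereference.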