[cairo-bugs] [Bug 102921] New: evince abrt on a double free in cairo_truetype_font_destroy
bugzilla-daemon at freedesktop.org
Thu Sep 21 07:11:37 UTC 2017
https://bugs.freedesktop.org/show_bug.cgi?id=102921
Bug ID: 102921
Summary: evince abrt on a double free in cairo_truetype_font_destroy
Product: cairo
Version: unspecified
Hardware: Other
OS: All
Status: NEW
Severity: normal
Priority: medium
Component: pdf backend
Assignee: ajohnson at redneon.com
Reporter: seb128 at ubuntu.com
QA Contact: cairo-bugs at cairographics.org
Using cairo 1.14.10 on Ubuntu, evince SIGABRTs when printing a document (which I
got from the submitter but don't share here since it includes private info).
Backtrace
#0 0x00007f8d67db80bb in __GI_raise (sig=sig@entry=6)
at ../sysdeps/unix/sysv/linux/raise.c:51
#1 0x00007f8d67db9f5d in __GI_abort () at abort.c:90
#2 0x00007f8d67e0229d in __libc_message (action=action@entry=do_abort,
fmt=fmt@entry=0x7f8d67f29408 "*** Error in `%s': %s: 0x%s ***\n")
at ../sysdeps/posix/libc_fatal.c:181
#3 0x00007f8d67e0965a in malloc_printerr (action=<optimised out>,
str=0x7f8d67f29740 "double free or corruption (!prev)", ptr=<optimised out>,
ar_ptr=<optimised out>) at malloc.c:5423
#4 0x00007f8d67e0b74e in _int_free (av=0x7f8d6815bc20 <main_arena>,
p=<optimised out>, have_lock=0) at malloc.c:4172
#5 0x00007f8d67e1040e in __GI___libc_free (mem=<optimised out>)
at malloc.c:3142
#6 0x00007f8d6928621c in cairo_truetype_font_destroy
(font=font@entry=0x556abc58ce30) at ../../../../src/cairo-truetype-subset.c:292
#7 0x00007f8d692881df in cairo_truetype_subset_init_internal
(truetype_subset=truetype_subset@entry=0x7ffe160e3490,
font_subset=font_subset@entry=0x7ffe160e3600, is_pdf=is_pdf@entry=1) at
../../../../src/cairo-truetype-subset.c:1226
#8 0x00007f8d69288b4a in _cairo_truetype_subset_init_pdf
(truetype_subset=truetype_subset@entry=0x7ffe160e3490,
font_subset=font_subset@entry=0x7ffe160e3600)
at ../../../../src/cairo-truetype-subset.c:1242
#9 0x00007f8d692c637b in _cairo_pdf_surface_emit_truetype_font_subset
(font_subset=0x7ffe160e3600, surface=0x556abcd1f5c0)
at ../../../../src/cairo-pdf-surface.c:5436
#10 0x00007f8d692c637b in _cairo_pdf_surface_emit_unscaled_font_subset
(font_subset=0x7ffe160e3600, closure=0x556abcd1f5c0)
at ../../../../src/cairo-pdf-surface.c:5910
#11 0x00007f8d69284ce1 in _cairo_sub_font_collect (closure=0x7ffe160e35b0,
entry=0x556abcb6d150) at ../../../../src/cairo-scaled-font-subsets.c:746
#12 0x00007f8d69284ce1 in _cairo_scaled_font_subsets_foreach_internal
(font_subsets=<optimised out>,
font_subset_callback=font_subset_callback@entry=0x7f8d692c6290
<_cairo_pdf_surface_emit_unscaled_font_subset>,
closure=closure@entry=0x556abcd1f5c0,
type=type@entry=CAIRO_SUBSETS_FOREACH_UNSCALED)
at ../../../../src/cairo-scaled-font-subsets.c:1067
#13 0x00007f8d69285c77 in _cairo_scaled_font_subsets_foreach_unscaled
(font_subsets=<optimised out>,
font_subset_callback=font_subset_callback@entry=0x7f8d692c6290
<_cairo_pdf_surface_emit_unscaled_font_subset>,
closure=closure@entry=0x556abcd1f5c0) at
../../../../src/cairo-scaled-font-subsets.c:1095
#14 0x00007f8d692c20d8 in _cairo_pdf_surface_emit_font_subsets
(surface=0x556abcd1f5c0) at ../../../../src/cairo-pdf-surface.c:5956
#15 0x00007f8d692c20d8 in _cairo_pdf_surface_finish
(abstract_surface=0x556abcd1f5c0) at ../../../../src/cairo-pdf-surface.c:2031
#16 0x00007f8d69268ec6 in _cairo_surface_finish (surface=0x556abcd1f5c0)
at ../../../../src/cairo-surface.c:1033
#17 0x00007f8d69269ad7 in INT_cairo_surface_finish (surface=0x556abcd1f5c0)
at ../../../../src/cairo-surface.c:1080
#18 0x00007f8d6923dc8f in _cairo_paginated_surface_finish
(abstract_surface=0x556abcd189b0) at
../../../../src/cairo-paginated-surface.c:213
#19 0x00007f8d69268ec6 in _cairo_surface_finish (surface=0x556abcd189b0)
at ../../../../src/cairo-surface.c:1033
#20 0x00007f8d69269ad7 in INT_cairo_surface_finish (surface=0x556abcd189b0)
at ../../../../src/cairo-surface.c:1080
#21 0x00007f8d6a458b17 in unix_end_run (op=0x556abc2d5430, wait=0, cancelled=0)
at ././gtk/gtkprintoperation-unix.c:373
#22 0x00007f8d6a32a5f8 in print_pages_idle (user_data=0x556abcd048c0)
at ././gtk/gtkprintoperation.c:2935
#23 0x00007f8d69dc7b90 in gdk_threads_dispatch (data=0x556abc48fa00)
at ././gdk/gdk.c:743