Bug 303472

Summary: An invalid pfb font (dvi) makes Okular crash on exit
Product: [Applications] okular
Reporter: Nikolai Iorgov <n_iorgov>
Component: DVI backend
Assignee: Okular developers <okular-devel>
Status: RESOLVED FIXED
Severity: crash
CC: luigi.toscano
Priority: NOR
Version: 0.14.3
Target Milestone: ---
Platform: Fedora RPMs
OS: Linux
See Also: https://bugs.kde.org/show_bug.cgi?id=303479
Latest Commit:
Version Fixed In: 4.8.5
Sentry Crash Report:
Attachments: corrupted font which leads to crash of Okular

Description Nikolai Iorgov 2012-07-13 14:05:19 UTC
Application: okular (0.14.3)
KDE Platform Version: 4.8.4 (4.8.4)
Qt Version: 4.8.2
Operating System: Linux 3.4.4-4.fc16.i686 i686
Distribution: "Fedora release 16 (Verne)"

-- Information about the crash:
Okular is crashing when I close *.dvi files (by Alt-F4 or by clicking on the close sign at the upper-right corner of the window)

The crash can be reproduced every time.

-- Backtrace:
Application: Okular (okular), signal: Segmentation fault
Using host libthread_db library "/lib/libthread_db.so.1".
[KCrash Handler]
#7  0x4c0d6a7c in FT_Done_Face (face=0x84bee100) at /usr/src/debug/freetype-2.4.6/src/base/ftobjs.c:2333
#8  0xb5750cc1 in TeXFont_PFB::~TeXFont_PFB (this=0xa0b8ad0, __in_chrg=<optimized out>) at /usr/src/debug/okular-4.8.4/generators/dvi/TeXFont_PFB.cpp:135
#9  0xb5750d03 in TeXFont_PFB::~TeXFont_PFB (this=0xa0b8ad0, __in_chrg=<optimized out>) at /usr/src/debug/okular-4.8.4/generators/dvi/TeXFont_PFB.cpp:136
#10 0xb574fc15 in TeXFontDefinition::~TeXFontDefinition (this=0x9fa2a00, __in_chrg=<optimized out>) at /usr/src/debug/okular-4.8.4/generators/dvi/TeXFontDefinition.cpp:67
#11 0xb575ef3e in qDeleteAll<QList<TeXFontDefinition*>::const_iterator> (end=<optimized out>, begin=<optimized out>) at /usr/include/QtCore/qalgorithms.h:322
#12 qDeleteAll<QList<TeXFontDefinition*> > (c=...) at /usr/include/QtCore/qalgorithms.h:330
#13 fontPool::~fontPool (this=0x9f69dc8, __in_chrg=<optimized out>) at /usr/src/debug/okular-4.8.4/generators/dvi/fontpool.cpp:111
#14 0xb5732afa in dviRenderer::~dviRenderer (this=0x9f69da8, __in_chrg=<optimized out>) at /usr/src/debug/okular-4.8.4/generators/dvi/dviRenderer.cpp:83
#15 0xb5732ca3 in dviRenderer::~dviRenderer (this=0x9f69da8, __in_chrg=<optimized out>) at /usr/src/debug/okular-4.8.4/generators/dvi/dviRenderer.cpp:93
#16 0xb572c77a in DviGenerator::doCloseDocument (this=0x9f68880) at /usr/src/debug/okular-4.8.4/generators/dvi/generator_dvi.cpp:136
#17 0xb631036c in Okular::Generator::closeDocument (this=0x9f68880) at /usr/src/debug/okular-4.8.4/core/generator.cpp:203
#18 0xb6301ed4 in Okular::Document::closeDocument (this=0x9e5a8a0) at /usr/src/debug/okular-4.8.4/core/document.cpp:1786
#19 0xb63bc621 in Okular::Part::closeUrl (this=0x9e3d990) at /usr/src/debug/okular-4.8.4/part.cpp:1337
#20 0xb63bcb98 in Okular::Part::~Part (this=0x9e3d990, __in_chrg=<optimized out>, __vtt_parm=<optimized out>) at /usr/src/debug/okular-4.8.4/part.cpp:774
#21 0xb63bcc13 in Okular::Part::~Part (this=0x9e3d990, __in_chrg=<optimized out>, __vtt_parm=<optimized out>) at /usr/src/debug/okular-4.8.4/part.cpp:799
#22 0x08050ad9 in Shell::~Shell (this=0x9e29788, __in_chrg=<optimized out>, __vtt_parm=<optimized out>) at /usr/src/debug/okular-4.8.4/shell/shell.cpp:123
#23 0x08050ba1 in Shell::~Shell (this=0x9e29788, __in_chrg=<optimized out>, __vtt_parm=<optimized out>) at /usr/src/debug/okular-4.8.4/shell/shell.cpp:126
#24 0x416c7bd4 in qDeleteInEventHandler (o=0x9e29788) at kernel/qobject.cpp:4277
#25 0x416ced78 in QObject::event (this=0x9e29788, e=0x9daf4e0) at kernel/qobject.cpp:1176
#26 0x41defc72 in QWidget::event (this=0x9e29788, event=0x9daf4e0) at kernel/qwidget.cpp:8830
#27 0x422291e4 in QMainWindow::event (this=0x9e29788, event=0x9daf4e0) at widgets/qmainwindow.cpp:1478
#28 0x43377734 in KMainWindow::event (this=0x9e29788, ev=0x9daf4e0) at /usr/src/debug/kdelibs-4.8.4/kdeui/widgets/kmainwindow.cpp:1084
#29 0x433c15c3 in KXmlGuiWindow::event (this=0x9e29788, ev=0x9daf4e0) at /usr/src/debug/kdelibs-4.8.4/kdeui/xmlgui/kxmlguiwindow.cpp:126
#30 0x41d95264 in notify_helper (e=0x9daf4e0, receiver=0x9e29788, this=0x9cc29d8) at kernel/qapplication.cpp:4551
#31 QApplicationPrivate::notify_helper (this=0x9cc29d8, receiver=0x9e29788, e=0x9daf4e0) at kernel/qapplication.cpp:4523
#32 0x41d9a6db in QApplication::notify (this=0x9cc29d8, receiver=0x9e29788, e=0x9daf4e0) at kernel/qapplication.cpp:4516
#33 0x432988b2 in KApplication::notify (this=0xbf893f80, receiver=0x9e29788, event=0x9daf4e0) at /usr/src/debug/kdelibs-4.8.4/kdeui/kernel/kapplication.cpp:311
#34 0x416b3eae in QCoreApplication::notifyInternal (this=0xbf893f80, receiver=0x9e29788, event=0x9daf4e0) at kernel/qcoreapplication.cpp:915
#35 0x416b7e08 in sendEvent (event=<optimized out>, receiver=<optimized out>) at kernel/qcoreapplication.h:231
#36 QCoreApplicationPrivate::sendPostedEvents (receiver=0x0, event_type=0, data=0x9ca19e0) at kernel/qcoreapplication.cpp:1539
#37 0x416b813d in QCoreApplication::sendPostedEvents (receiver=0x0, event_type=0) at kernel/qcoreapplication.cpp:1432
#38 0x416e67d5 in sendPostedEvents () at kernel/qcoreapplication.h:236
#39 postEventSourceDispatch (s=0x9cc2fa0) at kernel/qeventdispatcher_glib.cpp:279
#40 0x4bbfeaff in g_main_context_dispatch () from /lib/libglib-2.0.so.0
#41 0x4bbff240 in ?? () from /lib/libglib-2.0.so.0
#42 0x4bbff4ef in g_main_context_iteration () from /lib/libglib-2.0.so.0
#43 0x416e6bd8 in QEventDispatcherGlib::processEvents (this=0x9ca2548, flags=...) at kernel/qeventdispatcher_glib.cpp:424
#44 0x41e49d1b in QGuiEventDispatcherGlib::processEvents (this=0x9ca2548, flags=...) at kernel/qguieventdispatcher_glib.cpp:207
#45 0x416b2a9e in QEventLoop::processEvents (this=0xbf893ef4, flags=...) at kernel/qeventloop.cpp:149
#46 0x416b2d49 in QEventLoop::exec (this=0xbf893ef4, flags=...) at kernel/qeventloop.cpp:204
#47 0x416b81eb in QCoreApplication::exec () at kernel/qcoreapplication.cpp:1187
#48 0x41d93095 in QApplication::exec () at kernel/qapplication.cpp:3812
#49 0x0804e030 in main (argc=6, argv=0xbf8941c4) at /usr/src/debug/okular-4.8.4/shell/main.cpp:85

Reported using DrKonqi
Comment 1 Nikolai Iorgov 2012-07-13 21:25:04 UTC
This bug is probably related to the other bug I reported:
https://bugs.kde.org/show_bug.cgi?id=303479

One of the fonts used to display the DVI file may be corrupted:

Name: "cmsy7, 100%"
Type: TeX FreeType-handled
File: The font /usr/share/texmf/fonts/type1/bluesky/cm/cmsy7.pfb could be opened and read, but its font format is unsupported

If I change the DVI file to exclude the usage of the mentioned font,
the problem with crashing while closing or returning to the editor (Kile) disappears.

In any case, problems with fonts should not lead to Okular crashing.
Comment 2 Nikolai Iorgov 2012-07-14 12:56:10 UTC
Created attachment 72520 [details]
corrupted font which leads to crash of Okular
Comment 3 Luigi Toscano 2012-07-15 20:08:50 UTC
Git commit 99c4da2f9ef86e345ee02cecb10e0df8f5e5b2e2 by Luigi Toscano.
Committed on 15/07/2012 at 21:15.
Pushed by ltoscano into branch 'master'.

Avoid crash when the font is broken.

The call to FT_New_Face takes the address of the 'face' variable, whose type is a
typedef *something TF_Face;
The value of TF_Face (so a pointer to the properly filled font structure) is then
replaced inside the call of TF_New_Face; but when the latter function fails,
the value of 'face' is not reset and this leads to a crash in the destructor of
TeXFont_PFB.
So properly initialize TF_Face to 0; its address is valid, and the code works.
FIXED-IN: 4.8.5

M  +1    -1    generators/dvi/TeXFont_PFB.cpp

http://commits.kde.org/okular/99c4da2f9ef86e345ee02cecb10e0df8f5e5b2e2
Comment 4 Luigi Toscano 2012-07-15 20:11:02 UTC
Git commit bd733dab90ab3e7709c0e47796881b9cdf224554 by Luigi Toscano.
Committed on 15/07/2012 at 21:15.
Pushed by ltoscano into branch 'KDE/4.9'.

Avoid crash when the font is broken.

The call to FT_New_Face takes the address of the 'face' variable, whose type is a
typedef *something TF_Face;
The value of TF_Face (so a pointer to the properly filled font structure) is then
replaced inside the call of TF_New_Face; but when the latter function fails,
the value of 'face' is not reset and this leads to a crash in the destructor of
TeXFont_PFB.
So properly initialize TF_Face to 0; its address is valid, and the code works.
FIXED-IN: 4.8.5
(cherry picked from commit 99c4da2f9ef86e345ee02cecb10e0df8f5e5b2e2)

M  +1    -1    generators/dvi/TeXFont_PFB.cpp

http://commits.kde.org/okular/bd733dab90ab3e7709c0e47796881b9cdf224554
Comment 5 Luigi Toscano 2012-07-15 20:11:25 UTC
Git commit 823a84942df4d3604b041ef7878a9984b1f12b7f by Luigi Toscano.
Committed on 15/07/2012 at 21:15.
Pushed by ltoscano into branch 'KDE/4.8'.

Avoid crash when the font is broken.

The call to FT_New_Face takes the address of the 'face' variable, whose type is a
typedef *something TF_Face;
The value of TF_Face (so a pointer to the properly filled font structure) is then
replaced inside the call of TF_New_Face; but when the latter function fails,
the value of 'face' is not reset and this leads to a crash in the destructor of
TeXFont_PFB.
So properly initialize TF_Face to 0; its address is valid, and the code works.
FIXED-IN: 4.8.5
(cherry picked from commit 99c4da2f9ef86e345ee02cecb10e0df8f5e5b2e2)

M  +1    -1    generators/dvi/TeXFont_PFB.cpp

http://commits.kde.org/okular/823a84942df4d3604b041ef7878a9984b1f12b7f
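The three commits above (comments 3, 4 and 5) describe one bug class: an out-parameter handle that is left uninitialised, a loader whose failure leaves that handle untouched, and a destructor that releases the handle unconditionally. The following example is added here to illustrate that shape and its fix; it is not Okular's code and it does not use FreeType. `FaceRec`, `Face`, `NewFace`, `DoneFace`, `FontBefore`, `FontAfter` and `kStackGarbage` are constructed stand-ins: `NewFace` reproduces only the one FT_New_Face property that matters (the out-parameter is written on success and untouched on failure), and `DoneFace` records a bogus handle instead of dereferencing it, so the unfixed shape can be observed without a segfault.

```cpp
#include <cstdint>
#include <cstring>

// Constructed stand-ins for FT_Face / FT_New_Face / FT_Done_Face (not FreeType).
struct FaceRec { int num_glyphs; };
typedef FaceRec* Face;
typedef int Error;

// Sentinel standing in for whatever happened to be on the stack before the
// unfixed code called NewFace(); a real program would hold random bytes here.
static Face const kStackGarbage =
    reinterpret_cast<Face>(static_cast<std::uintptr_t>(0xDEADBEEF));

static int g_invalid_done_calls = 0;  // how often DoneFace() saw a bogus handle
void resetCounters() { g_invalid_done_calls = 0; }
int invalidDoneCalls() { return g_invalid_done_calls; }

// Like FT_New_Face: writes *aface only on success. A path containing "broken"
// stands in for "could be opened and read, but its font format is unsupported".
Error NewFace(const char* path, Face* aface) {
    if (std::strstr(path, "broken") != nullptr) {
        return 2;                        // failure: *aface deliberately untouched
    }
    *aface = new FaceRec{128};
    return 0;
}

// Like FT_Done_Face, except that where the real call would dereference a garbage
// handle and segfault (frame #7 in the backtrace), this one just counts it.
Error DoneFace(Face face) {
    if (face == nullptr) return 1;       // a null handle is rejected, not dereferenced
    if (face == kStackGarbage) { ++g_invalid_done_calls; return 1; }
    delete face;
    return 0;
}

// Shape of the code before the fix: 'face' is never initialised, the return value
// of NewFace() is ignored, and the destructor releases whatever 'face' holds.
class FontBefore {
public:
    explicit FontBefore(const char* path) : face(kStackGarbage) {
        NewFace(path, &face);            // on failure, face keeps its garbage value
    }
    ~FontBefore() { DoneFace(face); }    // releases garbage when loading failed
private:
    Face face;
};

// Shape of the code after the fix: start from null, keep the error, and release
// only a handle that was actually obtained.
class FontAfter {
public:
    explicit FontAfter(const char* path) : face(nullptr), error(NewFace(path, &face)) {}
    ~FontAfter() { if (face != nullptr) DoneFace(face); }
    bool loaded() const { return error == 0 && face != nullptr; }
private:
    Face face;                           // declared first, so it is null before NewFace()
    Error error;
};

// Runs both shapes against a broken font; true when only the unfixed one handed
// a garbage handle to DoneFace().
bool fixHolds() {
    resetCounters();
    { FontBefore f("cmsy7-broken.pfb"); }   // constructed path, not a real file
    int before = invalidDoneCalls();
    resetCounters();
    { FontAfter f("cmsy7-broken.pfb"); }
    int after = invalidDoneCalls();
    return before == 1 && after == 0;
}

int main() {
    return fixHolds() ? 0 : 1;
}
```

The fix in the commits is the `face(nullptr)` initialiser; the guard in the destructor is the second half of the same discipline, since a handle that is null by construction can be tested before release, whereas an uninitialised one cannot be distinguished from a valid one.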