Bug 706093 - mupdf-x11 segfault at source/html/html-layout.c:1253
Summary: mupdf-x11 segfault at source/html/html-layout.c:1253
Status: RESOLVED FIXED
Alias: None
Product: MuPDF
Classification: Unclassified
Component: mupdf
Version: master
Hardware: PC Linux
Importance: P4 normal
Assignee: MuPDF bugs

Reported: 2022-11-21 22:39 UTC by Rik Faith
Modified: 2022-11-23 16:32 UTC

Attachments: none

Description Rik Faith 2022-11-21 22:39:10 UTC

Comment 1 Rik Faith 2022-11-21 22:46:14 UTC
Using mupdf-1.21.0-source.tar.gz and "make debug", running build/debug/mupdf-x11 on the target epub:

Program received signal SIGSEGV, Segmentation fault.
0x000055555568781c in layout_collapse_margin_with_children (ctx=0x555557e012a0, here=0x0) at source/html/html-layout.c:1253
1253            first = here->down;
(gdb) bt
#0  0x000055555568781c in layout_collapse_margin_with_children (ctx=0x555557e012a0, here=0x0) at source/html/html-layout.c:1253
#1  0x0000555555687b46 in layout_collapse_margins (ctx=0x555557e012a0, box=0x0, top=0x555558060da8) at source/html/html-layout.c:1330
#2  0x0000555555687cfb in fz_restartable_layout_html (ctx=0x555557e012a0, tree=0x555558060d58, start_x=0, start_y=0, page_w=376, 
    page_h=529, em=11, restart=0x0) at source/html/html-layout.c:1368
#3  0x0000555555688015 in fz_layout_html (ctx=0x555557e012a0, html=0x555558060d58, w=420, h=595, em=11) at source/html/html-layout.c:1418
#4  0x0000555555680f7d in epub_get_laid_out_html (ctx=0x555557e012a0, doc=0x555557e364f0, ch=0x555557e402d0) at source/html/epub-doc.c:422
#5  0x00005555556802b4 in count_chapter_pages (ctx=0x555557e012a0, doc=0x555557e364f0, ch=0x555557e402d0) at source/html/epub-doc.c:132
#6  0x0000555555680769 in epub_count_pages (ctx=0x555557e012a0, doc_=0x555557e364f0, chapter=22) at source/html/epub-doc.c:232
#7  0x00005555555babb9 in fz_count_chapter_pages (ctx=0x555557e012a0, doc=0x555557e364f0, chapter=22) at source/fitz/document.c:438
#8  0x00005555555bac0e in fz_count_pages (ctx=0x555557e012a0, doc=0x555557e364f0) at source/fitz/document.c:448
#9  0x00005555555a5d35 in pdfapp_open_progressive (app=0x555557df34e0 <gapp>, 
    filename=0x7fffffffe6ec "elided.epub", reload=0, kbps=0) at platform/x11/pdfapp.c:501
#10 0x00005555555a55ef in pdfapp_open (app=0x555557df34e0 <gapp>, 
    filename=0x7fffffffe6ec "elided.epub", reload=0) at platform/x11/pdfapp.c:292
#11 0x00005555555ad76a in main (argc=2, argv=0x7fffffffe298) at platform/x11/x11_main.c:964

At this point, "here" can be NULL. This is tested for in the other functions called by layout_collapse_margins, but not in layout_collapse_margin_with_children.

This change avoids the segfault:
--- source/html/html-layout.c.orig      2022-11-07 10:26:50.000000000 -0500
+++ source/html/html-layout.c   2022-11-21 17:34:33.727516854 -0500
@@ -1250,6 +1250,9 @@
 {
        fz_html_box *child, *first, *last = NULL;
 
+       if (!here) {
+               return;
+       }
        first = here->down;
        for (child = here->down; child; child = child->next)
        {
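
Review bot: The guard inserted before `first = here->down;` stops the crash at the callee but leaves the real defect upstream: frame #1 of the backtrace shows layout_collapse_margins itself being entered with box=0x0, so the NULL is handed down from the layout entry point rather than produced inside this function, and the commit that closed the bug ("Don't layout empty documents!") fixes it at that level instead. If a callee-side check is still wanted as a belt-and-braces measure, matching the surrounding sibling functions the reporter mentions, it should follow the file's brace style visible in the hunk's own context, where `for (child = here->down; child; child = child->next)` puts `{` on its own line; the added `if (!here) {` / `}` pair is the only K&R-style brace in the block.
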
Comment 2 Robin Watts 2022-11-22 12:18:11 UTC
Can you attach the target epub please? We can't reproduce this without it.
Comment 3 Rik Faith 2022-11-22 12:33:19 UTC
Sorry, I can't attach the epub. I was hoping that the similarity with the three other functions that test for "here == NULL" would be sufficient to lead toward a fix.
Comment 4 Robin Watts 2022-11-23 16:32:59 UTC
Fixed with:

commit 69ab93d8054491e14f31abad8c5452faf1b1c405
Author: Tor Andersson <tor.andersson@artifex.com>
Date:   Tue Nov 22 13:44:27 2022 +0100

    Bug 706093: Don't layout empty documents!

Thanks for the report.