evince crashed with SIGSEGV in read_markers()

Bug #260904 reported by Daniel J Blueman
Affects              Status        Importance  Assigned to  Milestone
Poppler              Fix Released  Medium
libjpeg6b (Ubuntu)   Invalid       Undecided   Unassigned
poppler (Ubuntu)     Fix Released  Medium      Unassigned

Bug Description

Binary package hint: evince

When viewing http://www.mediaatlantic.com/Downloads/avermedia/A808_AVerTV_DVB-T_Volar.pdf , I find evince crashes:

$ evince A808_AVerTV_DVB-T_Volar.pdf
Error (288089): Illegal character <3f> in hex string
Error (288090): Illegal character <78> in hex string
Error (288091): Illegal character <70> in hex string
Error (288094): Illegal character <6b> in hex string
Error (288096): Illegal character <74> in hex string
Error (288099): Illegal character <6e> in hex string
Error (288101): Illegal character <3d> in hex string
Error (288102): Illegal character <22> in hex string
Error (288103): Illegal character <77> in hex string
Error (288104): Illegal character <22> in hex string
Error (288105): Illegal character <3f> in hex string
Error: PDF file is damaged - attempting to reconstruct xref table...
Error (239248): Unexpected end of file in flate stream
Segmentation fault (core dumped)

Installing debug packages and running with valgrind, we see a memory violation via stack corruption (which happens to be caught by GCC this time), so this has the potential to be a security violation:

$ valgrind --trace-children=yes evince A808_AVerTV_DVB-T_Volar.pdf
==6220== Memcheck, a memory error detector.
==6220== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==6220== Using LibVEX rev 1854, a library for dynamic binary translation.
==6220== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==6220== Using valgrind-3.3.1-Debian, a dynamic binary instrumentation framework.
==6220== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==6220== For more details, rerun with: -v
==6220==
==6220== Syscall param write(buf) points to uninitialised byte(s)
==6220== at 0xBA47E90: __write_nocancel (in /usr/lib/debug/libpthread-2.8.90.so)
==6220== by 0x60C8EFE: _IceTransSocketWrite (Xtranssock.c:2171)
==6220== by 0x60CC787: _IceWrite (misc.c:369)
==6220== by 0x60CC863: IceFlush (misc.c:82)
==6220== by 0x5C49DFB: client_set_string (gnome-client.c:264)
==6220== by 0x5C4BBC2: gnome_real_client_connect (gnome-client.c:2442)
==6220== by 0xB33628C: g_closure_invoke (gclosure.c:767)
==6220== by 0xB34C91D: signal_emit_unlocked_R (gsignal.c:3174)
==6220== by 0xB34E718: g_signal_emit_valist (gsignal.c:2977)
==6220== by 0xB34EC82: g_signal_emit (gsignal.c:3034)
==6220== by 0x5C4B92E: gnome_client_connect (gnome-client.c:1627)
==6220== by 0x5C4CC8E: gnome_client_post_args_parse (gnome-client.c:1210)
==6220== Address 0x10b2e3f4 is 12 bytes inside a block of size 1,024 alloc'd
==6220== at 0x4C24384: calloc (vg_replace_malloc.c:397)
==6220== by 0x60C5373: IceOpenConnection (connect.c:211)
==6220== by 0x5EB8CB0: SmcOpenConnection (sm_client.c:135)
==6220== by 0x5C4B8AC: gnome_client_connect (gnome-client.c:1595)
==6220== by 0x5C4CC8E: gnome_client_post_args_parse (gnome-client.c:1210)
==6220== by 0x69F6DBD: gnome_program_postinit (in /usr/lib/libgnome-2.so.0.2303.2)
==6220== by 0x69F718A: (within /usr/lib/libgnome-2.so.0.2303.2)
==6220== by 0x69F740C: gnome_program_initv (in /usr/lib/libgnome-2.so.0.2303.2)
==6220== by 0x69F7503: gnome_program_init (in /usr/lib/libgnome-2.so.0.2303.2)
==6220== by 0x44B5CC: main (main.c:346)
Error (288089): Illegal character <3f> in hex string
Error (288090): Illegal character <78> in hex string
Error (288091): Illegal character <70> in hex string
Error (288094): Illegal character <6b> in hex string
Error (288096): Illegal character <74> in hex string
Error (288099): Illegal character <6e> in hex string
Error (288101): Illegal character <3d> in hex string
Error (288102): Illegal character <22> in hex string
Error (288103): Illegal character <77> in hex string
Error (288104): Illegal character <22> in hex string
Error (288105): Illegal character <3f> in hex string
Error: PDF file is damaged - attempting to reconstruct xref table...
Error (239248): Unexpected end of file in flate stream
==6220==
==6220== Thread 2:
==6220== Invalid read of size 8
==6220== at 0x10627E25: read_markers (jdmarker.c:474)
==6220== by 0xD6AA80BD6BE5D89B: ???
==6220== by 0x323CBB9363293CD0: ???
==6220== by 0x4A8BCA16C5042DF3: ???
==6220== by 0x991621B605B5318: ???
==6220== by 0x52844021315714D2: ???
==6220== by 0x481432DA14440813: ???
==6220== by 0x186C5D8113128544: ???
==6220== by 0xBD985AC1307756F6: ???
==6220== by 0x5108B342B70D594F: ???
==6220== by 0x8E67ABC68C514A2C: ???
==6220== by 0x47AA517AF7BB0638: ???
==6220== Address 0x11cde050 is 16 bytes before a block of size 17 alloc'd
==6220== at 0x4C265AE: malloc (vg_replace_malloc.c:207)
==6220== by 0xB7B75E2: g_malloc (gmem.c:131)
==6220== by 0xB7CF44D: g_strdup (gstrfuncs.c:92)
==6220== by 0x7837247: insert_theme (gtkicontheme.c:2569)
==6220== by 0x7837381: insert_theme (gtkicontheme.c:1005)
==6220== by 0x7837381: insert_theme (gtkicontheme.c:1005)
==6220== by 0x7838390: ensure_valid_themes (gtkicontheme.c:1053)
==6220== by 0x7839BC3: gtk_icon_theme_has_icon (gtkicontheme.c:1577)
==6220== by 0x779D3E1: gtk_action_group_add_actions_full (gtkactiongroup.c:1049)
==6220== by 0x441889: ev_window_init (ev-window.c:5296)
==6220== by 0xB358777: g_type_create_instance (gtype.c:1674)
==6220== by 0xB33BB3A: g_object_constructor (gobject.c:1328)
==6220==
==6220== Invalid write of size 8
==6220== at 0x106281A9: read_markers (jdmarker.c:475)
==6220== by 0xD6AA80BD6BE5D89B: ???
==6220== by 0x323CBB9363293CD0: ???
==6220== by 0x4A8BCA16C5042DF3: ???
==6220== by 0x991621B605B5318: ???
==6220== by 0x52844021315714D2: ???
==6220== by 0x481432DA14440813: ???
==6220== by 0x186C5D8113128544: ???
==6220== by 0xBD985AC1307756F6: ???
==6220== by 0x5108B342B70D594F: ???
==6220== by 0x8E67ABC68C514A2C: ???
==6220== by 0x47AA517AF7BB0638: ???
==6220== Address 0x11cde050 is 16 bytes before a block of size 17 alloc'd
==6220== at 0x4C265AE: malloc (vg_replace_malloc.c:207)
==6220== by 0xB7B75E2: g_malloc (gmem.c:131)
==6220== by 0xB7CF44D: g_strdup (gstrfuncs.c:92)
==6220== by 0x7837247: insert_theme (gtkicontheme.c:2569)
==6220== by 0x7837381: insert_theme (gtkicontheme.c:1005)
==6220== by 0x7837381: insert_theme (gtkicontheme.c:1005)
==6220== by 0x7838390: ensure_valid_themes (gtkicontheme.c:1053)
==6220== by 0x7839BC3: gtk_icon_theme_has_icon (gtkicontheme.c:1577)
==6220== by 0x779D3E1: gtk_action_group_add_actions_full (gtkactiongroup.c:1049)
==6220== by 0x441889: ev_window_init (ev-window.c:5296)
==6220== by 0xB358777: g_type_create_instance (gtype.c:1674)
==6220== by 0xB33BB3A: g_object_constructor (gobject.c:1328)
==6220==
==6220== Invalid read of size 8
==6220== at 0x10627E2F: read_markers (jdmarker.c:477)
==6220== by 0xD6AA80BD6BE5D89B: ???
==6220== by 0x323CBB9363293CD0: ???
==6220== by 0x4A8BCA16C5042DF3: ???
==6220== by 0x991621B605B5318: ???
==6220== by 0x52844021315714D2: ???
==6220== by 0x481432DA14440813: ???
==6220== by 0x186C5D8113128544: ???
==6220== by 0xBD985AC1307756F6: ???
==6220== by 0x5108B342B70D594F: ???
==6220== by 0x8E67ABC68C514A2C: ???
==6220== by 0x47AA517AF7BB0638: ???
==6220== Address 0x11cde050 is 16 bytes before a block of size 17 alloc'd
==6220== at 0x4C265AE: malloc (vg_replace_malloc.c:207)
==6220== by 0xB7B75E2: g_malloc (gmem.c:131)
==6220== by 0xB7CF44D: g_strdup (gstrfuncs.c:92)
==6220== by 0x7837247: insert_theme (gtkicontheme.c:2569)
==6220== by 0x7837381: insert_theme (gtkicontheme.c:1005)
==6220== by 0x7837381: insert_theme (gtkicontheme.c:1005)
==6220== by 0x7838390: ensure_valid_themes (gtkicontheme.c:1053)
==6220== by 0x7839BC3: gtk_icon_theme_has_icon (gtkicontheme.c:1577)
==6220== by 0x779D3E1: gtk_action_group_add_actions_full (gtkactiongroup.c:1049)
==6220== by 0x441889: ev_window_init (ev-window.c:5296)
==6220== by 0xB358777: g_type_create_instance (gtype.c:1674)
==6220== by 0xB33BB3A: g_object_constructor (gobject.c:1328)
==6220==
==6220== Invalid read of size 8
==6220== at 0x10627E54: read_markers (jdmarker.c:478)
==6220== by 0xD6AA80BD6BE5D89B: ???
==6220== by 0x323CBB9363293CD0: ???
==6220== by 0x4A8BCA16C5042DF3: ???
==6220== by 0x991621B605B5318: ???
==6220== by 0x52844021315714D2: ???
==6220== by 0x481432DA14440813: ???
==6220== by 0x186C5D8113128544: ???
==6220== by 0xBD985AC1307756F6: ???
==6220== by 0x5108B342B70D594F: ???
==6220== by 0x8E67ABC68C514A2C: ???
==6220== by 0x47AA517AF7BB0638: ???
==6220== Address 0x11cde050 is 16 bytes before a block of size 17 alloc'd
==6220== at 0x4C265AE: malloc (vg_replace_malloc.c:207)
==6220== by 0xB7B75E2: g_malloc (gmem.c:131)
==6220== by 0xB7CF44D: g_strdup (gstrfuncs.c:92)
==6220== by 0x7837247: insert_theme (gtkicontheme.c:2569)
==6220== by 0x7837381: insert_theme (gtkicontheme.c:1005)
==6220== by 0x7837381: insert_theme (gtkicontheme.c:1005)
==6220== by 0x7838390: ensure_valid_themes (gtkicontheme.c:1053)
==6220== by 0x7839BC3: gtk_icon_theme_has_icon (gtkicontheme.c:1577)
==6220== by 0x779D3E1: gtk_action_group_add_actions_full (gtkactiongroup.c:1049)
==6220== by 0x441889: ev_window_init (ev-window.c:5296)
==6220== by 0xB358777: g_type_create_instance (gtype.c:1674)
==6220== by 0xB33BB3A: g_object_constructor (gobject.c:1328)
Corrupt JPEG data: 53679 extraneous bytes before marker 0xd9
*** stack smashing detected ***: evince terminated
==6220==
==6220== Invalid read of size 1
==6220== at 0xE8301CF: (within /lib/libgcc_s.so.1)
==6220== by 0xE830A9A: _Unwind_Backtrace (in /lib/libgcc_s.so.1)
==6220== by 0xBD51B31: backtrace (backtrace.c:85)
==6220== by 0xBCCA06B: __libc_message (libc_fatal.c:150)
==6220== by 0xBD557D6: __fortify_fail (fortify_fail.c:32)
==6220== by 0xBD5579F: __stack_chk_fail (stack_chk_fail.c:29)
==6220== by 0x10628229: read_markers (jdmarker.c:1097)
==6220== by 0xD6AA80BD6BE5D89B: ???
==6220== by 0x323CBB9363293CD0: ???
==6220== by 0x4A8BCA16C5042DF3: ???
==6220== by 0x991621B605B5318: ???
==6220== by 0x52844021315714D2: ???
==6220== Address 0xd6aa80bd6be5d89c is not stack'd, malloc'd or (recently) free'd
==6220==
==6220== Process terminating with default action of signal 11 (SIGSEGV)
==6220== General Protection Fault
==6220== at 0xE8301CF: (within /lib/libgcc_s.so.1)
==6220== by 0xE830A9A: _Unwind_Backtrace (in /lib/libgcc_s.so.1)
==6220== by 0xBD51B31: backtrace (backtrace.c:85)
==6220== by 0xBCCA06B: __libc_message (libc_fatal.c:150)
==6220== by 0xBD557D6: __fortify_fail (fortify_fail.c:32)
==6220== by 0xBD5579F: __stack_chk_fail (stack_chk_fail.c:29)
==6220== by 0x10628229: read_markers (jdmarker.c:1097)
==6220== by 0xD6AA80BD6BE5D89B: ???
==6220== by 0x323CBB9363293CD0: ???
==6220== by 0x4A8BCA16C5042DF3: ???
==6220== by 0x991621B605B5318: ???
==6220== by 0x52844021315714D2: ???
==6220==
==6220== ERROR SUMMARY: 11 errors from 6 contexts (suppressed: 11 from 1)
==6220== malloc/free: in use at exit: 19,120,263 bytes in 52,977 blocks.
==6220== malloc/free: 286,383 allocs, 233,406 frees, 140,419,963 bytes allocated.
==6220== For counts of detected errors, rerun with: -v
==6220== searching for pointers to 52,977 not-freed blocks.
==6220== checked 26,922,880 bytes.
==6220==
==6220== LEAK SUMMARY:
==6220== definitely lost: 335,607 bytes in 4,569 blocks.
==6220== possibly lost: 9,442,898 bytes in 252 blocks.
==6220== still reachable: 9,341,758 bytes in 48,156 blocks.
==6220== suppressed: 0 bytes in 0 blocks.
==6220== Rerun with --leak-check=full to see details of leaked memory.
Killed

ProblemType: Crash
Architecture: amd64
DistroRelease: Ubuntu 8.10
ExecutablePath: /usr/bin/evince
Package: evince 2.23.6-0ubuntu1
ProcCmdline: evince A808_AVerTV_DVB-T_Volar.pdf
ProcEnviron:
 SHELL=/bin/bash
 PATH=/store/users/username/.bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
 LANG=en_GB.UTF-8
Signal: 11
SourcePackage: evince
StacktraceTop:
 read_markers (cinfo=0x7f19e8082660)
 ?? ()
 ?? ()
 ?? ()
 ?? ()
Title: evince crashed with SIGSEGV in read_markers()
Uname: Linux 2.6.27-rc4-224c x86_64
UserGroups: adm admin audio cdrom dialout dip floppy kvm lpadmin mythtv plugdev scanner video
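A small triage helper for Memcheck output like the log above, added here as an example and not part of the bug report or of any of the projects involved: it extracts each Invalid read/write with its faulting stack, keeps those frames separate from the allocation stack valgrind prints after the Address line, flags return addresses that cannot be user-space code (the 0xD6AA... style frames that show the unwinder walking an already-smashed stack), and ranks the run. The sample log is a constructed excerpt modelled on the report's output.

```python
import re
from dataclasses import dataclass, field

ERROR_RE = re.compile(r"^==\d+== Invalid (read|write) of size \d+$")  # ==NNNN== is valgrind's PID prefix
FRAME_RE = re.compile(r"^==\d+==\s+(?:at|by) 0x([0-9A-Fa-f]+): (.+?)(?: \((.*)\))?$")
ADDR_RE = re.compile(r"^==\d+==\s+Address 0x[0-9A-Fa-f]+ is ([\d,]+) bytes (before|after|inside) a block")
USER_SPACE_LIMIT = 1 << 47  # x86-64 user-space pointers are canonical only below 2**47
# Constructed sample: a trimmed excerpt modelled on the valgrind log in the report above.
SAMPLE_LOG = """\
==6220== Invalid read of size 8
==6220==    at 0x10627E25: read_markers (jdmarker.c:474)
==6220==    by 0xD6AA80BD6BE5D89B: ???
==6220==  Address 0x11cde050 is 16 bytes before a block of size 17 alloc'd
==6220==    at 0x4C265AE: malloc (vg_replace_malloc.c:207)
==6220== Invalid write of size 8
==6220==    at 0x106281A9: read_markers (jdmarker.c:475)
==6220==    by 0x323CBB9363293CD0: ???
==6220==  Address 0x11cde050 is 16 bytes before a block of size 17 alloc'd
*** stack smashing detected ***: evince terminated
"""

@dataclass
class MemError:
    access: str                                  # "read" or "write"
    frames: list = field(default_factory=list)   # (address, function, location) of the faulting stack only
    relation: str = ""                           # "before" / "after" / "inside" the nearest heap block
    offset: int = 0                              # distance in bytes from that block

def parse_memcheck(text):
    """Collect Invalid read/write records and whether the run ended in a stack-protector abort."""
    errors, in_fault_stack, smashed = [], False, False
    for line in text.splitlines():
        if m := ERROR_RE.match(line):
            errors.append(MemError(m.group(1)))
            in_fault_stack = True
        elif (m := ADDR_RE.match(line)) and errors:
            errors[-1].offset = int(m.group(1).replace(",", ""))
            errors[-1].relation = m.group(2)
            in_fault_stack = False  # the frames that follow describe the allocation, not the fault
        elif (m := FRAME_RE.match(line)) and errors and in_fault_stack:
            errors[-1].frames.append((int(m.group(1), 16), m.group(2), m.group(3) or ""))
        elif "*** stack smashing detected ***" in line:
            smashed = True
    return errors, smashed

def triage(errors, smashed):
    """An out-of-bounds heap write followed by a stack-protector abort marks a memory-safety candidate."""
    oob_writes = [e for e in errors if e.access == "write" and e.relation in ("before", "after")]
    oob_reads = [e for e in errors if e.access == "read" and e.relation in ("before", "after")]
    # Return addresses above the canonical user-space range are not code: the unwinder walked a corrupted stack.
    bogus = sum(1 for e in errors for addr, _, _ in e.frames if addr >= USER_SPACE_LIMIT)
    sites = sorted({f"{fn} ({loc})" for e in errors for _, fn, loc in e.frames[:1]})
    severity = "high" if oob_writes and smashed else "medium" if oob_writes or oob_reads else "low"
    return {"severity": severity, "oob_writes": len(oob_writes), "oob_reads": len(oob_reads),
            "bogus_return_addresses": bogus, "fault_sites": sites, "stack_smash": smashed}
```

Running `triage(*parse_memcheck(SAMPLE_LOG))` ranks the constructed excerpt "high": a heap write 16 bytes before a 17-byte block, two non-canonical return addresses, and a stack-protector abort in the same run.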

Daniel J Blueman (danielblueman) wrote :
Jonathan Thomas (echidnaman) wrote :

Crashes Okular too. Most likely a poppler issue.

Changed in evince:
status: New → Confirmed
Apport retracing service (apport) wrote : Symbolic stack trace

StacktraceTop:
 read_markers (cinfo=0x7f19e8082660)
 ?? ()
 ?? ()
 ?? ()
 ?? ()

Apport retracing service (apport) wrote : Symbolic threaded stack trace
In , Greg Grossmeier (greg.grossmeier) wrote :

Created an attachment (id=19266)
Threaded Stacktrace from Apport

Originally opened on Launchpad: https://launchpad.net/bugs/260904

In , Greg Grossmeier (greg.grossmeier) wrote :

Created an attachment (id=19267)
gdb backtrace with evince-dbg and poppler-dbg

Greg Grossmeier (greg.grossmeier) wrote :

Thank you for your bug report. This bug has been reported to the developers of the software. You can track it and make comments here: https://bugs.freedesktop.org/show_bug.cgi?id=17811

Changed in poppler:
importance: Undecided → Unknown
status: New → Unknown
importance: Undecided → Medium
status: Confirmed → Triaged
Changed in poppler:
status: Unknown → Confirmed
Kees Cook (kees) wrote :

The crash is actually happening in the libjpeg (libjpeg6b) memory space.

Disassembly shows:
0x7f19ef4b1e3a <read_markers+3066>: mov %rax,(%rdx)

This code comes from the following area:
7f19ef4a1000-7f19ef4c3000 r-xp 00000000 08:03 167448 /usr/lib/libjpeg.so.62.0.0

Arun Tomar (tomar-arun) wrote :

Reproduced the bug.
I guess there is some problem with the PDF file also. Normally all my other PDF files open, except the one mentioned above. It crashes evince on my Ubuntu system (Hardy). acroread didn't crash but displayed a blank page.

I'm attaching the error files for evince that I generated, along with the comments.
My system is:
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=8.04
DISTRIB_CODENAME=hardy
DISTRIB_DESCRIPTION="Ubuntu 8.04.1"
Linux 2.6.24-19-generic #1 SMP Wed Aug 20 22:56:21 UTC 2008 i686 GNU/Linux

Arun Tomar (tomar-arun) wrote :
In , Albert Astals Cid (aacid) wrote :

Should be fixed in the next poppler release.

In , Kees Cook (kees) wrote :

Any pointers to the change that fixes it?

In , Kees Cook (kees) wrote :
In , Albert Astals Cid (aacid) wrote :
Changed in poppler:
status: Confirmed → Fix Released
Pedro Villavicencio (pedro) wrote :

This was fixed upstream.

Changed in poppler:
status: Triaged → Fix Committed
Sebastien Bacher (seb128) wrote :

The new version has been uploaded to Jaunty now.

Changed in poppler:
status: Fix Committed → Fix Released
Changed in poppler:
importance: Unknown → Medium
Changed in poppler:
importance: Medium → Unknown
Changed in poppler:
importance: Unknown → Medium
dino99 (9d9) wrote :

That version died long ago; it is no longer supported.

Changed in libjpeg6b (Ubuntu):
status: New → Invalid