Bug#996639: Epiphany crashes when opening PDF in new tab (NULL pointer dereference)

John Scott Sat, 16 Oct 2021 09:15:17 -0700

Package: epiphany-browser
Version: 41.0-2
Severity: normal

Here is a proof-of-concept file you can open, assuming you have bash-
doc installed:


<!DOCTYPE html>
<html>
        <head>
                <title>Proof of concept</title>
        </head>
        <body>
                <a href="/usr/share/doc/bash/bash.pdf" target="_blank">Link</a>
        </body>
</html>

Clicking the link will try to open a new tab to view the PDF file in,
but this causes Epiphany to crash.

Here is the backtrace for the relevant thread:
#0  0x00007f6619804608 in decide_policy_cb
    (decision_type=WEBKIT_POLICY_DECISION_TYPE_RESPONSE, user_data=<optimized 
out>, decision=0x7f6600017e10 [WebKitResponsePolicyDecision], 
web_view=0x55a90c7f9230 [EphyWebView]) at ../embed/ephy-web-view.c:962
#1  decide_policy_cb
    (web_view=0x55a90c7f9230 [EphyWebView], decision=0x7f6600017e10 
[WebKitResponsePolicyDecision], decision_type=<optimized out>, 
user_data=<optimized out>) at ../embed/ephy-web-view.c:919
#2  0x00007f66126af9da in ffi_call_unix64 () at ../src/x86/unix64.S:105
#3  0x00007f66126aeb21 in ffi_call_int
    (cif=0x7ffd473cb370, fn=0x7f66198044b0 <decide_policy_cb>, 
rvalue=<optimized out>, avalue=<optimized out>, closure=<optimized out>)
    at ../src/x86/ffi64.c:672
#8  0x00007f6618cb92cf in <emit signal ??? on instance 0x55a90c7f9230 
[EphyWebView]>
    (instance=<optimized out>, signal_id=<optimized out>, detail=<optimized 
out>) at ../../../gobject/gsignal.c:3553
    #4  0x00007f6618ca0edc in g_cclosure_marshal_generic
    (closure=closure@entry=0x55a90c7ef070, 
return_gvalue=return_gvalue@entry=0x7ffd473cb510, 
n_param_values=n_param_values@entry=3, 
param_values=param_values@entry=0x7ffd473cb570, 
invocation_hint=invocation_hint@entry=0x7ffd473cb4f0, 
marshal_data=marshal_data@entry=0x0)
    at ../../../gobject/gclosure.c:1534
    #5  0x00007f6618ca06cf in g_closure_invoke
    (closure=0x55a90c7ef070, return_value=return_value@entry=0x7ffd473cb510, 
n_param_values=3, param_values=param_values@entry=0x7ffd473cb570, 
invocation_hint=invocation_hint@entry=0x7ffd473cb4f0) at 
../../../gobject/gclosure.c:830
    #6  0x00007f6618cb2a8b in signal_emit_unlocked_R
    (node=<optimized out>, detail=detail@entry=0, 
instance=instance@entry=0x55a90c7f9230, 
emission_return=emission_return@entry=0x7ffd473cb670, 
instance_and_params=instance_and_params@entry=0x7ffd473cb570) at 
../../../gobject/gsignal.c:3742
    #7  0x00007f6618cb88e9 in g_signal_emit_valist
    (instance=<optimized out>, signal_id=<optimized out>, detail=<optimized 
out>, var_args=var_args@entry=0x7ffd473cb720)
    at ../../../gobject/gsignal.c:3507
#9  0x00007f661551ee8c in webkitWebViewMakePolicyDecision(_WebKitWebView*, 
WebKitPolicyDecisionType, _WebKitPolicyDecision*) ()
    at ./Source/WebKit/UIProcess/API/glib/WebKitWebView.cpp:2627
#10 0x00007f66154fcd18 in 
NavigationClient::decidePolicyForNavigationResponse(WebKit::WebPageProxy&, 
WTF::Ref<API::NavigationResponse, WTF::RawPtrTraits<API::NavigationResponse> 
>&&, WTF::Ref<WebKit::WebFramePolicyListenerProxy, 
WTF::RawPtrTraits<WebKit::WebFramePolicyListenerProxy> >&&, API::Object*) () at 
./Source/WebKit/UIProcess/API/glib/WebKitNavigationClient.cpp:150
#11 0x00007f661544ae33 in 
WebKit::WebPageProxy::decidePolicyForResponseShared(WTF::Ref<WebKit::WebProcessProxy,
 WTF::RawPtrTraits<WebKit::WebProcessProxy> >&&, 
WTF::ObjectIdentifier<WebCore::PageIdentifierType>, 
WTF::ObjectIdentifier<WebCore::FrameIdentifierType>, WebKit::FrameInfoData&&, 
WebCore::PolicyCheckIdentifier, unsigned long, WebCore::ResourceResponse 
const&, WebCore::ResourceRequest const&, bool, WTF::String const&, bool, 
WebCore::BrowsingContextGroupSwitchDecision, unsigned long, unsigned long, 
WebKit::UserData const&) () at ./Source/WebKit/UIProcess/WebPageProxy.cpp:5681
#12 0x00007f661544af3e in 
WebKit::WebPageProxy::decidePolicyForResponse(WTF::ObjectIdentifier<WebCore::FrameIdentifierType>,
 WebKit::FrameInfoData&&, WebCore::PolicyCheckIdentifier, unsigned long, 
WebCore::ResourceResponse const&, WebCore::ResourceRequest const&, bool, 
WTF::String const&, bool, WebCore::BrowsingContextGroupSwitchDecision, unsigned 
long, unsigned long, WebKit::UserData const&) () at 
./Source/WebKit/UIProcess/WebPageProxy.cpp:5625
#13 0x00007f6615184d0d in IPC::callMemberFunctionImpl<WebKit::WebPageProxy, 
void 
(WebKit::WebPageProxy::*)(WTF::ObjectIdentifier<WebCore::FrameIdentifierType>, 
WebKit::FrameInfoData&&, WebCore::PolicyCheckIdentifier, unsigned long, 
WebCore::ResourceResponse const&, WebCore::ResourceRequest const&, bool, 
WTF::String const&, bool, WebCore::BrowsingContextGroupSwitchDecision, unsigned 
long, unsigned long, WebKit::UserData const&), 
std::tuple<WTF::ObjectIdentifier<WebCore::FrameIdentifierType>, 
WebKit::FrameInfoData, WebCore::PolicyCheckIdentifier, unsigned long, 
WebCore::ResourceResponse, WebCore::ResourceRequest, bool, WTF::String, bool, 
WebCore::BrowsingContextGroupSwitchDecision, unsigned long, unsigned long, 
WebKit::UserData>, 0ul, 1ul, 2ul, 3ul, 4ul, 5ul, 6ul, 7ul, 8ul, 9ul, 10ul, 
11ul, 12ul>(WebKit::WebPageProxy*, void 
(WebKit::WebPageProxy::*)(WTF::ObjectIdentifier<WebCore::FrameIdentifierType>, 
WebKit::FrameInfoData&&, WebCore::PolicyCheckIdentifier, unsigned long, 
WebCore::ResourceResponse const&, WebCore::ResourceRequest const&, bool, 
WTF::String const&, bool, WebCore::BrowsingContextGroupSwitchDecision, unsigned 
long, unsigned long, WebKit::UserData const&), 
std::tuple<WTF::ObjectIdentifier<WebCore::FrameIdentifierType>, 
WebKit::FrameInfoData, WebCore::PolicyCheckIdentifier, unsigned long, 
WebCore::ResourceResponse, WebCore::ResourceRequest, bool, WTF::String, bool, 
WebCore::BrowsingContextGroupSwitchDecision, unsigned long, unsigned long, 
WebKit::UserData>&&, std::integer_sequence<unsigned long, 0ul, 1ul, 2ul, 3ul, 
4ul, 5ul, 6ul, 7ul, 8ul, 9ul, 10ul, 11ul, 12ul>) () at 
./Source/WebKit/Platform/IPC/HandleMessage.h:43
#14 IPC::callMemberFunction<WebKit::WebPageProxy, void 
(WebKit::WebPageProxy::*)(WTF::ObjectIdentifier<WebCore::FrameIdentifierType>, 
WebKit::FrameInfoData&&, WebCore::PolicyCheckIdentifier, unsigned long, 
WebCore::ResourceResponse const&, WebCore::ResourceRequest const&, bool, 
WTF::String const&, bool, WebCore::BrowsingContextGroupSwitchDecision, unsigned 
long, unsigned long, WebKit::UserData const&), 
std::tuple<WTF::ObjectIdentifier<WebCore::FrameIdentifierType>, 
WebKit::FrameInfoData, WebCore::PolicyCheckIdentifier, unsigned long, 
WebCore::ResourceResponse, WebCore::ResourceRequest, bool, WTF::String, bool, 
WebCore::BrowsingContextGroupSwitchDecision, unsigned long, unsigned long, 
WebKit::UserData>, std::integer_sequence<unsigned long, 0ul, 1ul, 2ul, 3ul, 
4ul, 5ul, 6ul, 7ul, 8ul, 9ul, 10ul, 11ul, 12ul> 
>(std::tuple<WTF::ObjectIdentifier<WebCore::FrameIdentifierType>, 
WebKit::FrameInfoData, WebCore::PolicyCheckIdentifier, unsigned long, 
WebCore::ResourceResponse, WebCore::ResourceRequest, bool, WTF::String, bool, 
WebCore::BrowsingContextGroupSwitchDecision, unsigned long, unsigned long, 
WebKit::UserData>&&, WebKit::WebPageProxy*, void 
(WebKit::WebPageProxy::*)(WTF::ObjectIdentifier<WebCore::FrameIdentifierType>, 
WebKit::FrameInfoData&&, WebCore::PolicyCheckIdentifier, unsigned long, 
WebCore::ResourceResponse const&, WebCore::ResourceRequest const&, bool, 
WTF::String const&, bool, WebCore::BrowsingContextGroupSwitchDecision, unsigned 
long, unsigned long, WebKit::UserData const&)) () at 
./Source/WebKit/Platform/IPC/HandleMessage.h:49
#15 IPC::handleMessage<Messages::WebPageProxy::DecidePolicyForResponse, 
WebKit::WebPageProxy, void 
(WebKit::WebPageProxy::*)(WTF::ObjectIdentifier<WebCore::FrameIdentifierType>, 
WebKit::FrameInfoData&&, WebCore::PolicyCheckIdentifier, unsigned long, 
WebCore::ResourceResponse const&, WebCore::ResourceRequest const&, bool, 
WTF::String const&, bool, WebCore::BrowsingContextGroupSwitchDecision, unsigned 
long, unsigned long, WebKit::UserData const&)>(IPC::Decoder&, 
WebKit::WebPageProxy*, void 
(WebKit::WebPageProxy::*)(WTF::ObjectIdentifier<WebCore::FrameIdentifierType>, 
WebKit::FrameInfoData&&, WebCore::PolicyCheckIdentifier, unsigned long, 
WebCore::ResourceResponse const&, WebCore::ResourceRequest const&, bool, 
WTF::String const&, bool, WebCore::BrowsingContextGroupSwitchDecision, unsigned 
long, unsigned long, WebKit::UserData const&)) () at 
./Source/WebKit/Platform/IPC/HandleMessage.h:119
#16 0x00007f6615153a6d in 
WebKit::WebPageProxy::didReceiveMessage(IPC::Connection&, IPC::Decoder&) () at 
./build/DerivedSources/WebKit/WebPageProxyMessageReceiver.cpp:1093
#17 0x00007f66153829eb in 
IPC::MessageReceiverMap::dispatchMessage(IPC::Connection&, IPC::Decoder&) () at 
./Source/WebKit/Platform/IPC/MessageReceiverMap.cpp:129
#18 0x00007f661547ef13 in 
WebKit::WebProcessProxy::didReceiveMessage(IPC::Connection&, IPC::Decoder&) () 
at ./Source/WebKit/UIProcess/WebProcessProxy.cpp:844
#19 0x00007f661537be25 in 
IPC::Connection::dispatchMessage(std::unique_ptr<IPC::Decoder, 
std::default_delete<IPC::Decoder> >) () at 
./Source/WebKit/Platform/IPC/Connection.cpp:1103
#20 0x00007f661537de21 in IPC::Connection::dispatchIncomingMessages() () at 
./Source/WebKit/Platform/IPC/Connection.cpp:1217
#21 0x00007f6614621cdd in WTF::Function<void ()>::operator()() const () at 
./Source/WTF/wtf/Function.h:82
#22 WTF::RunLoop::performWork() () at ./Source/WTF/wtf/RunLoop.cpp:133
#23 0x00007f6614670879 in operator() () at 
./Source/WTF/wtf/glib/RunLoopGLib.cpp:80
#24 _FUN() () at ./Source/WTF/wtf/glib/RunLoopGLib.cpp:82
#25 0x00007f661467119f in operator() () at 
./Source/WTF/wtf/glib/RunLoopGLib.cpp:53
#26 _FUN() () at ./Source/WTF/wtf/glib/RunLoopGLib.cpp:56
#27 0x00007f6618babc0f in g_main_dispatch (context=0x55a90b308a40) at 
../../../glib/gmain.c:3381
#28 g_main_context_dispatch (context=0x55a90b308a40) at 
../../../glib/gmain.c:4099
#29 0x00007f6618babfb8 in g_main_context_iterate 
(context=context@entry=0x55a90b308a40, block=block@entry=1, 
dispatch=dispatch@entry=1, self=<optimized out>) at ../../../glib/gmain.c:4175
#30 0x00007f6618bac06f in g_main_context_iteration 
(context=context@entry=0x55a90b308a40, may_block=may_block@entry=1) at 
../../../glib/gmain.c:4240
#31 0x00007f6618dc87d5 in g_application_run (application=0x55a90b3006a0 
[EphyShell], argc=1195166532, argc@entry=1, argv=argv@entry=0x7ffd473ccce8) at 
../../../gio/gapplication.c:2569
#32 0x000055a9098d5c24 in main (argc=<optimized out>, argv=<optimized out>) at 
../src/ephy-main.c:431

I figured on my up-to-date system that this is probably not related to
the previous madness with libffi, so I took a look at line 962 of ephy-
web-view.c as a starting point:

} else if (strcmp (mime_type, "application/pdf") == 0 && strcmp (method, "GET") 
== 0) {

In this case, 'bt full' shows me that method is NULL, which was
obtained on line 953 via
  const char *method = webkit_uri_request_get_http_method (request);

I will probably report this to upstream shortly, seeing as none of the
Debian patches are pertinent, unless someone suggests I shouldn't.

-- System Information:
Debian Release: bookworm/sid
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing'), (2, 'unstable-
debug'), (2, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.14.0-2-amd64 (SMP w/2 CPU threads)
Kernel taint flags: TAINT_USER, TAINT_FIRMWARE_WORKAROUND
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages epiphany-browser depends on:
ii  dbus-user-session [default-dbus-session-bus]  1.12.20-2
ii  dbus-x11 [dbus-session-bus]                   1.12.20-2
ii  epiphany-browser-data                         41.0-2
ii  gsettings-desktop-schemas                     41.0-1
ii  iso-codes                                     4.7.0-1
ii  libarchive13                                  3.4.3-2+b1
ii  libatk1.0-0                                   2.36.0-2
ii  libc6                                         2.32-4
ii  libcairo2                                     1.16.0-5
ii  libdazzle-1.0-0                               3.42.0-2
ii  libgcr-base-3-1                               3.40.0-3+b1
ii  libgcr-ui-3-1                                 3.40.0-3+b1
ii  libgdk-pixbuf-2.0-0                           2.42.6+dfsg-2
ii  libglib2.0-0                                  2.70.0-1+b1
ii  libgmp10                                      2:6.2.1+dfsg-2
ii  libgtk-3-0                                    3.24.30-3
ii  libhandy-1-0                                  1.4.0-1
ii  libhogweed6                                   3.7.3-1
ii  libjavascriptcoregtk-4.0-18                   2.34.0-1
ii  libjson-glib-1.0-0                            1.6.6-1
ii  libnettle8                                    3.7.3-1
ii  libpango-1.0-0                                1.48.10+ds1-1
ii  libsecret-1-0                                 0.20.4-2
ii  libsoup2.4-1                                  2.74.0-2
ii  libsqlite3-0                                  3.36.0-2
ii  libwebkit2gtk-4.0-37                          2.34.0-1
ii  libxml2                                       2.9.12+dfsg-5

Versions of packages epiphany-browser recommends:
ii  ca-certificates  20210119
ii  evince           41.2-1
ii  yelp             41.1-1

epiphany-browser suggests no packages.

-- no debconf information

signature.asc
Description: This is a digitally signed message part

Bug#996639: Epiphany crashes when opening PDF in new tab (NULL pointer dereference)

Reply via email to