
#261 Crash in `HashMgr::add_hidden_capitalized_word`

v1.0 (example)
open
nobody
crash (1)
5
2015-03-09
2015-03-09
Paul Menzel
No

In Debian Sid/unstable, Evolution up to (at least) version 3.12.10 sometimes crashes with a segmentation fault inside libhunspell 1.3.3.

evolution[6395]: segfault at bf99ab50 ip a79ca80a sp bf99ab54 error 6 in libhunspell-1.3.so.0.0.0[a79ac000+57000]

Program terminated with signal SIGSEGV, Segmentation fault.
#0  0xa79ca80a in HashMgr::add_hidden_capitalized_word (this=0x9eb1e160, word=0x9e7ea818 "ACLs", wbl=4, wcl=4, flags=0x0, 
    flagslen=<optimized out>, dp=0x0, captype=4) at hashmgr.cxx:227
227 hashmgr.cxx: Datei oder Verzeichnis nicht gefunden.
(gdb) info registers
eax            0x1  1
ecx            0x0  0
edx            0x4  4
ebx            0xa7a03310   -1482673392
esp            0xbf99ab54   0xbf99ab54
ebp            0xbf9cabe8   0xbf9cabe8
esi            0x0  0
edi            0x9e7ea818   -1635866600
eip            0xa79ca80a   0xa79ca80a <HashMgr::add_hidden_capitalized_word(char*, int, int, unsigned short*, int, char*, int)+362>
eflags         0x210292 [ AF SF IF RF ID ]
cs             0x73 115
ss             0x7b 123
ds             0x7b 123
es             0x7b 123
fs             0x0  0
gs             0x33 51

Here is the backtrace.

Thread 1 (Thread 0xb0200900 (LWP 6395)):
#0  0xa79ca80a in HashMgr::add_hidden_capitalized_word (this=0x9eb1e160, word=0x9e7ea818 "ACLs", wbl=4, wcl=4, flags=0x0, 
    flagslen=<optimized out>, dp=0x0, captype=4) at hashmgr.cxx:227
        flags2 = <optimized out>
#1  0xa79cade2 in HashMgr::load_tables (this=0x9eb1e160, tpath=0xa6a9e6f0 "/usr/share/hunspell/de_DE.dic", key=0x0) at hashmgr.cxx:475
        captype = 4
        wbl = 4
        wcl = 4
        dp = 0x0
        flags = 0x0
        dict = <optimized out>
        nExtra = 1005
        al = 0
        ap = <optimized out>
        ts = 0x9e7ea818 "ACLs"
#2  0xa79cb008 in HashMgr::HashMgr (this=0x9eb1e160, tpath=0xa6a9e6f0 "/usr/share/hunspell/de_DE.dic", 
    apath=0x9eb16ae8 "/usr/share/hunspell/de_DE.aff", key=0x0) at hashmgr.cxx:38
        ec = <optimized out>
#3  0xa79cb595 in Hunspell::Hunspell (this=0xa6765c78, affpath=0x9eb16ae8 "/usr/share/hunspell/de_DE.aff", 
    dpath=0xa6a9e6f0 "/usr/share/hunspell/de_DE.dic", key=0x0) at hunspell.cxx:27
        try_string = <optimized out>
#4  0xa8762d20 in MySpellChecker::requestDictionary(char const*) () from /usr/lib/i386-linux-gnu/enchant/libenchant_myspell.so
No symbol table info available.
#5  0xa87630c6 in ?? () from /usr/lib/i386-linux-gnu/enchant/libenchant_myspell.so
No symbol table info available.
#6  0xb2fa36f0 in ?? () from /usr/lib/i386-linux-gnu/libenchant.so.1
No symbol table info available.
#7  0xb2fa4bed in enchant_broker_request_dict () from /usr/lib/i386-linux-gnu/libenchant.so.1
No symbol table info available.
#8  0xb425accd in spell_checker_request_dict (checker=0x1, checker@entry=0x9f4d2d30) at gtkhtml-spell-checker.c:100
        priv = 0x9f4d2d20
        code = 0xbf05fff0 "de_DE"
#9  0xb425b073 in gtkhtml_spell_checker_check_word (checker=0x9f4d2d30, word=0xa6763fc8 "Content", length=-1)
    at gtkhtml-spell-checker.c:299
        dict = <optimized out>
        result = <optimized out>
        __FUNCTION__ = "gtkhtml_spell_checker_check_word"
#10 0xb424b229 in editor_method_check_word (html=0x9f48f1b0, word=0xa6763fc8 "Content", user_data=0x9f75c338) at gtkhtml-editor.c:269
        checker = <optimized out>
        editor = 0x9f75c338
        correct = 0
        list = 0xa68e97d0
#11 0xb4188975 in html_clueflow_spell_check (flow=0xa6763fcf, e=0x9f48f208, interval=0x9e889af0) at htmlclueflow.c:3267
        result = 1
        cited = 0
        off = 0
        __FUNCTION__ = "html_clueflow_spell_check"
#12 0xb419078e in html_engine_spell_check_range (e=0x9f48f208, begin=0x9e7a0270, end=0xa6761250) at htmlengine-edit.c:250
        i = 0x1
        cited = 0
#13 0xb4195bfb in insert_object_do (dir=HTML_UNDO_UNDO, check=1, position_after=44, level=1, len=<synthetic pointer>, obj=0x9e8712f8, 
    e=0x9f48f208) at htmlengine-edit-cut-and-paste.c:1001
        last = 0xa678e740
        position_before = <optimized out>
        orig = 0x9e7a9ef3
        left = 0x9e7e0370
        right = 0x9e79d5a0
        first = 0x0
#14 insert_object_for_undo (e=0x9f48f208, obj=0x9e8712f8, len=44, position_after=44, level=1, dir=HTML_UNDO_UNDO, check=1)
    at htmlengine-edit-cut-and-paste.c:1215
        delete_paragraph_before = 0
        delete_paragraph_after = 0
        position_before = <optimized out>
#15 0xb4196f61 in insert_object (dir=<optimized out>, check=<optimized out>, level=<optimized out>, position_after=44, 
    len=<optimized out>, obj=<optimized out>, e=<optimized out>) at htmlengine-edit-cut-and-paste.c:1233
No locals.
#16 html_engine_insert_text_with_extra_attributes (e=0x9f48f208, 
    ptext=0x9e7e4c50 "Content-Type: text/plain; charset=\"us-ascii\"\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\nFrom: Joey Deb <joey.deb@example.net>\nTo: Debian Bug Tracking System <submit@bugs.debian.org>\nSubject: g"..., len=4055, attrs=0x0)
    at htmlengine-edit-cut-and-paste.c:1545
        nl = 0x9e7e5c5c "\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\nFrom: Joey Deb <joey.deb@example.net>\nTo: Debian Bug Tracking System <submit@bugs.debian.org>\nSubject: gnome-core: Audio muted\nBcc: Joey Deb <joe"...
        sanitized_text = 0x9e7e5c30 "Content-Type: text/plain; charset=\"us-ascii\"\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\nFrom: Joey Deb <joey.deb@example.net>\nTo: Debian Bug Tracking System <submit@bugs.debian.org>\nSubject: g"...
        text = 0x9e7e5c30 "Content-Type: text/plain; charset=\"us-ascii\"\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\nFrom: Joey Deb <joey.deb@example.net>\nTo: Debian Bug Tracking System <submit@bugs.debian.org>\nSubject: g"...
        alen = 44
#17 0xb41974c4 in html_engine_paste_text_with_extra_attributes (e=0x9f48f208, 
    text=0x9e7e4c50 "Content-Type: text/plain; charset=\"us-ascii\"\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\nFrom: Joey Deb <joey.deb@example.net>\nTo: Debian Bug Tracking System <submit@bugs.debian.org>\nSubject: g"..., len=4055, attrs=0x0)
    at htmlengine-edit-cut-and-paste.c:1583
        undo_name = 0x9e7e6850 ' ' <repeats 14 times>, "1.22.2-1\nii  iceweasel", ' ' <repeats 18 times>, "31.5.0esr-1\nii  libatk-adaptor", ' ' <repeats 13 times>, "2.14.0-2\nii  libcanberra-pulse          0.30-2.1\nii  libcaribou-gtk-module      0.4.15-1\nii  libcaribou"...
        redo_name = 0xbf9cafe8 "PL~\236\002u\031\264\b\362H\237PL~\236\327\017"
#18 0xb4197502 in html_engine_paste_text (e=0x9f48f208, 
    text=0x9e7e4c50 "Content-Type: text/plain; charset=\"us-ascii\"\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\nFrom: Joey Deb <joey.deb@example.net>\nTo: Debian Bug Tracking System <submit@bugs.debian.org>\nSubject: g"..., len=4055)
    at htmlengine-edit-cut-and-paste.c:1592
No locals.
#19 0xb417efa1 in clipboard_paste_received_cb (clipboard=0xa7723320, selection_data=0xbf9cb460, user_data=0x9f48f1b0) at gtkhtml.c:4677
        i = -1635890096
        widget = 0x9f48f1b0
        data_type = 0x4
#20 0xb5066670 in selection_received (widget=0xa7f26158, selection_data=0xbf9cb460, time=1586594)
    at /build/gtk+3.0-IGfsio/gtk+3.0-3.14.5/./gtk/gtkclipboard.c:940
No locals.
#21 0xb4f08801 in _gtk_marshal_VOID__BOXED_UINT (closure=0xa1f34860, return_value=0x0, n_param_values=3, param_values=0xbf9cb260, 
    invocation_hint=0xbf9cb218, marshal_data=0x0) at /build/gtk+3.0-IGfsio/gtk+3.0-3.14.5/./gtk/gtkmarshalers.c:3348
        callback = 0xb5066600 <selection_received>
        cc = 0xa1f34860
        data1 = 0xa7f26158
        data2 = 0x0
        __FUNCTION__ = "_gtk_marshal_VOID__BOXED_UINT"
#22 0xb4b1983b in g_closure_invoke (closure=0xa1f34860, return_value=0x0, n_param_values=3, param_values=0xbf9cb260, 
    invocation_hint=0xbf9cb218) at /build/glib2.0-EvFudu/glib2.0-2.42.1/./gobject/gclosure.c:768
        marshal = 0xb4f08760 <_gtk_marshal_VOID__BOXED_UINT>
        marshal_data = 0x0
        in_marshal = 0
        real_closure = 0xa1f34850
        __FUNCTION__ = "g_closure_invoke"
#23 0xb4b2b855 in signal_emit_unlocked_R (node=0x1, node@entry=0xb7d3dee8, detail=4, detail@entry=0, instance=0xa7f26158, 
    emission_return=0x0, instance_and_params=0xbf9cb260) at /build/glib2.0-EvFudu/glib2.0-2.42.1/./gobject/gsignal.c:3553
        emission = {next = 0xbf9cb650, instance = 0xa7f26158, ihint = {signal_id = 52, detail = 0, run_type = G_SIGNAL_RUN_FIRST}, 
          state = EMISSION_RUN, chain_type = 4}
        accu = {g_type = 0, data = {{v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, 
              v_pointer = 0x0}, {v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, 
              v_pointer = 0x0}}}
#24 0xb4b33eda in g_signal_emit_valist (instance=0xa7f26158, signal_id=52, detail=0, var_args=0xbf9cb450 "Xa\362\247\020")
    at /build/glib2.0-EvFudu/glib2.0-2.42.1/./gobject/gsignal.c:3309
        instance_and_params = <optimized out>
        signal_return_type = <optimized out>
        param_values = <optimized out>
        i = <optimized out>
        n_params = <optimized out>
        __FUNCTION__ = "g_signal_emit_valist"
#25 0xb4b34575 in g_signal_emit_by_name (instance=0xa7f26158, detailed_signal=0xb50efc43 "selection-received")
    at /build/glib2.0-EvFudu/glib2.0-2.42.1/./gobject/gsignal.c:3405
        detail = 0
        signal_id = 52
        __FUNCTION__ = "g_signal_emit_by_name"
#26 0xb4f8160a in gtk_selection_retrieval_report (info=0x9e865b40, type=<optimized out>, format=8, 
    buffer=0x9e7e3400 "Content-Type: text/plain; charset=\"us-ascii\"\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\nFrom: Joey Deb <joey.deb@example.net>\nTo: Debian Bug Tracking System <submit@bugs.debian.org>\nSubject: g"..., length=4057, time=1586594)
    at /build/gtk+3.0-IGfsio/gtk+3.0-3.14.5/./gtk/gtkselection.c:3023
        data = {selection = 0x1, target = 0x46, type = 0x46, format = 8, 
          data = 0x9e7e3400 "Content-Type: text/plain; charset=\"us-ascii\"\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\nFrom: Joey Deb <joey.deb@example.net>\nTo: Debian Bug Tracking System <submit@bugs.debian.org>\nSubject: g"..., length = 4057, display = 0xb7d67048}
#27 0xb4f8576f in _gtk_selection_notify (widget=0x4, event=0xa67e40c0) at /build/gtk+3.0-IGfsio/gtk+3.0-3.14.5/./gtk/gtkselection.c:2827
        info = 0x9e865b40
        buffer = 0x9e7e3400 "Content-Type: text/plain; charset=\"us-ascii\"\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\nFrom: Joey Deb <joey.deb@example.net>\nTo: Debian Bug Tracking System <submit@bugs.debian.org>\nSubject: g"...
        length = 4
        type = 0x46
        format = 8
#28 0xb4f0449d in _gtk_marshal_BOOLEAN__BOXEDv (closure=0xb7d394e0, return_value=0xbf9cb628, instance=0xa7f26158, 
    args=0xbf9cb6fc "\300@~\246(\267\234\277\300@~\246Xa\362\247\374\376\003\265Xa\362\247X{ӷ", 
    marshal_data=0xb4f85670 <_gtk_selection_notify>, n_params=1, param_types=0xb7d394f8)
    at /build/gtk+3.0-IGfsio/gtk+3.0-3.14.5/./gtk/gtkmarshalers.c:130
        cc = 0xb7d394e0
        data1 = <optimized out>
        data2 = <optimized out>
        callback = <optimized out>
        arg0 = 0xa67e40c0
        args_copy = 0xbf9cb700 "(\267\234\277\300@~\246Xa\362\247\374\376\003\265Xa\362\247X{ӷ"
        v_return = <optimized out>
        __FUNCTION__ = "_gtk_marshal_BOOLEAN__BOXEDv"
#29 0xb4b182e2 in g_type_class_meta_marshalv (closure=0xb7d394e0, return_value=0xbf9cb628, instance=0xa7f26158, 
    args=0xbf9cb6fc "\300@~\246(\267\234\277\300@~\246Xa\362\247\374\376\003\265Xa\362\247X{ӷ", marshal_data=0x108, n_params=1, 
    param_types=0xb7d394f8) at /build/glib2.0-EvFudu/glib2.0-2.42.1/./gobject/gclosure.c:988
        real_closure = 0xb7d394d0
        class = 0xa7e3ebf0
        callback = <optimized out>
        offset = 264
#30 0xb4b19a5f in _g_closure_invoke_va (closure=0xb7d394e0, return_value=0xbf9cb628, instance=0xa7f26158, 
    args=0xbf9cb6fc "\300@~\246(\267\234\277\300@~\246Xa\362\247\374\376\003\265Xa\362\247X{ӷ", n_params=1, param_types=0xb7d394f8)
    at /build/glib2.0-EvFudu/glib2.0-2.42.1/./gobject/gclosure.c:831
        marshal = 0xb4b182b0 <g_type_class_meta_marshalv>
        marshal_data = 0x108
        in_marshal = 0
        real_closure = 0xb7d394d0
        __FUNCTION__ = "_g_closure_invoke_va"
#31 0xb4b33353 in g_signal_emit_valist (instance=0xa7f26158, signal_id=51, detail=0, 
    var_args=0xbf9cb6fc "\300@~\246(\267\234\277\300@~\246Xa\362\247\374\376\003\265Xa\362\247X{ӷ")
    at /build/glib2.0-EvFudu/glib2.0-2.42.1/./gobject/gsignal.c:3218
        return_accu = <optimized out>
        accu = {g_type = 20, data = {{v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, 
              v_double = 0, v_pointer = 0x0}, {v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, 
              v_double = 0, v_pointer = 0x0}}}
        accumulator = <optimized out>
        emission = {next = 0x0, instance = 0xa7f26158, ihint = {signal_id = 51, detail = 0, run_type = G_SIGNAL_RUN_LAST}, 
          state = EMISSION_RUN, chain_type = 2816732024}
        instance_type = <optimized out>
        emission_return = {g_type = 20, data = {{v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, 
              v_double = 0, v_pointer = 0x0}, {v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, 
              v_double = 0, v_pointer = 0x0}}}
        rtype = 20
        static_scope = 0
        fastpath_handler = <optimized out>
        closure = 0xb7d394e0
        run_type = <optimized out>
        l = <optimized out>
        fastpath = <optimized out>
        instance_and_params = <optimized out>
        signal_return_type = <optimized out>
        param_values = <optimized out>
        i = <optimized out>
        n_params = <optimized out>
        __FUNCTION__ = "g_signal_emit_valist"
#32 0xb4b340d5 in g_signal_emit (instance=0xa7f26158, signal_id=51, detail=0)
    at /build/glib2.0-EvFudu/glib2.0-2.42.1/./gobject/gsignal.c:3365
        var_args = 0xbf9cb6fc "\300@~\246(\267\234\277\300@~\246Xa\362\247\374\376\003\265Xa\362\247X{ӷ"
#33 0xb503ffec in gtk_widget_event_internal (widget=0xa7f26158, event=0xa67e40c0)
    at /build/gtk+3.0-IGfsio/gtk+3.0-3.14.5/./gtk/gtkwidget.c:7773
        signal_num = <optimized out>
        return_val = 0
        handled = 0
        event = 0xa67e40c0
        widget = 0xa7f26158
#34 0xb4f038ef in gtk_main_do_event (event=0xa67e40c0) at /build/gtk+3.0-IGfsio/gtk+3.0-3.14.5/./gtk/gtkmain.c:1695
        device = 0x0
        tmp_list = 0xa67e40c0
        __FUNCTION__ = "gtk_main_do_event"
#35 0xb47092e8 in _gdk_event_emit (event=0xa67e40c0) at /build/gtk+3.0-IGfsio/gtk+3.0-3.14.5/./gdk/gdkevents.c:69
No locals.
#36 0xb4730ed7 in gdk_event_source_dispatch (source=0xb7d7ef18, callback=0x0, user_data=0x0)
    at /build/gtk+3.0-IGfsio/gtk+3.0-3.14.5/./gdk/x11/gdkeventsource.c:364
        display = <optimized out>
        event = 0xa67e40c0
#37 0xb4a2ada4 in g_main_dispatch (context=<optimized out>) at /build/glib2.0-EvFudu/glib2.0-2.42.1/./glib/gmain.c:3111
        user_data = 0x0
        callback = 0x0
        cb_funcs = 0x4
        source = 0xb7d7ef18
        current = 0xb7e729c8
        i = 4
#38 g_main_context_dispatch (context=0x0) at /build/glib2.0-EvFudu/glib2.0-2.42.1/./glib/gmain.c:3710
No locals.
#39 0xb4a2b0c9 in g_main_context_iterate (context=0xb7d55608, block=4, block@entry=1, dispatch=1, self=<optimized out>)
    at /build/glib2.0-EvFudu/glib2.0-2.42.1/./glib/gmain.c:3781
        max_priority = 0
        timeout = 0
        some_ready = 1
        fds = 0x1
#40 0xb4a2b479 in g_main_loop_run (loop=0xbaff91a8) at /build/glib2.0-EvFudu/glib2.0-2.42.1/./glib/gmain.c:3975
        __FUNCTION__ = "g_main_loop_run"
#41 0xb4f029ae in gtk_main () at /build/gtk+3.0-IGfsio/gtk+3.0-3.14.5/./gtk/gtkmain.c:1207
        loop = 0xbaff91a8
#42 0xb777eb0a in main (argc=1, argv=0xbf9cb9e4) at main.c:685
        shell = 0xb7d672b8
        settings = <optimized out>
        error = 0x0

Discussion