Bug 6841 - Crash when opening a specific file
Summary: Crash when opening a specific file
Status: RESOLVED FIXED
Alias: None
Product: poppler
Classification: Unclassified
Component: general
Version: unspecified
Hardware: x86 (IA32) Linux (All)
Importance: high major
Assignee: poppler-bugs
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
Reported: 2006-05-05 01:04 UTC by Guillaume Desmottes
Modified: 2009-09-26 05:59 UTC


Attachments
Check length before doing memcpy (453 bytes, patch)
2006-09-10 06:13 UTC, Pascal Terjan

Description Guillaume Desmottes 2006-05-05 01:04:57 UTC
Transferring this bug from GNOME Bugzilla:
http://bugzilla.gnome.org/show_bug.cgi?id=340265

On my Dapper, evince crashes when I try to open this file:
http://www.ulb.ac.be/catalogue/polytech/pdf/polytech-r.pdf

Evince 0.5.2
Poppler 0.5.1

Starting program: /usr/bin/evince /tmp/polytech-r.pdf
[Thread debugging using libthread_db enabled]
[New Thread -1229183296 (LWP 29847)]
[New Thread -1231025232 (LWP 29853)]
Error (481274): Missing 'endstream'
Error (475592): Unexpected end of file in flate stream
Error (523795): Missing 'endstream'
Error (528568): Unexpected end of file in flate stream
Error (633617): Illegal character '>'
Error (633617): Missing 'endstream'
Error (638608): Unexpected end of file in flate stream
Error (577440): Missing 'endstream'
Error (582086): Unexpected end of file in flate stream
Error (481274): Missing 'endstream'
Error (475592): Unexpected end of file in flate stream

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1231025232 (LWP 29853)]
0xb772d9dc in memcpy () from /lib/tls/i686/cmov/libc.so.6
(gdb) thread apply all bt

Thread 2 (Thread -1231025232 (LWP 29853)):
#0  0xb772d9dc in memcpy () from /lib/tls/i686/cmov/libc.so.6
#1  0xb6ff3f40 in FT_Stream_OpenLZW () from /usr/lib/libfreetype.so.6
#2  0xb701230a in TT_RunIns () from /usr/lib/libfreetype.so.6
#3  0xb7012a74 in TT_RunIns () from /usr/lib/libfreetype.so.6
#4  0xb7013cfa in TT_RunIns () from /usr/lib/libfreetype.so.6
#5  0xb6fcd854 in FT_Get_Char_Index () from /usr/lib/libfreetype.so.6
#6  0xb6fce205 in FT_Open_Face () from /usr/lib/libfreetype.so.6
#7  0xb6fcec73 in FT_New_Memory_Face () from /usr/lib/libfreetype.so.6
#8  0xb79ded2b in SplashFTFontFile::loadType1Font (engineA=0x83d2cc8,
idA=0x8424088, src=0x84073d0,
    encA=0x84299ac) at SplashFTFontFile.cc:38
#9  0xb79de838 in SplashFTFontEngine::loadType1Font (this=0x83d2cc8,
idA=0x8424088, src=0x84073d0,
    enc=0x84299ac) at SplashFTFontEngine.cc:69
#10 0xb79dfdb0 in SplashFontEngine::loadType1Font (this=0x83dc878,
idA=0x8424088, src=0x84073d0,
    enc=0x84299ac) at SplashFontEngine.cc:120
#11 0xb7906fcf in SplashOutputDev::updateFont (this=0x83dc8f8, state=0x843c4a8)
    at SplashOutputDev.cc:1025
#12 0xb792f947 in Gfx::opShowSpaceText (this=0x8429210, args=0xb6a00068,
numArgs=1) at Gfx.cc:2673
#13 0xb792488e in Gfx::execOp (this=0x8429210, cmd=0xb6a000c8, args=0xb6a00068,
numArgs=1)
    at Gfx.cc:712
#14 0xb7924a71 in Gfx::go (this=0x8429210, topLevel=1) at Gfx.cc:580
#15 0xb792503d in Gfx::display (this=0x8429210, obj=0xb6a001c0, topLevel=1) at
Gfx.cc:543
#16 0xb798062a in Page::displaySlice (this=0x83e3908, out=0x83dc8f8, hDPI=72,
vDPI=72, rotate=0,
    useMediaBox=0, crop=1, sliceX=0, sliceY=0, sliceW=595, sliceH=842,
links=0x0,
    catalog=0x83e37a0, abortCheckCbk=0, abortCheckCbkData=0x0,
annotDisplayDecideCbk=0,
    annotDisplayDecideCbkData=0x0) at Page.cc:375
#17 0xb7a3bf10 in poppler_page_render_to_pixbuf (page=0x82d8880, src_x=0,
src_y=0, src_width=595,
    src_height=842, scale=1, rotation=0, pixbuf=0x83b2288) at
poppler-page.cc:324
#18 0x0809d0c2 in pdf_document_render_pixbuf (document=0x8310400, rc=0x82e0590)
at ev-poppler.cc:350
#19 0x0809ad91 in ev_document_render_pixbuf (document=0x8310400, rc=0x82e0590)
at ev-document.c:215
#20 0x08065f3e in ev_job_render_run (job=0x818f750) at ev-jobs.c:298
#21 0x08064237 in handle_job (job=0x818f750) at ev-job-queue.c:104
#22 0x08064515 in ev_render_thread (data=0x0) at ev-job-queue.c:187
#23 0xb6e22582 in g_thread_create_proxy (data=0x8154960) at gthread.c:582
#24 0xb7a47341 in start_thread () from /lib/tls/i686/cmov/libpthread.so.0
#25 0xb778b4ee in clone () from /lib/tls/i686/cmov/libc.so.6

Thread 1 (Thread -1229183296 (LWP 29847)):
#0  0xffffe410 in __kernel_vsyscall ()
#1  0xb77818c4 in poll () from /lib/tls/i686/cmov/libc.so.6
#2  0xb6e09788 in g_main_context_iterate (context=0x8115e00, block=1,
dispatch=1, self=0x80e0a80)
    at gmain.c:2849
#3  0xb6e09c58 in IA__g_main_loop_run (loop=0x8384ac8) at gmain.c:2751
#4  0xb7322495 in IA__gtk_main () at gtkmain.c:1026
#5  0x08087f90 in main (argc=2, argv=0xbfcd9ee4) at main.c:295
#0  0xb772d9dc in memcpy () from /lib/tls/i686/cmov/libc.so.6
Comment 1 Pascal Terjan 2006-09-10 06:13:14 UTC
Created attachment 6893
Check length before doing memcpy

This patch in freetype avoids the crash but I think it could be caught
earlier.
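The pattern the attached patch describes, a length check before memcpy when reading from a font stream, illustrated as an added example in C. This is not the attachment or FreeType's code; the font_stream type, read_checked and read_length_prefixed are hypothetical, and the byte arrays are constructed to mimic a font whose embedded data was cut short (the "Unexpected end of file in flate stream" case in the report).

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical in-memory font stream: `size` is what actually survived
 * decompression, which may be less than the lengths encoded inside it. */
typedef struct {
    const unsigned char *base;
    size_t size;   /* bytes actually available */
    size_t pos;    /* read cursor */
} font_stream;

/* Bounded copy: validates `count` against the bytes remaining before any
 * memcpy. An unchecked memcpy(out, base + pos, count) is the shape of the
 * crash in the backtrace above. Returns 1 on success, 0 on a short read. */
int read_checked(font_stream *s, unsigned char *out, size_t count) {
    size_t avail = s->pos < s->size ? s->size - s->pos : 0;
    if (count > avail)
        return 0;                      /* refuse instead of reading past the end */
    memcpy(out, s->base + s->pos, count);
    s->pos += count;
    return 1;
}

/* Reads a record with a 4-byte big-endian length prefix followed by its
 * payload, checking the declared length against both the destination
 * capacity and the bytes that remain in the stream. */
int read_length_prefixed(font_stream *s, unsigned char *out, size_t outcap, size_t *len) {
    unsigned char hdr[4];
    if (!read_checked(s, hdr, 4))
        return 0;
    *len = ((size_t)hdr[0] << 24) | ((size_t)hdr[1] << 16) |
           ((size_t)hdr[2] << 8)  |  (size_t)hdr[3];
    if (*len > outcap)
        return 0;                      /* would overflow the caller's buffer */
    return read_checked(s, out, *len); /* 0 if the stream is truncated */
}

/* Constructed sample: header declares 16 payload bytes, only 4 follow. */
int demo_truncated(void) {
    static const unsigned char data[] = {0x00, 0x00, 0x00, 0x10, 0x41, 0x42, 0x43, 0x44};
    font_stream s = { data, sizeof data, 0 };
    unsigned char buf[32];
    size_t len;
    return read_length_prefixed(&s, buf, sizeof buf, &len);   /* 0: rejected */
}

/* Constructed sample: header declares 2 bytes and 2 bytes follow. */
int demo_intact(void) {
    static const unsigned char data[] = {0x00, 0x00, 0x00, 0x02, 0x41, 0x42};
    font_stream s = { data, sizeof data, 0 };
    unsigned char buf[32];
    size_t len;
    return read_length_prefixed(&s, buf, sizeof buf, &len) && len == 2 && buf[1] == 0x42;
}
```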
Comment 2 Brad Hards 2007-11-01 03:18:43 UTC
That example works fine in acroread 8.1.1, and although it no longer crashes, poppler master branch still has problems with this file.
Comment 3 Brad Hards 2007-11-03 20:47:09 UTC
The problem appears to be in the handling of some quite large font files.

In the example http://www.ulb.ac.be/catalogue/polytech/pdf/polytech-r.pdf
there are four font files (obj 279, obj 284, obj 289 and obj 293) and we aren't parsing those correctly.
Comment 4 Albert Astals Cid 2009-09-26 05:59:01 UTC
Will be fixed in poppler 0.12.1