Bug 13972

Summary: Crash in AESV2 protected PDF files
Product: poppler Reporter: Pedro Villavicencio <pvillavi>
Component: generalAssignee: poppler-bugs <poppler-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: critical    
Priority: medium CC: carlosgc, cbergemann
Version: unspecified   
Hardware: x86 (IA32)   
OS: Linux (All)   
Whiteboard:
i915 platform: i915 features:

Description Pedro Villavicencio 2008-01-08 10:46:47 UTC 
This report has been filled here:

https://bugs.launchpad.net/ubuntu/+source/poppler/+bug/180887

"The Document Viewer won't open this PDF:

http://launchpadlibrarian.net/11179656/ch2-online.pdf

This is the Child Benefit claim form for the UK."

Stacktrace:

"Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb6999b90 (LWP 9324)]
DecryptStream::getChar (this=0x8372e38) at Decrypt.cc:271
271	      c = state.aes.buf[state.aes.bufIdx++];
Current language:  auto; currently c++
#0  DecryptStream::getChar (this=0x8372e38) at Decrypt.cc:271
#1  0xb7b10dae in Parser::getObj (this=0x83719a8, obj=0xb6998fb0, 
    fileKey=0x836ff34 "\224š÷ë\033\r^s$ÅíÁ$Ä+è", encAlgorithm=cryptAES, 
    keyLength=16, objNum=23, objGen=0) at Parser.cc:127
#2  0xb7b111ef in Parser::getObj (this=0x83719a8, obj=0xb6999020, 
    fileKey=0x836ff34 "\224š÷ë\033\r^s$ÅíÁ$Ä+è", encAlgorithm=cryptAES, 
    keyLength=16, objNum=23, objGen=0) at Parser.cc:86
#3  0xb7b111ef in Parser::getObj (this=0x83719a8, obj=0xb6999090, 
    fileKey=0x836ff34 "\224š÷ë\033\r^s$ÅíÁ$Ä+è", encAlgorithm=cryptAES, 
    keyLength=16, objNum=23, objGen=0) at Parser.cc:86
#4  0xb7b111ef in Parser::getObj (this=0x83719a8, obj=0xb69991c0, 
    fileKey=0x836ff34 "\224š÷ë\033\r^s$ÅíÁ$Ä+è", encAlgorithm=cryptAES, 
    keyLength=16, objNum=23, objGen=0) at Parser.cc:86
#5  0xb7b1e3b3 in XRef::fetch (this=0x836fee0, num=23, gen=0, obj=0xb69991c0)
    at XRef.cc:906
#6  0xb7ab4b35 in Catalog (this=0x8370658, xrefA=0x836fee0) at XRef.h:79
#7  0xb7b11b26 in PDFDoc::setup (this=0x836faa0, ownerPassword=0x0, 
    userPassword=0x0) at PDFDoc.cc:206
#8  0xb7b11db5 in PDFDoc (this=0x836faa0, fileNameA=0x836fa78, 
    ownerPassword=0x0, userPassword=0x0, guiDataA=0x0) at PDFDoc.cc:102
#9  0xb7bf67e2 in poppler_document_new_from_file (
    uri=0x834e738 "file:///home/pvillavi/ch2-online.pdf", password=0x0, 
    error=0xb69992bc) at poppler-document.cc:143
#10 0x080a2279 in pdf_document_load (document=0x81990c8, 
    uri=0x834e738 "file:///home/pvillavi/ch2-online.pdf", error=0x8313574)
    at ev-poppler.cc:284
#11 0x0809ad11 in ev_document_load (document=0x81990c8, 
    uri=0x834e738 "file:///home/pvillavi/ch2-online.pdf", error=0x8313574)
    at ev-document.c:122
#12 0x0809b125 in ev_document_factory_get_document (
    uri=0xc90c8 <Address 0xc90c8 out of bounds>, error=0x8313574)
    at ev-document-factory.c:347
#13 0x08061e90 in ev_job_load_run (job=0x8313550) at ev-jobs.c:570
#14 0x08060750 in handle_job (job=0x8313550) at ev-job-queue.c:132
#15 0x08060d3c in ev_render_thread (data=0x0) at ev-job-queue.c:263
#16 0xb6eb122f in g_thread_create_proxy (data=0x811e128) at gthread.c:635
#17 0xb7c184fb in start_thread () from /lib/tls/i686/cmov/libpthread.so.0
#18 0xb79698ee in clone () from /lib/tls/i686/cmov/libc.so.6"

"Thread 2 (Thread 0xb6999b90 (LWP 9324)):
#0  DecryptStream::getChar (this=0x8372e38) at Decrypt.cc:271
	in = "BDŽ· \0307\bà\216\231¶\001\000\000"
	c = -1
	i = 137834040
#1  0xb7b10dae in Parser::getObj (this=0x83719a8, obj=0xb6998fb0, 
    fileKey=0x836ff34 "\224š÷ë\033\r^s$ÅíÁ$Ä+è", encAlgorithm=cryptAES, 
    keyLength=16, objNum=23, objGen=0) at Parser.cc:127
	key = <value optimized out>
	str = <value optimized out>
	obj2 = {type = objNull, {booln = 137828800, intg = 137828800, 
    real = -nan(0xfffff083719c0), string = 0x83719c0, name = 0x83719c0 "\004", 
    array = 0x83719c0, dict = 0x83719c0, stream = 0x83719c0, ref = {
      num = 137828800, gen = -1}, cmd = 0x83719c0 "\004"}}
	num = <value optimized out>
	decrypt = (class DecryptStream *) 0x8372e38
	s = <value optimized out>
	s2 = (GooString *) 0x8371820
	c = <value optimized out>
#2  0xb7b111ef in Parser::getObj (this=0x83719a8, obj=0xb6999020, 
    fileKey=0x836ff34 "\224š÷ë\033\r^s$ÅíÁ$Ä+è", encAlgorithm=cryptAES, 
    keyLength=16, objNum=23, objGen=0) at Parser.cc:86
	key = 0x8370108 "Contents"
	str = <value optimized out>
	obj2 = {type = objName, {booln = 137829520, intg = 137829520, 
    real = 6.8096830814789007e-316, string = 0x8371c90, 
    name = 0x8371c90 "Adobe.PPKLite", array = 0x8371c90, dict = 0x8371c90, 
    stream = 0x8371c90, ref = {num = 137829520, gen = 0}, 
    cmd = 0x8371c90 "Adobe.PPKLite"}}
	num = <value optimized out>
	decrypt = <value optimized out>
	s = <value optimized out>
	s2 = <value optimized out>
	c = <value optimized out>
#3  0xb7b111ef in Parser::getObj (this=0x83719a8, obj=0xb6999090, 
    fileKey=0x836ff34 "\224š÷ë\033\r^s$ÅíÁ$Ä+è", encAlgorithm=cryptAES, 
    keyLength=16, objNum=23, objGen=0) at Parser.cc:86
	key = 0x8371960 "UR3"
	str = <value optimized out>
	obj2 = {type = objDict, {booln = 137829496, intg = 137829496, 
    real = -nan(0xfffff08371c78), string = 0x8371c78, 
    name = 0x8371c78 "àþ6\bš\0347\b\b", array = 0x8371c78, dict = 0x8371c78, 
    stream = 0x8371c78, ref = {num = 137829496, gen = -1}, 
    cmd = 0x8371c78 "àþ6\bš\0347\b\b"}}
	num = <value optimized out>
	decrypt = <value optimized out>
	s = <value optimized out>
	s2 = <value optimized out>
	c = <value optimized out>
#4  0xb7b111ef in Parser::getObj (this=0x83719a8, obj=0xb69991c0, 
    fileKey=0x836ff34 "\224š÷ë\033\r^s$ÅíÁ$Ä+è", encAlgorithm=cryptAES, 
    keyLength=16, objNum=23, objGen=0) at Parser.cc:86
	key = 0x8371970 "Perms"
	str = <value optimized out>
	obj2 = {type = objDict, {booln = 137822520, intg = 137822520, 
    real = 6.8093372355268119e-316, string = 0x8370138, 
    name = 0x8370138 "àþ6\b", array = 0x8370138, dict = 0x8370138, 
    stream = 0x8370138, ref = {num = 137822520, gen = 0}, 
    cmd = 0x8370138 "àþ6\b"}}
	num = <value optimized out>
	decrypt = <value optimized out>
	s = <value optimized out>
	s2 = <value optimized out>
	c = <value optimized out>
#5  0xb7b1e3b3 in XRef::fetch (this=0x836fee0, num=23, gen=0, obj=0xb69991c0)
    at XRef.cc:906
	e = <value optimized out>
	parser = (Parser *) 0x83719a8
	obj1 = {type = objInt, {booln = 23, intg = 23, 
    real = 4.3587385789441928e-269, string = 0x17, 
    name = 0x17 <Address 0x17 out of bounds>, array = 0x17, dict = 0x17, 
    stream = 0x17, ref = {num = 23, gen = 137823976}, 
    cmd = 0x17 <Address 0x17 out of bounds>}}
	obj2 = {type = objInt, {booln = 0, intg = 0, 
    real = -1.1196959744695033e-45, string = 0x0, name = 0x0, array = 0x0, 
    dict = 0x0, stream = 0x0, ref = {num = 0, gen = -1231449664}, cmd = 0x0}}
	obj3 = {type = objCmd, {booln = 137828888, intg = 137828888, 
    real = 6.8096518565300836e-316, string = 0x8371a18, 
    name = 0x8371a18 "obj", array = 0x8371a18, dict = 0x8371a18, 
    stream = 0x8371a18, ref = {num = 137828888, gen = 0}, 
    cmd = 0x8371a18 "obj"}}
#6  0xb7ab4b35 in Catalog (this=0x8370658, xrefA=0x836fee0) at XRef.h:79
No locals.
#7  0xb7b11b26 in PDFDoc::setup (this=0x836faa0, ownerPassword=0x0, 
    userPassword=0x0) at PDFDoc.cc:206
No locals.
#8  0xb7b11db5 in PDFDoc (this=0x836faa0, fileNameA=0x836fa78, 
    ownerPassword=0x0, userPassword=0x0, guiDataA=0x0) at PDFDoc.cc:102
No locals.
#9  0xb7bf67e2 in poppler_document_new_from_file (
    uri=0x834e738 "file:///home/pvillavi/ch2-online.pdf", password=0x0, 
    error=0xb69992bc) at poppler-document.cc:143
	newDoc = (PDFDoc *) 0x836faa0
	filename_g = (GooString *) 0x836fa78
	password_g = (GooString *) 0x0
	filename = <value optimized out>
#10 0x080a2279 in pdf_document_load (document=0x81990c8, 
    uri=0x834e738 "file:///home/pvillavi/ch2-online.pdf", error=0x8313574)
    at ev-poppler.cc:284
	poppler_error = (GError *) 0x0
#11 0x0809ad11 in ev_document_load (document=0x81990c8, 
    uri=0x834e738 "file:///home/pvillavi/ch2-online.pdf", error=0x8313574)
    at ev-document.c:122
	retval = 823496
#12 0x0809b125 in ev_document_factory_get_document (
    uri=0xc90c8 <Address 0xc90c8 out of bounds>, error=0x8313574)
    at ev-document-factory.c:347
	document = (EvDocument *) 0x81990c8
	result = <value optimized out>
	compression = EV_COMPRESSION_NONE
	uri_unc = (gchar *) 0x0
#13 0x08061e90 in ev_job_load_run (job=0x8313550) at ev-jobs.c:570
	__PRETTY_FUNCTION__ = "ev_job_load_run"
#14 0x08060750 in handle_job (job=0x8313550) at ev-job-queue.c:132
	__PRETTY_FUNCTION__ = "handle_job"
#15 0x08060d3c in ev_render_thread (data=0x0) at ev-job-queue.c:263
	job = (EvJob *) 0x8313550
#16 0xb6eb122f in g_thread_create_proxy (data=0x811e128) at gthread.c:635
	__PRETTY_FUNCTION__ = "g_thread_create_proxy"
#17 0xb7c184fb in start_thread () from /lib/tls/i686/cmov/libpthread.so.0
No symbol table info available.
#18 0xb79698ee in clone () from /lib/tls/i686/cmov/libc.so.6
No symbol table info available.

Thread 1 (Thread 0xb6d0b6c0 (LWP 9321)):
#0  0xffffe410 in __kernel_vsyscall ()
No symbol table info available.
#1  0xb7c1f589 in __lll_lock_wait () from /lib/tls/i686/cmov/libpthread.so.0
No symbol table info available.
#2  0xb7c1aba6 in _L_lock_95 () from /lib/tls/i686/cmov/libpthread.so.0
No symbol table info available.
#3  0xb7c1a58a in pthread_mutex_lock () from /lib/tls/i686/cmov/libpthread.so.0
No symbol table info available.
#4  0x0809a776 in ev_document_fc_mutex_lock () at ev-document.c:105
No locals.
#5  0x08077beb in draw_loading_text (view=0x8280028, page_area=0xbfef4d40, 
    expose_area=<value optimized out>) at ev-view.c:3517
	layout = <value optimized out>
	font_desc = <value optimized out>
	logical_rect = {x = 16, y = 135006696, width = -1212040692, 
  height = 16777224}
	cr = <value optimized out>
#6  0x080782f2 in ev_view_expose_event (widget=0x8280028, event=0xbfef52d4)
    at ev-view.c:2499
	area = {x = 0, y = 0, width = 449, height = 512}
	view = (EvView *) 0x8280028
	cr = <value optimized out>
	i = <value optimized out>
#7  0xb755cb84 in _gtk_marshal_BOOLEAN__BOXED (closure=0x80f9128, 
    return_value=0xbfef4f00, n_param_values=2, param_values=0xbfef4fdc, 
    invocation_hint=0xbfef4eec, marshal_data=0x8077d40) at gtkmarshalers.c:84
	data1 = (gpointer) 0x8280028
	data2 = <value optimized out>
	v_return = <value optimized out>
	__PRETTY_FUNCTION__ = "_gtk_marshal_BOOLEAN__BOXED"
#8  0xb6f301f9 in g_type_class_meta_marshal (closure=0x80f9128, 
    return_value=0xbfef4f00, n_param_values=2, param_values=0xbfef4fdc, 
    invocation_hint=0xbfef4eec, marshal_data=0xc8) at gclosure.c:567
	callback = <value optimized out>
#9  0xb6f319e3 in IA__g_closure_invoke (closure=0x80f9128, 
    return_value=0xbfef4f00, n_param_values=2, param_values=0xbfef4fdc, 
    invocation_hint=0xbfef4eec) at gclosure.c:490
	marshal = (GClosureMarshal) 0xb6f301b0 <g_type_class_meta_marshal>
	marshal_data = (gpointer) 0xc8
	__PRETTY_FUNCTION__ = "IA__g_closure_invoke"
#10 0xb6f4431f in signal_emit_unlocked_R (node=0x80f9328, detail=0, 
    instance=0x8280028, emission_return=0xbfef519c, 
    instance_and_params=0xbfef4fdc) at gsignal.c:2478
	tmp = <value optimized out>
	handler = (Handler *) 0xbfef4eb8
	accumulator = (SignalAccumulator *) 0x80f9218
	emission = {next = 0x0, instance = 0x8280028, ihint = {signal_id = 43, 
    detail = 0, run_type = G_SIGNAL_RUN_LAST}, state = EMISSION_RUN, 
  chain_type = 136830352}
	class_closure = (GClosure *) 0x80f9128
	handler_list = (Handler *) 0x0
	return_accu = (GValue *) 0xbfef4f00
	accu = {g_type = 20, data = {{v_int = 0, v_uint = 0, v_long = 0, 
      v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, 
      v_pointer = 0x0}, {v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, 
      v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}}}
	signal_id = 43
	max_sequential_handler_number = 2402
	return_value_altered = 0
#11 0xb6f44da2 in IA__g_signal_emit_valist (instance=0x8280028, signal_id=43, 
    detail=0, var_args=0xbfef5220 "8Rï¿ÔRï¿(") at gsignal.c:2209
	_flags = <value optimized out>
	_vtable = <value optimized out>
	_lcopy_format = <value optimized out>
	_cvalues = {{v_int = -1074834888, v_long = -1074834888, 
    v_int64 = 3220132408, v_double = 1.5909567978528484e-314, 
    v_pointer = 0xbfef5238}, {v_int = 0, v_long = 0, v_int64 = 0, 
    v_double = 0, v_pointer = 0x0}, {v_int = 0, v_long = 0, v_int64 = 0, 
    v_double = 0, v_pointer = 0x0}, {v_int = 0, v_long = 0, v_int64 = 0, 
    v_double = 0, v_pointer = 0x0}, {v_int = 0, v_long = 0, v_int64 = 0, 
    v_double = 0, v_pointer = 0x0}, {v_int = 0, v_long = 0, v_int64 = 0, 
    v_double = 0, v_pointer = 0x0}, {v_int = 0, v_long = 0, v_int64 = 0, 
    v_double = 0, v_pointer = 0x0}, {v_int = 0, v_long = 0, v_int64 = 0, 
    v_double = 0, v_pointer = 0x0}}
	return_value = {g_type = 20, data = {{v_int = 0, v_uint = 0, 
      v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, 
      v_double = 0, v_pointer = 0x0}, {v_int = 0, v_uint = 0, v_long = 0, 
      v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, 
      v_pointer = 0x0}}}
	error = <value optimized out>
	instance_and_params = (GValue *) 0xbfef4fdc
	stack_values = {{g_type = 136830352, data = {{v_int = 136839208, 
        v_uint = 136839208, v_long = 136839208, v_ulong = 136839208, 
        v_int64 = 136839208, v_uint64 = 136839208, v_float = 5.05558447e-34, 
        v_double = 6.7607551676924671e-316, v_pointer = 0x8280028}, {
        v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, 
        v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}}}, {
    g_type = 135236648, data = {{v_int = -1074834732, v_uint = 3220132564, 
        v_long = -1074834732, v_ulong = 3220132564, v_int64 = 3220132564, 
        v_uint64 = 3220132564, v_float = -1.86971521, 
        v_double = 1.5909568749270892e-314, v_pointer = 0xbfef52d4}, {
        v_int = 134217728, v_uint = 134217728, v_long = 134217728, 
        v_ulong = 134217728, v_int64 = 134217728, v_uint64 = 134217728, 
        v_float = 3.85185989e-34, v_double = 6.631236846766476e-316, 
        v_pointer = 0x8000000}}}, {g_type = 4096, data = {{v_int = 0, 
        v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, 
        v_float = 0, v_double = 0, v_pointer = 0x0}, {v_int = -1221656236, 
        v_uint = 3073311060, v_long = -1221656236, v_ulong = 3073311060, 
        v_int64 = -4616382390293561004, v_uint64 = 13830361683415990612, 
        v_float = -1.04311221e-05, v_double = -0.978597982197281, 
        v_pointer = 0xb72f0154}}}, {g_type = 3220131912, data = {{
        v_int = -1221982988, v_uint = 3072984308, v_long = -1221982988, 
        v_ulong = 3072984308, v_int64 = -4616382338754280204, 
        v_uint64 = 13830361734955271412, v_float = -1.01339429e-05, 
        v_double = -0.97860370420690268, v_pointer = 0xb72a04f4}, {v_int = 0, 
        v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = -4616382255927918592, 
        v_uint64 = 13830361817781633024, v_float = 0, 
        v_double = -0.97861289978027344, v_pointer = 0x0}}}, {
    g_type = 3072984212, data = {{v_int = 136220512, v_uint = 136220512, 
        v_long = 136220512, v_ulong = 136220512, 
        v_int64 = -4616382341691044000, v_uint64 = 13830361732018507616, 
        v_float = 4.7714932e-34, v_double = -0.97860337816062426, 
        v_pointer = 0x81e8f60}, {v_int = 0, v_uint = 0, v_long = 0, 
        v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, 
        v_pointer = 0x0}}}, {g_type = 3073311060, data = {{
        v_int = -1074835284, v_uint = 3220132012, v_long = -1074835284, 
        v_ulong = 3220132012, v_int64 = -4616382682204516180, 
        v_uint64 = 13830361391505035436, v_float = -1.86964941, 
        v_double = -0.97856557357092333, v_pointer = 0xbfef50ac}, {
        v_int = -1221873371, v_uint = 3073093925, v_long = -1221873371, 
        v_ulong = 3073093925, v_int64 = -4616382338754170587, 
        v_uint64 = 13830361734955381029, v_float = -1.02336389e-05, 
        v_double = -0.97860370421907261, v_pointer = 0xb72bb125}}}, {
    g_type = 137633824, data = {{v_int = -1074835352, v_uint = 3220131944, 
        v_long = -1074835352, v_ulong = 3220131944, 
        v_int64 = -5241905292606746520, v_uint64 = 13204838781102805096, 
        v_float = -1.8696413, v_double = -1.5256318860941175e-42, 
        v_pointer = 0xbfef5068}, {v_int = -1220476184, v_uint = 3074491112, 
        v_long = -1220476184, v_ulong = 3074491112, v_int64 = 3074491112, 
        v_uint64 = 3074491112, v_float = -1.15043731e-05, 
        v_double = 1.5190004368834523e-314, v_pointer = 0xb74102e8}}}, {
    g_type = 3220132232, data = {{v_int = -1221961293, v_uint = 3073006003, 
        v_long = -1221961293, v_ulong = 3073006003, 
        v_int64 = -4616382390293866061, v_uint64 = 13830361683415685555, 
        v_float = -1.01536743e-05, v_double = -0.97859798216341287, 
        v_pointer = 0xb72a59b3}, {v_int = 2, v_uint = 2, v_long = 2, 
        v_ulong = 2, v_int64 = -4616382393366872062, 
        v_uint64 = 13830361680342679554, v_float = 2.80259693e-45, 
        v_double = -0.97859764099121116, v_pointer = 0x2}}}, {
    g_type = 137634164, data = {{v_int = 0, v_uint = 0, v_long = 0, 
        v_ulong = 0, v_int64 = -7378697627765833728, 
        v_uint64 = 11068046445943717888, v_float = 0, 
        v_double = -2.3534379293677286e-185, v_pointer = 0x0}, {
        v_int = 1069128089, v_uint = 1069128089, v_long = 1069128089, 
        v_ulong = 1069128089, v_int64 = 1069128089, v_uint64 = 1069128089, 
        v_float = 1.44999993, v_double = 5.2821945977880272e-315, 
        v_pointer = 0x3fb99999}}}, {g_type = 137633824, data = {{
        v_int = 136220512, v_uint = 136220512, v_long = 136220512, 
        v_ulong = 136220512, v_int64 = -1374462183955591328, 
        v_uint64 = 17072281889753960288, v_float = 4.7714932e-34, 
        v_double = -4.9863906224439929e+216, v_pointer = 0x81e8f60}, {
        v_int = -1074835284, v_uint = 3220132012, v_long = -1074835284, 
        v_ulong = 3220132012, v_int64 = -5246973577354325844, 
        v_uint64 = 13199770496355225772, v_float = -1.86964941, 
        v_double = -6.9516061352360553e-43, v_pointer = 0xbfef50ac}}}, {
    g_type = 136220512, data = {{v_int = -1074835208, v_uint = 3220132088, 
        v_long = -1074835208, v_ulong = 3220132088, v_int64 = 3220132088, 
        v_uint64 = 3220132088, v_float = -1.86965847, 
        v_double = 1.5909566397518418e-314, v_pointer = 0xbfef50f8}, {
        v_int = 1, v_uint = 1, v_long = 1, v_ulong = 1, v_int64 = 1, 
        v_uint64 = 1, v_float = 1.40129846e-45, 
        v_double = 4.9406564584124654e-324, v_pointer = 0x1}}}, {g_type = 0, 
    data = {{v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, 
        v_int64 = 51539607552, v_uint64 = 51539607552, v_float = 0, 
        v_double = 2.5463949491583268e-313, v_pointer = 0x0}, {v_int = 0, 
        v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, 
        v_float = 0, v_double = 0, v_pointer = 0x0}}}, {g_type = 0, data = {{
        v_int = 1072693248, v_uint = 1072693248, v_long = 1072693248, 
        v_ulong = 1072693248, v_int64 = 1072693248, v_uint64 = 1072693248, 
        v_float = 1.875, v_double = 5.2998088236266445e-315, 
        v_pointer = 0x3ff00000}, {v_int = 0, v_uint = 0, v_long = 0, 
        v_ulong = 0, v_int64 = -5219704055823073280, 
        v_uint64 = 13227040017886478336, v_float = 0, 
        v_double = -4.5754168378574188e-41, v_pointer = 0x0}}}, {g_type = 0, 
    data = {{v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, 
        v_int64 = 4607182418800017408, v_uint64 = 4607182418800017408, 
        v_float = 0, v_double = 1, v_pointer = 0x0}, {v_int = 0, v_uint = 0, 
        v_long = 0, v_ulong = 0, v_int64 = -5246973580574457856, 
        v_uint64 = 13199770493135093760, v_float = 0, 
        v_double = -6.9516035702529248e-43, v_pointer = 0x0}}}, {
    g_type = 136220512, data = {{v_int = -1212046031, v_uint = 3082921265, 
        v_long = -1212046031, v_ulong = 3082921265, 
        v_int64 = 591132604187649329, v_uint64 = 591132604187649329, 
        v_float = -2.30843161e-05, v_double = 3.8094070061944305e-269, 
        v_pointer = 0xb7c1a531}, {v_int = 136220524, v_uint = 136220524, 
        v_long = 136220524, v_ulong = 136220524, v_int64 = 68855697260, 
        v_uint64 = 68855697260, v_float = 4.77149871e-34, 
        v_double = 3.401923453661125e-313, v_pointer = 0x81e8f6c}}}, {
    g_type = 3080465984, data = {{v_int = 9321, v_uint = 9321, v_long = 9321, 
        v_ulong = 9321, v_int64 = 4606511291505321065, 
        v_uint64 = 4606511291505321065, v_float = 1.3061503e-41, 
        v_double = 0.92548990249737273, v_pointer = 0x2469}, {
        v_int = 136220524, v_uint = 136220524, v_long = 136220524, 
        v_ulong = 136220524, v_int64 = 136220524, v_uint64 = 136220524, 
        v_float = 4.77149871e-34, v_double = 6.7301881166893025e-316, 
        v_pointer = 0x81e8f6c}}}}
	free_me = (GValue *) 0x0
	signal_return_type = 20
	param_values = (GValue *) 0xbfef4ff0
	node = (SignalNode *) 0x80f9328
	i = 1
	n_params = 1
	__PRETTY_FUNCTION__ = "IA__g_signal_emit_valist"
#12 0xb6f45369 in IA__g_signal_emit (instance=0x8280028, signal_id=43, 
    detail=0) at gsignal.c:2243
	var_args = 0xbfef521c "ÔRï¿8Rï¿ÔRï¿("
#13 0xb767cd37 in gtk_widget_event_internal (widget=0x8280028, 
    event=0xbfef52d4) at gtkwidget.c:4675
	signal_num = <value optimized out>
	return_val = 0
#14 0xb75572b0 in IA__gtk_main_do_event (event=0xbfef52d4) at gtkmain.c:1514
	event_widget = (GtkWidget *) 0x8280028
	grab_widget = (GtkWidget *) 0x8280028
	window_group = (GtkWindowGroup *) 0x811d140
	rewritten_event = (GdkEvent *) 0x0
	tmp_list = <value optimized out>
	__PRETTY_FUNCTION__ = "IA__gtk_main_do_event"
#15 0xb73bd783 in gdk_window_process_updates_internal (window=0x82f11a0)
    at gdkwindow.c:2378
	event = {type = GDK_EXPOSE, any = {type = GDK_EXPOSE, 
    window = 0x82f11a0, send_event = 0 '\0'}, expose = {type = GDK_EXPOSE, 
    window = 0x82f11a0, send_event = 0 '\0', area = {x = 0, y = 0, 
      width = 449, height = 512}, region = 0x832ec20, count = 0}, no_expose = {
    type = GDK_EXPOSE, window = 0x82f11a0, send_event = 0 '\0'}, visibility = {
    type = GDK_EXPOSE, window = 0x82f11a0, send_event = 0 '\0', 
    state = GDK_VISIBILITY_UNOBSCURED}, motion = {type = GDK_EXPOSE, 
    window = 0x82f11a0, send_event = 0 '\0', time = 0, 
    x = 9.5277611014340727e-312, y = 3.581782919572299e-269, axes = 0x0, 
    state = 3220132632, is_hint = -9413, device = 0xb74102e8, 
    x_root = -0.97890090942382812, y_root = -1.5256318395826248e-42}, 
  button = {type = GDK_EXPOSE, window = 0x82f11a0, send_event = 0 '\0', 
    time = 0, x = 9.5277611014340727e-312, y = 3.581782919572299e-269, 
    axes = 0x0, state = 3220132632, button = 3074153275, device = 0xb74102e8, 
    x_root = -0.97890090942382812, y_root = -1.5256318395826248e-42}, 
  scroll = {type = GDK_EXPOSE, window = 0x82f11a0, send_event = 0 '\0', 
    time = 0, x = 9.5277611014340727e-312, y = 3.581782919572299e-269, 
    state = 0, direction = 3220132632, device = 0xb73bdb3b, 
    x_root = 1.5190004368834523e-314, y_root = -1.2491116692004242e-42}, 
  key = {type = GDK_EXPOSE, window = 0x82f11a0, send_event = 0 '\0', time = 0, 
    state = 0, keyval = 449, length = 512, string = 0x832ec20 "\002", 
    hardware_keycode = 0, group = 0 '\0', is_modifier = 0}, crossing = {
    type = GDK_EXPOSE, window = 0x82f11a0, send_event = 0 '\0', 
    subwindow = 0x0, time = 0, x = 1.0864618451960549e-311, 
    y = 6.7961188056117168e-316, x_root = -1.2491233010724399e-42, 
    y_root = 1.5190004368834523e-314, mode = 3220132648, detail = 3074153258, 
    focus = -1220476184, state = 137302432}, focus_change = {
    type = GDK_EXPOSE, window = 0x82f11a0, send_event = 0 '\0', in = -18698}, 
  configure = {type = GDK_EXPOSE, window = 0x82f11a0, send_event = 0 '\0', 
    x = 0, y = 0, width = 449, height = 512}, property = {type = GDK_EXPOSE, 
    window = 0x82f11a0, send_event = 0 '\0', atom = 0x0, time = 0, 
    state = 449}, selection = {type = GDK_EXPOSE, window = 0x82f11a0, 
    send_event = 0 '\0', selection = 0x0, target = 0x0, property = 0x1c1, 
    time = 512, requestor = 137554976}, owner_change = {type = GDK_EXPOSE, 
    window = 0x82f11a0, send_event = 0 '\0', owner = 0, 
    reason = GDK_OWNER_CHANGE_NEW_OWNER, selection = 0x1c1, time = 512, 
    selection_time = 137554976}, proximity = {type = GDK_EXPOSE, 
    window = 0x82f11a0, send_event = 0 '\0', time = 0, device = 0x0}, 
  client = {type = GDK_EXPOSE, window = 0x82f11a0, send_event = 0 '\0', 
    message_type = 0x0, data_format = 0, data = {
      b = "Á\001\000\000\000\002\000\000 ì2\b\000\000\000\000\030Sï¿", s = {
        449, 0, 512, 0, -5088, 2098, 0, 0, 21272, -16401}, l = {449, 512, 
        137554976, 0, -1074834664}}}, dnd = {type = GDK_EXPOSE, 
    window = 0x82f11a0, send_event = 0 '\0', context = 0x0, time = 0, 
    x_root = 449, y_root = 0}, window_state = {type = GDK_EXPOSE, 
    window = 0x82f11a0, send_event = 0 '\0', changed_mask = 0, 
    new_window_state = 0}, setting = {type = GDK_EXPOSE, window = 0x82f11a0, 
    send_event = 0 '\0', action = GDK_SETTING_ACTION_NEW, name = 0x0}, 
  grab_broken = {type = GDK_EXPOSE, window = 0x82f11a0, send_event = 0 '\0', 
    keyboard = 0, implicit = 0, grab_window = 0x1c1}}
	window_rect = {x = 0, y = 0, width = 449, height = 512}
	expose_region = (GdkRegion *) 0x832ec20
	window_region = (GdkRegion *) 0x8310560
	width = 449
	height = 512
	save_region = 1
#16 0xb73bde18 in IA__gdk_window_process_all_updates () at gdkwindow.c:2444
	old_update_windows = (GSList *) 0x820d550
	tmp_list = (GSList *) 0x820d550
#17 0xb74bfacf in gtk_container_idle_sizer (data=0x0) at gtkcontainer.c:1307
No locals.
#18 0xb73a3dcb in gdk_threads_dispatch (data=0x83571c0) at gdk.c:470
	ret = 0
#19 0xb6e87041 in g_idle_dispatch (source=0x834e8f8, callback=0x83633a0, 
    user_data=0x83571c0) at gmain.c:4142
No locals.
#20 0xb6e88c1f in IA__g_main_context_dispatch (context=0x80ed608)
    at gmain.c:2064
No locals.
#21 0xb6e8c0cf in g_main_context_iterate (context=0x80ed608, block=1, 
    dispatch=1, self=0x80c02a8) at gmain.c:2697
	got_ownership = <value optimized out>
	max_priority = 110
	timeout = 0
	some_ready = 1
	nfds = <value optimized out>
	allocated_nfds = <value optimized out>
	fds = (GPollFD *) 0x8341a28
	__PRETTY_FUNCTION__ = "g_main_context_iterate"
#22 0xb6e8c479 in IA__g_main_loop_run (loop=0x811d858) at gmain.c:2905
	got_ownership = -1212046048
	self = (GThread *) 0x80c02a8
	__PRETTY_FUNCTION__ = "IA__g_main_loop_run"
#23 0xb7557514 in IA__gtk_main () at gtkmain.c:1163
	tmp_list = (GList *) 0x0
	functions = (GList *) 0x0
	init = (GtkInitFunction *) 0x2
	loop = (GMainLoop *) 0x811d858
#24 0x0808b130 in main (argc=1, argv=Cannot access memory at address 0x84
) at main.c:396
	enable_metadata = 1
	context = <value optimized out>
	args = (GHashTable *) 0x8117d90
	program = (GnomeProgram *) 0x80c8c58
271	      c = state.aes.buf[state.aes.bufIdx++];"

Thanks,
Comment 1 Brad Hards 2008-01-08 23:24:36 UTC 
Can reproduce with current poppler (master branch) using Qt4 test tools.
Comment 2 Brad Hards 2008-01-08 23:40:39 UTC 
It is very ugly in valgrind (just spins after this):
[bradh@conferta tests]$ valgrind ./test-poppler-qt4 ~/samples/pdf/bug13972.pdf
==7719== Memcheck, a memory error detector.
==7719== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==7719== Using LibVEX rev 1730, a library for dynamic binary translation.
==7719== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==7719== Using valgrind-3.4.0.SVN, a dynamic binary instrumentation framework.
==7719== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==7719== For more details, rerun with: -v
==7719==
==7719== Conditional jump or move depends on uninitialised value(s)
==7719==    at 0x4F5FD9D: Parser::getObj(Object*, unsigned char*, CryptAlgorithm, int, int, int) (Parser.cc:127)
==7719==    by 0x4F600B4: Parser::getObj(Object*, unsigned char*, CryptAlgorithm, int, int, int) (Parser.cc:86)
==7719==    by 0x4F600B4: Parser::getObj(Object*, unsigned char*, CryptAlgorithm, int, int, int) (Parser.cc:86)
==7719==    by 0x4F600B4: Parser::getObj(Object*, unsigned char*, CryptAlgorithm, int, int, int) (Parser.cc:86)
==7719==    by 0x4F6BD07: XRef::fetch(int, int, Object*) (XRef.cc:906)
==7719==    by 0x4F05963: Catalog::Catalog(XRef*) (XRef.h:79)
==7719==    by 0x4F60978: PDFDoc::setup(GooString*, GooString*) (PDFDoc.cc:206)
==7719==    by 0x4F60B6E: PDFDoc::PDFDoc(GooString*, GooString*, GooString*, void*) (PDFDoc.cc:102)
==7719==    by 0x4C459DA: Poppler::Document::load(QString const&, QByteArray const&, QByteArray const&) (poppler-private.h:106)
==7719==    by 0x404E54: main (test-poppler-qt4.cpp:108)
==7719==
==7719== Invalid read of size 1
==7719==    at 0x4F0C11E: DecryptStream::getChar() (Decrypt.cc:271)
==7719==    by 0x4F5FD97: Parser::getObj(Object*, unsigned char*, CryptAlgorithm, int, int, int) (Parser.cc:127)
==7719==    by 0x4F600B4: Parser::getObj(Object*, unsigned char*, CryptAlgorithm, int, int, int) (Parser.cc:86)
==7719==    by 0x4F600B4: Parser::getObj(Object*, unsigned char*, CryptAlgorithm, int, int, int) (Parser.cc:86)
==7719==    by 0x4F600B4: Parser::getObj(Object*, unsigned char*, CryptAlgorithm, int, int, int) (Parser.cc:86)
==7719==    by 0x4F6BD07: XRef::fetch(int, int, Object*) (XRef.cc:906)
==7719==    by 0x4F05963: Catalog::Catalog(XRef*) (XRef.h:79)
==7719==    by 0x4F60978: PDFDoc::setup(GooString*, GooString*) (PDFDoc.cc:206)
==7719==    by 0x4F60B6E: PDFDoc::PDFDoc(GooString*, GooString*, GooString*, void*) (PDFDoc.cc:102)
==7719==    by 0x4C459DA: Poppler::Document::load(QString const&, QByteArray const&, QByteArray const&) (poppler-private.h:106)
==7719==    by 0x404E54: main (test-poppler-qt4.cpp:108)
==7719==  Address 0x97a7e08 is 0 bytes after a block of size 328 alloc'd
==7719==    at 0x4A06579: operator new(unsigned long) (vg_replace_malloc.c:230)
==7719==    by 0x4F5FD4B: Parser::getObj(Object*, unsigned char*, CryptAlgorithm, int, int, int) (Parser.cc:125)
==7719==    by 0x4F600B4: Parser::getObj(Object*, unsigned char*, CryptAlgorithm, int, int, int) (Parser.cc:86)
==7719==    by 0x4F600B4: Parser::getObj(Object*, unsigned char*, CryptAlgorithm, int, int, int) (Parser.cc:86)
==7719==    by 0x4F600B4: Parser::getObj(Object*, unsigned char*, CryptAlgorithm, int, int, int) (Parser.cc:86)
==7719==    by 0x4F6BD07: XRef::fetch(int, int, Object*) (XRef.cc:906)
==7719==    by 0x4F05963: Catalog::Catalog(XRef*) (XRef.h:79)
==7719==    by 0x4F60978: PDFDoc::setup(GooString*, GooString*) (PDFDoc.cc:206)
==7719==    by 0x4F60B6E: PDFDoc::PDFDoc(GooString*, GooString*, GooString*, void*) (PDFDoc.cc:102)
==7719==    by 0x4C459DA: Poppler::Document::load(QString const&, QByteArray const&, QByteArray const&) (poppler-private.h:106)
==7719==    by 0x404E54: main (test-poppler-qt4.cpp:108)
==7719==
==7719== ERROR SUMMARY: 2967270 errors from 2 contexts (suppressed: 4 from 1)
==7719== malloc/free: in use at exit: 3,584,288 bytes in 3,975 blocks.
==7719== malloc/free: 25,074 allocs, 21,099 frees, 21,535,259,242 bytes allocated.
==7719== For counts of detected errors, rerun with: -v
==7719== searching for pointers to 3,975 not-freed blocks.
==7719== checked 1,292,208 bytes.
==7719==
==7719== LEAK SUMMARY:
==7719==    definitely lost: 3,323,330 bytes in 32 blocks.
==7719==      possibly lost: 1,656 bytes in 35 blocks.
==7719==    still reachable: 259,302 bytes in 3,908 blocks.
==7719==         suppressed: 0 bytes in 0 blocks.
==7719== Rerun with --leak-check=full to see details of leaked memory.
Comment 3 Albert Astals Cid 2008-01-09 10:42:32 UTC 
i tracked it a bit yesterday and seems like the aesDecryptBlock was not filling all the values of state.aes.buf but could not have much more in depth look, it have passed 5 years since i implemented an aes function so i really don't remember much of it :D
Comment 4 Albert Astals Cid 2008-05-25 10:37:01 UTC 
*** Bug 16092 has been marked as a duplicate of this bug. ***
Comment 5 Albert Astals Cid 2008-09-10 13:22:58 UTC 
*** Bug 17523 has been marked as a duplicate of this bug. ***
Comment 6 Albert Astals Cid 2008-09-12 03:09:21 UTC 
Will not crash anymore with poppler 0.9.1

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.