Bug 16579

Summary: Corrupted PDF causes abort with 'Call to Object where the object was type 11, not the expected type 8'
Product: poppler
Reporter: Tom Parker <freedesktop>
Component: general
Assignee: poppler-bugs <poppler-bugs>
Status: RESOLVED FIXED
QA Contact:
Severity: normal
Priority: medium
Version: unspecified
Hardware: Other
OS: All

Description Tom Parker 2008-07-01 10:43:25 UTC
Evince should really be able to catch + display this rather than just plain dying.

(gdb) r
Starting program: /usr/bin/evince sdarticle-1.pdf
[Thread debugging using libthread_db enabled]
[New Thread 0xb6ad06d0 (LWP 23514)]
[New Thread 0xb699fb90 (LWP 23532)]
Error (6355211): Bad 'Length' attribute in stream
Error (0): Call to Object where the object was type 11, not the expected type 8

Program received signal SIGABRT, Aborted.
[Switching to Thread 0xb6ad06d0 (LWP 23514)]
0xffffe410 in __kernel_vsyscall ()
(gdb) thread apply all bt full

Thread 2 (Thread 0xb699fb90 (LWP 23532)):
#0  0xffffe410 in __kernel_vsyscall ()
No symbol table info available.
#1  0xb766d5c6 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib/tls/i686/cmov/libpthread.so.0
No symbol table info available.
#2  0x0805fba8 in ev_render_thread (data=0x0) at /data/tparker/builder/sources/evince_2.22.1.1-2/./shell/ev-job-queue.c:256
	job = (EvJob *) 0x841d5b0
#3  0xb725429f in ?? () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#4  0x00000000 in ?? ()
No symbol table info available.

Thread 1 (Thread 0xb6ad06d0 (LWP 23514)):
#0  0xffffe410 in __kernel_vsyscall ()
No symbol table info available.
#1  0xb70dcdf0 in raise () from /lib/tls/i686/cmov/libc.so.6
No symbol table info available.
#2  0xb70de641 in abort () from /lib/tls/i686/cmov/libc.so.6
No symbol table info available.
#3  0xb7634867 in poppler_page_get_thumbnail_size (page=0x845d968, width=0xbfdcbb74, height=0xbfdcbb70) at ../poppler/Object.h:325
	thumb = {type = objError, {booln = 0, intg = 0, real = -6.9153805523323409e-42, string = 0x0, name = 0x0, array = 0x0, dict = 0x0, stream = 0x0, ref = {num = 0, gen = -1218230533}, 
    cmd = 0x0}}
	dict = <value optimized out>
	retval = <value optimized out>
	__PRETTY_FUNCTION__ = "gboolean poppler_page_get_thumbnail_size(PopplerPage*, int*, int*)"
#4  0xb534110d in pdf_document_thumbnails_get_dimensions (document_thumbnails=0x8451e50, rc=0x845d8f0, width=0xbfdcbb74, height=0xbfdcbb70)
    at /data/tparker/builder/sources/evince_2.22.1.1-2/./backend/pdf/ev-poppler.cc:1358
	poppler_page = (PopplerPage *) 0x845d968
	has_thumb = <value optimized out>
	__PRETTY_FUNCTION__ = "void pdf_document_thumbnails_get_dimensions(EvDocumentThumbnails*, EvRenderContext*, gint*, gint*)"
#5  0xb7f1318f in ev_document_thumbnails_get_dimensions (document=0x8451e50, rc=0x845d8f0, width=0xbfdcbb74, height=0xbfdcbb70)
    at /data/tparker/builder/sources/evince_2.22.1.1-2/./libdocument/ev-document-thumbnails.c:75
	__PRETTY_FUNCTION__ = "ev_document_thumbnails_get_dimensions"
#6  0x08067567 in ev_page_cache_new (document=0x8451e50) at /data/tparker/builder/sources/evince_2.22.1.1-2/./shell/ev-page-cache.c:360
	page_width = 576
	page_height = 792
	thumb_width = 0
	thumb_height = 0
	page_cache = (EvPageCache *) 0x8243358
	info = <value optimized out>
	thumb_info = <value optimized out>
	rc = (EvRenderContext *) 0x845d8f0
	i = 0
	__PRETTY_FUNCTION__ = "ev_page_cache_new"
#7  0x08067938 in ev_page_cache_get (document=0x8451e50) at /data/tparker/builder/sources/evince_2.22.1.1-2/./shell/ev-page-cache.c:688
	page_cache = (EvPageCache *) 0x0
	__PRETTY_FUNCTION__ = "ev_page_cache_get"
#8  0x0807df57 in ev_window_load_job_cb (job=0x841d5b0, data=0x8109010) at /data/tparker/builder/sources/evince_2.22.1.1-2/./shell/ev-window.c:1157
	ev_window = <value optimized out>
	document = (EvDocument *) 0x8451e50
---Type <return> to continue, or q <return> to quit---
	__PRETTY_FUNCTION__ = "ev_window_load_job_cb"
#9  0xb72c3c39 in g_cclosure_marshal_VOID__VOID () from /usr/lib/libgobject-2.0.so.0
No symbol table info available.
#10 0xb72b686b in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0
No symbol table info available.
#11 0xb72c722f in ?? () from /usr/lib/libgobject-2.0.so.0
No symbol table info available.
#12 0x0843f890 in ?? ()
No symbol table info available.
#13 0x00000000 in ?? ()
No symbol table info available.
(gdb)

Comment 1 Tom Parker 2008-07-01 10:46:35 UTC
Corrupted document (accidentally generated during normal use) is available at http://tevp.net/sdarticle-1.pdf (6.2mb - the 1mb upload limit sucks for people without webspace BTW). The crash is with poppler 0.8.4.

Comment 2 Albert Astals Cid 2008-07-01 11:17:37 UTC
Fixed, thanks for reporting.

Comment 3 Tom Parker 2008-07-04 07:20:18 UTC
The patch (http://cgit.freedesktop.org/poppler/poppler/commit/?id=0189ff8b86de18486f7397076f7a0fbf133a1a33) doesn't appear to fix things, and I'm still getting the same crash+stacktrace. Going through with gdb says the problem is on line 974 of glib/poppler-page.cc, and that the check there is only for thumb.isNull() but the thumb is an error thumb and so thumb.isError() should be checked there as well. Doing this fixes the bug for me, as evince is now able to show the rest of the document. I now get lots of errors of the form "Error (379611): Bad 'Length' attribute in stream" on the command line and "Weird Page Contents", but given it's a partially corrupted document this isn't entirely surprising.

Comment 4 Albert Astals Cid 2008-07-20 04:48:53 UTC
Right, the problem was also on the glib frontend, should be fixed now
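
The failure mode discussed in this thread, as an added example that is not poppler's code or part of any comment above: a simplified typed-object model in which a null-only check lets an error object reach a typed accessor, shown beside a check on the expected type. All names are hypothetical, the tag values are chosen only to match the numbers in the reported message, and the accessor throws where the process in the report aborted. Checking for the expected type goes one step beyond the `isError()` check suggested in Comment 3, since it also rejects any other unexpected tag.

```cpp
#include <stdexcept>

// Simplified model of a typed PDF object; names are hypothetical.
// Tags 5, 8 and 11 are chosen so the mismatch reads like the report's message.
enum ObjType { objNull = 5, objStream = 8, objError = 11 };

struct Object {
    ObjType type = objNull;
    int width = 0, height = 0;   // stands in for the thumbnail stream dictionary

    bool isNull() const   { return type == objNull; }
    bool isError() const  { return type == objError; }
    bool isStream() const { return type == objStream; }

    // Typed accessor: refuses to run on the wrong tag. The model throws so a
    // caller can observe the failure; the process in the report aborted.
    const Object &streamDict() const {
        if (type != objStream)
            throw std::logic_error("object is not a stream");
        return *this;
    }
};

// Before: only the "no thumbnail" case is rejected, so an error object
// produced by a corrupt stream still reaches the typed accessor.
bool thumbnail_size_null_check(const Object &thumb, int *w, int *h) {
    if (thumb.isNull()) return false;
    const Object &d = thumb.streamDict();
    *w = d.width; *h = d.height;
    return true;
}

// After: accept only the one type the accessor supports. This covers
// isNull(), isError() and any other unexpected tag in a single test.
bool thumbnail_size_checked(const Object &thumb, int *w, int *h) {
    if (!thumb.isStream()) return false;
    const Object &d = thumb.streamDict();
    *w = d.width; *h = d.height;
    return true;
}

// Reports whether the null-only variant trips the accessor's type check.
bool null_check_trips_on(const Object &thumb) {
    int w = 0, h = 0;
    try { thumbnail_size_null_check(thumb, &w, &h); }
    catch (const std::logic_error &) { return true; }
    return false;
}
```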
