Bug 61451

Summary: crash in cairo PDF writer when rendering certain PDFs to PDFs using poppler
Product: cairo
Reporter: Jana Saout <jana>
Component: pdf backend
Assignee: Adrian Johnson <ajohnson>
Status: RESOLVED FIXED
QA Contact: cairo-bugs mailing list <cairo-bugs>
Severity: normal
Priority: medium
Version: 1.12.12
Hardware: Other
OS: Linux (All)

Description Jana Saout 2013-02-25 16:13:26 UTC
We are using a simple PDF-to-PDF converter (the main reason is to simplify the PDFs). For this we are using a small Python script (simplified version attached below) that uses poppler to render into a cairo surface, which writes to a PDF.

During this, certain PDF files crash the PDF writer. At some point a NULL pointer is passed down which later crashes a function.

I "fixed" this bug by replacing the NULL pointer with another pointer somewhere up the call chain, not knowing if this is the correct fix. (The PDF looks right though, and the crash is gone.)

I am getting the following crash:

Program received signal SIGSEGV, Segmentation fault.
_cairo_box_from_rectangle (box=box@entry=0x7fffffffd240, rect=rect@entry=0x0)
    at cairo-rectangle.c:77
77	    box->p1.x = _cairo_fixed_from_int (rect->x);
(gdb) bt
#0  _cairo_box_from_rectangle (box=box@entry=0x7fffffffd240, 
    rect=rect@entry=0x0) at cairo-rectangle.c:77
#1  0x00007ffff7a007a2 in _cairo_pdf_surface_add_padded_image_surface (
    surface=surface@entry=0xa24580, source=source@entry=0xb47910, extents=0x0, 
    surface_res=surface_res@entry=0x7fffffffd380, 
    width=width@entry=0x7fffffffd3a0, height=height@entry=0x7fffffffd3c0, 
    x_offset=x_offset@entry=0x7fffffffd400, 
    y_offset=y_offset@entry=0x7fffffffd408) at cairo-pdf-surface.c:2123
#2  0x00007ffff7a00d77 in _cairo_pdf_surface_paint_surface_pattern (
    surface=0xa24580, source=0xb47910, extents=<optimized out>, stencil_mask=1)
    at cairo-pdf-surface.c:3925
#3  0x00007ffff7a01252 in _cairo_pdf_surface_emit_stencil_mask (
    extents=0x7fffffffd56c, mask=<optimized out>, source=<optimized out>, 
    surface=0xa24580) at cairo-pdf-surface.c:6378
#4  _cairo_pdf_surface_mask (abstract_surface=0xa24580, op=<optimized out>, 
    source=0xb477f8, mask=0xb47910, clip=<optimized out>)
    at cairo-pdf-surface.c:6608
#5  0x00007ffff79a3c24 in _cairo_surface_mask (surface=0xa24580, 
    op=CAIRO_OPERATOR_OVER, source=0xb477f8, mask=0xb47910, clip=0xa27f10)
    at cairo-surface.c:2054
#6  0x00007ffff79a9fb6 in _cairo_surface_wrapper_mask (
    wrapper=wrapper@entry=0x7fffffffdc20, op=CAIRO_OPERATOR_OVER, 
    source=<optimized out>, source@entry=0xb477f8, mask=mask@entry=0xb47910, 
    clip=<optimized out>) at cairo-surface-wrapper.c:206
#7  0x00007ffff7995587 in _cairo_recording_surface_replay_internal (
    surface=<optimized out>, surface_extents=<optimized out>, 
    surface_transform=<optimized out>, target=<optimized out>, 
    target_clip=<optimized out>, type=CAIRO_RECORDING_REPLAY, 
    region=CAIRO_RECORDING_REGION_NATIVE) at cairo-recording-surface.c:1678
#8  0x00007ffff79966a7 in _cairo_recording_surface_replay_region (
    surface=<optimized out>, surface_extents=surface_extents@entry=0x0, 
    target=<optimized out>, region=region@entry=CAIRO_RECORDING_REGION_NATIVE)
    at cairo-recording-surface.c:1934
#9  0x00007ffff7977861 in _paint_page (surface=0xa26510)
    at cairo-paginated-surface.c:406
#10 0x00007ffff7977adc in _cairo_paginated_surface_show_page (
    abstract_surface=0xa26510) at cairo-paginated-surface.c:509
#11 0x00007ffff79a413b in INT_cairo_surface_show_page (surface=0xa26510)
    at cairo-surface.c:2305
#12 0x00007ffff7a712ea in surface_show_page ()
   from /usr/lib64/python2.7/site-packages/cairo/_cairo.so
[...]



and I "fixed" the NULL pointer issue using this:



--- cairo-1.12.12/src/cairo-pdf-surface.c.orig	2013-02-25 17:01:27.130438874 +0100
+++ cairo-1.12.12/src/cairo-pdf-surface.c	2013-02-25 17:01:33.217105734 +0100
@@ -6375,7 +6375,7 @@ _cairo_pdf_surface_emit_stencil_mask (ca
 	return status;
 
     _cairo_output_stream_printf (surface->output, "q\n");
-    status = _cairo_pdf_surface_paint_surface_pattern (surface, mask, NULL, TRUE);
+    status = _cairo_pdf_surface_paint_surface_pattern (surface, mask, extents, TRUE);
     if (unlikely (status))
 	return status;
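
Review bot: in _cairo_pdf_surface_emit_stencil_mask, passing extents instead of NULL fixes this one call site, but the backtrace shows _cairo_pdf_surface_add_padded_image_surface (cairo-pdf-surface.c:2123) handing its extents argument to _cairo_box_from_rectangle, which dereferences it at cairo-rectangle.c:77 with no NULL check. Any other caller of _cairo_pdf_surface_paint_surface_pattern that passes NULL would hit the same SIGSEGV, so either guard against a NULL extents in the callee or state in its contract (and assert) that extents must be non-NULL. The commit message should also say why this function's extents is the right rectangle for the padded-image path, since the report itself leaves that open.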





The script used (needs cairo python bindings, poppler and poppler-python bindings). I guess it should be simple to write a C analogue, as long as you have poppler installed. My poppler version is 0.20.5, by the way.

Called "python pdftopdf.py input.pdf output.pdf":

The link to an example input PDF that produces the crash: http://www.saout.de/assets/Kfz-Techniker_Teil_II_11478_print.pdf



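#!/usr/bin/env python
# Python 2 script; needs the cairo and poppler Python bindings.
import os, sys
import poppler, cairo

# poppler takes a file:// URI; the second argument is the document password.
d = poppler.document_new_from_file('file://' + os.path.abspath(sys.argv[1]), '')
out = sys.argv[2]

s = None  # output PDF surface, created once the first page size is known

n = d.get_n_pages()
for i in xrange(n):
    p = d.get_page(i)
    w, h = p.get_size()

    if s is None:
        s = cairo.PDFSurface(out, w, h)

    # Each output page takes the size of the corresponding input page.
    s.set_size(w, h)

    c = cairo.Context(s)
    p.render(c)
    del c

    # show_page replays the recorded drawing into the PDF backend;
    # this is the call in frame #12 of the backtrace above.
    s.show_page()

# Flush and close the output file explicitly.
if s is not None:
    s.finish()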
Comment 1 Jana Saout 2013-02-25 20:27:35 UTC
*** Bug 61450 has been marked as a duplicate of this bug. ***
Comment 2 Adrian Johnson 2013-03-01 09:55:01 UTC
Patch pushed. Thanks.
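
The backtrace in the description already narrows down where the NULL comes from: extents is 0x0 in frame #1, optimized out in frame #2 and a valid pointer in frame #3. The following is an added example, not part of the original report or of cairo; it parses gdb "bt" output and reports that window for a named argument. The function names parse_frames, state and null_window are made up for this illustration.

```python
import re

# Frames #0-#3 of the backtrace in the description (frame #1 argument list trimmed).
SAMPLE_BT = """\
#0  _cairo_box_from_rectangle (box=box@entry=0x7fffffffd240,
    rect=rect@entry=0x0) at cairo-rectangle.c:77
#1  0x00007ffff7a007a2 in _cairo_pdf_surface_add_padded_image_surface (
    surface=surface@entry=0xa24580, source=source@entry=0xb47910, extents=0x0,
    surface_res=surface_res@entry=0x7fffffffd380) at cairo-pdf-surface.c:2123
#2  0x00007ffff7a00d77 in _cairo_pdf_surface_paint_surface_pattern (
    surface=0xa24580, source=0xb47910, extents=<optimized out>, stencil_mask=1)
    at cairo-pdf-surface.c:3925
#3  0x00007ffff7a01252 in _cairo_pdf_surface_emit_stencil_mask (
    extents=0x7fffffffd56c, mask=<optimized out>, source=<optimized out>,
    surface=0xa24580) at cairo-pdf-surface.c:6378
"""

# Only frames with source info ("at file:line") are matched; others are skipped.
FRAME_RE = re.compile(
    r"^#(\d+)\s+(?:0x[0-9a-f]+ in )?(\w+) \(([^()]*)\)\s+at (\S+):(\d+)", re.M)
# name=value pairs; gdb's "name@entry=" prefix on a value is dropped.
ARG_RE = re.compile(r"(?<![@\w])(\w+)=(?:\w+@entry=)?(<optimized out>|[^,\s]+)")

def parse_frames(bt):
    """Return the frames innermost first, each with its arguments as a dict."""
    return [{"no": int(m.group(1)), "func": m.group(2),
             "args": dict(ARG_RE.findall(m.group(3))),
             "loc": "%s:%s" % (m.group(4), m.group(5))}
            for m in FRAME_RE.finditer(bt)]

def state(value):
    """Classify one argument value as printed by gdb."""
    if value is None:
        return "absent"
    if value == "<optimized out>":
        return "unknown"
    return "NULL" if value in ("0x0", "0") else "set"

def null_window(frames, name):
    """Walk outward from the crash. Return (caller, callee): the first frame
    where `name` is a valid value and the outermost frame inside it where it
    is NULL. The NULL was introduced by a call made between the two."""
    null_frame = None
    for fr in frames:
        st = state(fr["args"].get(name))
        if st == "NULL":
            null_frame = fr
        elif st == "set" and null_frame is not None:
            return fr, null_frame
    return None, null_frame

if __name__ == "__main__":
    caller, callee = null_window(parse_frames(SAMPLE_BT), "extents")
    print("set in #%d %s (%s), NULL in #%d" % (
        caller["no"], caller["func"], caller["loc"], callee["no"]))
```

For the sample this points at frame #3, _cairo_pdf_surface_emit_stencil_mask at cairo-pdf-surface.c:6378, which is the call the attached patch changes.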
