| Summary: | reproducible crash with some PDF files |
|---|---|
| Product: | poppler |
| Component: | general |
| Status: | RESOLVED FIXED |
| Severity: | major |
| Priority: | medium |
| Version: | unspecified |
| Hardware: | x86-64 (AMD64) |
| OS: | Linux (All) |
| Reporter: | Laurent Bonnaud <L.Bonnaud> |
| Assignee: | poppler-bugs <poppler-bugs> |
| Attachments: | Here is one file to reproduce the crash (look around page #79); Move array reallocation from visitLine to startLine |
Description
Laurent Bonnaud, 2014-10-01 13:48:55 UTC

Created attachment 107190 [details]
Here is one file to reproduce the crash (look around page #79).
Here is another file (go to the last page): https://bugs.launchpad.net/debian/+source/poppler/+bug/1319185/+attachment/4112677/+files/117740fo.pdf

More details are here: https://bugs.launchpad.net/ubuntu/+source/poppler/+bug/1376265

Valgrind trace when getting text of page 64 using poppler-glib-demo:

```
==17036== Invalid write of size 8
==17036==    at 0x70C3EDB: TextSelectionDumper::finishLine() (TextOutputDev.cc:4076)
==17036==    by 0x70C4119: TextSelectionDumper::endPage() (TextOutputDev.cc:4132)
==17036==    by 0x70C6A42: TextPage::getSelectionText(PDFRectangle*, SelectionStyle) (TextOutputDev.cc:4760)
==17036==    by 0x4E6AB6B: poppler_page_get_selected_text (poppler-page.cc:824)
==17036==    by 0x4E6ADAA: poppler_page_get_text_for_area (poppler-page.cc:871)
==17036==    by 0x417224: pgd_text_get_text (text.c:107)
==17036==    by 0x6363473: _g_closure_invoke_va (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637D056: g_signal_emit_valist (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637D9AE: g_signal_emit (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x51899FC: gtk_button_do_release (gtkbutton.c:1985)
==17036==    by 0x5189A54: gtk_real_button_released (gtkbutton.c:2103)
==17036==    by 0x6363244: g_closure_invoke (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==  Address 0x10aeec60 is 0 bytes after a block of size 2,048 alloc'd
==17036==    at 0x4C2ABA0: malloc (vg_replace_malloc.c:296)
==17036==    by 0x6F9A756: gmalloc(unsigned long, bool) (gmem.cc:110)
==17036==    by 0x6F9A976: gmallocn(int, int, bool) (gmem.cc:192)
==17036==    by 0x6F9A99A: gmallocn (gmem.cc:196)
==17036==    by 0x70C3CEC: TextSelectionDumper::TextSelectionDumper(TextPage*) (TextOutputDev.cc:4052)
==17036==    by 0x70C6A1F: TextPage::getSelectionText(PDFRectangle*, SelectionStyle) (TextOutputDev.cc:4757)
==17036==    by 0x4E6AB6B: poppler_page_get_selected_text (poppler-page.cc:824)
==17036==    by 0x4E6ADAA: poppler_page_get_text_for_area (poppler-page.cc:871)
==17036==    by 0x417224: pgd_text_get_text (text.c:107)
==17036==    by 0x6363473: _g_closure_invoke_va (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637D056: g_signal_emit_valist (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637D9AE: g_signal_emit (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036== 
==17036== Invalid read of size 8
==17036==    at 0x70C41D7: TextSelectionDumper::getText() (TextOutputDev.cc:4152)
==17036==    by 0x70C6A4E: TextPage::getSelectionText(PDFRectangle*, SelectionStyle) (TextOutputDev.cc:4762)
==17036==    by 0x4E6AB6B: poppler_page_get_selected_text (poppler-page.cc:824)
==17036==    by 0x4E6ADAA: poppler_page_get_text_for_area (poppler-page.cc:871)
==17036==    by 0x417224: pgd_text_get_text (text.c:107)
==17036==    by 0x6363473: _g_closure_invoke_va (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637D056: g_signal_emit_valist (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637D9AE: g_signal_emit (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x51899FC: gtk_button_do_release (gtkbutton.c:1985)
==17036==    by 0x5189A54: gtk_real_button_released (gtkbutton.c:2103)
==17036==    by 0x6363244: g_closure_invoke (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637480A: signal_emit_unlocked_R (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==  Address 0x10aeec60 is 0 bytes after a block of size 2,048 alloc'd
==17036==    at 0x4C2ABA0: malloc (vg_replace_malloc.c:296)
==17036==    by 0x6F9A756: gmalloc(unsigned long, bool) (gmem.cc:110)
==17036==    by 0x6F9A976: gmallocn(int, int, bool) (gmem.cc:192)
==17036==    by 0x6F9A99A: gmallocn (gmem.cc:196)
==17036==    by 0x70C3CEC: TextSelectionDumper::TextSelectionDumper(TextPage*) (TextOutputDev.cc:4052)
==17036==    by 0x70C6A1F: TextPage::getSelectionText(PDFRectangle*, SelectionStyle) (TextOutputDev.cc:4757)
==17036==    by 0x4E6AB6B: poppler_page_get_selected_text (poppler-page.cc:824)
==17036==    by 0x4E6ADAA: poppler_page_get_text_for_area (poppler-page.cc:871)
==17036==    by 0x417224: pgd_text_get_text (text.c:107)
==17036==    by 0x6363473: _g_closure_invoke_va (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637D056: g_signal_emit_valist (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637D9AE: g_signal_emit (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036== 
==17036== Invalid read of size 8
==17036==    at 0x70C3D65: TextSelectionDumper::~TextSelectionDumper() (TextOutputDev.cc:4063)
==17036==    by 0x70C6A5D: TextPage::getSelectionText(PDFRectangle*, SelectionStyle) (TextOutputDev.cc:4762)
==17036==    by 0x4E6AB6B: poppler_page_get_selected_text (poppler-page.cc:824)
==17036==    by 0x4E6ADAA: poppler_page_get_text_for_area (poppler-page.cc:871)
==17036==    by 0x417224: pgd_text_get_text (text.c:107)
==17036==    by 0x6363473: _g_closure_invoke_va (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637D056: g_signal_emit_valist (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637D9AE: g_signal_emit (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x51899FC: gtk_button_do_release (gtkbutton.c:1985)
==17036==    by 0x5189A54: gtk_real_button_released (gtkbutton.c:2103)
==17036==    by 0x6363244: g_closure_invoke (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637480A: signal_emit_unlocked_R (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==  Address 0x10aeec60 is 0 bytes after a block of size 2,048 alloc'd
==17036==    at 0x4C2ABA0: malloc (vg_replace_malloc.c:296)
==17036==    by 0x6F9A756: gmalloc(unsigned long, bool) (gmem.cc:110)
==17036==    by 0x6F9A976: gmallocn(int, int, bool) (gmem.cc:192)
==17036==    by 0x6F9A99A: gmallocn (gmem.cc:196)
==17036==    by 0x70C3CEC: TextSelectionDumper::TextSelectionDumper(TextPage*) (TextOutputDev.cc:4052)
==17036==    by 0x70C6A1F: TextPage::getSelectionText(PDFRectangle*, SelectionStyle) (TextOutputDev.cc:4757)
==17036==    by 0x4E6AB6B: poppler_page_get_selected_text (poppler-page.cc:824)
==17036==    by 0x4E6ADAA: poppler_page_get_text_for_area (poppler-page.cc:871)
==17036==    by 0x417224: pgd_text_get_text (text.c:107)
==17036==    by 0x6363473: _g_closure_invoke_va (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637D056: g_signal_emit_valist (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637D9AE: g_signal_emit (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036== 
==17036== Invalid write of size 8
==17036==    at 0x70C3EDB: TextSelectionDumper::finishLine() (TextOutputDev.cc:4076)
==17036==    by 0x70C4119: TextSelectionDumper::endPage() (TextOutputDev.cc:4132)
==17036==    by 0x70C6AD8: TextPage::getSelectionWords(PDFRectangle*, SelectionStyle, int*) (TextOutputDev.cc:4772)
==17036==    by 0x4E6D81F: poppler_page_get_text_layout_for_area (poppler-page.cc:2187)
==17036==    by 0x41729C: pgd_text_get_text (text.c:117)
==17036==    by 0x6363473: _g_closure_invoke_va (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637D056: g_signal_emit_valist (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637D9AE: g_signal_emit (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x51899FC: gtk_button_do_release (gtkbutton.c:1985)
==17036==    by 0x5189A54: gtk_real_button_released (gtkbutton.c:2103)
==17036==    by 0x6363244: g_closure_invoke (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637480A: signal_emit_unlocked_R (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==  Address 0x142d2290 is 0 bytes after a block of size 2,048 alloc'd
==17036==    at 0x4C2ABA0: malloc (vg_replace_malloc.c:296)
==17036==    by 0x6F9A756: gmalloc(unsigned long, bool) (gmem.cc:110)
==17036==    by 0x6F9A976: gmallocn(int, int, bool) (gmem.cc:192)
==17036==    by 0x6F9A99A: gmallocn (gmem.cc:196)
==17036==    by 0x70C3CEC: TextSelectionDumper::TextSelectionDumper(TextPage*) (TextOutputDev.cc:4052)
==17036==    by 0x70C6AB5: TextPage::getSelectionWords(PDFRectangle*, SelectionStyle, int*) (TextOutputDev.cc:4769)
==17036==    by 0x4E6D81F: poppler_page_get_text_layout_for_area (poppler-page.cc:2187)
==17036==    by 0x41729C: pgd_text_get_text (text.c:117)
==17036==    by 0x6363473: _g_closure_invoke_va (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637D056: g_signal_emit_valist (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637D9AE: g_signal_emit (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x51899FC: gtk_button_do_release (gtkbutton.c:1985)
==17036== 
==17036== Invalid read of size 8
==17036==    at 0x4E6D874: poppler_page_get_text_layout_for_area (poppler-page.cc:2194)
==17036==    by 0x41729C: pgd_text_get_text (text.c:117)
==17036==    by 0x6363473: _g_closure_invoke_va (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637D056: g_signal_emit_valist (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637D9AE: g_signal_emit (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x51899FC: gtk_button_do_release (gtkbutton.c:1985)
==17036==    by 0x5189A54: gtk_real_button_released (gtkbutton.c:2103)
==17036==    by 0x6363244: g_closure_invoke (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637480A: signal_emit_unlocked_R (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637D747: g_signal_emit_valist (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637D9AE: g_signal_emit (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x5188410: gtk_button_button_release (gtkbutton.c:1940)
==17036==  Address 0x142d2290 is 0 bytes after a block of size 2,048 alloc'd
==17036==    at 0x4C2ABA0: malloc (vg_replace_malloc.c:296)
==17036==    by 0x6F9A756: gmalloc(unsigned long, bool) (gmem.cc:110)
==17036==    by 0x6F9A976: gmallocn(int, int, bool) (gmem.cc:192)
==17036==    by 0x6F9A99A: gmallocn (gmem.cc:196)
==17036==    by 0x70C3CEC: TextSelectionDumper::TextSelectionDumper(TextPage*) (TextOutputDev.cc:4052)
==17036==    by 0x70C6AB5: TextPage::getSelectionWords(PDFRectangle*, SelectionStyle, int*) (TextOutputDev.cc:4769)
==17036==    by 0x4E6D81F: poppler_page_get_text_layout_for_area (poppler-page.cc:2187)
==17036==    by 0x41729C: pgd_text_get_text (text.c:117)
==17036==    by 0x6363473: _g_closure_invoke_va (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637D056: g_signal_emit_valist (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637D9AE: g_signal_emit (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x51899FC: gtk_button_do_release (gtkbutton.c:1985)
==17036== 
==17036== Invalid read of size 8
==17036==    at 0x4E6D966: poppler_page_get_text_layout_for_area (poppler-page.cc:2208)
==17036==    by 0x41729C: pgd_text_get_text (text.c:117)
==17036==    by 0x6363473: _g_closure_invoke_va (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637D056: g_signal_emit_valist (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637D9AE: g_signal_emit (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x51899FC: gtk_button_do_release (gtkbutton.c:1985)
==17036==    by 0x5189A54: gtk_real_button_released (gtkbutton.c:2103)
==17036==    by 0x6363244: g_closure_invoke (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637480A: signal_emit_unlocked_R (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637D747: g_signal_emit_valist (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637D9AE: g_signal_emit (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x5188410: gtk_button_button_release (gtkbutton.c:1940)
==17036==  Address 0x142d2290 is 0 bytes after a block of size 2,048 alloc'd
==17036==    at 0x4C2ABA0: malloc (vg_replace_malloc.c:296)
==17036==    by 0x6F9A756: gmalloc(unsigned long, bool) (gmem.cc:110)
==17036==    by 0x6F9A976: gmallocn(int, int, bool) (gmem.cc:192)
==17036==    by 0x6F9A99A: gmallocn (gmem.cc:196)
==17036==    by 0x70C3CEC: TextSelectionDumper::TextSelectionDumper(TextPage*) (TextOutputDev.cc:4052)
==17036==    by 0x70C6AB5: TextPage::getSelectionWords(PDFRectangle*, SelectionStyle, int*) (TextOutputDev.cc:4769)
==17036==    by 0x4E6D81F: poppler_page_get_text_layout_for_area (poppler-page.cc:2187)
==17036==    by 0x41729C: pgd_text_get_text (text.c:117)
==17036==    by 0x6363473: _g_closure_invoke_va (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637D056: g_signal_emit_valist (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637D9AE: g_signal_emit (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x51899FC: gtk_button_do_release (gtkbutton.c:1985)
==17036== 
==17036== Invalid write of size 8
==17036==    at 0x70C3EDB: TextSelectionDumper::finishLine() (TextOutputDev.cc:4076)
==17036==    by 0x70C4119: TextSelectionDumper::endPage() (TextOutputDev.cc:4132)
==17036==    by 0x70C6AD8: TextPage::getSelectionWords(PDFRectangle*, SelectionStyle, int*) (TextOutputDev.cc:4772)
==17036==    by 0x4E6E098: poppler_page_get_text_attributes_for_area (poppler-page.cc:2372)
==17036==    by 0x4172F4: pgd_text_get_text (text.c:123)
==17036==    by 0x6363473: _g_closure_invoke_va (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637D056: g_signal_emit_valist (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637D9AE: g_signal_emit (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x51899FC: gtk_button_do_release (gtkbutton.c:1985)
==17036==    by 0x5189A54: gtk_real_button_released (gtkbutton.c:2103)
==17036==    by 0x6363244: g_closure_invoke (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637480A: signal_emit_unlocked_R (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==  Address 0x14027570 is 0 bytes after a block of size 2,048 alloc'd
==17036==    at 0x4C2ABA0: malloc (vg_replace_malloc.c:296)
==17036==    by 0x6F9A756: gmalloc(unsigned long, bool) (gmem.cc:110)
==17036==    by 0x6F9A976: gmallocn(int, int, bool) (gmem.cc:192)
==17036==    by 0x6F9A99A: gmallocn (gmem.cc:196)
==17036==    by 0x70C3CEC: TextSelectionDumper::TextSelectionDumper(TextPage*) (TextOutputDev.cc:4052)
==17036==    by 0x70C6AB5: TextPage::getSelectionWords(PDFRectangle*, SelectionStyle, int*) (TextOutputDev.cc:4769)
==17036==    by 0x4E6E098: poppler_page_get_text_attributes_for_area (poppler-page.cc:2372)
==17036==    by 0x4172F4: pgd_text_get_text (text.c:123)
==17036==    by 0x6363473: _g_closure_invoke_va (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637D056: g_signal_emit_valist (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637D9AE: g_signal_emit (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x51899FC: gtk_button_do_release (gtkbutton.c:1985)
==17036== 
==17036== Invalid read of size 8
==17036==    at 0x4E6E0D4: poppler_page_get_text_attributes_for_area (poppler-page.cc:2378)
==17036==    by 0x4172F4: pgd_text_get_text (text.c:123)
==17036==    by 0x6363473: _g_closure_invoke_va (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637D056: g_signal_emit_valist (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637D9AE: g_signal_emit (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x51899FC: gtk_button_do_release (gtkbutton.c:1985)
==17036==    by 0x5189A54: gtk_real_button_released (gtkbutton.c:2103)
==17036==    by 0x6363244: g_closure_invoke (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637480A: signal_emit_unlocked_R (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637D747: g_signal_emit_valist (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637D9AE: g_signal_emit (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x5188410: gtk_button_button_release (gtkbutton.c:1940)
==17036==  Address 0x14027570 is 0 bytes after a block of size 2,048 alloc'd
==17036==    at 0x4C2ABA0: malloc (vg_replace_malloc.c:296)
==17036==    by 0x6F9A756: gmalloc(unsigned long, bool) (gmem.cc:110)
==17036==    by 0x6F9A976: gmallocn(int, int, bool) (gmem.cc:192)
==17036==    by 0x6F9A99A: gmallocn (gmem.cc:196)
==17036==    by 0x70C3CEC: TextSelectionDumper::TextSelectionDumper(TextPage*) (TextOutputDev.cc:4052)
==17036==    by 0x70C6AB5: TextPage::getSelectionWords(PDFRectangle*, SelectionStyle, int*) (TextOutputDev.cc:4769)
==17036==    by 0x4E6E098: poppler_page_get_text_attributes_for_area (poppler-page.cc:2372)
==17036==    by 0x4172F4: pgd_text_get_text (text.c:123)
==17036==    by 0x6363473: _g_closure_invoke_va (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637D056: g_signal_emit_valist (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637D9AE: g_signal_emit (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x51899FC: gtk_button_do_release (gtkbutton.c:1985)
```

This crash still occurs with the following software versions (from Debian sid+experimental):

Package: evince
Version: 3.14.1-1

Package: libpoppler47
Version: 0.28.1-1

Comment 6, Jason Crain

Created attachment 111069 [details] [review]
Move array reallocation from visitLine to startLine

If TextSelectionDumper finds exactly 257 lines of text (or probably also 513, 1025, etc) it will write past the end of the lines array without triggering a reallocation.

Attached patch moves the array size check into TextSelectionDumper::finishLine so it's always run when an item is added to the lines array.
(In reply to Jason Crain from comment #6)
> Created attachment 111069 [details] [review]
> Move array reallocation from visitLine to startLine
>
> If TextSelectionDumper finds exactly 257 lines of text (or probably also
> 513, 1025, etc) it will write past the end of the lines array without
> triggering a reallocation.
>
> Attached patch moves the array size check into
> TextSelectionDumper::finishLine so it's always run when an item is added to
> the lines array.

Good catch! I've just pushed it, thanks!

The fix works for me in Ubuntu 15.04 with poppler 0.30. Thanks!
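The Valgrind output above and comment 6 describe the same defect from two sides: every report is an 8-byte access "0 bytes after a block of size 2,048", i.e. one slot past a full array of 256 pointers, and the write always comes from finishLine() called by endPage(), the final append that happens after the last visited line. The following C model, written for this page as an added illustration and not taken from poppler, reproduces that control flow with a grow check placed one append behind (the buggy layout) and with the check placed at the append itself (the fix). The names dumper_t, visit_line, start_line, finish_line and end_page are the model's own; out-of-bounds appends are recorded in a flag rather than performed, so the program runs cleanly under any sanitizer.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model (not poppler's code) of a line collector whose
 * backing array starts with 256 slots, matching the 2,048-byte block of
 * 8-byte pointers in the Valgrind report. Writes that would land past
 * the block set `overflowed` instead of corrupting the heap. */
#define INITIAL_SLOTS 256

typedef struct {
    int   *lines;            /* collected lines, modelled as their index */
    size_t slots;            /* allocated capacity */
    size_t n_lines;          /* slots in use */
    int    current;          /* line under construction, -1 if none */
    bool   check_on_append;  /* true: grow check sits next to the append (the fix) */
    bool   overflowed;       /* set where real code would write past the block */
} dumper_t;

static void dumper_init(dumper_t *d, bool check_on_append) {
    d->slots = INITIAL_SLOTS;
    d->lines = malloc(d->slots * sizeof *d->lines);
    if (!d->lines) abort();
    d->n_lines = 0;
    d->current = -1;
    d->check_on_append = check_on_append;
    d->overflowed = false;
}

/* Doubles the array when it is exactly full; correct only if it runs
 * immediately before every append. */
static void grow_if_full(dumper_t *d) {
    if (d->n_lines == d->slots) {
        d->slots *= 2;
        int *p = realloc(d->lines, d->slots * sizeof *d->lines);
        if (!p) abort();
        d->lines = p;
    }
}

/* The append: the only place n_lines grows. In the fixed variant the
 * capacity check lives here, so no path can skip it. */
static void finish_line(dumper_t *d) {
    if (d->current < 0) return;
    if (d->check_on_append) grow_if_full(d);
    if (d->n_lines < d->slots)
        d->lines[d->n_lines++] = d->current;
    else
        d->overflowed = true;   /* buggy variant: lines[256] on line 257 */
    d->current = -1;
}

static void start_line(dumper_t *d, int idx) {
    finish_line(d);             /* the previous line is appended here */
    d->current = idx;
}

/* Buggy variant: the check runs once per visited line but one append
 * behind it (line k is appended while visiting line k+1), and the final
 * append made by end_page() gets no check at all. */
static void visit_line(dumper_t *d, int idx) {
    if (!d->check_on_append) grow_if_full(d);
    start_line(d, idx);
}

static void end_page(dumper_t *d) {
    finish_line(d);
}

/* Collects n lines and reports whether an out-of-bounds append occurred. */
bool overflows_with(size_t n, bool fixed) {
    dumper_t d;
    dumper_init(&d, fixed);
    for (size_t i = 0; i < n; i++)
        visit_line(&d, (int)i);
    end_page(&d);
    bool r = d.overflowed;
    free(d.lines);
    return r;
}

int main(void) {
    size_t counts[] = { 256, 257, 258, 512, 513, 1025 };
    for (size_t i = 0; i < sizeof counts / sizeof counts[0]; i++)
        printf("%4zu lines: buggy %s, fixed %s\n", counts[i],
               overflows_with(counts[i], false) ? "OVERFLOW" : "ok",
               overflows_with(counts[i], true)  ? "OVERFLOW" : "ok");
    return 0;
}
```

With the buggy placement only the counts 257, 513, 1025, ... overflow: at 258 lines the check finally sees a full array on the 258th visit and grows it before the last two appends, which is why a random corpus of PDFs rarely hits the bug and why a fuzzer or a crafted document with exactly 2^k + 1 lines finds it immediately. The general lesson is the one the patch applies: a capacity check belongs in the function that performs the write, not in a caller that happens to precede it most of the time.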