| Summary: | [pdftocairo] SIGABRT in cairo-scaled-font.c:459 | | |
|---|---|---|---|
| Product: | cairo | Reporter: | MH <ravdune+bugzilla> |
| Component: | general | Assignee: | Chris Wilson <chris> |
| Status: | RESOLVED FIXED | QA Contact: | cairo-bugs mailing list <cairo-bugs> |
| Severity: | normal | | |
| Priority: | medium | CC: | christopher.m.penalver, fdo-bugs, jason, korobkin+lpad |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | All | | |
| See Also: | https://bugs.freedesktop.org/show_bug.cgi?id=78787 | | |
| Whiteboard: | | | |
| i915 platform: | | i915 features: | |
| Attachments: | abort-pdfs.zip, 311-unfuzzed.pdf, user-font-abort.c, fuzzed-testcase | | |
The pdf uses Type 3 fonts which are rendered using user fonts. The bug is triggered by the user font render function in poppler returning CAIRO_STATUS_USER_FONT_ERROR. This causes _cairo_scaled_glyph_lookup() (which has an assert (scaled_font->cache_frozen)) to call _cairo_scaled_font_free_last_glyph(), which calls _cairo_scaled_glyph_page_destroy(), which contains an assert(!scaled_font->cache_frozen). I'm not sure what the correct fix is.

Created attachment 108188 [details]
311-unfuzzed.pdf

Attached unfuzzed file as per request.
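The call chain in the first comment (the lookup asserts the cache is frozen, while the page destroy reached from its error path asserts it is not) as an added C model; this is not cairo's code nor the fix from the linked commit. glyph_cache, cache_lookup, run_scenario and the render callbacks are hypothetical names, and "leave the empty page for the thaw path" is one defensive rollback pattern, not necessarily what the real fix does.

```c
/* Added example, not cairo's code: a stand-alone model of the glyph-cache invariant behind
 * this abort.  glyph_cache, cache_lookup and the render callbacks are hypothetical names. */
#include <stdbool.h>
#include <stdlib.h>

typedef struct { int nglyphs; } glyph_page;   /* glyph slots in use on the page */
typedef struct {
    bool        cache_frozen;   /* true while glyph lookups are in progress */
    glyph_page *last_page;      /* page receiving the next glyph, or NULL */
    int         violations;     /* would-be assert(!cache_frozen) failures */
} glyph_cache;

/* Stands in for _cairo_scaled_glyph_page_destroy(), which asserts !cache_frozen; counted here. */
static void page_destroy(glyph_cache *c) {
    if (c->cache_frozen) c->violations++;   /* the real code aborts the process at this point */
    free(c->last_page);
    c->last_page = NULL;
}

/* Roll back the slot of a glyph whose render callback failed.  naive=true mirrors the
 * reported chain (destroy the now-empty page while frozen); naive=false leaves it for thaw. */
static void free_last_glyph(glyph_cache *c, bool naive) {
    if (--c->last_page->nglyphs == 0 && naive) page_destroy(c);
}

/* Thaw is the only point where an empty page may safely be reclaimed. */
static void cache_thaw(glyph_cache *c) {
    c->cache_frozen = false;
    if (c->last_page && c->last_page->nglyphs == 0) page_destroy(c);
}

/* Must run frozen (the real lookup asserts it).  Returns 0 on success, -1 on render error. */
static int cache_lookup(glyph_cache *c, int (*render)(void), bool naive) {
    if (!c->cache_frozen) return -2;
    if (!c->last_page) c->last_page = calloc(1, sizeof *c->last_page);
    c->last_page->nglyphs++;
    if (render() != 0) { free_last_glyph(c, naive); return -1; }
    return 0;
}

static int render_error(void) { return 1; }   /* CAIRO_STATUS_USER_FONT_ERROR stand-in */
static int render_ok(void)    { return 0; }

/* Fresh cache whose first render fails (what the fuzzed PDF causes), then one good lookup.
 * Returns the violation count; 0 means the real code would not have hit the assert. */
int run_scenario(bool naive) {
    glyph_cache c = { true, NULL, 0 };   /* frozen by the caller, as in cairo */
    cache_lookup(&c, render_error, naive);
    cache_lookup(&c, render_ok, naive);
    cache_thaw(&c);
    free(c.last_page);
    return c.violations;
}
```

With the naive rollback the first failed render already trips the invariant once; with the deferred rollback the empty page is simply reused by the next lookup and reclaimed at thaw if still empty.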
*** Bug 92517 has been marked as a duplicate of this bug. ***

Created attachment 120654 [details]
user-font-abort.c

If it helps, the attached C program reproduces this abort.
Created attachment 128058 [details]
fuzzed-testcase

This testcase triggers the assertion error. To run:

```
pdftocairo pdf2svg-2016-05-14T22-58-38.312292.pdf -svg o.svg
```

This bug is present in the latest version of cairo (1.15.2). This is a stack trace:

```
#0  0xb7fdcd40 in __kernel_vsyscall ()
#1  0xb786a367 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#2  0xb786ba23 in __GI_abort () at abort.c:89
#3  0xb78636c7 in __assert_fail_base (fmt=0xb799fd14 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0xb7c20f34 "!scaled_font->cache_frozen", file=file@entry=0xb7c20f16 "cairo-scaled-font.c", line=line@entry=459, function=function@entry=0xb7c213a0 <__PRETTY_FUNCTION__.10693> "_cairo_scaled_glyph_page_destroy") at assert.c:92
#4  0xb7863777 in __GI___assert_fail (assertion=0xb7c20f34 "!scaled_font->cache_frozen", file=0xb7c20f16 "cairo-scaled-font.c", line=459, function=0xb7c213a0 <__PRETTY_FUNCTION__.10693> "_cairo_scaled_glyph_page_destroy") at assert.c:101
#5  0xb7bc2b3f in _cairo_scaled_glyph_page_destroy (scaled_font=0x80a4190, page=0x80a4ee8) at cairo-scaled-font.c:459
#6  0xb7bc2cf3 in _cairo_scaled_font_free_last_glyph (scaled_font=0x80a4190, scaled_glyph=0x0) at cairo-scaled-font.c:2912
#7  0xb7bc5192 in _cairo_scaled_glyph_lookup (scaled_font=0x80a4190, index=0, info=CAIRO_SCALED_GLYPH_INFO_METRICS, scaled_glyph_ret=0xbfffd39c) at cairo-scaled-font.c:2993
#8  0xb7bc6295 in _cairo_scaled_font_single_glyph_device_extents (extents=0xbfffd598, glyph=0xbfffdca8, scaled_font=0x80a4190) at cairo-scaled-font.c:2167
#9  _cairo_scaled_font_glyph_device_extents (scaled_font=0x80a4190, glyphs=0xbfffdca8, num_glyphs=1, extents=0xbfffd598, overlap_out=0x0) at cairo-scaled-font.c:2219
#10 0xb7b7ced3 in _cairo_composite_rectangles_init_for_glyphs (extents=0xbfffd580, surface=0x0, op=3221214716, source=0xbfffd598, scaled_font=0x80a4190, glyphs=0xbfffdca8, num_glyphs=1, clip=0x8090588, overlap=0x0) at cairo-composite-rectangles.c:447
#11 0xb7bbbbb3 in _cairo_recording_surface_show_text_glyphs (abstract_surface=0x808fd30, op=CAIRO_OPERATOR_OVER, source=0xbfffd984, utf8=0x0, utf8_len=0, glyphs=0xbfffdca8, num_glyphs=1, clusters=0x0, num_clusters=0, cluster_flags=(unknown: 0), scaled_font=0x80a4190, clip=0x8090588) at cairo-recording-surface.c:1013
#12 0xb7bce178 in _cairo_surface_show_text_glyphs (surface=0x808fd30, op=CAIRO_OPERATOR_OVER, source=0xbfffd984, utf8=0x0, utf8_len=0, glyphs=0xbfffdca8, num_glyphs=1, clusters=0x0, num_clusters=0, cluster_flags=(unknown: 0), scaled_font=0x80a4190, clip=0x8090588) at cairo-surface.c:2617
#13 0xb7bce178 in _cairo_surface_show_text_glyphs (surface=0x808fc18, op=CAIRO_OPERATOR_OVER, source=0xbfffd984, utf8=0x0, utf8_len=0, glyphs=0xbfffdca8, num_glyphs=1, clusters=0x0, num_clusters=0, cluster_flags=(unknown: 0), scaled_font=0x80a4190, clip=0x8090588) at cairo-surface.c:2617
#14 0xb7b87ad1 in _cairo_gstate_show_text_glyphs (gstate=0x80a34b8, glyphs=0x8091120, num_glyphs=1, info=0x0) at cairo-gstate.c:2024
#15 0xb7b77e91 in cairo_show_glyphs (cr=0x808fea8, glyphs=0x8091120, num_glyphs=1) at cairo.c:3319
#16 0x080527fa in CairoOutputDev::endString (this=0x808e110, state=0x6) at CairoOutputDev.cc:1456
#17 0xb7e36811 in Gfx::doShowText (this=0x80903c8, s=0x80905c0) at Gfx.cc:4125
#18 0xb7e3713f in Gfx::opShowText (this=0x80903c8, args=0xbfffef44, numArgs=1) at Gfx.cc:3825
#19 0xb7e258c0 in Gfx::execOp (this=0x80903c8, cmd=0x0, args=0xbfffef44, numArgs=1) at Gfx.cc:904
#20 0xb7e2e94e in Gfx::go (this=0x80903c8, topLevel=true) at Gfx.cc:763
#21 0xb7e2eec7 in Gfx::display (this=0x80903c8, obj=0xbffff174, topLevel=true) at Gfx.cc:729
#22 0xb7e75c56 in Page::displaySlice (this=0x808edb0, out=0x808e110, hDPI=72, vDPI=72, rotate=0, useMediaBox=false, crop=false, sliceX=-1, sliceY=-1, sliceW=-1, sliceH=-1, printing=true, abortCheckCbk=0x0, abortCheckCbkData=0x0, annotDisplayDecideCbk=0x0, annotDisplayDecideCbkData=0x0, copyXRef=false) at Page.cc:601
#23 0xb7e7dd88 in PDFDoc::displayPageSlice (this=0x808d4f8, out=0x808e110, page=1, hDPI=72, vDPI=72, rotate=0, useMediaBox=false, crop=false, printing=true, sliceX=-1, sliceY=-1, sliceW=-1, sliceH=-1, abortCheckCbk=0x0, abortCheckCbkData=0x0, annotDisplayDecideCbk=0x0, annotDisplayDecideCbkData=0x0, copyXRef=false) at PDFDoc.cc:528
#24 0x0804eb93 in renderPage (output_h=<optimized out>, output_w=<optimized out>, page_h=<optimized out>, page_w=<optimized out>, pg=<optimized out>, cairoOut=<optimized out>, doc=<optimized out>) at pdftocairo.cc:673
#25 main (argc=3, argv=0xbffff414) at pdftocairo.cc:1197
(gdb)
```

*** Bug 100724 has been marked as a duplicate of this bug. ***

Fixed with https://cgit.freedesktop.org/cairo/commit/?id=5fd0b8710f125bb33c55d75fcc8252996b403e2d

Jason, would you like to turn your test program into a cairo test case? Or would you like me to do it under the same license as the cairo test suite?

(In reply to Adrian Johnson from comment #8)
> Jason, would you like to turn your test program into a cairo test case? Or
> would you like me to do it under the same license as the cairo test suite?

That would entail adding a CAIRO_TEST() statement and adding it to the Makefile.sources? I'm not familiar with the cairo test suite so I think it's better if you do it. The cairo test suite license is fine.
Created attachment 107990 [details]
abort-pdfs.zip

OS: Fedora 20 (running in virtualbox)
Dependencies installed with: yum-builddep poppler
Version: GIT Master
Command line: `master/pdftocairo -svg <attached.pdf> /dev/null`

Multiple PDFs that cause abort.

GDB output:

```
Reading symbols from /home/foobar/poppler/utils/.libs/lt-pdftocairo...done.
Starting program: /home/foobar/poppler/utils/.libs/lt-pdftocairo -svg abort-_cairo_scaled_glyph_page_destroy-311-pdftocairofuzz-9.pdf /dev/null
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Syntax Error (1936): Dictionary key must be a name object
Syntax Error (1938): Dictionary key must be a name object
Syntax Error: Missing or invalid CharProcs dictionary in Type 3 font
lt-pdftocairo: cairo-scaled-font.c:459: _cairo_scaled_glyph_page_destroy: Assertion `!scaled_font->cache_frozen' failed.

Program received signal SIGABRT, Aborted.
0x00007ffff55ff877 in raise () from /lib64/libc.so.6
```