The following PDF at the URL causes a crash in poppler because delete/free is called on an uninitialized pointer. Verified on poppler 0.8.1 / 0.8.2; versions 0.6.x do not seem to contain the affected code. The problem is in AnnotQuadrilaterals::AnnotQuadrilaterals in Annot.cc. Whenever the code detects a problem with the correctness of the data read from the PDF file, it attempts to free the previously allocated members of quads[] and quads itself. However, the for loop that frees the previously allocated members of quads[] seems to be off by one, trying to free an uninitialized pointer. In the loop 'while (i < (quadsLength) && correct)', i is incremented regardless of whether correct or incorrect data were read from the file. If correct is gFalse after leaving the loop, i is the number of initialized quads members + 1 (not the number of initialized quads members, as the code assumes).

Possible solutions:
- use j < i - 1 in the for loop freeing quads[]
- break out of the while loop when an incorrect value is detected, skipping i++
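The off-by-one described in the report, reduced to a stand-alone model. This is an added example and not poppler's code: the Quad type, the readQuad helper, the "negative coordinate means malformed entry" convention and the sample input are all assumptions made for illustration. The real constructor allocates the quads[] array with new and never zeroes it, so the extra delete hits garbage; here each slot is tracked explicitly so the overshoot can be counted instead of crashing. The breakOnError flag switches between the reported loop and the second suggested fix (leave the while loop before i++).

```cpp
// Added example, not poppler's code: models the cleanup off-by-one in
// AnnotQuadrilaterals::AnnotQuadrilaterals. Names are hypothetical.
#include <cstddef>
#include <vector>

// Stand-in for AnnotQuadrilateral: one quadrilateral = 8 coordinates.
struct Quad {
    double coords[8];
};

struct ParseOutcome {
    bool correct;               // did every entry parse?
    std::size_t allocated;      // quads actually constructed
    std::size_t cleanupVisits;  // slots the error-path loop deletes
    std::size_t wildDeletes;    // deletes on a slot that was never initialized
};

// Constructed convention for this example (not PDF semantics): an entry is
// 8 doubles, and a negative coordinate marks it as malformed.
static bool readQuad(const std::vector<double>& arr, std::size_t i, Quad& out) {
    for (std::size_t k = 0; k < 8; ++k) {
        double v = arr[i * 8 + k];
        if (v < 0) return false;
        out.coords[k] = v;
    }
    return true;
}

// breakOnError == false reproduces the reported loop: i++ runs even after a
// bad entry, so the cleanup loop 'j < i' overshoots by one slot.
// breakOnError == true applies the second suggested fix: leave the while
// loop before i++, so i equals the number of initialized quads.
ParseOutcome parseQuads(const std::vector<double>& arr, bool breakOnError) {
    std::size_t quadsLength = arr.size() / 8;
    // poppler's array is 'new AnnotQuadrilateral*[quadsLength]' with no
    // zeroing; nullptr plus an explicit flag makes the overshoot observable
    // instead of undefined behaviour.
    std::vector<Quad*> quads(quadsLength, nullptr);
    std::vector<bool> initialized(quadsLength, false);
    bool correct = true;
    std::size_t i = 0;
    while (i < quadsLength && correct) {
        Quad q;
        if (readQuad(arr, i, q)) {
            quads[i] = new Quad(q);
            initialized[i] = true;
        } else {
            correct = false;
            if (breakOnError) break;   // fixed: do not count the failed slot
        }
        i++;
    }

    ParseOutcome out{correct, 0, 0, 0};
    for (std::size_t k = 0; k < quadsLength; ++k)
        if (initialized[k]) out.allocated++;

    if (!correct) {
        // The report's cleanup: for (j = 0; j < i; j++) delete quads[j];
        // (the first suggested fix, 'j < i - 1', would equally stop short
        // of the never-initialized slot)
        for (std::size_t j = 0; j < i; ++j) {
            out.cleanupVisits++;
            if (!initialized[j]) out.wildDeletes++;  // a crash in the real code
            delete quads[j];   // safe here only because the slot is nullptr
            quads[j] = nullptr;
        }
    }
    // Release whatever is left so the example itself does not leak.
    for (std::size_t k = 0; k < quadsLength; ++k) delete quads[k];
    return out;
}

// Constructed sample input: 'good' well-formed entries, optionally followed
// by one malformed entry (its first coordinate is -1).
std::vector<double> makeInput(std::size_t good, bool thenBad) {
    std::vector<double> arr(good * 8, 1.0);
    if (thenBad) {
        arr.push_back(-1.0);
        for (int k = 1; k < 8; ++k) arr.push_back(1.0);
    }
    return arr;
}
```

With two valid entries followed by a malformed one, the reported loop exits with i == 3 and the cleanup visits three slots, one of which was never initialized; with the break in place, i == 2 and only the two constructed quads are deleted.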
Backported the fixes from trunk; thanks for the reminder that they were still not on the 0.8.x branch.