I presume the crash mentioned in the 2fe825deac commit message is the OBJECT_TYPE_CHECK abort when the /BBox array contains a non-numeric value. Close to the /BBox reading code, there's also /Matrix array reading code affected by a similar problem:
http://cgit.freedesktop.org/poppler/poppler/tree/poppler/Gfx.cc?id=aa0fd32a#n4261

Additionally, there's one additional instance of BBox/Matrix reading code in Gfx::doSoftMask that's likely to be affected by the same issue and has not been changed in 2fe825deac:
http://cgit.freedesktop.org/poppler/poppler/tree/poppler/Gfx.cc?id=aa0fd32a#n1245
Created attachment 39146
Reproducer

Triggers abort in Gfx::doForm.
Fixed. There are tons of these, feel free to search them and open new bugs with pdf reproducers.
Sorry, my report was probably confusing. There are 3 instances of /BBox and /Matrix reading code in Gfx.cc.

2 BBox instances were fixed in 2fe825deac, this one remains without checks:
http://cgit.freedesktop.org/poppler/poppler/tree/poppler/Gfx.cc?id=d690bea9#n1253

2 Matrix instances were fixed in d690bea929, one was missed:
http://cgit.freedesktop.org/poppler/poppler/tree/poppler/Gfx.cc?id=d690bea9#n4703

I don't have reproducers for these, sorry.
To be fair, without reproducers I prefer to focus my little time in poppler to develop actual features.
(In reply to comment #3)
> 2 BBox instances were fixed in 2fe825deac, this one remains without checks:
> http://cgit.freedesktop.org/poppler/poppler/tree/poppler/Gfx.cc?id=d690bea9#n1253

This one is now fixed via:
http://cgit.freedesktop.org/poppler/poppler/commit/?id=bcb13ed582
http://lists.freedesktop.org/archives/poppler/2010-October/006565.html
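
The check discussed in this thread (validate every /BBox or /Matrix element before reading it as a number), as an added example that is not poppler's code. `Obj`, `readNumArray` and `readMatrixOrIdentity` are hypothetical names in a minimal stand-in model, the abort is modelled as a C++ exception, and falling back to the identity matrix is this example's assumption.

```cpp
#include <cstddef>
#include <stdexcept>
#include <utility>
#include <vector>

// Hypothetical minimal model of a parsed PDF object; not poppler's Object class.
struct Obj {
    enum Type { Num, Name, Array } type = Name;
    double num = 0;
    std::vector<Obj> items;
    bool isNum() const { return type == Num; }
    bool isArray() const { return type == Array; }
    // Type-checked accessor: the abort described in the report is modelled as a throw.
    double getNum() const {
        if (!isNum()) throw std::logic_error("getNum() on non-numeric object");
        return num;
    }
};

Obj mkNum(double d) { Obj o; o.type = Obj::Num; o.num = d; return o; }
Obj mkName() { return Obj(); }
Obj mkArray(std::vector<Obj> v) { Obj o; o.type = Obj::Array; o.items = std::move(v); return o; }

// Copy exactly n numbers out of an array object. The container type, the length
// and every element type are validated before getNum() is called; out is left
// untouched on failure.
bool readNumArray(const Obj &o, double *out, std::size_t n) {
    if (!o.isArray() || o.items.size() != n) return false;
    for (std::size_t i = 0; i < n; ++i)
        if (!o.items[i].isNum()) return false;
    for (std::size_t i = 0; i < n; ++i) out[i] = o.items[i].getNum();
    return true;
}

// Constructed sample inputs: a well-formed /BBox and one with a name in slot 2.
Obj goodBBox() { return mkArray({mkNum(0), mkNum(0), mkNum(612), mkNum(792)}); }
Obj badBBox() { return mkArray({mkNum(0), mkNum(0), mkName(), mkNum(792)}); }

// /Matrix handling chosen for this example: identity unless six numbers are present.
bool readMatrixOrIdentity(const Obj &o, double m[6]) {
    const double identity[6] = {1, 0, 0, 1, 0, 0};
    for (int i = 0; i < 6; ++i) m[i] = identity[i];
    return readNumArray(o, m, 6);
}
```

Routing every such read through one validated helper keeps the element check from being missed at individual call sites, which is the situation the comments above describe.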