Bug 34357 - Crash when scrolling through a pdf
Summary: Crash when scrolling through a pdf
Status: RESOLVED FIXED
Alias: None
Product: poppler
Classification: Unclassified
Component: general (show other bugs)
Version: unspecified
Hardware: x86 (IA32) Linux (All)
: medium normal
Assignee: poppler-bugs
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-02-16 12:58 UTC by Pascal Wittmann
Modified: 2011-02-26 17:38 UTC (History)
0 users

See Also:
i915 platform:
i915 features:

Attachments
The pdf that throws the error (876.00 KB, application/x-pdf)
2011-02-16 12:58 UTC, Pascal Wittmann 		Details
Error message form evince and epdfview (6.81 KB, text/plain)
2011-02-16 13:00 UTC, Pascal Wittmann 		Details
Error Message form zathura (13.90 KB, text/plain)
2011-02-16 13:00 UTC, Pascal Wittmann 		Details
View All

Description Pascal Wittmann 2011-02-16 12:58:52 UTC 
Created attachment 43451 [details]
The pdf that throws the error

First I'm using poppler-version 0.16.2 on Archlinux.

When I'm scrolling in the attached pdf to slide 4 every pdfreader using poppler crashes. Using evince and epdfview I get the error message attached in file error1.txt and using zathura I get the the message in file error2.txt.
Comment 1 Pascal Wittmann 2011-02-16 13:00:16 UTC 
Created attachment 43452 [details]
Error message form evince and epdfview
Comment 2 Pascal Wittmann 2011-02-16 13:00:48 UTC 
Created attachment 43453 [details]
Error Message form zathura
Comment 3 Pascal Wittmann 2011-02-16 13:04:05 UTC 
I forgot to mention that viewing this pdf with a pdfviewer not based on poppler (e.g. mupdf) the pdf is correctly shown.
Comment 4 Albert Astals Cid 2011-02-16 13:29:59 UTC 
Cairo backend specific. Works with the splash backend. Problem is actually on page 6.
Comment 5 Carlos Garcia Campos 2011-02-26 04:09:19 UTC 
(In reply to comment #4)
> Cairo backend specific. Works with the splash backend. Problem is actually on
> page 6.

The problem is not actually in the cairo backend, but in GfxICCBasedColorSpace::getRGBLine(). It doesn't crash with splash because it doesn't use getRGBline(). 
The problem is when using libcms, there's a line transform and getRGBLine() is called when nComps = 0. First, it allocates memory depending on nComps:

Guchar* tmp = (Guchar *)gmallocn(nComps * length, sizeof(Guchar));

but it writes to the out buffer assuming nComps = 3:

for (int i = 0; i < length; ++i) {
        Guchar *current = tmp + (i * 3);
	out[i] = (current[0] << 16) | (current[1] << 8) | current[2];
}

Allocating enough memory fixes the crash, but I'm not sure it's the right fix though:

-    Guchar* tmp = (Guchar *)gmallocn(nComps * length, sizeof(Guchar));
+    Guchar* tmp = (Guchar *)gmallocn(3 * length, sizeof(Guchar));
Comment 6 Albert Astals Cid 2011-02-26 07:02:28 UTC 
Right Splash uses getRBGLine but never when nComps is 1 so we were not hitting that crash. As far as i know your patch is correct since the transform we use is always for rgb, but if you want to make sure i can run a regtest to see if anything breaks.
Comment 7 Carlos Garcia Campos 2011-02-26 07:10:39 UTC 
(In reply to comment #6)
> Right Splash uses getRBGLine but never when nComps is 1 so we were not hitting
> that crash.

I'll try to implement that optimization in cairo too, we already have it for some drawImage() methods indeed.

> As far as i know your patch is correct since the transform we use
> is always for rgb, but if you want to make sure i can run a regtest to see if
> anything breaks.

Ok, thanks
Comment 8 Albert Astals Cid 2011-02-26 17:38:09 UTC 
Will be fixed in poppler 0.16.3

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.