Transferring this bug from GNOME Bugzilla: http://bugzilla.gnome.org/show_bug.cgi?id=340265

On my Dapper, evince crashes when I try to open this file: http://www.ulb.ac.be/catalogue/polytech/pdf/polytech-r.pdf

Evince 0.5.2
Poppler 0.5.1

Starting program: /usr/bin/evince /tmp/polytech-r.pdf
[Thread debugging using libthread_db enabled]
[New Thread -1229183296 (LWP 29847)]
[New Thread -1231025232 (LWP 29853)]
Error (481274): Missing 'endstream'
Error (475592): Unexpected end of file in flate stream
Error (523795): Missing 'endstream'
Error (528568): Unexpected end of file in flate stream
Error (633617): Illegal character '>'
Error (633617): Missing 'endstream'
Error (638608): Unexpected end of file in flate stream
Error (577440): Missing 'endstream'
Error (582086): Unexpected end of file in flate stream
Error (481274): Missing 'endstream'
Error (475592): Unexpected end of file in flate stream

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1231025232 (LWP 29853)]
0xb772d9dc in memcpy () from /lib/tls/i686/cmov/libc.so.6
(gdb) thread apply all bt

Thread 2 (Thread -1231025232 (LWP 29853)):
#0  0xb772d9dc in memcpy () from /lib/tls/i686/cmov/libc.so.6
#1  0xb6ff3f40 in FT_Stream_OpenLZW () from /usr/lib/libfreetype.so.6
#2  0xb701230a in TT_RunIns () from /usr/lib/libfreetype.so.6
#3  0xb7012a74 in TT_RunIns () from /usr/lib/libfreetype.so.6
#4  0xb7013cfa in TT_RunIns () from /usr/lib/libfreetype.so.6
#5  0xb6fcd854 in FT_Get_Char_Index () from /usr/lib/libfreetype.so.6
#6  0xb6fce205 in FT_Open_Face () from /usr/lib/libfreetype.so.6
#7  0xb6fcec73 in FT_New_Memory_Face () from /usr/lib/libfreetype.so.6
#8  0xb79ded2b in SplashFTFontFile::loadType1Font (engineA=0x83d2cc8, idA=0x8424088, src=0x84073d0, encA=0x84299ac) at SplashFTFontFile.cc:38
#9  0xb79de838 in SplashFTFontEngine::loadType1Font (this=0x83d2cc8, idA=0x8424088, src=0x84073d0, enc=0x84299ac) at SplashFTFontEngine.cc:69
#10 0xb79dfdb0 in SplashFontEngine::loadType1Font (this=0x83dc878, idA=0x8424088, src=0x84073d0, enc=0x84299ac) at SplashFontEngine.cc:120
#11 0xb7906fcf in SplashOutputDev::updateFont (this=0x83dc8f8, state=0x843c4a8) at SplashOutputDev.cc:1025
#12 0xb792f947 in Gfx::opShowSpaceText (this=0x8429210, args=0xb6a00068, numArgs=1) at Gfx.cc:2673
#13 0xb792488e in Gfx::execOp (this=0x8429210, cmd=0xb6a000c8, args=0xb6a00068, numArgs=1) at Gfx.cc:712
#14 0xb7924a71 in Gfx::go (this=0x8429210, topLevel=1) at Gfx.cc:580
#15 0xb792503d in Gfx::display (this=0x8429210, obj=0xb6a001c0, topLevel=1) at Gfx.cc:543
#16 0xb798062a in Page::displaySlice (this=0x83e3908, out=0x83dc8f8, hDPI=72, vDPI=72, rotate=0, useMediaBox=0, crop=1, sliceX=0, sliceY=0, sliceW=595, sliceH=842, links=0x0, catalog=0x83e37a0, abortCheckCbk=0, abortCheckCbkData=0x0, annotDisplayDecideCbk=0, annotDisplayDecideCbkData=0x0) at Page.cc:375
#17 0xb7a3bf10 in poppler_page_render_to_pixbuf (page=0x82d8880, src_x=0, src_y=0, src_width=595, src_height=842, scale=1, rotation=0, pixbuf=0x83b2288) at poppler-page.cc:324
#18 0x0809d0c2 in pdf_document_render_pixbuf (document=0x8310400, rc=0x82e0590) at ev-poppler.cc:350
#19 0x0809ad91 in ev_document_render_pixbuf (document=0x8310400, rc=0x82e0590) at ev-document.c:215
#20 0x08065f3e in ev_job_render_run (job=0x818f750) at ev-jobs.c:298
#21 0x08064237 in handle_job (job=0x818f750) at ev-job-queue.c:104
#22 0x08064515 in ev_render_thread (data=0x0) at ev-job-queue.c:187
#23 0xb6e22582 in g_thread_create_proxy (data=0x8154960) at gthread.c:582
#24 0xb7a47341 in start_thread () from /lib/tls/i686/cmov/libpthread.so.0
#25 0xb778b4ee in clone () from /lib/tls/i686/cmov/libc.so.6

Thread 1 (Thread -1229183296 (LWP 29847)):
#0  0xffffe410 in __kernel_vsyscall ()
#1  0xb77818c4 in poll () from /lib/tls/i686/cmov/libc.so.6
#2  0xb6e09788 in g_main_context_iterate (context=0x8115e00, block=1, dispatch=1, self=0x80e0a80) at gmain.c:2849
#3  0xb6e09c58 in IA__g_main_loop_run (loop=0x8384ac8) at gmain.c:2751
#4  0xb7322495 in IA__gtk_main () at gtkmain.c:1026
#5  0x08087f90 in main (argc=2, argv=0xbfcd9ee4) at main.c:295
#0  0xb772d9dc in memcpy () from /lib/tls/i686/cmov/libc.so.6
Created attachment 6893: Check length before doing memcpy

This patch in freetype avoids the crash, but I think it could be caught earlier.
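The attachment itself is not reproduced on this page. As an added illustration of the "check length before doing memcpy" pattern the comment above refers to, and not FreeType's or poppler's own code, here is a small memory-backed stream reader in C with the unchecked read beside the bounds-checked one, run over a constructed font-like table directory whose second entry claims far more data than the stream holds, the situation a truncated embedded font ("Unexpected end of file in flate stream") produces. The table layout, sample bytes and function names are assumptions made for the example.

```c
/* Added example, not FreeType/poppler code: a memory stream of the kind a
 * font loader reads when it is handed a byte buffer (cf. FT_New_Memory_Face
 * in the backtrace). Layout, sample data and names are constructed here. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    const uint8_t *base;  /* start of the in-memory font program */
    size_t         size;  /* number of valid bytes behind base */
    size_t         pos;   /* current read cursor */
} mem_stream;

/* Unchecked read: trusts a 'count' that ultimately comes from the font
 * data. With a truncated font, 'count' can exceed what is present and
 * memcpy walks off the end of the buffer. Kept only for contrast. */
void read_unchecked(mem_stream *s, void *dst, size_t count)
{
    memcpy(dst, s->base + s->pos, count);
    s->pos += count;
}

/* Checked read: refuse any request that would run past the stream end.
 * 'count > size - pos' is used instead of 'pos + count > size' because
 * the latter can wrap around for a huge count and pass the check. */
static int read_checked(mem_stream *s, void *dst, size_t count)
{
    if (s->pos > s->size || count > s->size - s->pos)
        return -1;                 /* would read past end of stream */
    memcpy(dst, s->base + s->pos, count);
    s->pos += count;
    return 0;
}

/* Toy table directory: 2-byte big-endian table count, then per table a
 * 4-byte tag, 4-byte offset and 4-byte length. Returns how many tables
 * lie entirely inside the stream, or -1 if the directory is truncated. */
static int count_valid_tables(const uint8_t *font, size_t font_size)
{
    mem_stream s = { font, font_size, 0 };
    uint8_t hdr[2];
    if (read_checked(&s, hdr, sizeof hdr) != 0)
        return -1;
    unsigned n = ((unsigned)hdr[0] << 8) | hdr[1];
    int valid = 0;
    for (unsigned i = 0; i < n; i++) {
        uint8_t rec[12];
        if (read_checked(&s, rec, sizeof rec) != 0)
            return -1;             /* directory itself is cut short */
        uint32_t off = ((uint32_t)rec[4] << 24) | ((uint32_t)rec[5] << 16) |
                       ((uint32_t)rec[6] << 8)  | rec[7];
        uint32_t len = ((uint32_t)rec[8] << 24) | ((uint32_t)rec[9] << 16) |
                       ((uint32_t)rec[10] << 8) | rec[11];
        /* Same overflow-safe bound check for the table payload. */
        if (off <= font_size && len <= font_size - off)
            valid++;
    }
    return valid;
}

/* Constructed sample: two tables, the second claiming 1000 bytes where only
 * 4 remain, as a font whose stream was truncated would. */
static const uint8_t sample_font[] = {
    0x00, 0x02,                                  /* 2 tables */
    'c','m','a','p', 0,0,0,26, 0,0,0,4,          /* cmap: offset 26, length 4 */
    'g','l','y','f', 0,0,0,26, 0,0,0x03,0xE8,    /* glyf: offset 26, length 1000 */
    0xDE, 0xAD, 0xBE, 0xEF                       /* the only 4 bytes of table data */
};

/* Constructed sample: directory announces 3 tables, data ends after one. */
static const uint8_t truncated_font[] = {
    0x00, 0x03,
    'c','m','a','p', 0,0,0,14, 0,0,0,0
};

int sample_font_valid_tables(void)
{
    return count_valid_tables(sample_font, sizeof sample_font);     /* 1 */
}

int truncated_font_valid_tables(void)
{
    return count_valid_tables(truncated_font, sizeof truncated_font); /* -1 */
}

/* 1000 bytes requested at offset 26 of a 30-byte stream must be refused
 * without touching the destination or advancing the cursor. */
int read_checked_rejects_oversize(void)
{
    mem_stream s = { sample_font, sizeof sample_font, 26 };
    uint8_t buf[8];
    return read_checked(&s, buf, 1000) == -1 && s.pos == 26;
}

int main(void)
{
    printf("valid tables in sample font: %d\n", sample_font_valid_tables());
    printf("valid tables in truncated font: %d\n", truncated_font_valid_tables());
    printf("oversize read rejected: %d\n", read_checked_rejects_oversize());
    return 0;
}
```

The point of the checked variant is that the length is validated against the bytes actually present, not against what the directory claims, so a truncated or corrupted font degrades into a parse error instead of a read past the buffer.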
That example works fine in acroread 8.1.1, and although it no longer crashes, poppler master branch still has problems with this file.
The problem appears to be in the handling of some quite large font files. In the example http://www.ulb.ac.be/catalogue/polytech/pdf/polytech-r.pdf there are four font files (obj 279, obj 284, obj 289 and obj 293) and we aren't parsing those correctly.
Will be fixed in poppler 0.12.1