Bug 84555 - reproducible crash with some PDF files
Summary: reproducible crash with some PDF files
Status: RESOLVED FIXED
Alias: None
Product: poppler
Classification: Unclassified
Component: general
Version: unspecified
Hardware: x86-64 (AMD64) Linux (All)
Importance: medium major
Assignee: poppler-bugs
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-10-01 13:48 UTC by Laurent Bonnaud
Modified: 2015-04-28 18:20 UTC

See Also:


Attachments
Here is one file to reproduce the crash (look around page #79). (1.92 MB, application/forcedownload)
2014-10-01 13:54 UTC, Laurent Bonnaud
Move array reallocation from visitLine to startLine (1.25 KB, patch)
2014-12-20 05:26 UTC, Jason Crain

Description Laurent Bonnaud 2014-10-01 13:48:55 UTC
Several applications (evince, tracker) crash while processing the attached PDF files.

To trigger the crash you may need the following environment variables:

MALLOC_CHECK_=3
MALLOC_PERTURB_=117

The crash occurs with version 0.26.5, both in Debian sid and Ubuntu 14.10.
Comment 1 Laurent Bonnaud 2014-10-01 13:54:00 UTC
Created attachment 107190 [details]
Here is one file to reproduce the crash (look around page #79).
Comment 2 Laurent Bonnaud 2014-10-01 13:59:40 UTC
Here is another file (go to the last page):

https://bugs.launchpad.net/debian/+source/poppler/+bug/1319185/+attachment/4112677/+files/117740fo.pdf
Comment 3 Laurent Bonnaud 2014-10-01 14:06:05 UTC
More details are here:

https://bugs.launchpad.net/ubuntu/+source/poppler/+bug/1376265
Comment 4 Albert Astals Cid 2014-10-01 14:33:15 UTC
Valgrind trace when getting text of page 64 using poppler-glib-demo

==17036== Invalid write of size 8
==17036==    at 0x70C3EDB: TextSelectionDumper::finishLine() (TextOutputDev.cc:4076)
==17036==    by 0x70C4119: TextSelectionDumper::endPage() (TextOutputDev.cc:4132)
==17036==    by 0x70C6A42: TextPage::getSelectionText(PDFRectangle*, SelectionStyle) (TextOutputDev.cc:4760)
==17036==    by 0x4E6AB6B: poppler_page_get_selected_text (poppler-page.cc:824)
==17036==    by 0x4E6ADAA: poppler_page_get_text_for_area (poppler-page.cc:871)
==17036==    by 0x417224: pgd_text_get_text (text.c:107)
==17036==    by 0x6363473: _g_closure_invoke_va (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637D056: g_signal_emit_valist (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637D9AE: g_signal_emit (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x51899FC: gtk_button_do_release (gtkbutton.c:1985)
==17036==    by 0x5189A54: gtk_real_button_released (gtkbutton.c:2103)
==17036==    by 0x6363244: g_closure_invoke (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==  Address 0x10aeec60 is 0 bytes after a block of size 2,048 alloc'd
==17036==    at 0x4C2ABA0: malloc (vg_replace_malloc.c:296)
==17036==    by 0x6F9A756: gmalloc(unsigned long, bool) (gmem.cc:110)
==17036==    by 0x6F9A976: gmallocn(int, int, bool) (gmem.cc:192)
==17036==    by 0x6F9A99A: gmallocn (gmem.cc:196)
==17036==    by 0x70C3CEC: TextSelectionDumper::TextSelectionDumper(TextPage*) (TextOutputDev.cc:4052)
==17036==    by 0x70C6A1F: TextPage::getSelectionText(PDFRectangle*, SelectionStyle) (TextOutputDev.cc:4757)
==17036==    by 0x4E6AB6B: poppler_page_get_selected_text (poppler-page.cc:824)
==17036==    by 0x4E6ADAA: poppler_page_get_text_for_area (poppler-page.cc:871)
==17036==    by 0x417224: pgd_text_get_text (text.c:107)
==17036==    by 0x6363473: _g_closure_invoke_va (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637D056: g_signal_emit_valist (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637D9AE: g_signal_emit (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036== 
==17036== Invalid read of size 8
==17036==    at 0x70C41D7: TextSelectionDumper::getText() (TextOutputDev.cc:4152)
==17036==    by 0x70C6A4E: TextPage::getSelectionText(PDFRectangle*, SelectionStyle) (TextOutputDev.cc:4762)
==17036==    by 0x4E6AB6B: poppler_page_get_selected_text (poppler-page.cc:824)
==17036==    by 0x4E6ADAA: poppler_page_get_text_for_area (poppler-page.cc:871)
==17036==    by 0x417224: pgd_text_get_text (text.c:107)
==17036==    by 0x6363473: _g_closure_invoke_va (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637D056: g_signal_emit_valist (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637D9AE: g_signal_emit (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x51899FC: gtk_button_do_release (gtkbutton.c:1985)
==17036==    by 0x5189A54: gtk_real_button_released (gtkbutton.c:2103)
==17036==    by 0x6363244: g_closure_invoke (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637480A: signal_emit_unlocked_R (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==  Address 0x10aeec60 is 0 bytes after a block of size 2,048 alloc'd
==17036==    at 0x4C2ABA0: malloc (vg_replace_malloc.c:296)
==17036==    by 0x6F9A756: gmalloc(unsigned long, bool) (gmem.cc:110)
==17036==    by 0x6F9A976: gmallocn(int, int, bool) (gmem.cc:192)
==17036==    by 0x6F9A99A: gmallocn (gmem.cc:196)
==17036==    by 0x70C3CEC: TextSelectionDumper::TextSelectionDumper(TextPage*) (TextOutputDev.cc:4052)
==17036==    by 0x70C6A1F: TextPage::getSelectionText(PDFRectangle*, SelectionStyle) (TextOutputDev.cc:4757)
==17036==    by 0x4E6AB6B: poppler_page_get_selected_text (poppler-page.cc:824)
==17036==    by 0x4E6ADAA: poppler_page_get_text_for_area (poppler-page.cc:871)
==17036==    by 0x417224: pgd_text_get_text (text.c:107)
==17036==    by 0x6363473: _g_closure_invoke_va (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637D056: g_signal_emit_valist (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637D9AE: g_signal_emit (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036== 
==17036== Invalid read of size 8
==17036==    at 0x70C3D65: TextSelectionDumper::~TextSelectionDumper() (TextOutputDev.cc:4063)
==17036==    by 0x70C6A5D: TextPage::getSelectionText(PDFRectangle*, SelectionStyle) (TextOutputDev.cc:4762)
==17036==    by 0x4E6AB6B: poppler_page_get_selected_text (poppler-page.cc:824)
==17036==    by 0x4E6ADAA: poppler_page_get_text_for_area (poppler-page.cc:871)
==17036==    by 0x417224: pgd_text_get_text (text.c:107)
==17036==    by 0x6363473: _g_closure_invoke_va (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637D056: g_signal_emit_valist (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637D9AE: g_signal_emit (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x51899FC: gtk_button_do_release (gtkbutton.c:1985)
==17036==    by 0x5189A54: gtk_real_button_released (gtkbutton.c:2103)
==17036==    by 0x6363244: g_closure_invoke (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637480A: signal_emit_unlocked_R (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==  Address 0x10aeec60 is 0 bytes after a block of size 2,048 alloc'd
==17036==    at 0x4C2ABA0: malloc (vg_replace_malloc.c:296)
==17036==    by 0x6F9A756: gmalloc(unsigned long, bool) (gmem.cc:110)
==17036==    by 0x6F9A976: gmallocn(int, int, bool) (gmem.cc:192)
==17036==    by 0x6F9A99A: gmallocn (gmem.cc:196)
==17036==    by 0x70C3CEC: TextSelectionDumper::TextSelectionDumper(TextPage*) (TextOutputDev.cc:4052)
==17036==    by 0x70C6A1F: TextPage::getSelectionText(PDFRectangle*, SelectionStyle) (TextOutputDev.cc:4757)
==17036==    by 0x4E6AB6B: poppler_page_get_selected_text (poppler-page.cc:824)
==17036==    by 0x4E6ADAA: poppler_page_get_text_for_area (poppler-page.cc:871)
==17036==    by 0x417224: pgd_text_get_text (text.c:107)
==17036==    by 0x6363473: _g_closure_invoke_va (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637D056: g_signal_emit_valist (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637D9AE: g_signal_emit (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036== 
==17036== Invalid write of size 8
==17036==    at 0x70C3EDB: TextSelectionDumper::finishLine() (TextOutputDev.cc:4076)
==17036==    by 0x70C4119: TextSelectionDumper::endPage() (TextOutputDev.cc:4132)
==17036==    by 0x70C6AD8: TextPage::getSelectionWords(PDFRectangle*, SelectionStyle, int*) (TextOutputDev.cc:4772)
==17036==    by 0x4E6D81F: poppler_page_get_text_layout_for_area (poppler-page.cc:2187)
==17036==    by 0x41729C: pgd_text_get_text (text.c:117)
==17036==    by 0x6363473: _g_closure_invoke_va (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637D056: g_signal_emit_valist (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637D9AE: g_signal_emit (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x51899FC: gtk_button_do_release (gtkbutton.c:1985)
==17036==    by 0x5189A54: gtk_real_button_released (gtkbutton.c:2103)
==17036==    by 0x6363244: g_closure_invoke (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637480A: signal_emit_unlocked_R (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==  Address 0x142d2290 is 0 bytes after a block of size 2,048 alloc'd
==17036==    at 0x4C2ABA0: malloc (vg_replace_malloc.c:296)
==17036==    by 0x6F9A756: gmalloc(unsigned long, bool) (gmem.cc:110)
==17036==    by 0x6F9A976: gmallocn(int, int, bool) (gmem.cc:192)
==17036==    by 0x6F9A99A: gmallocn (gmem.cc:196)
==17036==    by 0x70C3CEC: TextSelectionDumper::TextSelectionDumper(TextPage*) (TextOutputDev.cc:4052)
==17036==    by 0x70C6AB5: TextPage::getSelectionWords(PDFRectangle*, SelectionStyle, int*) (TextOutputDev.cc:4769)
==17036==    by 0x4E6D81F: poppler_page_get_text_layout_for_area (poppler-page.cc:2187)
==17036==    by 0x41729C: pgd_text_get_text (text.c:117)
==17036==    by 0x6363473: _g_closure_invoke_va (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637D056: g_signal_emit_valist (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637D9AE: g_signal_emit (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x51899FC: gtk_button_do_release (gtkbutton.c:1985)
==17036== 
==17036== Invalid read of size 8
==17036==    at 0x4E6D874: poppler_page_get_text_layout_for_area (poppler-page.cc:2194)
==17036==    by 0x41729C: pgd_text_get_text (text.c:117)
==17036==    by 0x6363473: _g_closure_invoke_va (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637D056: g_signal_emit_valist (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637D9AE: g_signal_emit (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x51899FC: gtk_button_do_release (gtkbutton.c:1985)
==17036==    by 0x5189A54: gtk_real_button_released (gtkbutton.c:2103)
==17036==    by 0x6363244: g_closure_invoke (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637480A: signal_emit_unlocked_R (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637D747: g_signal_emit_valist (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637D9AE: g_signal_emit (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x5188410: gtk_button_button_release (gtkbutton.c:1940)
==17036==  Address 0x142d2290 is 0 bytes after a block of size 2,048 alloc'd
==17036==    at 0x4C2ABA0: malloc (vg_replace_malloc.c:296)
==17036==    by 0x6F9A756: gmalloc(unsigned long, bool) (gmem.cc:110)
==17036==    by 0x6F9A976: gmallocn(int, int, bool) (gmem.cc:192)
==17036==    by 0x6F9A99A: gmallocn (gmem.cc:196)
==17036==    by 0x70C3CEC: TextSelectionDumper::TextSelectionDumper(TextPage*) (TextOutputDev.cc:4052)
==17036==    by 0x70C6AB5: TextPage::getSelectionWords(PDFRectangle*, SelectionStyle, int*) (TextOutputDev.cc:4769)
==17036==    by 0x4E6D81F: poppler_page_get_text_layout_for_area (poppler-page.cc:2187)
==17036==    by 0x41729C: pgd_text_get_text (text.c:117)
==17036==    by 0x6363473: _g_closure_invoke_va (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637D056: g_signal_emit_valist (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637D9AE: g_signal_emit (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x51899FC: gtk_button_do_release (gtkbutton.c:1985)
==17036== 
==17036== Invalid read of size 8
==17036==    at 0x4E6D966: poppler_page_get_text_layout_for_area (poppler-page.cc:2208)
==17036==    by 0x41729C: pgd_text_get_text (text.c:117)
==17036==    by 0x6363473: _g_closure_invoke_va (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637D056: g_signal_emit_valist (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637D9AE: g_signal_emit (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x51899FC: gtk_button_do_release (gtkbutton.c:1985)
==17036==    by 0x5189A54: gtk_real_button_released (gtkbutton.c:2103)
==17036==    by 0x6363244: g_closure_invoke (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637480A: signal_emit_unlocked_R (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637D747: g_signal_emit_valist (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637D9AE: g_signal_emit (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x5188410: gtk_button_button_release (gtkbutton.c:1940)
==17036==  Address 0x142d2290 is 0 bytes after a block of size 2,048 alloc'd
==17036==    at 0x4C2ABA0: malloc (vg_replace_malloc.c:296)
==17036==    by 0x6F9A756: gmalloc(unsigned long, bool) (gmem.cc:110)
==17036==    by 0x6F9A976: gmallocn(int, int, bool) (gmem.cc:192)
==17036==    by 0x6F9A99A: gmallocn (gmem.cc:196)
==17036==    by 0x70C3CEC: TextSelectionDumper::TextSelectionDumper(TextPage*) (TextOutputDev.cc:4052)
==17036==    by 0x70C6AB5: TextPage::getSelectionWords(PDFRectangle*, SelectionStyle, int*) (TextOutputDev.cc:4769)
==17036==    by 0x4E6D81F: poppler_page_get_text_layout_for_area (poppler-page.cc:2187)
==17036==    by 0x41729C: pgd_text_get_text (text.c:117)
==17036==    by 0x6363473: _g_closure_invoke_va (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637D056: g_signal_emit_valist (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637D9AE: g_signal_emit (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x51899FC: gtk_button_do_release (gtkbutton.c:1985)
==17036== 
==17036== Invalid write of size 8
==17036==    at 0x70C3EDB: TextSelectionDumper::finishLine() (TextOutputDev.cc:4076)
==17036==    by 0x70C4119: TextSelectionDumper::endPage() (TextOutputDev.cc:4132)
==17036==    by 0x70C6AD8: TextPage::getSelectionWords(PDFRectangle*, SelectionStyle, int*) (TextOutputDev.cc:4772)
==17036==    by 0x4E6E098: poppler_page_get_text_attributes_for_area (poppler-page.cc:2372)
==17036==    by 0x4172F4: pgd_text_get_text (text.c:123)
==17036==    by 0x6363473: _g_closure_invoke_va (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637D056: g_signal_emit_valist (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637D9AE: g_signal_emit (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x51899FC: gtk_button_do_release (gtkbutton.c:1985)
==17036==    by 0x5189A54: gtk_real_button_released (gtkbutton.c:2103)
==17036==    by 0x6363244: g_closure_invoke (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637480A: signal_emit_unlocked_R (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==  Address 0x14027570 is 0 bytes after a block of size 2,048 alloc'd
==17036==    at 0x4C2ABA0: malloc (vg_replace_malloc.c:296)
==17036==    by 0x6F9A756: gmalloc(unsigned long, bool) (gmem.cc:110)
==17036==    by 0x6F9A976: gmallocn(int, int, bool) (gmem.cc:192)
==17036==    by 0x6F9A99A: gmallocn (gmem.cc:196)
==17036==    by 0x70C3CEC: TextSelectionDumper::TextSelectionDumper(TextPage*) (TextOutputDev.cc:4052)
==17036==    by 0x70C6AB5: TextPage::getSelectionWords(PDFRectangle*, SelectionStyle, int*) (TextOutputDev.cc:4769)
==17036==    by 0x4E6E098: poppler_page_get_text_attributes_for_area (poppler-page.cc:2372)
==17036==    by 0x4172F4: pgd_text_get_text (text.c:123)
==17036==    by 0x6363473: _g_closure_invoke_va (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637D056: g_signal_emit_valist (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637D9AE: g_signal_emit (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x51899FC: gtk_button_do_release (gtkbutton.c:1985)
==17036== 
==17036== Invalid read of size 8
==17036==    at 0x4E6E0D4: poppler_page_get_text_attributes_for_area (poppler-page.cc:2378)
==17036==    by 0x4172F4: pgd_text_get_text (text.c:123)
==17036==    by 0x6363473: _g_closure_invoke_va (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637D056: g_signal_emit_valist (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637D9AE: g_signal_emit (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x51899FC: gtk_button_do_release (gtkbutton.c:1985)
==17036==    by 0x5189A54: gtk_real_button_released (gtkbutton.c:2103)
==17036==    by 0x6363244: g_closure_invoke (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637480A: signal_emit_unlocked_R (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637D747: g_signal_emit_valist (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637D9AE: g_signal_emit (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x5188410: gtk_button_button_release (gtkbutton.c:1940)
==17036==  Address 0x14027570 is 0 bytes after a block of size 2,048 alloc'd
==17036==    at 0x4C2ABA0: malloc (vg_replace_malloc.c:296)
==17036==    by 0x6F9A756: gmalloc(unsigned long, bool) (gmem.cc:110)
==17036==    by 0x6F9A976: gmallocn(int, int, bool) (gmem.cc:192)
==17036==    by 0x6F9A99A: gmallocn (gmem.cc:196)
==17036==    by 0x70C3CEC: TextSelectionDumper::TextSelectionDumper(TextPage*) (TextOutputDev.cc:4052)
==17036==    by 0x70C6AB5: TextPage::getSelectionWords(PDFRectangle*, SelectionStyle, int*) (TextOutputDev.cc:4769)
==17036==    by 0x4E6E098: poppler_page_get_text_attributes_for_area (poppler-page.cc:2372)
==17036==    by 0x4172F4: pgd_text_get_text (text.c:123)
==17036==    by 0x6363473: _g_closure_invoke_va (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637D056: g_signal_emit_valist (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x637D9AE: g_signal_emit (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4105.0)
==17036==    by 0x51899FC: gtk_button_do_release (gtkbutton.c:1985)
==17036==
Comment 5 Laurent Bonnaud 2014-11-12 13:09:53 UTC
This crash still occurs with the following software versions (from Debian sid+experimental):

Package: evince
Version: 3.14.1-1

Package: libpoppler47
Version: 0.28.1-1
Comment 6 Jason Crain 2014-12-20 05:26:24 UTC
Created attachment 111069 [details] [review]
Move array reallocation from visitLine to startLine

If TextSelectionDumper finds exactly 257 lines of text (or probably also 513, 1025, etc) it will write past the end of the lines array without triggering a reallocation.

Attached patch moves the array size check into TextSelectionDumper::finishLine so it's always run when an item is added to the lines array.
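The following is an added illustration of the bug described in comment 6, written for this page and not taken from poppler. It models the TextSelectionDumper callback sequence with a growable array of line pointers and shows why the original placement of the size check (in visitLine) lets the last line of a page be appended unchecked from endPage, while the fixed placement (in finishLine) guards every append. Assumptions: the array starts with 256 slots and doubles when full (256 eight-byte pointers is the 2,048-byte block reported in the Valgrind trace, and the trace shows an 8-byte write 0 bytes past it), visitLine is called once per text line, and endPage once at the end. Instead of corrupting memory, the model records that an out-of-bounds write would have happened.

```cpp
#include <cstddef>
#include <cstdio>
#include <vector>

// Added example, not poppler code. Stripped-down model of the
// TextSelectionDumper line-collection callbacks from the bug report.
// Assumed: initial capacity 256, doubling growth (grealloc in poppler).
struct LineDumper {
    std::vector<const char*> lines;   // stands in for TextLine **lines
    std::size_t nLines = 0;
    std::size_t linesSize = 256;
    const char* pending = nullptr;    // line whose words are being collected
    bool overflowed = false;          // set where poppler would write lines[linesSize]
    bool checkInFinishLine;           // false: original placement, true: fixed

    explicit LineDumper(bool checkInFinishLine)
        : lines(256, nullptr), checkInFinishLine(checkInFinishLine) {}

    // Doubles the array when it is exactly full.
    void growIfFull() {
        if (nLines == linesSize) {
            linesSize *= 2;
            lines.resize(linesSize, nullptr);
        }
    }

    // Original code: the only size check lives here. A line flushed by
    // endPage() instead of by the next visitLine() is appended unchecked.
    void visitLine(const char* text) {
        if (!checkInFinishLine) growIfFull();
        startLine();
        pending = text;
    }

    void startLine() { finishLine(); }

    // Appends the pending line. The fix moves the size check here so it
    // runs on every append, whoever called finishLine().
    void finishLine() {
        if (!pending) return;
        if (checkInFinishLine) growIfFull();
        if (nLines >= linesSize) {
            overflowed = true;        // this is the OOB write in the trace
            pending = nullptr;
            return;
        }
        lines[nLines++] = pending;
        pending = nullptr;
    }

    void endPage() { finishLine(); }
};

// Pushes a page of lineCount lines through the dumper and reports whether
// an out-of-bounds write would have occurred.
bool wouldOverflow(std::size_t lineCount, bool checkInFinishLine) {
    LineDumper d(checkInFinishLine);
    for (std::size_t i = 0; i < lineCount; ++i) d.visitLine("line");
    d.endPage();
    return d.overflowed;
}

// Number of lines actually stored; the fixed version keeps all of them.
std::size_t storedLines(std::size_t lineCount, bool checkInFinishLine) {
    LineDumper d(checkInFinishLine);
    for (std::size_t i = 0; i < lineCount; ++i) d.visitLine("line");
    d.endPage();
    return d.nLines;
}

int main() {
    const std::size_t counts[] = {255, 256, 257, 258, 512, 513, 1025};
    for (std::size_t n : counts) {
        std::printf("%5zu lines: original %s, fixed %s\n", n,
                    wouldOverflow(n, false) ? "OVERFLOW" : "ok",
                    wouldOverflow(n, true) ? "OVERFLOW" : "ok");
    }
    return 0;
}
```

With the original placement, only page sizes of exactly 257, 513, 1025, ... overflow: the check in visitLine sees nLines one short of linesSize on the last visit, the last line is then appended from endPage with no check, and one extra line would have triggered the doubling first. That is why the report needed specific pages (and MALLOC_CHECK_ / MALLOC_PERTURB_ to make the one-pointer heap overwrite fatal rather than silent).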
Comment 7 Carlos Garcia Campos 2014-12-20 10:09:17 UTC
(In reply to Jason Crain from comment #6)
> Created attachment 111069 [details] [review]
> Move array reallocation from visitLine to startLine
> 
> If TextSelectionDumper finds exactly 257 lines of text (or probably also
> 513, 1025, etc) it will write past the end of the lines array without
> triggering a reallocation.
> 
> Attached patch moves the array size check into
> TextSelectionDumper::finishLine so it's always run when an item is added to
> the lines array.

Good catch! I've just pushed it, thanks!
Comment 8 Laurent Bonnaud 2015-04-28 18:20:40 UTC
The fix works for me in Ubuntu 15.04 with poppler 0.30.
Thanks!