Created attachment 107818
pdf to reproduce SIGABRT

Not sure if this is an actual bug, but since it says 'internal error' and doesn't exit gracefully I thought I'd report this:

Running pdftotext util from master. Attached 392-fuzz-16.pdf

######################################
utils]$ libtool --mode=execute gdb ./pdftotext
GNU gdb (GDB) Fedora 7.7.1-19.fc20
...
Reading symbols from /home/foobar/poppler/utils/.libs/lt-pdftotext...done.
...
(gdb) run ~/392-fuzz-16.pdf /dev/null
Starting program: /home/foobar/poppler/utils/.libs/lt-pdftotext ~/392-fuzz-16.pdf /dev/null
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Syntax Error (77470): Illegal character ')'
Syntax Error: Couldn't find trailer dictionary
Syntax Error: Unknown operator '<9e>W'
Syntax Error: Unknown operator '<c0><e8>'
Syntax Error: Unknown operator '<c3><d2>'
Syntax Error: Unknown operator '<9e>W'
Syntax Error: Unknown operator '?<c8>'
Syntax Error: Unknown operator '<9e>W'
Syntax Error: Unknown operator '<07>I'
Internal Error (0): Call to Object where the object was type 10, not the expected type 1, 14 or 2

Program received signal SIGABRT, Aborted.
0x00007ffff5b3a877 in raise () from /lib64/libc.so.6
(gdb)

Created attachment 108176
392-unfuzzed.pdf

Attached unfuzzed file as per request.

Created attachment 111100
Check for invalid matrix in annotation

Bad values in an annotation's matrix cause the call to abort(). Attached patch checks the type of the value before pulling it from the Object.

Created attachment 111101
Free BBox object on error

While looking at this bug, I also noticed that an annotation's bboxObj isn't freed on error, causing a memory leak. Attached patch adds a call to bboxObj.free().

Pushed, thanks!
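
The type check described in the comment about the annotation matrix, as an added example that is not part of the original thread and is not poppler's code. `Obj`, `parseMatrix` and the fallback to an identity matrix are assumptions made for illustration; the thread does not say what the patch does with a rejected value.

```cpp
#include <array>
#include <cstdio>
#include <cstdlib>
#include <vector>

// Simplified stand-in (hypothetical) for a PDF object: a tagged value whose
// numeric accessor aborts on a type mismatch, like the Internal Error above.
enum class Type { Int, Real, Name, Cmd };

struct Obj {
    Type type;
    double num;
    bool isNum() const { return type == Type::Int || type == Type::Real; }
    double getNum() const {
        if (!isNum()) {
            std::fprintf(stderr, "Internal Error: unexpected type %d\n",
                         static_cast<int>(type));
            std::abort();  // a malformed file takes the whole process down
        }
        return num;
    }
};

using Matrix = std::array<double, 6>;
constexpr Matrix kIdentity = {1.0, 0.0, 0.0, 1.0, 0.0, 0.0};

// Hardened parse: check the length and every element's type before calling
// getNum(). On malformed input, leave the identity matrix in `out` (assumed).
bool parseMatrix(const std::vector<Obj> &arr, Matrix &out) {
    out = kIdentity;
    if (arr.size() != 6) return false;
    Matrix tmp{};
    for (std::size_t i = 0; i < 6; ++i) {
        if (!arr[i].isNum()) return false;  // an unchecked getNum() aborts here
        tmp[i] = arr[i].getNum();
    }
    out = tmp;  // commit only after all six values validated
    return true;
}

int main() {
    // Constructed input: the fourth element is a command token, not a number.
    std::vector<Obj> fuzzed = {{Type::Int, 1.0}, {Type::Int, 0.0}, {Type::Int, 0.0},
                               {Type::Cmd, 0.0}, {Type::Real, 0.0}, {Type::Real, 0.0}};
    Matrix m;
    bool ok = parseMatrix(fuzzed, m);
    std::printf("valid=%d m[0]=%g m[3]=%g\n", ok, m[0], m[3]);
    return 0;
}
```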