<html>
    <head>
      <base href="https://bugs.freedesktop.org/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Priority</th>
          <td>medium
          </td>
        </tr>

        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW --- - Crash when setting dash pattern"
   href="https://bugs.freedesktop.org/show_bug.cgi?id=62905">62905</a>
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>poppler-bugs@lists.freedesktop.org
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>Crash when setting dash pattern
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Classification</th>
          <td>Unclassified
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>mkasik@redhat.com
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>Other
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>unspecified
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>cairo backend
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>poppler
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Created <span class=""><a href="attachment.cgi?id=77209" name="attach_77209" title="pdf which crashes poppler">attachment 77209</a> <a href="attachment.cgi?id=77209&action=edit" title="pdf which crashes poppler">[details]</a></span>
pdf which crashes poppler

Attached PDF crashes poppler. It crashes because fillToStrokePathClip() tries
to to call cairo_set_dash() with non-zero "num_dashes" but with NULL "dashes".

The code of fillToStrokePathClip() relies on consistency of cairo's dash
pattern with the dash pattern stored in strokePathClip->dashes and length of
cairo's dash pattern with strokePathClip->dash_count.

But the attached PDF breaks this consistency, it makes poppler to call
fillToStrokePathClip() after change of cairo's dash pattern but without update
of strokePathClip->dashes.

There are 2 possible solutions for this:

1) don't update strokePathClip->dash_count just before cairo_set_dash() in
fillToStrokePathClip()
    - honour what we already have in strokePathClip->dash*

2) don't set dash pattern by cairo_set_dash() in fillToStrokePathClip() at all
    - honour what we already have in cairo



The PDF doesn't have correct xref and lengths of streams because it was edited
manually but this doesn't cause the crash.

This was originally reported here:
<a href="https://bugzilla.redhat.com/show_bug.cgi?id=928231">https://bugzilla.redhat.com/show_bug.cgi?id=928231</a> (contains link to the
original PDF)</pre>
        </div>
      </p>
      <hr>
      <span>You are receiving this mail because:</span>
      
      <ul>
          <li>You are the assignee for the bug.</li>
      </ul>
    </body>
</html>