<html> <head> <base href="https://bugs.freedesktop.org/" /> </head> <body><table border="1" cellspacing="0" cellpadding="8"> <tr> <th>Priority</th> <td>medium </td> </tr> <tr> <th>Bug ID</th> <td><a class="bz_bug_link bz_status_NEW " title="NEW --- - evince crashed with SIGSEGV in TextPool::addWord" href="https://bugs.freedesktop.org/show_bug.cgi?id=67296">67296</a> </td> </tr> <tr> <th>Assignee</th> <td>poppler-bugs@lists.freedesktop.org </td> </tr> <tr> <th>Summary</th> <td>evince crashed with SIGSEGV in TextPool::addWord </td> </tr> <tr> <th>Severity</th> <td>normal </td> </tr> <tr> <th>Classification</th> <td>Unclassified </td> </tr> <tr> <th>OS</th> <td>Linux (All) </td> </tr> <tr> <th>Reporter</th> <td>hoffmeister.pierre@web.de </td> </tr> <tr> <th>Hardware</th> <td>x86 (IA32) </td> </tr> <tr> <th>Status</th> <td>NEW </td> </tr> <tr> <th>Version</th> <td>unspecified </td> </tr> <tr> <th>Component</th> <td>general </td> </tr> <tr> <th>Product</th> <td>poppler </td> </tr></table> <p> <div> <pre>Created <span class=""><a href="attachment.cgi?id=82990" name="attach_82990" title="large mediabox pdf">attachment 82990</a> <a href="attachment.cgi?id=82990&action=edit" title="large mediabox pdf">[details]</a></span> large mediabox pdf evince crashes with attached pdf there is a problem handling a mediabox with values larger than int range. poppler/poppler/TextOutputDec.cc void TextPool::addWord(TextWord *word){ ... wordBaseIdx = (int)(word->base / textPoolStep); ... } that cast to int makes wordBaseIdx = INT_MIN a possible fix is: wordBaseIdx = ((word->base / textPoolStep) > INT_MAX ? (INT_MAX - 129) : ((int) (word->base / textPoolStep)) ); #0 0x00007fffded4f379 in primaryCmp (word=0xd048bbe420445220, this=0x7fffd805da60) at TextOutputDev.cc:477 #1 TextPool::addWord (this=0x7fffd80542a0, word=0x7fffd805da60) at TextOutputDev.cc:664 #2 0x00007fffded52766 in endWord (this=0x7fffd8054160) at TextOutputDev.cc:2415 #3 TextPage::endWord (this=0x7fffd8054160) at TextOutputDev.cc:2405 #4 0x00007fffdf3d4265 in CairoOutputDev::endPage (this=0x7fffd8048150) at CairoOutputDev.cc:262 #5 0x00007fffdecde40f in Gfx::~Gfx (this=0x7fffd8050600, __in_chrg=<optimized out>) at Gfx.cc:648 #6 0x00007fffded227b0 in Page::displaySlice (this=0x7fffd804eba0, out=out@entry=0x7fffd8048150, hDPI=hDPI@entry=72, vDPI=vDPI@entry=72, rotate=rotate@entry=0, useMediaBox=useMediaBox@entry=false, crop=crop@entry=true, sliceX=sliceX@entry=-1, sliceY=sliceY@entry=-1, sliceW=sliceW@entry=-1, sliceH=sliceH@entry=-1, printing=printing@entry=false, abortCheckCbk=abortCheckCbk@entry=0x0, abortCheckCbkData=abortCheckCbkData@entry=0x0, annotDisplayDecideCbk=0x0, annotDisplayDecideCbkData=annotDisplayDecideCbkData@entry=0x0, copyXRef=copyXRef@entry=false) at Page.cc:607 #7 0x00007fffdf3c9a5b in _poppler_page_render (page=0xa09b80, cairo=0xa205a0, printing=<optimized out>, print_flags=<optimized out>)at poppler-page.cc:362 #8 0x00007fffdf5f62c0 in pdf_page_render (page=page@entry=0xa09b80, width=569, height=569, rc=rc@entry=0x7fffd8001240) at ev-poppler.cc:412 #9 0x00007fffdf5f63f7 in pdf_document_render (document=<optimized out>, rc=0x7fffd8001240) at ev-poppler.cc:445 #10 0x00007ffff75536c8 in ev_job_render_run (job=0x7fffd8009e00) at ev-jobs.c:634 #11 0x00007ffff75548f2 in ev_job_thread (job=0x7fffd8009e00) at ev-job-scheduler.c:184 #12 ev_job_thread_proxy (data=<optimized out>) at ev-job-scheduler.c:217 #13 0x00007ffff57421f5 in g_thread_proxy (data=0x9ba230) at gthread.c:798 #14 0x00007ffff7322f8e in start_thread (arg=0x7fffdffff700) at pthread_create.c:311 #15 0x00007ffff5101e1d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113</pre> </div> </p> <hr> <span>You are receiving this mail because:</span> <ul> <li>You are the assignee for the bug.</li> </ul> </body> </html>