[Poppler-bugs] [Bug 6923] characters change when selecting text

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Sat Sep 1 08:10:29 PDT 2012


https://bugs.freedesktop.org/show_bug.cgi?id=6923

--- Comment #45 from Jason Crain <jason at aquaticape.us> 2012-09-01 15:10:29 UTC ---
Created attachment 66450
  --> https://bugs.freedesktop.org/attachment.cgi?id=66450
Check for NaN in TextPage::addChar

I don't think this is related to my earlier patch. For me, this pdf crashes
both with and without it.  This document is doing very strange things with the
current transformation matrix (CTM) and inline images.  Pages 6 and 15 are
filled with lines like this:

    q 18 0 0 -1 2782 6350 cm
    q BI
    <IMAGE DICT>
    ID <IMAGE DATA>
    EI Q
    q 19 0 0 -1 2782 6350 cm
    q BI
    <IMAGE DICT>
    ID <IMAGE DATA>
    EI Q

Note the unbalanced q/Q for saving/restoring the graphics state.  This means
that the graphics state is not ever being properly restored and the `cm'
operator is scaling the CTM until its components become NaN.  This leads to
TextWord::base being NaN.  This breaks calculations in TextPool::addWord,
causing wordBaseIdx to be INT_MIN, causing the text pool to not be initialized
to NULLs, which causes a crash when an invalid pointer is read and dereferenced
from the pool.

As a test, adding a call to restoreState() in Gfx::opBeginImage allows the page
to render properly and without crashing.  Otherwise, poppler either crashes or
places text in an invalid location.

The attached patch adds a check for NaN to TextPage::addChar and throws away
chars with invalid positions.
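
The failure chain described in the comment above, as an added example that is not part of the original comment or of poppler's code: it applies the first `cm` matrix shown on the page repeatedly without restoring the graphics state, reports when a CTM component first becomes NaN, and rejects glyph positions computed from that CTM. `Ctm`, `concat`, `concatsUntilNaN` and `positionIsValid` are hypothetical names, and the guard only assumes the same idea as the attached patch (discard NaN positions).

```cpp
#include <cmath>
#include <cstdio>

// Hypothetical stand-in for a PDF current transformation matrix [a b c d e f].
struct Ctm { double a, b, c, d, e, f; };

// Effect of the PDF `cm` operator: CTM' = M x CTM.
Ctm concat(const Ctm &m, const Ctm &t) {
    return { m.a * t.a + m.b * t.c,  m.a * t.b + m.b * t.d,
             m.c * t.a + m.d * t.c,  m.c * t.b + m.d * t.d,
             m.e * t.a + m.f * t.c + t.e,
             m.e * t.b + m.f * t.d + t.f };
}

bool hasNaN(const Ctm &t) {
    return std::isnan(t.a) || std::isnan(t.b) || std::isnan(t.c) ||
           std::isnan(t.d) || std::isnan(t.e) || std::isnan(t.f);
}

// Apply `m` up to `limit` times. balanced=true models a matching Q after each
// q/cm (CTM restored); balanced=false models the missing Q. Returns the count
// of cm operators after which a component is NaN, or -1 if that never happens.
int concatsUntilNaN(const Ctm &m, int limit, bool balanced, Ctm *last) {
    const Ctm identity = {1, 0, 0, 1, 0, 0};
    Ctm t = identity;
    for (int n = 1; n <= limit; ++n) {
        *last = t = concat(m, t);
        if (hasNaN(t)) return n;
        if (balanced) t = identity;
    }
    return -1;
}

// Guard in the spirit of the patch: drop a glyph whose device position is NaN
// before that position is converted to an integer index.
bool positionIsValid(const Ctm &t, double x, double y) {
    double dx = x * t.a + y * t.c + t.e;
    double dy = x * t.b + y * t.d + t.f;
    return !std::isnan(dx) && !std::isnan(dy);
}

int main() {
    const Ctm m = {18, 0, 0, -1, 2782, 6350};  // constructed from the page's first `cm` line
    Ctm last;
    int n = concatsUntilNaN(m, 1000, false, &last);
    std::printf("unbalanced: NaN after %d cm operators, glyph kept: %d\n",
                n, positionIsValid(last, 10, 10));
    std::printf("balanced:   %d\n", concatsUntilNaN(m, 1000, true, &last));
    return 0;
}
```

The NaN appears once the scale component overflows to infinity and is then multiplied by a zero entry of the next matrix; the check has to run before any float-to-int conversion, because converting NaN to `int` is undefined behaviour in C++.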
