[Poppler-bugs] [Bug 67296] New: evince crashed with SIGSEGV in TextPool::addWord

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Thu Jul 25 04:09:07 PDT 2013 

https://bugs.freedesktop.org/show_bug.cgi?id=67296

          Priority: medium
            Bug ID: 67296
          Assignee: poppler-bugs at lists.freedesktop.org
           Summary: evince crashed with SIGSEGV  in TextPool::addWord
          Severity: normal
    Classification: Unclassified
                OS: Linux (All)
          Reporter: hoffmeister.pierre at web.de
          Hardware: x86 (IA32)
            Status: NEW
           Version: unspecified
         Component: general
           Product: poppler

Created attachment 82990
  --> https://bugs.freedesktop.org/attachment.cgi?id=82990&action=edit
large mediabox pdf

evince crashes with attached pdf

there is a problem handling a mediabox with values larger than int range.

poppler/poppler/TextOutputDec.cc
void TextPool::addWord(TextWord *word){
...
wordBaseIdx = (int)(word->base / textPoolStep);
...
}

that cast to int makes wordBaseIdx = INT_MIN

a possible fix is:
wordBaseIdx = ((word->base / textPoolStep) > INT_MAX ? (INT_MAX - 129) : ((int)
(word->base / textPoolStep)) );

#0  0x00007fffded4f379 in primaryCmp (word=0xd048bbe420445220,
this=0x7fffd805da60) at TextOutputDev.cc:477
#1  TextPool::addWord (this=0x7fffd80542a0, word=0x7fffd805da60) at
TextOutputDev.cc:664
#2  0x00007fffded52766 in endWord (this=0x7fffd8054160) at
TextOutputDev.cc:2415
#3  TextPage::endWord (this=0x7fffd8054160) at TextOutputDev.cc:2405
#4  0x00007fffdf3d4265 in CairoOutputDev::endPage (this=0x7fffd8048150) at
CairoOutputDev.cc:262
#5  0x00007fffdecde40f in Gfx::~Gfx (this=0x7fffd8050600, __in_chrg=<optimized
out>) at Gfx.cc:648
#6  0x00007fffded227b0 in Page::displaySlice (this=0x7fffd804eba0,
out=out at entry=0x7fffd8048150, hDPI=hDPI at entry=72, vDPI=vDPI at entry=72,
rotate=rotate at entry=0, useMediaBox=useMediaBox at entry=false,
crop=crop at entry=true, sliceX=sliceX at entry=-1, sliceY=sliceY at entry=-1,
sliceW=sliceW at entry=-1, sliceH=sliceH at entry=-1, printing=printing at entry=false,
abortCheckCbk=abortCheckCbk at entry=0x0,
abortCheckCbkData=abortCheckCbkData at entry=0x0, annotDisplayDecideCbk=0x0,
annotDisplayDecideCbkData=annotDisplayDecideCbkData at entry=0x0,
copyXRef=copyXRef at entry=false) at Page.cc:607
#7  0x00007fffdf3c9a5b in _poppler_page_render (page=0xa09b80, cairo=0xa205a0,
printing=<optimized out>, print_flags=<optimized out>)at poppler-page.cc:362
#8  0x00007fffdf5f62c0 in pdf_page_render (page=page at entry=0xa09b80, width=569,
height=569, rc=rc at entry=0x7fffd8001240) at ev-poppler.cc:412
#9  0x00007fffdf5f63f7 in pdf_document_render (document=<optimized out>,
rc=0x7fffd8001240) at ev-poppler.cc:445
#10 0x00007ffff75536c8 in ev_job_render_run (job=0x7fffd8009e00) at
ev-jobs.c:634
#11 0x00007ffff75548f2 in ev_job_thread (job=0x7fffd8009e00) at
ev-job-scheduler.c:184
#12 ev_job_thread_proxy (data=<optimized out>) at ev-job-scheduler.c:217
#13 0x00007ffff57421f5 in g_thread_proxy (data=0x9ba230) at gthread.c:798
#14 0x00007ffff7322f8e in start_thread (arg=0x7fffdffff700) at
pthread_create.c:311
#15 0x00007ffff5101e1d in clone () at
../sysdeps/unix/sysv/linux/x86_64/clone.S:113

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freedesktop.org/archives/poppler-bugs/attachments/20130725/9fb7577b/attachment-0001.html>

More information about the Poppler-bugs mailing list