[Poppler-bugs] [Bug 97870] New: Crash when calling cmsGetColorSpace

bugzilla-daemon at freedesktop.org
Tue Sep 20 09:04:41 UTC 2016


https://bugs.freedesktop.org/show_bug.cgi?id=97870

            Bug ID: 97870
           Summary: Crash when calling cmsGetColorSpace
           Product: poppler
           Version: unspecified
          Hardware: Other
                OS: All
            Status: NEW
          Severity: normal
          Priority: medium
         Component: general
          Assignee: poppler-bugs at lists.freedesktop.org
          Reporter: mkasik at redhat.com

Created attachment 126644
  --> https://bugs.freedesktop.org/attachment.cgi?id=126644&action=edit
reproducer

Evince sometimes crashes in cmsGetColorSpace() because it gets NULL as an
argument. I was able to reproduce this with the attached file. The crash
happens only in evince's recent view mode so the file has to be opened before
that.

Steps to reproduce:
1) run "evince postscript_un_linguaggio_per_la_composizione_finale.pdf"
2) close evince
3) run evince

Backtrace:
#0  0x00007fffe007c210 in cmsGetColorSpace (hProfile=0x0) at cmsio0.c:952
#1  0x00007fffc98b69be in GfxICCBasedColorSpace::parse(Array*, OutputDev*,
GfxState*, int) (arr=0x7fffb82255b0, out=0x0, state=0x0, recursion=1) at
GfxState.cc:2055
#2  0x00007fffc98b0506 in GfxColorSpace::parse(GfxResources*, Object*,
OutputDev*, GfxState*, int) (res=0x0, csObj=0x7fffca7fb7a0, out=0x0, state=0x0,
recursion=1) at GfxState.cc:406
#3  0x00007fffc98b906f in GfxIndexedColorSpace::parse(GfxResources*, Array*,
OutputDev*, GfxState*, int) (res=0x0, arr=0x7fffb81ebea0, out=0x0, state=0x0,
recursion=0) at GfxState.cc:2590
#4  0x00007fffc98b0588 in GfxColorSpace::parse(GfxResources*, Object*,
OutputDev*, GfxState*, int) (res=0x0, csObj=0x7fffca7fb990, out=0x0, state=0x0,
recursion=0) at GfxState.cc:408
#5  0x00007fffc98f2042 in Page::loadThumb(unsigned char**, int*, int*, int*)
(this=0x7fffb80625f0, data_out=0x7fffca7fba58, width_out=0x7fffca7fba54,
height_out=0x7fffca7fba50, rowstride_out=0x7fffca7fba4c) at Page.cc:691
#6  0x00007fffe02f85b0 in poppler_page_get_thumbnail(PopplerPage*)
(page=0x7fffb8060040) at poppler-page.cc:491
#7  0x00007fffe05450bf in pdf_document_get_thumbnail_surface(EvDocument*,
EvRenderContext*) (document=0x7fffd8003730, rc=0xc61940) at ev-poppler.cc:538
#8  0x00007ffff7bacced in ev_document_get_thumbnail_surface
(document=0x7fffd8003730, rc=0xc61940) at ev-document.c:777
#9  0x00007ffff7948889 in ev_job_thumbnail_run (job=0xe58980) at ev-jobs.c:885
#10 0x00007ffff79468f4 in ev_job_run (job=0xe58980) at ev-jobs.c:216
#11 0x00007ffff794b92b in ev_job_thread (job=0xe58980) at
ev-job-scheduler.c:184
#12 0x00007ffff794ba17 in ev_job_thread_proxy (data=0x0) at
ev-job-scheduler.c:217
#13 0x00007ffff4238ae3 in g_thread_proxy () at /usr/lib64/libglib-2.0.so.0
#14 0x00007ffff3a916ca in start_thread (arg=0x7fffca7fc700) at
pthread_create.c:333
#15 0x00007ffff37cbf6f in clone () at
../sysdeps/unix/sysv/linux/x86_64/clone.S:105


Here are downstream reports for this crash:
https://retrace.fedoraproject.org/faf/reports/1219994/
https://bugzilla.redhat.com/show_bug.cgi?id=1363669
https://bugzilla.redhat.com/show_bug.cgi?id=1293445
https://retrace.fedoraproject.org/faf/reports/896435/
