Bug 120310 - KPDF crashes as underlying xpdf cannot load pdf properly
Summary: KPDF crashes as underlying xpdf cannot load pdf properly
Status: RESOLVED FIXED
Alias: None
Product: kpdf
Classification: Applications
Component: general
Version: 0.5
Platform: Gentoo Packages Linux
Importance: NOR crash
Target Milestone: ---
Assignee: Albert Astals Cid
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2006-01-17 14:57 UTC by Thomas Fischer
Modified: 2006-01-17 21:02 UTC

See Also:
Latest Commit:
Version Fixed In:


Description Thomas Fischer 2006-01-17 14:57:59 UTC
Version:           0.5 (using KDE KDE 3.5.0)
Installed from:    Gentoo Packages
Compiler:          gcc 3.4.4 
OS:                Linux

KPDF crashes both as standalone and embedded into Konqueror when opening http://www4.wiwi.uni-karlsruhe.de/ORTage/flyer.pdf
Backtrace is not very informative:

(no debugging symbols found)
Using host libthread_db library "/lib/libthread_db.so.1".
(no debugging symbols found)
`system-supplied DSO at 0xffffe000' has disappeared; keeping its symbols.
(no debugging symbols found)
<< cut >>
(no debugging symbols found)
[Thread debugging using libthread_db enabled]
[New Thread 16384 (LWP 9250)]
[New Thread 32769 (LWP 9251)]
[New Thread 16386 (LWP 9252)]
0xb6c5e80b in waitpid () from /lib/libpthread.so.0
#0  0xb6c5e80b in waitpid () from /lib/libpthread.so.0
#1  0xb79252fc in ?? () from /usr/kde/3.4/lib/libkdecore.so.4
#2  0x00000000 in ?? ()

The file can be opened and viewed without problems with kghostview. Converting the pdf file to postscript using pdftops (from xpdf) brings a large number of lines with this content:
Error: Illegal entry in bfchar block in ToUnicode CMap

So, even if the pdf file is broken and xpdf cannot render it, kpdf should not crash in this case. The same problem can be reproduced on Gentoo Linux systems with a stable KDE 3.4 and an unstable KDE 3.5 (kpdf 0.4.3 and 0.5).
Comment 1 Tommi Tervo 2006-01-17 16:17:26 UTC
Program received signal SIGSEGV, Segmentation fault.
SplashPath::offset (this=0x0, dx=0, dy=1130.1678867440774) at SplashPath.cc:165
165       for (i = 0; i < length; ++i) {
(gdb) bt
#0  SplashPath::offset (this=0x0, dx=0, dy=1130.1678867440774)
    at SplashPath.cc:165
#1  0xb698be1f in SplashOutputDev::drawChar (this=0x80912d8, state=0x825e3d0,
    x=0.98360999999999998, y=0.70146979030000012, originX=0, originY=0,
    code=70) at SplashOutputDev.cc:1363
#2  0xb693dcb8 in Gfx::doShowText (this=0x828f110, s=0x826c918) at Gfx.cc:2788
#3  0xb693eafa in Gfx::opShowText (this=0x828f110, args=0x0) at Gfx.cc:2576
#4  0xb693a80d in Gfx::execOp (this=0x828f110, cmd=0x0, args=0xb66040a0,
    numArgs=<value optimized out>) at Gfx.cc:676
#5  0xb693aa9d in Gfx::go (this=0x828f110, topLevel=1) at Gfx.cc:567
#6  0xb693b563 in Gfx::display (this=0x828f110, obj=0xb66041e4, topLevel=1)
    at Gfx.cc:539
#7  0xb697b206 in Page::displaySlice (this=0x8181e20, out=0x80912d8,
    hDPI=97.621070237028349, vDPI=97.523968000416005, rotate=0, useMediaBox=0,
    crop=0, sliceX=-1, sliceY=-1, sliceW=-1, sliceH=-1, links=0x8089310,
    catalog=0x8238c88, abortCheckCbk=0, abortCheckCbkData=0x0) at Page.cc:421
#8  0xb697b644 in Page::display (this=0x8181e20, out=0x80912d8,
    hDPI=97.621070237028349, vDPI=97.523968000416005, rotate=0, useMediaBox=0,
    crop=1, links=0x8089310, catalog=0x8238c88, abortCheckCbk=0,
    abortCheckCbkData=0x0) at Page.cc:327
#9  0xb6978236 in PDFDoc::displayPage (this=0x8269538, out=0x80912d8, page=2,
Comment 2 Albert Astals Cid 2006-01-17 21:02:30 UTC
SVN commit 499428 by aacid:

Fix for 120310
The check that was checking the length of some strings was not taking into account \n or \r that can be there
BUGS: 120310


 M  +27 -4     CharCodeToUnicode.cc   [POSSIBLY UNSAFE: scanf]


--- branches/KDE/3.5/kdegraphics/kpdf/xpdf/xpdf/CharCodeToUnicode.cc #499427:499428
@@ -243,8 +243,18 @@
 	}
 	if (!(n1 == 2 + nDigits && tok1[0] == '<' && tok1[n1 - 1] == '>' &&
 	      tok2[0] == '<' && tok2[n2 - 1] == '>')) {
-	  error(-1, "Illegal entry in bfchar block in ToUnicode CMap");
-	  continue;
+	  
+	  // check there was no line jump inside the token and so the length is 
+	  // longer than it should be
+	  int countAux = 0;
+	  for (int k = 0; k < n1; k++)
+	    if (tok1[k] != '\n' && tok1[k] != '\r') countAux++;
+	
+	  if (!(countAux == 2 + nDigits && tok1[0] == '<' && tok1[n1 - 1] == '>' &&
+	      tok2[0] == '<' && tok2[n2 - 1] == '>')) {
+	    error(-1, "Illegal entry in bfchar block in ToUnicode CMap");
+	    continue;
+	  }
 	}
 	tok1[n1 - 1] = tok2[n2 - 1] = '\0';
 	if (sscanf(tok1 + 1, "%x", &code1) != 1) {
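Review bot: the retry check accepts a token with a line break inside it, but the token then goes to sscanf unchanged (`tok1[n1 - 1] = tok2[n2 - 1] = '\0';` followed by `if (sscanf(tok1 + 1, "%x", &code1) != 1)`), and "%x" stops at the first character that is not a hex digit, so a source code written as `<00\n41>` now passes the length check yet is parsed as 0 instead of 0x41 and a wrong mapping is stored without any error. Either compact the '\n'/'\r' out of tok1 (and tok2) before the sscanf, or reject an entry whose line break falls between hex digits. Two smaller points: only '\n' and '\r' are skipped, so if the tokenizer can leave any other whitespace inside a '<...>' token that entry is still rejected with the same error; and the corrected condition repeats the original one verbatim, so a small helper returning the count of non-CR/LF characters would let the check be written once for both the bfchar and bfrange cases.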
@@ -268,8 +278,21 @@
 	}
 	if (!(n1 == 2 + nDigits && tok1[0] == '<' && tok1[n1 - 1] == '>' &&
 	      n2 == 2 + nDigits && tok2[0] == '<' && tok2[n2 - 1] == '>')) {
-	  error(-1, "Illegal entry in bfrange block in ToUnicode CMap");
-	  continue;
+	  // check there was no line jump inside the token and so the length is 
+	  // longer than it should be
+	  int countAux = 0;
+	  for (int k = 0; k < n1; k++)
+	    if (tok1[k] != '\n' && tok1[k] != '\r') countAux++;
+	  
+	  int countAux2 = 0;
+	  for (int k = 0; k < n1; k++)
+	    if (tok2[k] != '\n' && tok2[k] != '\r') countAux++;
+	  
+	  if (!(countAux == 2 + nDigits && tok1[0] == '<' && tok1[n1 - 1] == '>' &&
+	      countAux2 == 2 + nDigits && tok2[0] == '<' && tok2[n2 - 1] == '>')) {
+	    error(-1, "Illegal entry in bfrange block in ToUnicode CMap");
+	    continue;
+	  }
 	}
 	tok1[n1 - 1] = tok2[n2 - 1] = '\0';
 	if (sscanf(tok1 + 1, "%x", &code1) != 1 ||
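Review bot: the second counting loop is wrong: `for (int k = 0; k < n1; k++)` walks tok2 with tok1's length n1, and the body `if (tok2[k] != '\n' && tok2[k] != '\r') countAux++;` bumps countAux instead of countAux2. countAux2 therefore stays 0, `countAux2 == 2 + nDigits` can never hold, and every bfrange entry that reaches this branch is still rejected exactly as before the patch, while countAux is inflated by tok2's characters. It should read `for (int k = 0; k < n2; k++) if (tok2[k] != '\n' && tok2[k] != '\r') countAux2++;`. Indexing tok2 up to n1 also reads past tok2's terminator whenever n2 < n1. The same sscanf caveat as in the bfchar hunk applies here: the line break stays in the buffer handed to `sscanf(tok1 + 1, "%x", &code1)`, so an accepted token can still be parsed short.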
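The following is an added example written for this page; it is not code from kpdf, xpdf or this bug report. It models the patched bfchar check on one "<hex>" source-code token as a PostScript-style tokenizer might return it, with a line break left inside the angle brackets, and puts the patch's approach (count non-CR/LF characters, then sscanf("%x") on the raw bytes) beside a version that compacts the hex digits before converting. The function names, the assumption that the token arrives as a NUL-terminated string, and the reading of nDigits as "number of hex digits a source code must have" are this example's own.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added example, not xpdf/kpdf code. A "token" here is the text between
 * and including the '<' and '>' of a bfchar source code, possibly with a
 * line break inside it. nDigits is assumed to be the number of hex digits
 * the source code must have (as in the patched CharCodeToUnicode.cc).
 */

/* The length check the patch introduces: characters of tok that are
 * neither '\n' nor '\r'. */
int count_non_newline(const char *tok, int n)
{
    int count = 0;
    for (int k = 0; k < n; k++)
        if (tok[k] != '\n' && tok[k] != '\r')
            count++;
    return count;
}

/* What the patched code does once its check passes: overwrite the
 * closing '>' with NUL and hand the raw bytes to sscanf("%x").
 * Returns the value sscanf produces, or -1 if it finds no hex digits. */
long parse_raw_sscanf(const char *tok)
{
    char buf[64];
    unsigned int code;
    size_t n = strlen(tok);

    if (n < 2 || n >= sizeof buf || tok[0] != '<' || tok[n - 1] != '>')
        return -1;
    memcpy(buf, tok, n);
    buf[n - 1] = '\0';                 /* '>' -> NUL, as in the patch */
    if (sscanf(buf + 1, "%x", &code) != 1)
        return -1;
    return (long)code;                 /* "%x" stops at the first '\n' */
}

/* Hardened version: same length check, then drop CR/LF, verify that
 * exactly nDigits hex digits remain, and convert those. Returns the
 * code, or -1 if the token is malformed. */
long parse_hex_token(const char *tok, int nDigits)
{
    char digits[9];                    /* at most 8 hex digits: 32-bit code */
    int n = (int)strlen(tok), d = 0;

    if (nDigits < 1 || nDigits > 8)
        return -1;
    if (n < 2 || tok[0] != '<' || tok[n - 1] != '>')
        return -1;
    if (count_non_newline(tok, n) != 2 + nDigits)
        return -1;
    for (int k = 1; k < n - 1; k++) {
        if (tok[k] == '\n' || tok[k] == '\r')
            continue;                  /* line break inside the token */
        if (!isxdigit((unsigned char)tok[k]) || d >= nDigits)
            return -1;
        digits[d++] = tok[k];
    }
    digits[d] = '\0';
    if (d != nDigits)
        return -1;
    return (long)strtoul(digits, NULL, 16);
}

int main(void)
{
    /* Constructed tokens; none are taken from the flyer.pdf in the report. */
    const char *tokens[] = { "<0041>", "<00\n41>", "<00\r\n41>", "<00G1>" };
    for (size_t i = 0; i < sizeof tokens / sizeof tokens[0]; i++)
        printf("token %zu: non-newline length=%d raw sscanf=%ld compacted=%ld\n",
               i, count_non_newline(tokens[i], (int)strlen(tokens[i])),
               parse_raw_sscanf(tokens[i]), parse_hex_token(tokens[i], 4));
    return 0;
}
```

The token `<00\n41>` passes the patch's length check (six non-newline characters for nDigits = 4) but the raw sscanf path yields 0 because "%x" stops at the newline, while the compacting path yields 0x41; a token with a non-hex character such as `<00G1>` is rejected by the compacting path and silently parsed as 0 by the raw one.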