| Summary: | KPDF crashes as underlying xpdf cannot load pdf properly | ||
|---|---|---|---|
| Product: | [Unmaintained] kpdf | Reporter: | Thomas Fischer <fischer> |
| Component: | general | Assignee: | Albert Astals Cid <aacid> |
| Status: | RESOLVED FIXED | ||
| Severity: | crash | ||
| Priority: | NOR | ||
| Version First Reported In: | 0.5 | ||
| Target Milestone: | --- | ||
| Platform: | Gentoo Packages | ||
| OS: | Linux | ||
| Latest Commit: | Version Fixed In: | ||
| Sentry Crash Report: | |||
Description
Thomas Fischer
2006-01-17 14:57:59 UTC
Program received signal SIGSEGV, Segmentation fault.
SplashPath::offset (this=0x0, dx=0, dy=1130.1678867440774) at SplashPath.cc:165
165 for (i = 0; i < length; ++i) {
(gdb) bt
#0 SplashPath::offset (this=0x0, dx=0, dy=1130.1678867440774)
at SplashPath.cc:165
#1 0xb698be1f in SplashOutputDev::drawChar (this=0x80912d8, state=0x825e3d0,
x=0.98360999999999998, y=0.70146979030000012, originX=0, originY=0,
code=70) at SplashOutputDev.cc:1363
#2 0xb693dcb8 in Gfx::doShowText (this=0x828f110, s=0x826c918) at Gfx.cc:2788
#3 0xb693eafa in Gfx::opShowText (this=0x828f110, args=0x0) at Gfx.cc:2576
#4 0xb693a80d in Gfx::execOp (this=0x828f110, cmd=0x0, args=0xb66040a0,
numArgs=<value optimized out>) at Gfx.cc:676
#5 0xb693aa9d in Gfx::go (this=0x828f110, topLevel=1) at Gfx.cc:567
#6 0xb693b563 in Gfx::display (this=0x828f110, obj=0xb66041e4, topLevel=1)
at Gfx.cc:539
#7 0xb697b206 in Page::displaySlice (this=0x8181e20, out=0x80912d8,
hDPI=97.621070237028349, vDPI=97.523968000416005, rotate=0, useMediaBox=0,
crop=0, sliceX=-1, sliceY=-1, sliceW=-1, sliceH=-1, links=0x8089310,
catalog=0x8238c88, abortCheckCbk=0, abortCheckCbkData=0x0) at Page.cc:421
#8 0xb697b644 in Page::display (this=0x8181e20, out=0x80912d8,
hDPI=97.621070237028349, vDPI=97.523968000416005, rotate=0, useMediaBox=0,
crop=1, links=0x8089310, catalog=0x8238c88, abortCheckCbk=0,
abortCheckCbkData=0x0) at Page.cc:327
#9 0xb6978236 in PDFDoc::displayPage (this=0x8269538, out=0x80912d8, page=2,
SVN commit 499428 by aacid:
Fix for 120310
The check on the length of some strings did not take into account the \n or \r that can be there
BUGS: 120310
M +27 -4 CharCodeToUnicode.cc [POSSIBLY UNSAFE: scanf]
--- branches/KDE/3.5/kdegraphics/kpdf/xpdf/xpdf/CharCodeToUnicode.cc #499427:499428
@@ -243,8 +243,18 @@
}
if (!(n1 == 2 + nDigits && tok1[0] == '<' && tok1[n1 - 1] == '>' &&
tok2[0] == '<' && tok2[n2 - 1] == '>')) {
- error(-1, "Illegal entry in bfchar block in ToUnicode CMap");
- continue;
+
+ // check there was no line jump inside the token and so the length is
+ // longer than it should be
+ int countAux = 0;
+ for (int k = 0; k < n1; k++)
+ if (tok1[k] != '\n' && tok1[k] != '\r') countAux++;
+
+ if (!(countAux == 2 + nDigits && tok1[0] == '<' && tok1[n1 - 1] == '>' &&
+ tok2[0] == '<' && tok2[n2 - 1] == '>')) {
+ error(-1, "Illegal entry in bfchar block in ToUnicode CMap");
+ continue;
+ }
}
tok1[n1 - 1] = tok2[n2 - 1] = '\0';
if (sscanf(tok1 + 1, "%x", &code1) != 1) {
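Review bot: The relaxed bfchar check accepts a `tok1` that contains `\r` or `\n`, but the `sscanf(tok1 + 1, "%x", &code1)` right after the block still parses the unmodified buffer. `%x` stops at the first character that is not a hex digit, so a token with a line break in the middle of its digits is accepted and then yields only the digits before the break as `code1`. Counting the other characters is not enough; the line-break bytes should be removed before the token is validated and parsed, for example by compacting in place with `if (tok1[k] != '\n' && tok1[k] != '\r') tok1[w++] = tok1[k];` followed by `tok1[w] = '\0'; n1 = w;`. The bfrange hunk below has the same gap for both tokens. The enclosing function starts and ends outside the hunk, so the declaration and size of `tok1` are not visible here.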
@@ -268,8 +278,21 @@
}
if (!(n1 == 2 + nDigits && tok1[0] == '<' && tok1[n1 - 1] == '>' &&
n2 == 2 + nDigits && tok2[0] == '<' && tok2[n2 - 1] == '>')) {
- error(-1, "Illegal entry in bfrange block in ToUnicode CMap");
- continue;
+ // check there was no line jump inside the token and so the length is
+ // longer than it should be
+ int countAux = 0;
+ for (int k = 0; k < n1; k++)
+ if (tok1[k] != '\n' && tok1[k] != '\r') countAux++;
+
+ int countAux2 = 0;
+ for (int k = 0; k < n1; k++)
+ if (tok2[k] != '\n' && tok2[k] != '\r') countAux++;
+
+ if (!(countAux == 2 + nDigits && tok1[0] == '<' && tok1[n1 - 1] == '>' &&
+ countAux2 == 2 + nDigits && tok2[0] == '<' && tok2[n2 - 1] == '>')) {
+ error(-1, "Illegal entry in bfrange block in ToUnicode CMap");
+ continue;
+ }
}
tok1[n1 - 1] = tok2[n2 - 1] = '\0';
if (sscanf(tok1 + 1, "%x", &code1) != 1 ||
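Review bot: The second counting loop in the bfrange block never updates `countAux2`: it runs to `n1` while reading `tok2` and increments `countAux`, so `countAux2` stays 0 and `countAux` is inflated. With any positive `nDigits` the relaxed test therefore cannot pass, and a bfrange entry containing a line break is still rejected, so the fix has no effect for this block. Reading `tok2[k]` up to `n1` also walks past the end of the second token whenever `n1 > n2`; whether that stays inside the buffer depends on a declaration outside the hunk. The loop should read `for (int k = 0; k < n2; k++)` with `if (tok2[k] != '\n' && tok2[k] != '\r') countAux2++;`.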