Bug 158387

Summary: KPDF falls down when trying to open a specific pdf document
Product: [Unmaintained] kpdf Reporter: Ladislav Nesnera <nesnera>
Component: general    Assignee: Albert Astals Cid <aacid>
Status: RESOLVED FIXED    
Severity: normal    
Priority: NOR    
Version: 0.5.7   
Target Milestone: ---   
Platform: unspecified   
OS: Linux   
Latest Commit: Version Fixed In:
Sentry Crash Report:

Description Ladislav Nesnera 2008-02-25 11:02:05 UTC
Version:           0.5.7 (using 3.5.7 "release 72.6" , openSUSE 10.3)
Compiler:          Target: x86_64-suse-linux
OS:                Linux (x86_64) release 2.6.22.17-0.1-default

I tried to open a pdf which has no problem under Win XP and Acrobat Reader. KPDF crashes :-(
log:
Kontrola nastavení systému při startu vypnuta.

(no debugging symbols found)
Using host libthread_db library "/lib64/libthread_db.so.1".
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
[Thread debugging using libthread_db enabled]
[New Thread 0x2afacf2f0340 (LWP 5942)]
[New Thread 0x40800950 (LWP 5943)]
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
0x00002afacac19088 in ?? () from /lib64/libc.so.6
#0  0x00002afacac19088 in ?? () from /lib64/libc.so.6
#1  0x00002afacabbbf5e in ?? () from /lib64/libc.so.6
#2  0x00002afacabb8f6b in free () from /lib64/libc.so.6
#3  0x00002afaca3c1698 in QGList::take () from /usr/lib/qt3/lib64/libqt-mt.so.3
#4  0x00002afaca0f0b4a in QEventLoop::activateTimers ()
   from /usr/lib/qt3/lib64/libqt-mt.so.3
#5  0x00002afaca0b09e5 in QEventLoop::processEvents ()
   from /usr/lib/qt3/lib64/libqt-mt.so.3
#6  0x00002afaca10ef83 in QEventLoop::enterLoop ()
   from /usr/lib/qt3/lib64/libqt-mt.so.3
#7  0x00002afaca10ee32 in QEventLoop::exec ()
   from /usr/lib/qt3/lib64/libqt-mt.so.3
#8  0x000000000040a53f in QWidget::setUpdatesEnabled ()
#9  0x00002afacab66b54 in __libc_start_main () from /lib64/libc.so.6
#10 0x0000000000409059 in QWidget::setUpdatesEnabled ()
#11 0x00007fffe2150e08 in ?? ()
#12 0x0000000000000000 in ?? ()
Comment 1 Ladislav Nesnera 2008-02-25 11:05:26 UTC
Is there some way to upload problematic file?
Comment 2 Pino Toscano 2008-02-25 11:17:20 UTC
Yes, add a new attachment to the bug report (how big is the document?)

Also, please provide a more useful backtrace, as explained in http://techbase.kde.org/index.php?title=Development/Tutorials/Debugging/How_to_create_useful_crash_reports

Possibly, trying a newer KPDF version would be also a good thing...
Comment 3 Ladislav Nesnera 2008-02-26 12:33:49 UTC
Problematic pdf is available at http://nesnera.webgarden.cz/file/6868759
Comment 4 Pino Toscano 2008-02-26 12:47:46 UTC
Can confirm the crash with KPDF 0.5.8 (KDE 3.5.8):

Using host libthread_db library "/lib/libthread_db.so.1".
[Thread debugging using libthread_db enabled]
[New Thread 0x2b5f0d007420 (LWP 20580)]
[KCrash handler]
#5  0x00002b5f06f12d3d in _int_free () from /lib/libc.so.6
#6  0x00002b5f06f16bbc in free () from /lib/libc.so.6
#7  0x00002b5f0da0236b in Object::free (this=0x7fffa4823700)
    at /build/buildd/kdegraphics-3.5.8/./kpdf/xpdf/xpdf/Object.cc:129
#8  0x00002b5f0da66ddb in Gfx::opSetExtGState (this=0x919d50, 
    args=<value optimized out>)
    at /build/buildd/kdegraphics-3.5.8/./kpdf/xpdf/xpdf/Gfx.cc:979
#9  0x00002b5f0da58d85 in Gfx::go (this=0x919d50, topLevel=0)
    at /build/buildd/kdegraphics-3.5.8/./kpdf/xpdf/xpdf/Gfx.cc:581
#10 0x00002b5f0da590dc in Gfx::display (this=0x919d50, obj=0x7fffa4823c80, 
    topLevel=0) at /build/buildd/kdegraphics-3.5.8/./kpdf/xpdf/xpdf/Gfx.cc:553
#11 0x00002b5f0da63aac in Gfx::doForm1 (this=0x919d50, str=0x7fffa4823c80, 
    resDict=<value optimized out>, matrix=<value optimized out>, 
    bbox=0x7fffa4823b90, transpGroup=1, softMask=0, 
    blendingColorSpace=0x9a71d0, isolated=0, knockout=0, alpha=0, 
    transferFunc=0x0, backdropColor=0x0)
    at /build/buildd/kdegraphics-3.5.8/./kpdf/xpdf/xpdf/Gfx.cc:3841
#12 0x00002b5f0da64c85 in Gfx::doForm (this=0x919d50, str=0x7fffa4823c80)
    at /build/buildd/kdegraphics-3.5.8/./kpdf/xpdf/xpdf/Gfx.cc:3769
#13 0x00002b5f0da64e55 in Gfx::opXObject (this=0x919d50, 
    args=<value optimized out>)
    at /build/buildd/kdegraphics-3.5.8/./kpdf/xpdf/xpdf/Gfx.cc:3338
#14 0x00002b5f0da58d85 in Gfx::go (this=0x919d50, topLevel=1)
    at /build/buildd/kdegraphics-3.5.8/./kpdf/xpdf/xpdf/Gfx.cc:581
#15 0x00002b5f0da590dc in Gfx::display (this=0x919d50, obj=0x7fffa4824000, 
    topLevel=1) at /build/buildd/kdegraphics-3.5.8/./kpdf/xpdf/xpdf/Gfx.cc:553
#16 0x00002b5f0da6d52a in Page::displaySlice (this=0x985340, out=0x987e30, 
    hDPI=137.28927469697166, vDPI=137.26133909287256, rotate=0, 
    useMediaBox=<value optimized out>, crop=0, sliceX=<value optimized out>, 
    sliceY=-1, sliceW=-1, sliceH=-1, printing=0, catalog=0x985290, 
    abortCheckCbk=0, abortCheckCbkData=0x0)
    at /build/buildd/kdegraphics-3.5.8/./kpdf/xpdf/xpdf/Page.cc:434
#17 0x00002b5f0da6e0a9 in Page::display (this=0x2b5f071f89c0, out=0xa19230, 
    hDPI=0, vDPI=0, rotate=0, useMediaBox=1, crop=10588720, 
    printing=<value optimized out>, catalog=0x985290, abortCheckCbk=0, 
    abortCheckCbkData=0x0)
    at /build/buildd/kdegraphics-3.5.8/./kpdf/xpdf/xpdf/Page.cc:383
#18 0x00002b5f0dabcf26 in PDFGenerator::generatePixmap (this=0x985bc0, 
    request=0x9921c0)
    at /build/buildd/kdegraphics-3.5.8/./kpdf/core/generator_pdf/generator_pdf.cpp:319
#19 0x00002b5f0dab4e5a in KPDFDocument::sendGeneratorRequest (this=0x75b600)
    at /build/buildd/kdegraphics-3.5.8/./kpdf/core/document.cpp:1169
#20 0x00002b5f0dab540f in KPDFDocument::requestPixmaps (this=0x75b600, 
    requests=@0x75b658)
    at /build/buildd/kdegraphics-3.5.8/./kpdf/core/document.cpp:504
#21 0x00002b5f0dacbf4b in PageView::slotRequestVisiblePixmaps (this=0x825050, 
    newLeft=<value optimized out>, newTop=<value optimized out>)
    at /build/buildd/kdegraphics-3.5.8/./kpdf/ui/pageview.cpp:1927
#22 0x00002b5f0daccadc in PageView::slotRelayoutPages (this=0x825050)
    at /build/buildd/kdegraphics-3.5.8/./kpdf/ui/pageview.cpp:1817
#23 0x00002b5f0dad7728 in PageView::qt_invoke (this=0x825050, _id=64, 
    _o=0x7fffa4824570) at ./pageview.moc:193
#24 0x00002b5f086b5186 in QObject::activate_signal (this=0x828400, 
    clist=0x751ba0, o=0x7fffa4824570) at kernel/qobject.cpp:2356
#25 0x00002b5f08a2ce05 in QSignal::signal (this=0x828400, t0=@0x828450)
    at .moc/debug-shared-mt/moc_qsignal.cpp:100
#26 0x00002b5f086d33c7 in QSignal::activate (this=0x828400)
    at kernel/qsignal.cpp:212
#27 0x00002b5f086dac0c in QSingleShotTimer::event (this=0x8283b0)
    at kernel/qtimer.cpp:286
#28 0x00002b5f0864d3aa in QApplication::internalNotify (this=0x7fffa4824e40, 
    receiver=0x8283b0, e=0x7fffa4824a60) at kernel/qapplication.cpp:2635
#29 0x00002b5f0864f158 in QApplication::notify (this=0x7fffa4824e40, 
    receiver=0x8283b0, e=0x7fffa4824a60) at kernel/qapplication.cpp:2358
#30 0x00002b5f07fafaad in KApplication::notify (this=0x7fffa4824e40, 
    receiver=0x8283b0, event=0x7fffa4824a60)
    at /tmp/buildd/kdelibs-3.5.8.dfsg.1/./kdecore/kapplication.cpp:550
#31 0x00002b5f085deabe in QApplication::sendEvent (receiver=0x8283b0, 
    event=0x7fffa4824a60) at ../include/qapplication.h:520
#32 0x00002b5f08640b04 in QEventLoop::activateTimers (this=0x6536f0)
    at kernel/qeventloop_unix.cpp:556
#33 0x00002b5f085f3185 in QEventLoop::processEvents (this=0x6536f0, flags=4)
    at kernel/qeventloop_x11.cpp:389
#34 0x00002b5f08667673 in QEventLoop::enterLoop (this=0x6536f0)
    at kernel/qeventloop.cpp:198
#35 0x00002b5f0866735f in QEventLoop::exec (this=0x6536f0)
    at kernel/qeventloop.cpp:145
#36 0x00002b5f0864ee8c in QApplication::exec (this=0x7fffa4824e40)
    at kernel/qapplication.cpp:2758
#37 0x000000000040a3ec in main (argc=<value optimized out>, argv=0x6fc8b0)
    at /build/buildd/kdegraphics-3.5.8/./kpdf/shell/main.cpp:79
#38 0x00002b5f06ebd1c4 in __libc_start_main () from /lib/libc.so.6
#39 0x0000000000408f59 in _start ()
Comment 5 Pino Toscano 2008-02-26 12:49:05 UTC
... but I can confirm also that with KPDF 0.5.9 (KDE 3.5.9) it works (no crashes).
Comment 6 Albert Astals Cid 2008-02-26 19:36:35 UTC
0.5.9 does not crash here either, but I can see a wrong write with valgrind

==11116== Invalid read of size 1
==11116==    at 0xDFCF02E: SplashXPathScanner::clipAALine(SplashBitmap*, int*, int*, int) (SplashXPathScanner.cc:424)
==11116==    by 0xDFC1BBB: SplashClip::clipAALine(SplashBitmap*, int*, int*, int) (SplashClip.cc:380)
==11116==    by 0xDFC0C21: Splash::drawAAPixel(SplashPipe*, int, int) (Splash.cc:640)
==11116==    by 0xDFBB9C6: Splash::drawImage(int (*)(void*, unsigned char*, unsigned char*), void*, SplashColorMode, int, int, int, double*) (Splash.cc:2680)
==11116==    by 0xDF6165D: SplashOutputDev::drawSoftMaskedImage(GfxState*, Object*, Stream*, int, int, GfxImageColorMap*, Stream*, int, int, GfxImageColorMap*) (SplashOutputDev.cc:2422)
==11116==    by 0xDEF2DDE: Gfx::doImage(Object*, Stream*, int) (Gfx.cc:3656)
==11116==    by 0xDEFE3EC: Gfx::opXObject(Object*, int) (Gfx.cc:3330)
==11116==    by 0xDEFAF37: Gfx::execOp(Object*, Object*, int) (Gfx.cc:690)
==11116==    by 0xDEFB0AC: Gfx::go(int) (Gfx.cc:581)
==11116==    by 0xDEFB4EE: Gfx::display(Object*, int) (Gfx.cc:553)
==11116==    by 0xDEFCD30: Gfx::doForm1(Object*, Dict*, double*, double*, int, int, GfxColorSpace*, int, int, int, Function*, GfxColor*) (Gfx.cc:3841)
==11116==    by 0xDEFE265: Gfx::doForm(Object*) (Gfx.cc:3769)
==11116==  Address 0xEB7A7A4 is 0 bytes after a block of size 396 alloc'd
==11116==    at 0x4C21C16: malloc (vg_replace_malloc.c:149)
==11116==    by 0xDF9C91D: gmalloc (gmem.cc:97)
==11116==    by 0xDFC1615: SplashBitmap::SplashBitmap(int, int, int, SplashColorMode, int, int) (SplashBitmap.cc:47)
==11116==    by 0xDFBE9BA: Splash::Splash(SplashBitmap*, int, SplashScreen*) (Splash.cc:804)
==11116==    by 0xDF60DF2: SplashOutputDev::beginTransparencyGroup(GfxState*, double*, GfxColorSpace*, int, int, int) (SplashOutputDev.cc:2522)
==11116==    by 0xDEFCCC3: Gfx::doForm1(Object*, Dict*, double*, double*, int, int, GfxColorSpace*, int, int, int, Function*, GfxColor*) (Gfx.cc:3831)
==11116==    by 0xDEFE265: Gfx::doForm(Object*) (Gfx.cc:3769)
==11116==    by 0xDEFE4AD: Gfx::opXObject(Object*, int) (Gfx.cc:3338)
==11116==    by 0xDEFAF37: Gfx::execOp(Object*, Object*, int) (Gfx.cc:690)
==11116==    by 0xDEFB0AC: Gfx::go(int) (Gfx.cc:581)
==11116==    by 0xDEFB4EE: Gfx::display(Object*, int) (Gfx.cc:553)
==11116==    by 0xDF43986: Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, Catalog*, int (*)(void*), void*) (Page.cc:434)
==11116==
==11116== Invalid write of size 1
==11116==    at 0xDFCF048: SplashXPathScanner::clipAALine(SplashBitmap*, int*, int*, int) (SplashXPathScanner.cc:424)
==11116==    by 0xDFC1BBB: SplashClip::clipAALine(SplashBitmap*, int*, int*, int) (SplashClip.cc:380)
==11116==    by 0xDFC0C21: Splash::drawAAPixel(SplashPipe*, int, int) (Splash.cc:640)
==11116==    by 0xDFBB9C6: Splash::drawImage(int (*)(void*, unsigned char*, unsigned char*), void*, SplashColorMode, int, int, int, double*) (Splash.cc:2680)
==11116==    by 0xDF6165D: SplashOutputDev::drawSoftMaskedImage(GfxState*, Object*, Stream*, int, int, GfxImageColorMap*, Stream*, int, int, GfxImageColorMap*) (SplashOutputDev.cc:2422)
==11116==    by 0xDEF2DDE: Gfx::doImage(Object*, Stream*, int) (Gfx.cc:3656)
==11116==    by 0xDEFE3EC: Gfx::opXObject(Object*, int) (Gfx.cc:3330)
==11116==    by 0xDEFAF37: Gfx::execOp(Object*, Object*, int) (Gfx.cc:690)
==11116==    by 0xDEFB0AC: Gfx::go(int) (Gfx.cc:581)
==11116==    by 0xDEFB4EE: Gfx::display(Object*, int) (Gfx.cc:553)
==11116==    by 0xDEFCD30: Gfx::doForm1(Object*, Dict*, double*, double*, int, int, GfxColorSpace*, int, int, int, Function*, GfxColor*) (Gfx.cc:3841)
==11116==    by 0xDEFE265: Gfx::doForm(Object*) (Gfx.cc:3769)
==11116==  Address 0xEB7A7A4 is 0 bytes after a block of size 396 alloc'd
==11116==    at 0x4C21C16: malloc (vg_replace_malloc.c:149)
==11116==    by 0xDF9C91D: gmalloc (gmem.cc:97)
==11116==    by 0xDFC1615: SplashBitmap::SplashBitmap(int, int, int, SplashColorMode, int, int) (SplashBitmap.cc:47)
==11116==    by 0xDFBE9BA: Splash::Splash(SplashBitmap*, int, SplashScreen*) (Splash.cc:804)
==11116==    by 0xDF60DF2: SplashOutputDev::beginTransparencyGroup(GfxState*, double*, GfxColorSpace*, int, int, int) (SplashOutputDev.cc:2522)
==11116==    by 0xDEFCCC3: Gfx::doForm1(Object*, Dict*, double*, double*, int, int, GfxColorSpace*, int, int, int, Function*, GfxColor*) (Gfx.cc:3831)
==11116==    by 0xDEFE265: Gfx::doForm(Object*) (Gfx.cc:3769)
==11116==    by 0xDEFE4AD: Gfx::opXObject(Object*, int) (Gfx.cc:3338)
==11116==    by 0xDEFAF37: Gfx::execOp(Object*, Object*, int) (Gfx.cc:690)
==11116==    by 0xDEFB0AC: Gfx::go(int) (Gfx.cc:581)
==11116==    by 0xDEFB4EE: Gfx::display(Object*, int) (Gfx.cc:553)
==11116==    by 0xDF43986: Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, Catalog*, int (*)(void*), void*) (Page.cc:434)
Comment 7 Albert Astals Cid 2008-03-14 20:48:17 UTC
SVN commit 785716 by aacid:

xx0 is set as maximum to buffer width so we need < not <= here

Fixes some crashes due to write out of bounds

BUGS: 158387, 158549


 M  +3 -2      SplashXPathScanner.cc  


WebSVN link: http://websvn.kde.org/?view=rev&revision=785716
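The fix in comment 7 is an off-by-one in a bound check: a span start that has been clamped to the buffer width is let through by `<=`, so one byte lands just past the allocated block, which is exactly the "0 bytes after a block of size 396" valgrind reported in comment 6. The following is an added example, not xpdf's or kpdf's code: a simplified C model of an anti-aliasing scan line with a guard byte after it, showing the `<=` and `<` guards side by side; `LINE_WIDTH`, `AALine`, `clip_left`, `run_case` and the canary value are assumptions of the example.

```c
#include <stdlib.h>
#include <string.h>

/* Simplified model of an anti-aliasing scan line; not xpdf's SplashXPathScanner.
 * 396 is the block size from the valgrind report; the extra byte is a guard
 * standing in for whatever heap block follows the real buffer. */
#define LINE_WIDTH 396
#define CANARY 0xA5

typedef struct {
    unsigned char *buf;  /* width coverage bytes, then one guard byte */
    int width;
} AALine;

static int aaline_init(AALine *l, int width) {
    l->buf = malloc((size_t)width + 1);
    if (!l->buf) return 0;
    memset(l->buf, 0xFF, (size_t)width);  /* start fully covered */
    l->buf[width] = CANARY;               /* guard byte just past the line */
    l->width = width;
    return 1;
}

/* Clamp the span start into [0, width]. As the commit message says, the maximum
 * is the buffer width itself, i.e. an index one past the last pixel. */
static int clamp_xx0(int xx0, int width) {
    if (xx0 < 0) return 0;
    return xx0 > width ? width : xx0;
}

/* Clear coverage left of the clip span. Unfixed: x <= xx0, so a start clamped
 * to width touches buf[width], one past the end. Fixed (the commit): x < xx0. */
static void clip_left(AALine *l, int xx0, int fixed) {
    xx0 = clamp_xx0(xx0, l->width);
    int limit = fixed ? xx0 : xx0 + 1;
    for (int x = 0; x < limit; ++x) l->buf[x] = 0;
}

/* Poor man's valgrind: 1 if the guard byte survived, 0 if it was overwritten. */
static int canary_intact(const AALine *l) { return l->buf[l->width] == CANARY; }
/* Run one clip with the given span start; return whether the guard survived. */
static int run_case(int xx0, int fixed) {
    AALine l;
    if (!aaline_init(&l, LINE_WIDTH)) return -1;
    clip_left(&l, xx0, fixed);
    int ok = canary_intact(&l);
    free(l.buf);
    return ok;
}
```

A guard byte only catches the one-past-the-end case this bug produces; for arbitrary offsets the valgrind run in comment 6 remains the right tool.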