[gs-bugs] [Bug 690183] New: mupdftool draw segfaults on IA3Z1758.pdf

bugs.ghostscript.com-bugzilla-daemon at ghostscript.com
Tue Nov 25 18:32:45 PST 2008


http://bugs.ghostscript.com/show_bug.cgi?id=690183

           Summary: mupdftool draw segfaults on IA3Z1758.pdf
           Product: MuPDF
           Version: unspecified
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P4
         Component: apps
        AssignedTo: tor.andersson at artifex.com
        ReportedBy: ralph.giles at artifex.com
         QAContact: gs-bugs at ghostscript.com


The command

  mupdftool draw ../tests_private/pdf/PDFIA1.7_SUBSET/IA3Z1758.pdf

segfaults on the second page. glibc complains of a corrupt double-linked list
inside freetype. The file displays without complaint in mupdf.

gdb backtrace on x86_64 linux:

#0  0x00007f37af0d4095 in raise () from /lib/libc.so.6
#1  0x00007f37af0d5af0 in abort () from /lib/libc.so.6
#2  0x00007f37af10ea7b in ?? () from /lib/libc.so.6
#3  0x00007f37af11628c in ?? () from /lib/libc.so.6
#4  0x00007f37af119c1c in free () from /lib/libc.so.6
#5  0x00007f37afae8ffa in ?? () from /usr/lib/libfreetype.so.6
#6  0x00007f37aface80c in ?? () from /usr/lib/libfreetype.so.6
#7  0x00007f37aface8e0 in FT_Done_Face () from /usr/lib/libfreetype.so.6
#8  0x000000000041ced4 in ftdropfont (font=0x77c890) at mupdf/pdf_font.c:269
#9  0x000000000044f6dd in fz_dropfont (font=0x77c890) at world/res_font.c:48
#10 0x0000000000416b9c in dropitem (kind=PDF_KFONT, val=0x77c890)
    at mupdf/pdf_store.c:61
#11 0x0000000000416bef in pdf_emptystore (store=0x7043d0)
    at mupdf/pdf_store.c:79
#12 0x000000000040355f in drawfreepage () at apps/pdftool.c:589
#13 0x0000000000403d72 in drawpnm (pagenum=2, loadtimes=0x7fffb7f5a220, 
    drawtimes=0x7fffb7f5a1f0) at apps/pdftool.c:692
#14 0x000000000040417a in drawpages (pagelist=0x0) at apps/pdftool.c:799
#15 0x00000000004044d5 in drawmain (argc=3, argv=0x7fffb7f5a3c8)
    at apps/pdftool.c:880
#16 0x0000000000404df5 in main (argc=3, argv=0x7fffb7f5a3c8)
    at apps/pdftool.c:1205

valgrind reports a number of uninitialized variables in the glyph cache for both
pages before a number of invalid frees in the page cleanup. The segfault happens
after the second page's md5 is printed, which may explain why the file works
with mupdf x11. Here is the first one:

==6700== Invalid read of size 4
==6700==    at 0x44F1CC: fz_dropcolorspace (res_colorspace.c:28)
==6700==    by 0x4500E9: fz_dropimage (res_image.c:19)
==6700==    by 0x416B6F: dropitem (pdf_store.c:57)
==6700==    by 0x416BEE: pdf_emptystore (pdf_store.c:79)
==6700==    by 0x40355E: drawfreepage (pdftool.c:589)
==6700==    by 0x403D71: drawpnm (pdftool.c:692)
==6700==    by 0x404179: drawpages (pdftool.c:799)
==6700==    by 0x4044D4: drawmain (pdftool.c:880)
==6700==    by 0x404DF4: main (pdftool.c:1205)
==6700==  Address 0x5e1d370 is 0 bytes inside a block of size 80 free'd
==6700==    at 0x4C22B2E: free (vg_replace_malloc.c:323)
==6700==    by 0x43B584: stdfree (base_memory.c:17)
==6700==    by 0x43B666: fz_free (base_memory.c:67)
==6700==    by 0x44F215: fz_dropcolorspace (res_colorspace.c:34)
==6700==    by 0x4500E9: fz_dropimage (res_image.c:19)
==6700==    by 0x416B6F: dropitem (pdf_store.c:57)
==6700==    by 0x416BEE: pdf_emptystore (pdf_store.c:79)
==6700==    by 0x40355E: drawfreepage (pdftool.c:589)
==6700==    by 0x403D71: drawpnm (pdftool.c:692)
==6700==    by 0x404179: drawpages (pdftool.c:799)
==6700==    by 0x4044D4: drawmain (pdftool.c:880)
==6700==    by 0x404DF4: main (pdftool.c:1205)
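The valgrind report shows fz_dropcolorspace reading a block that an earlier fz_dropcolorspace, reached through fz_dropimage and dropitem during the same pdf_emptystore, had already freed. One ownership mistake that produces exactly that pattern is a resource shared by two holders of which only one ever took a reference; the C below is an added, constructed model of that pattern (a detectable double drop beside the corrected ownership), not MuPDF code and not a claim about this bug's actual root cause.

```c
#include <stdio.h>
#include <stdlib.h>

/* Toy model of a reference-counted colorspace shared by images (constructed
 * for this example, not MuPDF code). Every holder must take its own reference
 * with keepcolorspace() and return it with dropcolorspace(). The final drop
 * sets a flag instead of calling free(), so a drop on an already-released
 * object is observable without undefined behaviour. */
typedef struct {
    int refs;
    int released;   /* stands in for the block having gone to fz_free */
} colorspace;

typedef struct { colorspace *cs; } image;

static colorspace *newcolorspace(void) {
    colorspace *cs = calloc(1, sizeof *cs);
    cs->refs = 1;   /* creator holds the first reference */
    return cs;
}
static colorspace *keepcolorspace(colorspace *cs) { cs->refs++; return cs; }

/* Returns 1 when called on an object that was already released: the
 * "invalid read ... inside a block ... free'd" pattern valgrind reported. */
static int dropcolorspace(colorspace *cs) {
    if (cs->released) return 1;
    if (--cs->refs == 0) cs->released = 1;
    return 0;
}

static int dropimage(image *img) {
    int invalid = dropcolorspace(img->cs);
    free(img);
    return invalid;
}

/* Two images in a store share one colorspace; emptying the store drops both.
 * With share_without_keep=1 the second image aliases the colorspace without
 * taking a reference, so the second dropimage() hits a released object.
 * Returns the number of invalid drops observed. */
int emptystore_invalid_drops(int share_without_keep) {
    colorspace *cs = newcolorspace();
    image *a = calloc(1, sizeof *a), *b = calloc(1, sizeof *b);
    a->cs = cs;                                    /* takes over the creator's reference */
    b->cs = share_without_keep ? cs : keepcolorspace(cs);
    int invalid = dropimage(a) + dropimage(b);
    free(cs);                                      /* the model object itself */
    return invalid;
}

int main(void) {
    printf("buggy store: %d invalid drop(s); fixed store: %d\n",
           emptystore_invalid_drops(1), emptystore_invalid_drops(0));
    return 0;
}
```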


