[gs-bugs] [Bug 690591] New: Infinite loop processing a stream
bugs.ghostscript.com-bugzilla-daemon at ghostscript.com
Thu Jul 2 11:21:07 PDT 2009
http://bugs.ghostscript.com/show_bug.cgi?id=690591
Summary: Infinite loop processing a stream
Product: MuPDF
Version: unspecified
Platform: Macintosh
OS/Version: MacOS X
Status: NEW
Severity: normal
Priority: P4
Component: mupdf
AssignedTo: tor.andersson at artifex.com
ReportedBy: kkowalczyk at gmail.com
QAContact: gs-bugs at ghostscript.com
This is from: http://code.google.com/p/sumatrapdf/issues/detail?id=554
In http://www.un.org/Depts/Cartographic/map/profile/world.pdf, there's an
infinite loop (e.g. when using pdfshow).
This is a recent regression.
Most likely caused by incorrect refcounting on a filter. This seems to fix it:
--- mupdf/mupdf/pdf_stream.c (revision 1186)
+++ mupdf/mupdf/pdf_stream.c (working copy)
@@ -334,7 +334,6 @@
fz_dropfilter(base);
return fz_rethrow(error, "cannot create filter
chain");
}
- fz_dropfilter(base);
}
*filterp = pipe;
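Review bot: after this change the error branch at the top of the hunk still calls fz_dropfilter(base) while the success path that falls through to "*filterp = pipe;" no longer does, so the two paths now disagree about who owns the reference to base. The hunk does not show whether the call that builds the chain keeps its own reference to base. If it does, removing the drop here leaks base on every successful call, and the freed block that valgrind reports under pdf_buildfilter points at a missing keep somewhere else. If it does not, the removal is right, but the error-path drop should be checked against the same rule. Please confirm the ownership convention and add a one-line comment at this spot stating which reference pipe holds, so the drop is not reintroduced later.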
This is what valgrind says. You can see invalid reads, most likely caused by
accessing a freed object.
kjkmaclap:mupdf kkowalczyk$ valgrind obj-dbg/pdfdraw ~/Downloads/world.pdf
==19735== Memcheck, a memory error detector.
==19735== Copyright (C) 2002-2009, and GNU GPL'd, by Julian Seward et al.
==19735== Using LibVEX rev 1899, a library for dynamic binary translation.
==19735== Copyright (C) 2004-2009, and GNU GPL'd, by OpenWorks LLP.
==19735== Using valgrind-3.5.0.SVN, a dynamic binary instrumentation framework.
==19735== Copyright (C) 2000-2009, and GNU GPL'd, by Julian Seward et al.
==19735== For more details, rerun with: -v
==19735==
--19735-- obj-dbg/pdfdraw:
--19735-- dSYM directory is missing; consider using --auto-run-dsymutil=yes
Drawing pages 1-1...
draw bug-554.pdf:001 ==19735== Invalid read of size 4
==19735== at 0x220EE: fz_processpipeline (in obj-dbg/pdfdraw)
==19735== by 0x28F22: fz_process (in obj-dbg/pdfdraw)
==19735== by 0x22117: fz_processpipeline (in obj-dbg/pdfdraw)
==19735== by 0x28F22: fz_process (in obj-dbg/pdfdraw)
==19735== by 0x29BCC: fz_readimp (in obj-dbg/pdfdraw)
==19735== by 0x2A4CF: fz_peekbytex (in obj-dbg/pdfdraw)
==19735== by 0x4B7DD: fz_peekbyte (in obj-dbg/pdfdraw)
==19735== by 0x4C089: pdf_lex (in obj-dbg/pdfdraw)
==19735== by 0x4AC10: pdf_runcsi (in obj-dbg/pdfdraw)
==19735== by 0x4F7AD: runone (in obj-dbg/pdfdraw)
==19735== by 0x4FC7E: loadpagecontents (in obj-dbg/pdfdraw)
==19735== by 0x5018F: pdf_loadpage (in obj-dbg/pdfdraw)
==19735== Address 0xa199a0 is 16 bytes inside a block of size 36 free'd
==19735== at 0x54D7FB: free (vg_replace_malloc.c:323)
==19735== by 0x11A56: fz_free (in obj-dbg/pdfdraw)
==19735== by 0x290B4: fz_dropfilter (in obj-dbg/pdfdraw)
==19735== by 0x5EBEE: pdf_buildfilter (in obj-dbg/pdfdraw)
==19735== by 0x5EF92: pdf_openstream (in obj-dbg/pdfdraw)
==19735== by 0x4F72B: runone (in obj-dbg/pdfdraw)
==19735== by 0x4FC7E: loadpagecontents (in obj-dbg/pdfdraw)
==19735== by 0x5018F: pdf_loadpage (in obj-dbg/pdfdraw)
==19735== by 0x62706: drawloadpage (in obj-dbg/pdfdraw)
==19735== by 0x6287D: drawpnm (in obj-dbg/pdfdraw)
==19735== by 0x6372C: drawpages (in obj-dbg/pdfdraw)
==19735== by 0x63B7C: main (in obj-dbg/pdfdraw)
==19735==
==19735== Invalid read of size 4
==19735== at 0x28EF4: fz_process (in obj-dbg/pdfdraw)
==19735== by 0x22117: fz_processpipeline (in obj-dbg/pdfdraw)
==19735== by 0x28F22: fz_process (in obj-dbg/pdfdraw)
==19735== by 0x22117: fz_processpipeline (in obj-dbg/pdfdraw)
==19735== by 0x28F22: fz_process (in obj-dbg/pdfdraw)
==19735== by 0x29BCC: fz_readimp (in obj-dbg/pdfdraw)
==19735== by 0x2A4CF: fz_peekbytex (in obj-dbg/pdfdraw)
==19735== by 0x4B7DD: fz_peekbyte (in obj-dbg/pdfdraw)
==19735== by 0x4C089: pdf_lex (in obj-dbg/pdfdraw)
==19735== by 0x4AC10: pdf_runcsi (in obj-dbg/pdfdraw)
==19735== by 0x4F7AD: runone (in obj-dbg/pdfdraw)
==19735== by 0x4FC7E: loadpagecontents (in obj-dbg/pdfdraw)
... and more