[gs-bugs] [Bug 690593] New: PDF in URL field causes mupdf to SEGV on page 36

bugs.ghostscript.com-bugzilla-daemon at ghostscript.com bugs.ghostscript.com-bugzilla-daemon at ghostscript.com
Thu Jul 2 16:50:42 PDT 2009 

http://bugs.ghostscript.com/show_bug.cgi?id=690593

           Summary: PDF in URL field causes mupdf to SEGV on page 36
           Product: MuPDF
           Version: unspecified
          Platform: PC
               URL: ftp://www.unicode.org/Public/5.2.0/charts/CodeCharts-52-
                    Draft20090629-noHan.pdf
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P4
         Component: mupdf
        AssignedTo: tor.andersson at artifex.com
        ReportedBy: cloos at jhcloos.com
         QAContact: gs-bugs at ghostscript.com


The SEGV only occurs when paging through the document from page 1 on via the
space bar.  Jumping around with F and B seems to avoid it.

Backtrace is:

#0  0x08090a7c in fz_optimizetree (tree=0x3fe0) at fitz/node_optimize.c:230
#1  0x0806c93b in pdf_loadpattern (patp=0xbfa058d4, xref=0x8519010, dict=0x8948cc8, 
    stmref=0x8948cc8) at mupdf/pdf_pattern.c:142
#2  0x0805bd68 in preloadpattern (xref=0x8519010, ref=0x8948cc8) at
mupdf/pdf_resources.c:85
#3  0x0805c868 in pdf_loadresources (rdbp=0x87e2488, xref=0x8519010, orig=0x87e7e28)
    at mupdf/pdf_resources.c:357
#4  0x08073a21 in pdf_loadxobject (formp=0xbfa05a20, xref=0x8519010,
dict=0x8896168, 
    ref=0x892f550) at mupdf/pdf_xobject.c:78
#5  0x0805bfc4 in preloadxobject (xref=0x8519010, ref=0x892f550) at
mupdf/pdf_resources.c:137
#6  0x0805c9c4 in pdf_loadresources (rdbp=0xbfa05ad4, xref=0x8519010,
orig=0x8521788)
    at mupdf/pdf_resources.c:391
#7  0x0805ad68 in pdf_loadpage (pagep=0x84fe0c8, xref=0x8519010, dict=0x8521668)
    at mupdf/pdf_page.c:216
#8  0x0804e230 in pdfapp_showpage (app=0x84fe0a0, loadpage=1, drawpage=1)
    at apps/common/pdfapp.c:262
#9  0x0804ee6d in pdfapp_onkey (app=0x84fe0a0, c=32) at apps/common/pdfapp.c:508
#10 0x0804b9b1 in onkey (c=32) at apps/unix/x11pdf.c:443
#11 0x0804bf22 in main (argc=2, argv=0xbfa05ea4) at apps/unix/x11pdf.c:591

At level#0 of the backtrace, I get:

(gdb) p tree
$9 = (fz_tree *) 0x3fe0
(gdb) p *tree
Cannot access memory at address 0x3fe0

Going up a level, the pat->tree does indeed contain 0x3fe0, and there is nothing
at that address.  It looks like pat->tree is somehow clobbered.

I also tried running with DONTOPT=1 in the environment.  In that case the
backtrace looks like:

(gdb) where
#0  0x0809262f in fz_keeptree (tree=0x3fe0) at fitz/node_tree.c:23
#1  0x0808fe4c in fz_newlinknode (nodep=0xbfc29ac4, subtree=0x3fe0) at
fitz/node_misc2.c:174
#2  0x0807c941 in addpatternshape (gs=0x89e76d8, shape=0x873ae08, pat=0x87bea38,
cs=0x84f7540, 
    v=0x89e7828) at mupdf/pdf_build.c:379
#3  0x0807cf8b in pdf_addfillshape (gs=0x89e76d8, shape=0x873ae08) at
mupdf/pdf_build.c:510
#4  0x0807d7cf in pdf_showpath (csi=0x89e72e8, doclose=0, dofill=1, dostroke=0,
evenodd=0)
    at mupdf/pdf_build.c:727
#5  0x08078099 in runkeyword (csi=0x89e72e8, xref=0x8519010, rdb=0x87e8988,
buf=0xbfc29fc0 "f")
    at mupdf/pdf_interpret.c:1124
#6  0x08079786 in pdf_runcsi (csi=0x89e72e8, xref=0x8519010, rdb=0x87e8988,
file=0x88974f8)
    at mupdf/pdf_interpret.c:1381
#7  0x0807453d in runxobject (csi=0x89e72e8, xref=0x8519010, xobj=0x87c8250)
    at mupdf/pdf_interpret.c:213
#8  0x08077566 in runkeyword (csi=0x89e72e8, xref=0x8519010, rdb=0x89afd30, 
    buf=0xbfc3a430 "Do") at mupdf/pdf_interpret.c:933
#9  0x08079786 in pdf_runcsi (csi=0x89e72e8, xref=0x8519010, rdb=0x89afd30,
file=0x88bd758)
    at mupdf/pdf_interpret.c:1381
#10 0x0805a7df in runmany (csi=0x89e72e8, xref=0x8519010, rdb=0x89afd30,
list=0x8896e78)
    at mupdf/pdf_page.c:83
#11 0x0805a93f in loadpagecontents (treep=0xbfc4a518, xref=0x8519010,
rdb=0x89afd30, 
    ref=0x8521750) at mupdf/pdf_page.c:116
#12 0x0805adda in pdf_loadpage (pagep=0x84fe0c8, xref=0x8519010, dict=0x8521668)
    at mupdf/pdf_page.c:226
#13 0x0804e230 in pdfapp_showpage (app=0x84fe0a0, loadpage=1, drawpage=1)
    at apps/common/pdfapp.c:262
#14 0x0804ee6d in pdfapp_onkey (app=0x84fe0a0, c=32) at apps/common/pdfapp.c:508
#15 0x0804b9b1 in onkey (c=32) at apps/unix/x11pdf.c:443
#16 0x0804bf22 in main (argc=2, argv=0xbfc4a8f4) at apps/unix/x11pdf.c:591

As you can see, tree has the same bogus value as w/o DONTOPT.

The segv happens for both release and debug builds.

My compile is with -march=pentium3 -O2 for release and -march=pentirum3 -O0
-ggdb for debug.  (as you can guess, that is -m32).

I am currently at:

Thu Jul  2 17:16:48 EDT 2009  tor at ghostscript.com
  * More reference counting cleanups.


(The file is encrypted with an empty user pass; before today’s commits it failed
 due to the infinite loop bug.)



------- You are receiving this mail because: -------
You are the QA contact for the bug, or are watching the QA contact.

More information about the gs-bugs mailing list