Sigh... What happens there is that a) on at least some boxen we somehow get /var/lib/dhelp/tmp gone; cron.weekly dhelp script Is Not Amused. Still happens at least sometimes - I've observed that on a freshly installed squeeze/i386 box (netinst cd + aptitude install a lot of stuff; hard to reconstruct the exact sequence)
b) libpoppler is a 1001st proof that syntax sugar does not help with OOP; with exact same logics done in plain C the bug would be easier to spot. Observe:

TextOutputDev::TextOutputDev(char *fileName, GBool physLayoutA,
                             GBool rawOrderA, GBool append) {
  text = NULL;
  physLayout = physLayoutA;
  rawOrder = rawOrderA;
  doHTML = gFalse;
  ok = gTrue;

  // open file
  needClose = gFalse;
  if (fileName) {
    if (!strcmp(fileName, "-")) {
      outputStream = stdout;
#ifdef _WIN32
      // keep DOS from munging the end-of-line characters
      setmode(fileno(stdout), O_BINARY);
#endif
    } else if ((outputStream = fopen(fileName, append ? "ab" : "wb"))) {
      needClose = gTrue;
    } else {
      error(-1, "Couldn't open text file '%s'", fileName);
      ok = gFalse;
      return;
...

and this->actualText is left uninitialized. Then comes the destructor and we hit

TextOutputDev::~TextOutputDev() {
  if (needClose) {
#ifdef MACOS
    ICS_MapRefNumAndAssign((short)((FILE *)outputStream)->handle);
#endif
    fclose((FILE *)outputStream);
  }
  if (text) {
    text->decRefCnt();
  }
  delete actualText;
  ^^^^^^^^^^^^^^^^^

and we are buggered when ~ActualText() is called on a random pointer that had been in that place in memory. That's the segfault we'd been seeing in there; I don't know if it's possible to exploit, but since pdftotext has to deal with PDF files grabbed from hell-knows-where...

Fortunately, the fix is easy: failure cases that leave ->actualText uninitialized are exactly the ones that have ->ok false. IOW, the patch below fixes it (reproducing is _very_ easy - just saying

pdftotext some_existing_pdf_file.pdf /tmp/no/such/directory/out.txt

will do).

diff -urN poppler-0.12.4/poppler/TextOutputDev.cc poppler-0.12.4.fix/poppler/TextOutputDev.cc --- poppler-0.12.4/poppler/TextOutputDev.cc 2010-01-16 19:06:57.000000000 -0500 +++ poppler-0.12.4.fix/poppler/TextOutputDev.cc 2011-11-27 01:05:31.000000000 -0500
@@ -4676,7 +4676,9 @@ if (text) { text->decRefCnt(); } - delete actualText; + if (ok) { + delete actualText; + } } void TextOutputDev::startPage(int pageNum, GfxState *state) {
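
Review bot: the `if (ok)` guard around `delete actualText;` in the destructor makes memory safety depend on an invariant that lives in the constructor (ok is false exactly when actualText was never assigned), and nothing in this hunk states or enforces it. Setting `actualText = NULL;` next to the existing `text = NULL;` at the top of the constructor would let the destructor keep the unconditional `delete actualText;`, since deleting a null pointer is a no-op, and it would not skip the delete if ok were ever false while actualText holds a valid object. If the guard stays, it needs a comment explaining why ok is the condition being tested.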
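
The early-return failure described in this message, modelled as an added C++ example that is not part of the original message or of poppler. `Sink`, `Payload` and `roundTrip` are hypothetical names, and the fix shown is default member initialization, a different technique from the `if (ok)` guard in the patch.

```cpp
#include <cstdio>
// Hypothetical stand-in for ActualText; counts live instances.
struct Payload {
  static int live;
  Payload() { ++live; }
  ~Payload() { --live; }
};
int Payload::live = 0;

// Hypothetical model of the constructor/destructor pair quoted above.
class Sink {
public:
  explicit Sink(const char *fileName) {
    if (fileName) {
      out = std::fopen(fileName, "wb");
      if (!out) {
        ok = false;
        return;  // failure path: payload is still nullptr, not garbage
      }
      needClose = true;
    }
    payload = new Payload();
  }
  ~Sink() {
    if (needClose) std::fclose(out);
    delete payload;  // deleting nullptr is a no-op, so no guard on ok
  }
  bool isOk() const { return ok; }
private:
  // Default member initializers run before the constructor body, so an
  // early return can never leave a pointer indeterminate.
  std::FILE *out = nullptr;
  Payload *payload = nullptr;
  bool needClose = false, ok = true;
};

// Construct and destroy one Sink; report ok and the live Payload count.
bool roundTrip(const char *fileName, int *liveAfter) {
  bool ok;
  { Sink s(fileName); ok = s.isOk(); }
  *liveAfter = Payload::live;
  return ok;
}

int main() {
  int live = -1;
  bool ok = roundTrip("/tmp/no/such/directory/out.txt", &live);
  return std::printf("ok=%d live=%d\n", ok, live) < 0;
}
```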