Hi, I just ran across a pdf document that is causing xpdf to segfault in splash/SplashXPathScanner.cc:424 in SplashXPathScanner::clipAALine()
   409	    // set [xx, xx0) to 0
   410	    if (xx < xx0) {
   411	      p = aaBuf->getDataPtr() + yy * aaBuf->getRowSize() + (xx >> 3);
   412	      if (xx & 7) {
   413	        mask = (Guchar)(0xff00 >> (xx & 7));
   414	        if ((xx & ~7) == (xx0 & ~7)) {
   415	          mask &= 0xff >> (xx0 & 7);
   416	        }
   417	        *p++ &= mask;
   418	        xx = (xx & ~7) + 8;
   419	      }
   420	      for (; xx + 7 <= xx0; xx += 8) {
   421	        *p++ = 0x00;
   422	      }
   423	      if (xx <= xx0) {
   424	        *p &= 0xff >> (xx0 & 7);
   425	      }
   426	    }

#0  0x00000000005073a4 in SplashXPathScanner::clipAALine (this=0x20ef78e00, aaBuf=0x2074f09e0, x0=0x7f7ffffe02a0, x1=0x7f7ffffe029c, y=243) at SplashXPathScanner.cc:424
424	        *p &= 0xff >> (xx0 & 7);
(gdb) p p
$1 = 0x200cd9000 <Address 0x200cd9000 out of bounds>
(gdb) p p-1
$2 = (Guchar *) 0x200cd8fff ""

so it seems to be a buffer overrun issue. This diff seems to fix the issue:

--- splash/SplashXPathScanner.cc.orig	Fri Feb 25 00:31:37 2011
+++ splash/SplashXPathScanner.cc	Fri Feb 25 00:24:17 2011
@@ -420,7 +420,7 @@
       for (; xx + 7 <= xx0; xx += 8) {
         *p++ = 0x00;
       }
-      if (xx <= xx0) {
+      if (xx < xx0) {
         *p &= 0xff >> (xx0 & 7);
       }
     }

Not sure if this is a correct fix, as I don't seem to quite fully understand what SplashXPathScanner::clipAALine() is doing after having looked at it for about 20 minutes.

The pdf document can be found here: http://www.dinosburbank.com/menu.pdf

To reproduce it, open the file and try to zoom in (using the + key: Shift+-). If it doesn't crash, try another zoom-in. It is reproducible for me about 90% of the time on (amd64 -current-ish).

--patrick
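Review bot: the new condition `if (xx < xx0)` drops exactly the case xx == xx0, and at that point xx is always 8-aligned (it either started aligned or was set to `(xx & ~7) + 8`, and the loop only adds 8), so `xx0 & 7` is 0, the mask is 0xff, and the original `*p &= 0xff >> (xx0 & 7)` was a read-modify-write of the byte after the cleared range that changed no pixel; when xx0 is the end of the last row that byte is one past the buffer, which is consistent with gdb showing `p` at 0x200cd9000 out of bounds while `p-1` is still mapped. So the change removes only the stray access and alters no output; a one-line comment saying why the tail test is strict would spare the next reader the same twenty minutes. Separately, the unchanged loop condition `xx + 7 <= xx0` still admits xx0 == xx + 7, in which case `*p++ = 0x00` also clears pixel xx0, which lies outside [xx, xx0); `xx + 7 < xx0` would leave that byte to the trailing mask, unless the one-pixel overshoot is intended.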
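The loop quoted above, modelled in C as an added example that is not code from this post or from xpdf. A byte index stands in for the pointer p and every access is bounds-checked and recorded, so the demonstration itself never overruns; it only reports where the real code would. The trailing test is switchable between the original `xx <= xx0` and the patched `xx < xx0`, the whole-byte loop keeps the quoted `xx + 7 <= xx0`, and the same-byte mask is combined with `|`, which the comment "set [xx, xx0) to 0" requires (with `&=` as transcribed above, the two masks have no bits in common and the whole byte would be cleared). Row sizes and ranges are constructed values; pixel 0 of each byte is taken to be the most significant bit, as the `0xff00 >> (xx & 7)` mask implies.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

typedef unsigned char Guchar;

/* What one run of the range-clear loop touched. */
typedef struct {
    int maxIndex;      /* highest byte index the loop tried to access */
    bool outOfBounds;  /* true if that index was >= rowSize */
} ClearResult;

/* AND a mask into row[idx], but refuse (and record) an index past the end of
   the row: this is the access the real code performs through p. */
static void applyMask(Guchar *row, int rowSize, int idx, Guchar mask,
                      ClearResult *r) {
    if (idx > r->maxIndex)
        r->maxIndex = idx;
    if (idx >= rowSize) {
        r->outOfBounds = true;
        return;
    }
    row[idx] &= mask;
}

/* Clear pixels [xx, xx0) of one 1-bit-per-pixel row, following the quoted
   loop. useFixedCondition selects the trailing test: `xx < xx0` (the proposed
   patch) or `xx <= xx0` (the original). Assumed layout: pixel 0 of a byte is
   its most significant bit. */
static ClearResult clearRange(Guchar *row, int rowSize, int xx, int xx0,
                              bool useFixedCondition) {
    ClearResult r = { -1, false };
    int idx = xx >> 3;   /* byte index standing in for the pointer p */
    Guchar mask;

    if (xx < xx0) {
        if (xx & 7) {    /* partial leading byte: keep the pixels before xx */
            mask = (Guchar)(0xff00 >> (xx & 7));
            if ((xx & ~7) == (xx0 & ~7))   /* range also ends in this byte */
                mask |= (Guchar)(0xff >> (xx0 & 7));   /* keep pixels from xx0 on */
            applyMask(row, rowSize, idx++, mask, &r);
            xx = (xx & ~7) + 8;
        }
        for (; xx + 7 <= xx0; xx += 8)   /* whole bytes, as quoted */
            applyMask(row, rowSize, idx++, 0x00, &r);
        /* Trailing partial byte. If the loop left xx == xx0, xx is 8-aligned,
           (xx0 & 7) == 0 and the mask is 0xff: the original test then does a
           no-op read-modify-write of the byte after the range, which past the
           last row is past the buffer. */
        if (useFixedCondition ? (xx < xx0) : (xx <= xx0))
            applyMask(row, rowSize, idx, (Guchar)(0xff >> (xx0 & 7)), &r);
    }
    return r;
}

/* Does clearing [xx, rowSize*8), i.e. up to the end of the row, touch a byte
   past the row? */
static bool tailRunsPastRow(int rowSize, int xx, bool useFixedCondition) {
    Guchar row[64];   /* oversized so the demo stays safe even if it mis-models */
    memset(row, 0xff, sizeof row);
    return clearRange(row, rowSize, xx, rowSize * 8, useFixedCondition).outOfBounds;
}

/* For every range inside a 4-byte row: both variants leave identical bytes,
   the patched one never goes out of bounds, and the original does so exactly
   when the range ends at the row end. */
static bool variantsDifferOnlyInTailAccess(void) {
    const int rowSize = 4;
    for (int xx0 = 0; xx0 <= rowSize * 8; xx0++) {
        for (int xx = 0; xx <= xx0; xx++) {
            Guchar orig[4], fixed[4];
            memset(orig, 0xff, 4);
            memset(fixed, 0xff, 4);
            ClearResult ro = clearRange(orig, rowSize, xx, xx0, false);
            ClearResult rf = clearRange(fixed, rowSize, xx, xx0, true);
            bool expectOrigOOB = (xx0 == rowSize * 8 && xx < xx0);
            if (memcmp(orig, fixed, 4) != 0 || rf.outOfBounds ||
                ro.outOfBounds != expectOrigOOB)
                return false;
        }
    }
    return true;
}

/* Pixels that read 0 in a 4-byte row after clearing [xx, xx0). Shows the
   quoted loop condition clearing one pixel too many when xx0 == xx + 7. */
static int pixelsCleared(int xx, int xx0) {
    Guchar row[4];
    memset(row, 0xff, sizeof row);
    clearRange(row, 4, xx, xx0, true);
    int n = 0;
    for (int i = 0; i < 32; i++)
        if (!(row[i >> 3] & (0x80 >> (i & 7))))
            n++;
    return n;
}

int main(void) {
    printf("original, clear [8, 32) in a 4-byte row: past row = %d\n",
           tailRunsPastRow(4, 8, false));
    printf("patched,  clear [8, 32) in a 4-byte row: past row = %d\n",
           tailRunsPastRow(4, 8, true));
    printf("variants differ only in the tail access: %d\n",
           variantsDifferOnlyInTailAccess());
    printf("pixels cleared for [24, 31): %d (range has 7)\n", pixelsCleared(24, 31));
    return 0;
}
```

The exhaustive check is the part worth keeping around: it shows the patched condition removes nothing but the out-of-range access, and the `pixelsCleared` probe isolates the separate one-pixel overshoot of the `xx + 7 <= xx0` loop, which the patch does not touch.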