Package: xpdf-reader Version: 3.00-13 Severity: normal File: /usr/bin/xpdf Tags: patch
xpdf crashes on this (large) PDF document: http://www.getboulder.com/sports/Master_Bike_map.pdf The problem appears to be due to JPXStream.cc:2213 which looks like this: if (y0+y1 > cb->y0) { diag += (coeff[-tileComp->cbW + 1].flags >> jpxCoeffSignificantB) & 1; } The problem here is that tileComp->cbW is of type Guint (unsigned integer). When the program crashes, tileCompb->cbW happens to be 32, so (unsigned) -tileComp->cbW == 4294967264 which causes an array index overflow. The patch below fixes the problem but since I'm not familiar with xpdf internals, this may or may not be the best fix (and there may be similar issues in other portions of the code; I didn't check).
--- JPXStream.cc~ 2004-01-21 17:26:45.000000000 -0800
+++ JPXStream.cc 2005-03-29 17:06:51.000000000 -0800
@@ -1995,7 +1995,7 @@
 horizSign += (coeff[-1].flags & jpxCoeffSign) ? -1 : 1;
 }
 if (y0+y1 > cb->y0) {
- diag += (coeff[-tileComp->cbW - 1].flags
+ diag += (coeff[-(int) tileComp->cbW - 1].flags
 >> jpxCoeffSignificantB) & 1;
 }
 if (y0+y1 < cb->y1 - 1) {
@@ -2009,7 +2009,7 @@
 horizSign += (coeff[1].flags & jpxCoeffSign) ? -1 : 1;
 }
 if (y0+y1 > cb->y0) {
- diag += (coeff[-tileComp->cbW + 1].flags
+ diag += (coeff[-(int) tileComp->cbW + 1].flags
 >> jpxCoeffSignificantB) & 1;
 }
 if (y0+y1 < cb->y1 - 1) {
@@ -2018,9 +2018,9 @@
 }
 }
 if (y0+y1 > cb->y0) {
- if (coeff[-tileComp->cbW].flags & jpxCoeffSignificant) {
+ if (coeff[-(int) tileComp->cbW].flags & jpxCoeffSignificant) {
 ++vert;
- vertSign += (coeff[-tileComp->cbW].flags & jpxCoeffSign)
+ vertSign += (coeff[-(int) tileComp->cbW].flags & jpxCoeffSign)
 ? -1 : 1;
 }
 }
@@ -2070,7 +2070,7 @@
 if (x > cb->x0) {
 all += (coeff[-1].flags >> jpxCoeffSignificantB) & 1;
 if (y0+y1 > cb->y0) {
- all += (coeff[-tileComp->cbW - 1].flags
+ all += (coeff[-(int) tileComp->cbW - 1].flags
 >> jpxCoeffSignificantB) & 1;
 }
 if (y0+y1 < cb->y1 - 1) {
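Review bot: The `(int)` cast is repeated by hand at every up-neighbour index, 14 sites across the hunks at 1995, 2009, 2018, 2070, 2081, 2090, 2128, 2196, 2210 and 2219, so any site that was missed, or one added later, brings the unsigned wrap back without any compiler diagnostic. I would take the row stride once as a signed local in each enclosing function, `int cbW = (int)tileComp->cbW;`, and index with `coeff[-cbW - 1]`, `coeff[-cbW]` and `coeff[-cbW + 1]`. Next to that local, a comment should record the reason: `// cbW is Guint: -cbW wraps to a large positive index, which reads far outside the coefficient array where pointers are wider than Guint`. The enclosing functions begin outside these hunks, so the right place for the local is not visible here.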
@@ -2081,7 +2081,7 @@
 if (x < cb->x1 - 1) {
 all += (coeff[1].flags >> jpxCoeffSignificantB) & 1;
 if (y0+y1 > cb->y0) {
- all += (coeff[-tileComp->cbW + 1].flags
+ all += (coeff[-(int) tileComp->cbW + 1].flags
 >> jpxCoeffSignificantB) & 1;
 }
 if (y0+y1 < cb->y1 - 1) {
@@ -2090,7 +2090,7 @@
 }
 }
 if (y0+y1 > cb->y0) {
- all += (coeff[-tileComp->cbW].flags
+ all += (coeff[-(int) tileComp->cbW].flags
 >> jpxCoeffSignificantB) & 1;
 }
 if (y0+y1 < cb->y1 - 1) {
@@ -2128,12 +2128,12 @@
 !(coeff1[2 * tileComp->cbW].flags & jpxCoeffTouched) &&
 !(coeff1[3 * tileComp->cbW].flags & jpxCoeffTouched) &&
 (x == cb->x0 || y0 == cb->y0 ||
- !(coeff1[-tileComp->cbW - 1].flags
+ !(coeff1[-(int)tileComp->cbW - 1].flags
 & jpxCoeffSignificant)) &&
 (y0 == cb->y0 ||
- !(coeff1[-tileComp->cbW].flags & jpxCoeffSignificant)) &&
+ !(coeff1[-(int)tileComp->cbW].flags & jpxCoeffSignificant)) &&
 (x == cb->x1 - 1 || y0 == cb->y0 ||
- !(coeff1[-tileComp->cbW + 1].flags & jpxCoeffSignificant)) &&
+ !(coeff1[-(int)tileComp->cbW + 1].flags & jpxCoeffSignificant)) &&
 (x == cb->x0 ||
 (!(coeff1[-1].flags & jpxCoeffSignificant) &&
 !(coeff1[tileComp->cbW - 1].flags
@@ -2196,7 +2196,7 @@
 horizSign += (coeff[-1].flags & jpxCoeffSign) ? -1 : 1;
 }
 if (y0+y1 > cb->y0) {
- diag += (coeff[-tileComp->cbW - 1].flags
+ diag += (coeff[-(int)tileComp->cbW - 1].flags
 >> jpxCoeffSignificantB) & 1;
 }
 if (y0+y1 < cb->y1 - 1) {
@@ -2210,7 +2210,7 @@
 horizSign += (coeff[1].flags & jpxCoeffSign) ? -1 : 1;
 }
 if (y0+y1 > cb->y0) {
- diag += (coeff[-tileComp->cbW + 1].flags
+ diag += (coeff[-(int) tileComp->cbW + 1].flags
 >> jpxCoeffSignificantB) & 1;
 }
 if (y0+y1 < cb->y1 - 1) {
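Review bot: The casts in the hunks at 2128 and 2196 are spelled `-(int)tileComp->cbW`, while every other hunk writes `-(int) tileComp->cbW`; one spelling throughout would let a later search for the pattern find all sites. Separately, the cast only gives the intended negative offset while cbW fits in an `int`. cbW presumably derives from code-block size fields in the JPEG 2000 stream, which is document-controlled input, and none of these hunks shows it being range-checked, so it is worth confirming that the parser rejects oversized values before this code runs. The boolean expression patched at 2128 begins and ends outside the hunk.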
@@ -2219,9 +2219,9 @@
 }
 }
 if (y0+y1 > cb->y0) {
- if (coeff[-tileComp->cbW].flags & jpxCoeffSignificant) {
+ if (coeff[-(int) tileComp->cbW].flags & jpxCoeffSignificant) {
 ++vert;
- vertSign += (coeff[-tileComp->cbW].flags & jpxCoeffSign)
+ vertSign += (coeff[-(int) tileComp->cbW].flags & jpxCoeffSign)
 ? -1 : 1;
 }
 }
-- System Information: Debian Release: 3.1 APT prefers testing APT policy: (500, 'testing'), (50, 'unstable') Architecture: ia64 Kernel: Linux 2.6.11 Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968) Versions of packages xpdf-reader depends on: ii gsfonts 8.14+v8.11-0.1 Fonts for the Ghostscript interpre ii lesstif2 1:0.93.94-11.1 OSF/Motif 2.1 implementation relea ii libc6.1 2.3.2.ds1-20 GNU C Library: Shared libraries an ii libfreetype6 2.1.7-2.3 FreeType 2 font engine, shared lib ii libgcc1 1:3.4.3-6 GCC support library ii libice6 4.3.0.dfsg.1-10 Inter-Client Exchange library ii libpaper1 1.1.14-3 Library for handling paper charact ii libsm6 4.3.0.dfsg.1-10 X Window System Session Management ii libstdc++5 1:3.3.5-8 The GNU Standard C++ Library v3 ii libt1-5 5.0.2-3 Type 1 font rasterizer library - r ii libx11-6 4.3.0.dfsg.1-10 X Window System protocol client li ii libxext6 4.3.0.dfsg.1-10 X Window System miscellaneous exte ii libxp6 4.3.0.dfsg.1-10 X Window System printing extension ii libxpm4 4.3.0.dfsg.1-10 X pixmap library ii libxt6 4.3.0.dfsg.1-10 X Toolkit Intrinsics ii xlibs 4.3.0.dfsg.1-10 X Keyboard Extension (XKB) configu ii xpdf-common 3.00-13 Portable Document Format (PDF) sui ii zlib1g 1:1.2.2-3 compression library - runtime -- no debconf information -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]