[cairo-bugs] [Bug 61451] New: crash in cairo PDF writer when rendering certain PDFs to PDFs using poppler

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Mon Feb 25 08:13:26 PST 2013 

https://bugs.freedesktop.org/show_bug.cgi?id=61451

          Priority: medium
            Bug ID: 61451
          Assignee: ajohnson at redneon.com
           Summary: crash in cairo PDF writer when rendering certain PDFs
                    to PDFs using poppler
        QA Contact: cairo-bugs at cairographics.org
          Severity: normal
    Classification: Unclassified
                OS: Linux (All)
          Reporter: jana at saout.de
          Hardware: Other
            Status: NEW
           Version: 1.12.12
         Component: pdf backend
           Product: cairo

We are using a simple PDF-to-PDF converter (the main reason is to simplify the
PDFs).  For this we are using a small python script (simplified version
attached below) that uses poppler to render into a cairo surface, which writes
to a PDF.

During this, certain PDF files crash the PDF writer. At some point a NULL
pointer is passed down which later crashes a function.

I "fixed" this bug by replacing the NULL pointer by another pointer somewhere
up the call chain - not knowing if this is the correct fix. (the PDF looks
right though, and the crash is gone)

I am getting the following crash:

Program received signal SIGSEGV, Segmentation fault.
_cairo_box_from_rectangle (box=box at entry=0x7fffffffd240, rect=rect at entry=0x0)
    at cairo-rectangle.c:77
77        box->p1.x = _cairo_fixed_from_int (rect->x);
(gdb) bt
#0  _cairo_box_from_rectangle (box=box at entry=0x7fffffffd240, 
    rect=rect at entry=0x0) at cairo-rectangle.c:77
#1  0x00007ffff7a007a2 in _cairo_pdf_surface_add_padded_image_surface (
    surface=surface at entry=0xa24580, source=source at entry=0xb47910, extents=0x0, 
    surface_res=surface_res at entry=0x7fffffffd380, 
    width=width at entry=0x7fffffffd3a0, height=height at entry=0x7fffffffd3c0, 
    x_offset=x_offset at entry=0x7fffffffd400, 
    y_offset=y_offset at entry=0x7fffffffd408) at cairo-pdf-surface.c:2123
#2  0x00007ffff7a00d77 in _cairo_pdf_surface_paint_surface_pattern (
    surface=0xa24580, source=0xb47910, extents=<optimized out>, stencil_mask=1)
    at cairo-pdf-surface.c:3925
#3  0x00007ffff7a01252 in _cairo_pdf_surface_emit_stencil_mask (
    extents=0x7fffffffd56c, mask=<optimized out>, source=<optimized out>, 
    surface=0xa24580) at cairo-pdf-surface.c:6378
#4  _cairo_pdf_surface_mask (abstract_surface=0xa24580, op=<optimized out>, 
    source=0xb477f8, mask=0xb47910, clip=<optimized out>)
    at cairo-pdf-surface.c:6608
#5  0x00007ffff79a3c24 in _cairo_surface_mask (surface=0xa24580, 
    op=CAIRO_OPERATOR_OVER, source=0xb477f8, mask=0xb47910, clip=0xa27f10)
    at cairo-surface.c:2054
#6  0x00007ffff79a9fb6 in _cairo_surface_wrapper_mask (
    wrapper=wrapper at entry=0x7fffffffdc20, op=CAIRO_OPERATOR_OVER, 
    source=<optimized out>, source at entry=0xb477f8, mask=mask at entry=0xb47910, 
    clip=<optimized out>) at cairo-surface-wrapper.c:206
#7  0x00007ffff7995587 in _cairo_recording_surface_replay_internal (
    surface=<optimized out>, surface_extents=<optimized out>, 
    surface_transform=<optimized out>, target=<optimized out>, 
    target_clip=<optimized out>, type=CAIRO_RECORDING_REPLAY, 
    region=CAIRO_RECORDING_REGION_NATIVE) at cairo-recording-surface.c:1678
#8  0x00007ffff79966a7 in _cairo_recording_surface_replay_region (
    surface=<optimized out>, surface_extents=surface_extents at entry=0x0, 
    target=<optimized out>, region=region at entry=CAIRO_RECORDING_REGION_NATIVE)
    at cairo-recording-surface.c:1934
#9  0x00007ffff7977861 in _paint_page (surface=0xa26510)
    at cairo-paginated-surface.c:406
#10 0x00007ffff7977adc in _cairo_paginated_surface_show_page (
    abstract_surface=0xa26510) at cairo-paginated-surface.c:509
#11 0x00007ffff79a413b in INT_cairo_surface_show_page (surface=0xa26510)
    at cairo-surface.c:2305
#12 0x00007ffff7a712ea in surface_show_page ()
   from /usr/lib64/python2.7/site-packages/cairo/_cairo.so
[...]



and I "fixed" the NULL pointer issue using this:



--- cairo-1.12.12/src/cairo-pdf-surface.c.orig    2013-02-25 17:01:27.130438874
+0100
+++ cairo-1.12.12/src/cairo-pdf-surface.c    2013-02-25 17:01:33.217105734
+0100
@@ -6375,7 +6375,7 @@ _cairo_pdf_surface_emit_stencil_mask (ca
     return status;

     _cairo_output_stream_printf (surface->output, "q\n");
-    status = _cairo_pdf_surface_paint_surface_pattern (surface, mask, NULL,
TRUE);
+    status = _cairo_pdf_surface_paint_surface_pattern (surface, mask, extents,
TRUE);
     if (unlikely (status))
     return status;





The script used: (needs cairo python bindings, poppler and poppler-python
bindings).  (I guess it should be simple to write a C analogon, as long as you
have poppler installed).  My poppler version is 0.20.5 by the way.

Called "python pdftopdf.py input.pdf output.pdf":

The link to an example input PDF that produces the crash:
http://www.saout.de/assets/Kfz-Techniker_Teil_II_11478_print.pdf



#!/usr/bin/env python
import os, sys
import poppler, cairo

d = poppler.document_new_from_file('file://' + os.path.abspath(sys.argv[1]),
'')
out = sys.argv[2]

s = None

n = d.get_n_pages()
for i in xrange(n):
        p = d.get_page(i)
        w, h = p.get_size()

        if s is None:
                s = cairo.PDFSurface(out, w, h)

        s.set_size(w, h)

        c = cairo.Context(s)
        p.render(c)
        del c

        s.show_page()

-- 
You are receiving this mail because:
You are the QA Contact for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cairographics.org/archives/cairo-bugs/attachments/20130225/8d161a46/attachment.html>

More information about the cairo-bugs mailing list