xpdf crashes when scrolling a potentially illegal PDF

Bug #111278 reported by Pekka Jääskeläinen
Affects: xpdf (Ubuntu) | Status: Fix Released | Importance: Medium | Assigned to: Unassigned | Milestone:

Bug Description

Binary package hint: xpdf

If you scroll the following PDF to page 4 you get a crash:

http://citeseer.ist.psu.edu/cache/papers/cs/1803/http:zSzzSzdavinci.snu.ac.krzSzlinkszSzilpzSztullsen95.pdf/tullsen95simultaneous.pdf

This PDF causes a memory-fillup leak bug to be triggered in Kpdf (bug #111275) but opens fine in Acroread.

Revision history for this message
Micah Cowan (micahcowan) wrote :

Hello, and thank you for your bug report. In order to address this problem, we need a few things from you.

The PDF file that caused the crash would be very helpful, but not crucial if we can obtain the other things I'll ask you for. However, the link you supplied currently gives a 503 error code.

Without being able to reproduce the problem ourselves, we'll need a crash report, such as the one that should have been placed in /var/crash/.

It would also be extremely helpful to get a backtrace, which you should be able to provide by following the instructions at http://wiki.ubuntu.com/DebuggingProgramCrash .

Thanks for your help!

Changed in xpdf:
assignee: nobody → micahcowan
status: Unconfirmed → Needs Info
Revision history for this message
Pekka Jääskeläinen (pekka-jaaskelainen) wrote :

The PDF is attached. Just scroll down a couple of pages and it crashes.

The backtrace (thanks for the tip for finding the debugging symbols):

#0 0xb79e3dec in free () from /lib/tls/i686/cmov/libc.so.6
#1 0xb7ba2d11 in operator delete () from /usr/lib/libstdc++.so.6
#2 0xb7ba2d6d in operator delete[] () from /usr/lib/libstdc++.so.6
#3 0x0809771f in Object::free (this=0xbfe371e0) at Object.cc:112
#4 0x080598fa in Gfx::go (this=0x8242960, topLevel=1) at Gfx.cc:569
#5 0x08059c97 in Gfx::display (this=0x8242960, obj=0xbfe37334, topLevel=1)
    at Gfx.cc:538
#6 0x08099aad in Page::displaySlice (this=0x81c9560, out=0x81a6580, hDPI=90,
    vDPI=90, rotate=0, useMediaBox=0, crop=1, sliceX=0, sliceY=0, sliceW=765,
    sliceH=990, links=0x8234fa8, catalog=0x81c51c8, abortCheckCbk=0,
    abortCheckCbkData=0x0) at Page.cc:317
#7 0x0809d893 in PDFCore::needTile (this=0x81a5f40, page=0x8192560, x=0, y=0)
    at PDFCore.cc:793
#8 0x080a0547 in PDFCore::update (this=0x81a5f40, topPageA=4, scrollXA=0,
    scrollYA=0, zoomA=125, rotateA=0, force=0, addToHist=1) at PDFCore.cc:617
#9 0x080cc8f7 in XPDFCore::update (this=0x81a5f40, topPageA=4, scrollXA=0,
    scrollYA=0, zoomA=125, rotateA=0, force=0, addToHist=1) at XPDFCore.cc:308
#10 0x0809ee9f in PDFCore::gotoNextPage (this=0x1, inc=1, top=1) at PDFCore.cc:829
#11 0x080cc880 in XPDFCore::gotoNextPage (this=0x81a5f40, inc=1, top=1)
    at XPDFCore.cc:335
#12 0x080cf0a8 in XPDFCore::inputCbk (widget=0x81af9d0, ptr=0x81a5f40,
    callData=0xbfe37608) at XPDFCore.cc:1094
#13 0xb7d2140b in XtCallCallbackList () from /usr/lib/libXt.so.6
#14 0xb7dce250 in _XmDrawingAreaInput () from /usr/lib/libXm.so.2
#15 0xb7d58481 in ?? () from /usr/lib/libXt.so.6
#16 0x081af9d0 in ?? ()
#17 0xbfe37ab8 in ?? ()
#18 0x00000000 in ?? ()

Seems like a double free.
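The frames above (Gfx::go calling Object::free, which ends in operator delete[] and then glibc free()) fit the classic shape of this bug class: two Object structs end up pointing at one heap buffer, and each releases it. The following is an added example, not xpdf's own code: a cut-down C model of an xpdf-style tagged Object that owns a heap string, with a toy free-quarantine layer that records a second free of the same block instead of letting libc abort. It contrasts a shallow struct copy (two owners, one buffer) with an ownership transfer (one owner). All names (Object, obj_free, obj_copy_shallow, obj_move, tracked_free, the scenarios) are assumptions for illustration; the real fix in xpdf would be wherever the duplicated operand is created, not in the allocator.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy model (assumption, not xpdf code): a tagged object that owns a
 * heap string when type == objString. */
enum ObjType { objNone, objString };

typedef struct {
    enum ObjType type;
    char *str;           /* owned by this struct when type == objString */
} Object;

/* Toy free-quarantine: freed blocks are held, not returned to libc, so a
 * second free of the same address can be detected and counted rather
 * than crashing. Real tools (ASan, valgrind, glibc MALLOC_CHECK_) do the
 * same job properly. */
#define QUARANTINE 64
static void *quarantined[QUARANTINE];
static int quarantined_n;
static int double_frees;     /* number of detected double frees */

static void tracked_free(void *p) {
    if (p == NULL) return;
    for (int i = 0; i < quarantined_n; i++) {
        if (quarantined[i] == p) {    /* this block was already freed */
            double_frees++;
            return;                   /* do not hand it to libc again */
        }
    }
    if (quarantined_n < QUARANTINE) quarantined[quarantined_n++] = p;
    else free(p);                     /* quarantine full: release oldest-style */
}

/* Release everything held and reset counters (called between scenarios). */
static void quarantine_reset(void) {
    for (int i = 0; i < quarantined_n; i++) free(quarantined[i]);
    quarantined_n = 0;
    double_frees = 0;
}

static char *dup_string(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

static Object obj_init_string(const char *s) {
    Object o;
    o.type = objString;
    o.str = dup_string(s);
    return o;
}

/* Object::free-style release: free the payload, then mark the struct empty
 * so calling it twice on the SAME struct is harmless. It cannot protect
 * against a second struct that holds the same pointer. */
static void obj_free(Object *o) {
    if (o->type == objString) tracked_free(o->str);
    o->type = objNone;
    o->str = NULL;
}

/* Shallow copy: both structs now "own" one buffer. This is the bug pattern. */
static Object obj_copy_shallow(const Object *src) {
    return *src;
}

/* Ownership transfer: the source is emptied, so exactly one owner remains. */
static Object obj_move(Object *src) {
    Object dst = *src;
    src->type = objNone;
    src->str = NULL;
    return dst;
}

/* Both scenarios mimic a content-stream interpreter freeing the operands
 * it holds. Returns the number of double frees detected. */
int scenario_shallow(void) {
    quarantine_reset();
    Object a = obj_init_string("Tj");
    Object b = obj_copy_shallow(&a);
    obj_free(&a);
    obj_free(&b);            /* second free of the same buffer: detected */
    return double_frees;     /* 1 */
}

int scenario_move(void) {
    quarantine_reset();
    Object a = obj_init_string("Tj");
    Object b = obj_move(&a);
    obj_free(&a);            /* no-op: a no longer owns anything */
    obj_free(&b);
    return double_frees;     /* 0 */
}

int main(void) {
    printf("shallow copy: %d double free(s)\n", scenario_shallow());
    printf("move:         %d double free(s)\n", scenario_move());
    quarantine_reset();
    return 0;
}
```

On a real binary the equivalent check is to rebuild with `-fsanitize=address` (or run under valgrind, or with `MALLOC_CHECK_=3` for glibc) and scroll to the crashing page: ASan reports the first free and the second free with both stacks, which is the information needed to find which operand was copied instead of moved.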

Revision history for this message
Micah Cowan (micahcowan) wrote :

> Seems like a double free.

It does indeed.

Changed in xpdf:
assignee: micahcowan → nobody
status: Needs Info → Confirmed
importance: Undecided → Medium
Revision history for this message
Pekka Jääskeläinen (pekka-jaaskelainen) wrote :

This happens in upstream also (version 3.02). Quickly looking, I didn't find a bug tracker in Xpdf home page so couldn't report it there. Will do if I find one.

Revision history for this message
gwern (gwern0) wrote :

I think I'm seeing a similar problem in Xpdf, using the same PDF I list in https://bugs.launchpad.net/ubuntu/+source/evince/+bug/240044 :

gwern@craft:10578~>xpdf causality.pdf [ 2:48PM]
zsh: segmentation fault xpdf causality.pdf

I scroll to page 5, and as I go to page 6, it crashes. Once it included a backtrace:
gwern@craft:10578~>xpdf causality.pdf [ 2:48PM]
*** glibc detected *** xpdf: corrupted double-linked list: 0x0000000000882080 ***
======= Backtrace: =========
/lib/libc.so.6[0x7f45b844f4b2]
/lib/libc.so.6(__libc_malloc+0x90)[0x7f45b8450360]
/usr/lib/libt1.so.5(t1_Allocate+0x5b)[0x7f45ba6a47db]
/usr/lib/libt1.so.5(t1_Bezier+0x10a)[0x7f45ba6a53ca]
/usr/lib/libt1.so.5[0x7f45ba6afa70]
/usr/lib/libt1.so.5(Type1Char+0x6dc)[0x7f45ba6b4e3c]
/usr/lib/libt1.so.5(fontfcnB+0x1fa)[0x7f45ba6a216a]
/usr/lib/libt1.so.5(T1_SetChar+0x241)[0x7f45ba6c0261]
/usr/lib/libt1.so.5(T1_AASetChar+0x115)[0x7f45ba6c7065]
xpdf[0x4c0afa]
xpdf[0x4c01fe]
xpdf[0x4b37dc]
xpdf[0x47e008]
xpdf[0x41cef1]
xpdf[0x41de2a]
xpdf[0x418ced]
xpdf[0x41904b]
xpdf[0x460a34]
xpdf[0x4638ab]
xpdf[0x466a59]
xpdf[0x497298]
xpdf[0x4619cc]
xpdf[0x4a0355]
xpdf[0x4a1ccd]
xpdf[0x498a50]
/usr/lib/libXt.so.6(XtCallCallbackList+0x12f)[0x7f45b9e3ea8f]
/usr/lib/libXm.so.2(_XmDrawingAreaInput+0x35)[0x7f45ba120065]
/usr/lib/libXt.so.6[0x7f45b9e741ae]
/usr/lib/libXt.so.6[0x7f45b9e745c9]
/usr/lib/libXt.so.6(_XtTranslateEvent+0x6df)[0x7f45b9e74ccf]
/usr/lib/libXt.so.6(XtDispatchEventToWidget+0x43e)[0x7f45b9e4c56e]
/usr/lib/libXt.so.6[0x7f45b9e4cc70]
/usr/lib/libXt.so.6(XtDispatchEvent+0xdb)[0x7f45b9e4bd1b]
/usr/lib/libXt.so.6(XtAppMainLoop+0x45)[0x7f45b9e4be95]
xpdf[0x4a5200]
/lib/libc.so.6(__libc_start_main+0xf4)[0x7f45b83f81c4]
xpdf(__gxx_personality_v0+0x2c1)[0x406369]
======= Memory map: ========
00400000-00519000 r-xp 00000000 08:02 1641380 /usr/bin/xpdf.bin
00719000-00747000 rw-p 00119000 08:02 1641380 /usr/bin/xpdf.bin
00747000-02b36000 rw-p 00747000 00:00 0 [heap]
7f45b0000000-7f45b0021000 rw-p 7f45b0000000 00:00 0
7f45b0021000-7f45b4000000 ---p 7f45b0021000 00:00 0
7f45b696a000-7f45b69aa000 rw-p 7f45b696a000 00:00 0
7f45b7184000-7f45b7189000 r-xp 00000000 08:02 1639784 /usr/lib/libXfixes.so.3.1.0
7f45b7189000-7f45b7388000 ---p 00005000 08:02 1639784 /usr/lib/libXfixes.so.3.1.0
7f45b7388000-7f45b7389000 rw-p 00004000 08:02 1639784 /usr/lib/libXfixes.so.3.1.0
7f45b7389000-7f45b7392000 r-xp 00000000 08:02 1639751 /usr/lib/libXrender.so.1.3.0
7f45b7392000-7f45b7591000 ---p 00009000 08:02 1639751 /usr/lib/libXrender.so.1.3.0
7f45b7591000-7f45b7592000 rw-p 00008000 08:02 1639751 /usr/lib/libXrender.so.1.3.0
7f45b7592000-7f45b759b000 r-xp 00000000 08:02 1639788 /usr/lib/libXcursor.so.1.0.2
7f45b759b000-7f45b779b000 ---p 00009000 08:02 1639788 /usr/lib/libXcursor.so.1.0.2
7f45b779b000-7f45b779c000 rw-p 000...


Changed in xpdf (Ubuntu):
status: Confirmed → Fix Released