Comment 21 for bug 943195

halfdog (halfdog) wrote:

I guess I have an explanation for the bug and why it is emerging again now and then.

...
The memory location 0x80(%rdi) is written only once, which revealed that the libpoppler GlobalParams class constructor did not write it. In fact, the constructor is never called. Instead, the xpdf program brings its own and divergent version of the GlobalParams class, handing that over to libpoppler. Comparing the different definitions (xpdf/GlobalParams.h and poppler/GlobalParams.h) reveals that the xpdf class definition will copy boolean configuration values to that location, which is used by libpoppler to store textEncoding.
...

See http://www.halfdog.net/Security/2012/XpdfCrashAnalysisUbuntuPrecise/ for full analysis.
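The mechanism described in this comment, two translation units carrying different definitions of a class with the same name, so that a boolean written through one view lands on a pointer field in the other, is illustrated below as an added example that is not part of the bug report, of xpdf or of poppler. The two `GlobalParams` structs, the `header` padding and the `someFlag`/`otherFlag` names are constructed to place a boolean at offset 0x80 in one view and a pointer named `textEncoding` at the same offset in the other; they are not the real xpdf or poppler layouts. The copy between the views goes through a raw byte buffer so the demonstration itself has no undefined behaviour.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <iostream>

// Constructed, simplified layouts (NOT xpdf's or poppler's actual classes):
// the program's own definition of the class ...
namespace app_side {
struct GlobalParams {
    char header[128];   // unrelated fields occupying the first 0x80 bytes
    bool someFlag;      // this definition stores a boolean at offset 0x80
    bool otherFlag;
};
}

// ... and the library's definition of a class with the same name.
namespace lib_side {
struct GlobalParams {
    char  header[128];
    char *textEncoding; // this definition expects a pointer at offset 0x80
};
}

// Check a practitioner can make when suspecting an ODR/ABI mismatch: do the
// two definitions place differently typed members at the same offset?
bool field_offsets_collide() {
    return offsetof(app_side::GlobalParams, someFlag) ==
           offsetof(lib_side::GlobalParams, textEncoding);
}

// Simulate the program writing the object through its own view and the
// library reading it back through its view. The bytes are moved with memcpy
// into a raw buffer and out again, so only the *interpretation* differs.
std::uintptr_t pointer_seen_by_library(bool flag_value) {
    app_side::GlobalParams app{};        // zero-initialised, as a constructor would
    app.someFlag = flag_value;           // the "boolean configuration value"

    alignas(8) unsigned char raw[sizeof(lib_side::GlobalParams)]{};
    std::memcpy(raw, &app, std::min(sizeof(app), sizeof(raw)));

    lib_side::GlobalParams lib{};
    std::memcpy(&lib, raw, sizeof(lib));
    // Whatever value the library now sees here was never a valid pointer.
    return reinterpret_cast<std::uintptr_t>(lib.textEncoding);
}

int main() {
    std::cout << "offsets collide: " << (field_offsets_collide() ? "yes" : "no") << "\n";
    std::cout << "textEncoding as seen by library after flag=true:  0x"
              << std::hex << pointer_seen_by_library(true) << "\n";
    std::cout << "textEncoding as seen by library after flag=false: 0x"
              << std::hex << pointer_seen_by_library(false) << "\n";
    return 0;
}
```

With the flag set, the library's `textEncoding` is a non-null pointer built from a boolean's bytes, which is exactly the kind of value that is later dereferenced and crashes; with the flag clear it stays null, which matches the report's observation that the fault only appears now and then depending on configuration. The `offsetof` comparison is the cheap check to run when two headers of the same name are suspected of diverging.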