Bug 692282 - pdf_show_string can overwrite xref's scratch buffer when called from pdf_run_stream
Status: RESOLVED FIXED
Alias: None
Product: MuPDF
Classification: Unclassified
Component: mupdf
Version: unspecified
Hardware: PC Windows 7
Importance: P4 normal
Assignee: Tor Andersson
URL: http://code.google.com/p/sumatrapdf/i...
Reported: 2011-06-16 15:18 UTC by zeniko
Modified: 2011-08-06 00:30 UTC

Description zeniko 2011-06-16 15:18:38 UTC
When drawing Type 3 glyphs, pdf_show_string can lead to a call to pdf_run_stream for each glyph. Since this is for the same xref, xref->scratch is reused and thus the string to show is overwritten. For the two documents from the URL, this occasionally leads to glyphs being omitted or drawn in the wrong location.

Note: This issue only occurs if no intermediary display list is used for drawing.

Our fix: http://code.google.com/p/sumatrapdf/source/detail?r=3911
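
The aliasing described above, as an added example: a hypothetical model, not MuPDF or SumatraPDF code. The struct, the function names and the sample tokens are assumptions, and copying the string before showing it is one possible mitigation, not necessarily what r3911 does.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the bug, not MuPDF code. */
struct doc { char scratch[32]; };  /* stands in for xref->scratch */

/* Stand-in for running one Type 3 glyph's content stream: the nested
 * interpreter tokenizes into the same per-document scratch buffer. */
static void run_glyph_stream(struct doc *d) { strcpy(d->scratch, "0 0 m"); }

/* Stand-in for pdf_show_string: records the byte it is about to draw,
 * then runs that glyph's stream before moving to the next byte. */
static void show_string(struct doc *d, const char *buf, size_t len, char *drawn)
{
    for (size_t i = 0; i < len; i++) {
        drawn[i] = buf[i];
        run_glyph_stream(d);
    }
    drawn[len] = '\0';
}

/* Before: the string token is passed as a pointer into d->scratch. */
static int show_token_shared(struct doc *d, const char *tok, char *drawn)
{
    size_t len = strlen(tok);
    if (len >= sizeof d->scratch) return -1;
    memcpy(d->scratch, tok, len + 1);
    show_string(d, d->scratch, len, drawn);
    return 0;
}

/* After (assumed mitigation): show_string gets a private copy. */
static int show_token_copied(struct doc *d, const char *tok, char *drawn)
{
    char copy[sizeof d->scratch];
    size_t len = strlen(tok);
    if (len >= sizeof d->scratch) return -1;
    memcpy(d->scratch, tok, len + 1);
    memcpy(copy, d->scratch, len + 1);
    show_string(d, copy, len, drawn);
    return 0;
}

int main(void)
{
    struct doc d; char out[32];
    show_token_shared(&d, "ABC", out); printf("shared: %s\n", out);
    show_token_copied(&d, "ABC", out); printf("copied: %s\n", out);
    return 0;
}
```

In the shared case only the first byte survives; every later byte comes from the nested glyph stream's token, which is how glyphs end up missing or misplaced.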
Comment 1 Elias Pipping 2011-06-29 08:32:19 UTC
Something like

--- a/pdf/pdf_interpret.c
+++ b/pdf/pdf_interpret.c
@@ -2138,8 +2138,10 @@ pdf_run_stream(pdf_csi *csi, fz_obj *rdb, fz_stream *file, char *buf, int buflen
                                pdf_show_space(csi, -fz_atof(buf) * gstate->size * 0.001f);
                        }
                        else if (tok == PDF_TOK_STRING)
-                       {
+                       {       /* cf. http://bugs.ghostscript.com/show_bug.cgi?id=692312 */
+                               csi->in_array = 0;
                                pdf_show_string(csi, (unsigned char *)buf, len);
+                               csi->in_array = 1;
                        }
                        else if (tok == PDF_TOK_KEYWORD)
                        {
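
Review bot: In the PDF_TOK_STRING branch, csi->in_array is set to 1 unconditionally after pdf_show_string returns instead of being restored to the value it had on entry; save the old value in a local and restore that, so the branch stays correct if it is ever reached with in_array already 0. The added comment gives only a URL for bug 692312; a short statement of why in_array has to be cleared during the call would make the change reviewable without following the link. buf is still handed to pdf_show_string directly, so this hunk does not address the scratch-buffer overwrite this report describes.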

indeed fixes the issue for me, thanks. I still get

+ pdf/pdf_xref.c:335: pdf_read_new_xref(): object id (37226 0 R) out of range (0..37225)
| pdf/pdf_xref.c:411: pdf_read_xref(): cannot read xref (ofs=5260639)
| pdf/pdf_xref.c:431: pdf_read_xref_sections(): cannot read xref section
| pdf/pdf_xref.c:491: pdf_load_xref(): cannot read xref
\ pdf/pdf_xref.c:532: pdf_open_xref_with_stream(): trying to repair

on startup. Is this related?
Comment 2 Elias Pipping 2011-06-29 08:34:54 UTC
(In reply to comment #1)
> Something like
> 
> --- a/pdf/pdf_interpret.c
> +++ b/pdf/pdf_interpret.c
> @@ -2138,8 +2138,10 @@ pdf_run_stream(pdf_csi *csi, fz_obj *rdb, fz_stream
> *file, char *buf, int buflen
>                                 pdf_show_space(csi, -fz_atof(buf) *
> gstate->size * 0.001f);
>                         }
>                         else if (tok == PDF_TOK_STRING)
> -                       {
> +                       {       /* cf.
> http://bugs.ghostscript.com/show_bug.cgi?id=692312 */
> +                               csi->in_array = 0;
>                                 pdf_show_string(csi, (unsigned char *)buf,
> len);
> +                               csi->in_array = 1;
>                         }
>                         else if (tok == PDF_TOK_KEYWORD)
>                         {
> 
> indeed fixes the issue for me, thanks. I still get
> 
> + pdf/pdf_xref.c:335: pdf_read_new_xref(): object id (37226 0 R) out of range
> (0..37225)
> | pdf/pdf_xref.c:411: pdf_read_xref(): cannot read xref (ofs=5260639)
> | pdf/pdf_xref.c:431: pdf_read_xref_sections(): cannot read xref section
> | pdf/pdf_xref.c:491: pdf_load_xref(): cannot read xref
> \ pdf/pdf_xref.c:532: pdf_open_xref_with_stream(): trying to repair
> 
> on startup. Is this related?

Oops. It's still early, so please ignore the above completely because I meant to post it on another bug :)
Comment 3 Tor Andersson 2011-08-06 00:30:05 UTC
Fixed in commit 7926d3cbd583e45e59532fa473713e7d54424811.