We've been getting reports about crashes in fz_free_text_span for a while, but so far couldn't believe that such overlong text span lists actually occurred in the wild. Apparently they do: http://www.ochaopt.org/documents/ocha_opt_wb_access_and_closure_map_august_2011_web.pdf
Created attachment 8087 [details] ocha_otp_...11_web.pdf
Fixed in my repo in commit: commit ce74d32a4c8cdebc0d7b495d727ffd8b5f93f311 Author: Robin Watts <robin.watts@artifex.com> Date: Tue Nov 15 17:04:46 2011 +0000 Fix bug 692627: stack overflows in text handling. The existing code uses recursion for text span handling. With sufficiently many chained spans we get stack overflow. Simple fixes to use a loop. Subsidiary problem with the same file found and fixed in: commit 819aed16c190263a853fabe07870f9da98070f80 Author: Robin Watts <robin.watts@artifex.com> Date: Tue Nov 15 16:40:18 2011 +0000 Allow draw device to use a dynamic stack. Previously, we had a hardwired 96 element stack for clipping/group nesting etc. If this was exceeeded during rendering we would give an error. Now we allow for that stack to be extended dynamically at runtime. If the stack extension fails, we will give an error and die. I'll close the bug when it hits the main repo.
In the main repo these appear as: commit 37b1af3eeae78cfe312d81eb616d98158445cae6 Author: Robin Watts <robin.watts@artifex.com> Date: Tue Nov 15 17:04:46 2011 +0000 Fix bug 692627: stack overflows in text handling. The existing code uses recursion for text span handling. With sufficiently many chained spans we get stack overflow. Simple fixes to use a loop. commit 819aed16c190263a853fabe07870f9da98070f80 Author: Robin Watts <robin.watts@artifex.com> Date: Tue Nov 15 16:40:18 2011 +0000 Allow draw device to use a dynamic stack. Previously, we had a hardwired 96 element stack for clipping/group nesting etc. If this was exceeeded during rendering we would give an error. Now we allow for that stack to be extended dynamically at runtime. If the stack extension fails, we will give an error and die. Thanks.