Created attachment 8055 [details] A page from the leverage RPG that crashes MuPDF MuPDF 0.9 crashes when opening the Leverage RPG corebook (http://rpg.drivethrustuff.com/product_info.php?products_id=85727), after page 4. I first saw that crash in the application "ebookdroid" for Android, but I've since been able to reproduce it in MuPDF for Windows. I have attached a page of the PDF that randomly exhibits the problem. When opening it, I crashed around half the time. The page was extracted through PDF cleaner.
I may have also seen this problem on the iOS version. Most of the time it works on my iPad after about a minute delay. When it fails on my iPad (which I have seen twice), it fails in the following location (trying not to add too much stack dump spew): line 152 in fz_paint_span_with_color_N: dp[k] = FZ_BLEND(255, dp[k], ma); (k=0, ma=154, and the others are below) #0 0x0002a08a in fz_paint_span_with_color_N (dp=0x42ec000 <Address 0x42ec000 out of bounds>, mp=0x7852b1 '\231' <repeats 30 times>, "6", n=1, w=31, color=0x2ff5d4e8 "\377\254\357\377\375?xD((8\304\365TtD") at draw_paint.c:152 #1 0x00029e44 in fz_paint_span_with_color (dp=0x1 <Address 0x1 out of bounds>, mp=0x1f <Address 0x1f out of bounds>, n=804639976, w=0, color=0x100 <Address 0x100 out of bounds>) at draw_paint.c:164 #2 0x0002659c in blit_aa (dst=0x785210, x=-768, y=977, mp=0x7852b0 '\231' <repeats 31 times>, "6", w=32, color=0x2ff5d4e8 "\377\254\357\377\375?xD((8\304\365TtD") at draw_edge.c:568 #3 0x00025dfe in fz_scan_convert_aa (gel=0x7c5da0, eofill=0, clip={x0 = -768, y0 = 977, x1 = -736, y1 = 978}, dst=0x785210, color=0x2ff5d4e8 "\377\254\357\377\375?xD((8\304\365TtD") at draw_edge.c:640
I've ran the program in Visual Studio, and when the sample page crashes, it's in fz_insert_gel (on the last line), and when it doesn't crash, it triggers an assert when exitting the program, in a free (in pdfapp_close, freeing app->doctitle). Here's the call stack of the crash: ntdll.dll!774815ee() Unknown [Frames below may be incorrect and/or missing, no symbols loaded for ntdll.dll] ntdll.dll!774815ee() Unknown ntdll.dll!7747015e() Unknown > mupdf.exe!fz_insert_gel(fz_gel_s * gel, float fx0, float fy0, float fx1, float fy1) Line 352 C mupdf.exe!fz_stroke_path(fz_device_s * dev, fz_path_s * path, fz_stroke_state_s * stroke, fz_matrix_s ctm, fz_colorspace_s * colorspace, float * color, float alpha) Line 35 C mupdf.exe!fz_execute_display_list(fz_display_list_s * list, fz_device_s * dev, fz_matrix_s top_ctm, fz_bbox_s scissor) Line 579 C mupdf.exe!pdfapp_showpage(pdfapp_s * app, int loadpage, int drawpage, int repaint) Line 415 C mupdf.exe!pdfapp_open(pdfapp_s * app, char * filename, int fd, int reload) Line 208 C mupdf.exe!WinMain(HINSTANCE__ * hInstance, HINSTANCE__ * hPrevInstance, char * lpCmdLine, int nShowCmd) Line 884 C mupdf.exe!__tmainCRTStartup() Line 235 C mupdf.exe!WinMainCRTStartup() Line 168 C kernel32.dll!759d339a() Unknown ntdll.dll!77499ed2() Unknown ntdll.dll!77499ea5() Unknown and Here's the call stack of the assert, when mupdf doesn't crash: ntdll.dll!77530474() Unknown [Frames below may be incorrect and/or missing, no symbols loaded for ntdll.dll] ntdll.dll!774f29c0() Unknown ntdll.dll!774acd77() Unknown KernelBase.dll!74cd4bf9() Unknown mupdf.exe!_CrtIsValidHeapPointer(const void * pUserData) Line 2036 C++ mupdf.exe!_free_dbg_nolock(void * pUserData, int nBlockUse) Line 1322 C++ mupdf.exe!_free_dbg(void * pUserData, int nBlockUse) Line 1265 C++ mupdf.exe!free(void * pUserData) Line 49 C++ mupdf.exe!fz_free(void * p) Line 67 C > mupdf.exe!pdfapp_close(pdfapp_s * app) Line 226 C mupdf.exe!WinMain(HINSTANCE__ * hInstance, HINSTANCE__ * hPrevInstance, char * lpCmdLine, int nShowCmd) Line 892 C mupdf.exe!__tmainCRTStartup() Line 235 C mupdf.exe!WinMainCRTStartup() Line 168 C kernel32.dll!759d339a() Unknown ntdll.dll!77499ed2() Unknown ntdll.dll!77499ea5() Unknown
Does not crash with the latest code, and runs clean through Valgrind.