Bug#504489: xpdf: "Bogus memory allocation size" while trying to read "full circle magazine"

Timo Juhani Lindfors

Nov 4, 2008, 8:00:14 AM
Package: xpdf-reader
Version: 3.02-1.3
Severity: normal

Steps to reproduce:
1) wget http://iki.fi/lindi/fullcircle-issue18eng.pdf
2) xpdf fullcircle-issue18eng.pdf 19

Expected results:
2) xpdf shows page 19 of the "full circle magazine"

Actual results:
2) xpdf exits and prints "Bogus memory allocation size"

More info:
1) page 19 fails also in xpdf 3.01-9.1+etch5 (stable)
2) page 19 works fine in evince 2.22.2-4 (unstable)
3) page 19 causes evince 0.4.0-5 (stable) to print "Out of memory"
4) md5sum of the pdf is 35c9aaef97cd9d485c6aac3554d926cd and size is
5612632 bytes.

-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.18-6-k7 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=fi_FI (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash

Versions of packages xpdf depends on:
ii poppler-utils [xpdf-utils] 0.8.2-2 PDF utilitites (based on libpopple
ii xpdf-common 3.02-1.3 Portable Document Format (PDF) sui
ii xpdf-reader 3.02-1.3 Portable Document Format (PDF) sui

xpdf recommends no packages.

Versions of packages xpdf-reader depends on:
ii gsfonts 1:8.11+urwcyr1.0.7~pre43-2 Fonts for the Ghostscript interpre
ii lesstif2 1:0.95.0-2.1 OSF/Motif 2.1 implementation relea
ii libc6 2.7-12 GNU C Library: Shared libraries
ii libfreetype6 2.3.5-1+b1 FreeType 2 font engine, shared lib
ii libgcc1 1:4.3.1-2 GCC support library
ii libice6 2:1.0.4-1 X11 Inter-Client Exchange library
ii libpaper1 1.1.23 library for handling paper charact
ii libsm6 2:1.0.3-2 X11 Session Management library
ii libstdc++6 4.3.1-2 The GNU Standard C++ Library v3
ii libt1-5 5.1.2-2 Type 1 font rasterizer library - r
ii libx11-6 2:1.1.4-2 X11 client-side library
ii libxext6 2:1.0.4-1 X11 miscellaneous extension librar
ii libxp6 1:1.0.0.xsf1-1 X Printing Extension (Xprint) clie
ii libxpm4 1:3.5.7-1 X11 pixmap library
ii libxt6 1:1.0.5-3 X11 toolkit intrinsics library
ii xpdf-common 3.02-1.3 Portable Document Format (PDF) sui

-- no debconf information


Timo Juhani Lindfors

Jul 18, 2010, 11:30:02 AM
package xpdf
reopen 504489
thanks

Reopening, this bug is still reproducible with 3.02-9:

$ wget http://iki.fi/lindi/fullcircle-issue18eng.pdf
--2010-07-18 15:22:19-- http://iki.fi/lindi/fullcircle-issue18eng.pdf
Resolving iki.fi... 212.16.100.2, 212.16.100.1
Connecting to iki.fi|212.16.100.2|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://lindi.iki.fi/lindi/fullcircle-issue18eng.pdf [following]
--2010-07-18 15:22:19-- http://lindi.iki.fi/lindi/fullcircle-issue18eng.pdf
Resolving lindi.iki.fi... 193.166.42.10
Connecting to lindi.iki.fi|193.166.42.10|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5612632 (5.4M) [application/pdf]
Saving to: `fullcircle-issue18eng.pdf'

100%[==========================================================================================================================================================================>] 5,612,632 108K/s in 49s

2010-07-18 15:23:08 (111 KB/s) - `fullcircle-issue18eng.pdf' saved [5612632/5612632]

(sid)lindi@sauna:~$ xpdf fullcircle-issue18eng.pdf 19
Bogus memory allocation size
(sid)lindi@sauna:~$ dpkg -l xpdf
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Description
+++-===============================================-===============================================-==============================================================================================================
ii xpdf 3.02-9 Portable Document Format (PDF) reader
(sid)lindi@sauna:~$ md5sum fullcircle-issue18eng.pdf
35c9aaef97cd9d485c6aac3554d926cd fullcircle-issue18eng.pdf

Timo Juhani Lindfors

Sep 18, 2011, 1:40:01 PM
package xpdf
reopen 504489
found 504489 3.03-4
thanks

> version: 3.03-1
>
> Seems to work with latest upstream version.

I still see the error message in 3.03-4

$ xpdf fullcircle-issue18eng.pdf 19
Bogus memory allocation size
$ dpkg-query -W xpdf
xpdf 3.03-4
$ md5sum fullcircle-issue18eng.pdf
35c9aaef97cd9d485c6aac3554d926cd fullcircle-issue18eng.pdf

Michael Gilbert

Sep 19, 2011, 8:30:02 PM
retitle 504489 user-specific crash with fullcircle pdf file
severity 504489 minor
tag 504489 moreinfo, unreproducible
thanks

Timo Juhani Lindfors wrote:
> I still see the error message in 3.03-4
>
> $ xpdf fullcircle-issue18eng.pdf 19
> Bogus memory allocation size

I do get the "Bogus memory allocation size" message, but I just don't
get a crash afterward (tested on amd64 and i386). Can you capture a
backtrace? Also, can you send updated system information for your
machine (easiest to generate with reportbug)?

Best wishes,
Mike

Timo Juhani Lindfors

Sep 20, 2011, 12:20:02 AM
Michael Gilbert <michael....@gmail.com> writes:
> I do get the "Bogus memory allocation size" message, but I just don't
> get a crash afterward (tested on amd64 and i386). Can you capture a
> backtrace? Also, can you send updated system information for your
> machine (easiest to generate with reportbug)?

Ah that's true, it only prints the error message but does not actually
crash.

-Timo

Michael Gilbert

Sep 20, 2011, 12:40:02 AM
Timo Juhani Lindfors wrote:

> Michael Gilbert <michael....@gmail.com> writes:
> > I do get the "Bogus memory allocation size" message, but I just don't
> > get a crash afterward (tested on amd64 and i386). Can you capture a
> > backtrace? Also, can you send updated system information for your
> > machine (easiest to generate with reportbug)?
>
> Ah that's true, it only prints the error message but does not actually
> crash.

Is there any reason to keep this bug open just for an innocuous message?

Thanks,
Mike

Timo Juhani Lindfors

Sep 20, 2011, 12:50:01 AM
Michael Gilbert <michael....@gmail.com> writes:
> Is there any reason to keep this bug open just for an innocuous
> message?

Not sure but hmm, what makes you think this is innocuous? Now that I
grep the code I find only two fragments that mention it but both have
exit(1) after them:

void *gmallocn(int nObjs, int objSize) GMEM_EXCEP {
  int n;

  if (nObjs == 0) {
    return NULL;
  }
  n = nObjs * objSize;
  if (objSize <= 0 || nObjs < 0 || nObjs >= INT_MAX / objSize) {
#if USE_EXCEPTIONS
    throw GMemException();
#else
    fprintf(stderr, "Bogus memory allocation size\n");
    exit(1);
#endif
  }
  return gmalloc(n);
}

void *greallocn(void *p, int nObjs, int objSize) GMEM_EXCEP {
  int n;

  if (nObjs == 0) {
    if (p) {
      gfree(p);
    }
    return NULL;
  }
  n = nObjs * objSize;
  if (objSize <= 0 || nObjs < 0 || nObjs >= INT_MAX / objSize) {
#if USE_EXCEPTIONS
    throw GMemException();
#else
    fprintf(stderr, "Bogus memory allocation size\n");
    exit(1);
#endif
  }
  return grealloc(p, n);
}

strace does not show exit(1) so this warning must be coming from
something else?

-Timo

Michael Gilbert

Sep 20, 2011, 12:50:01 AM
poppler.

Timo Juhani Lindfors

Sep 20, 2011, 2:20:01 AM
Michael Gilbert <michael....@gmail.com> writes:
> poppler.

Ah indeed they have a slightly modified version:

inline static void *gmallocn(int nObjs, int objSize, bool checkoverflow)
{
  int n;

  if (nObjs == 0) {
    return NULL;
  }
  n = nObjs * objSize;
  if (objSize <= 0 || nObjs < 0 || nObjs >= INT_MAX / objSize) {

    fprintf(stderr, "Bogus memory allocation size\n");

    if (checkoverflow) return NULL;
    else exit(1);
  }
  return gmalloc(n, checkoverflow);
}

Wouldn't it be better to write this as

inline static void *gmallocn(int nObjs, int objSize, bool checkoverflow)
{
  int n;

  if (nObjs == 0) {
    return NULL;
  }
  n = nObjs * objSize;
  if (objSize <= 0 || nObjs < 0 || nObjs >= INT_MAX / objSize) {

    if (checkoverflow) {
      return NULL;
    } else {
      fprintf(stderr, "Bogus memory allocation size\n");
      exit(1);
    }
  }

  return gmalloc(n, checkoverflow);
}

if it is not an error when checkoverflow is set?

-Timo
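
An added example, not code from xpdf or poppler and not part of the thread: it shows what the guard quoted in the messages above protects against, and performs the check before the multiplication so the product is never computed for a rejected size. The names `wrapped_size`, `size_is_bogus`, `checked_mallocn` and the `may_fail` parameter are hypothetical, the input values are constructed, and a 32-bit `int` is assumed.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* What a 32-bit multiply would yield if the guard were absent. Computed in
 * unsigned arithmetic, where wraparound is defined, purely for illustration. */
static uint32_t wrapped_size(int nObjs, int objSize) {
    return (uint32_t)nObjs * (uint32_t)objSize;
}

/* Same test as the quoted guard, evaluated before any multiplication.
 * objSize <= 0 short-circuits, so the division never sees a zero divisor. */
static int size_is_bogus(int nObjs, int objSize) {
    return objSize <= 0 || nObjs < 0 || nObjs >= INT_MAX / objSize;
}

/* Hypothetical wrapper (name and may_fail parameter are assumptions).
 * may_fail != 0: the caller handles NULL, so fail quietly.
 * may_fail == 0: the caller cannot recover, so report and exit. */
static void *checked_mallocn(int nObjs, int objSize, int may_fail) {
    if (nObjs == 0)
        return NULL;
    if (size_is_bogus(nObjs, objSize)) {
        if (may_fail)
            return NULL;
        fprintf(stderr, "Bogus memory allocation size\n");
        exit(1);
    }
    return malloc((size_t)nObjs * (size_t)objSize);
}

int main(void) {
    /* Constructed values: an element count as a malformed file might declare. */
    int nObjs = 0x40000001, objSize = 4;
    printf("unguarded 32-bit size: %u bytes\n",
           (unsigned)wrapped_size(nObjs, objSize));
    void *p = checked_mallocn(nObjs, objSize, 1);
    printf("guarded allocation: %s\n", p ? "succeeded" : "refused");
    free(p);
    p = checked_mallocn(16, 4, 0);
    printf("normal allocation: %s\n", p ? "succeeded" : "failed");
    free(p);
    return 0;
}
```

Without the guard, the constructed request would be sized at 4 bytes while the caller believes it holds more than a billion 4-byte elements, which is why a rejected size is reported or refused rather than passed on.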
