The following diff adds a patch to the xpdf SplashXPath code (splash/SplashXPath.cc) to prevent out-of-bounds array access.
My test case is the following pdf: http://www.tadpole.com/upload/specifications/Sparcle_DataSheet.pdf whose second page causes a 100% reproducible crash. Patch below (although I am not sure whether the xpdf-utils version needs to be bumped); the xpdf author had been notified so this is likely to get fixed upstream soon as well. Miod Index: Makefile =================================================================== RCS file: /cvs/ports/textproc/xpdf/Makefile,v retrieving revision 1.64 diff -N -u -p Makefile --- Makefile 17 Apr 2009 20:55:46 -0000 1.64 +++ Makefile 30 May 2009 19:54:43 -0000 @@ -4,8 +4,8 @@ COMMENT-main= PDF viewer for X11 COMMENT-utils= PDF conversion tools DISTNAME= xpdf-3.02 -PKGNAME-main= xpdf-3.02.3 -PKGNAME-utils= xpdf-utils-3.02.3 +PKGNAME-main= xpdf-3.02.4 +PKGNAME-utils= xpdf-utils-3.02.4 CATEGORIES= textproc x11 MASTER_SITES= ftp://ftp.foolabs.com/pub/xpdf/ \ Index: patches/patch-splash_SplashXPath_cc =================================================================== RCS file: patches/patch-splash_SplashXPath_cc diff -N -u -p patches/patch-splash_SplashXPath_cc --- /dev/null 30 May 2009 19:54:43 -0000 +++ patches/patch-splash_SplashXPath_cc 30 May 2009 19:54:43 -0000 
@@ -0,0 +1,23 @@ +$OpenBSD$ +--- splash/SplashXPath.cc.orig Tue Feb 27 22:05:52 2007 ++++ splash/SplashXPath.cc Sat May 30 19:51:56 2009 +@@ -77,9 +77,17 @@ SplashXPath::SplashXPath(SplashPath *path, SplashCoord + for (i = 0; i < path->hintsLength; ++i) { + hint = &path->hints[i]; + x0 = pts[hint->ctrl0 ].x; y0 = pts[hint->ctrl0 ].y; +- x1 = pts[hint->ctrl0 + 1].x; y1 = pts[hint->ctrl0 + 1].y; ++ if (hint->ctrl0 + 1 >= path->length) { ++ x1 = x0; y1 = y0; ++ } else { ++ x1 = pts[hint->ctrl0 + 1].x; y1 = pts[hint->ctrl0 + 1].y; ++ } + x2 = pts[hint->ctrl1 ].x; y2 = pts[hint->ctrl1 ].y; +- x3 = pts[hint->ctrl1 + 1].x; y3 = pts[hint->ctrl1 + 1].y; ++ if (hint->ctrl1 + 1 >= path->length) { ++ x3 = x2; y3 = y2; ++ } else { ++ x3 = pts[hint->ctrl1 + 1].x; y3 = pts[hint->ctrl1 + 1].y; ++ } + if (x0 == x1 && x2 == x3) { + adjusts[i].vert = gTrue; + adj0 = x0;
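Review bot: On the Makefile hunk, bumping PKGNAME-main and PKGNAME-utils together (3.02.3 to 3.02.4) is the right call, which answers the question raised above: both subpackages are built from the same DISTNAME xpdf-3.02 source tree, and the new file under patches/ is applied to that shared tree, so the utils binaries are rebuilt from the changed splash/SplashXPath.cc as well and need a new package name for the change to propagate.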
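Review bot: In the SplashXPath.cc hunk the new guards only cover the `+ 1` reads; the unconditional reads immediately before them, `x0 = pts[hint->ctrl0 ].x; y0 = pts[hint->ctrl0 ].y;` and `x2 = pts[hint->ctrl1 ].x; y2 = pts[hint->ctrl1 ].y;`, are still unchecked, so a hint whose ctrl0 or ctrl1 is itself `>= path->length` (or negative, if the index type is signed) still reads outside the array the patch is meant to protect. A more complete fix would validate the hint as a whole before any of the four reads, for example `if (hint->ctrl0 < 0 || hint->ctrl0 + 1 >= path->length || hint->ctrl1 < 0 || hint->ctrl1 + 1 >= path->length) continue;` (or mark the adjust entry as unused), rather than substituting values mid-way. Also worth a comment in the patch: the chosen fallback `x1 = x0; y1 = y0;` makes `x0 == x1` trivially true, so the following `if (x0 == x1 && x2 == x3) { adjusts[i].vert = gTrue;` classification then depends on `x2 == x3` alone for a malformed hint; that is a silent behavioural change rather than a rejection of bad input, and the reasoning should be recorded so upstream can weigh it when adopting the fix.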
