Comment 72 for bug 39890

In , Jason Crain (jcrain) wrote:

Created attachment 66450
Check for NaN in TextPage::addChar

I don't think this is related to my earlier patch. For me, this pdf crashes both with and without it. This document is doing very strange things with the current transformation matrix (CTM) and inline images. Pages 6 and 15 are filled with lines like this:

    q 18 0 0 -1 2782 6350 cm
    q BI
    <IMAGE DICT>
    ID <IMAGE DATA>
    EI Q
    q 19 0 0 -1 2782 6350 cm
    q BI
    <IMAGE DICT>
    ID <IMAGE DATA>
    EI Q

Note the unbalanced q/Q for saving/restoring the graphics state. This means that the graphics state is not ever being properly restored and the `cm' operator is scaling the CTM until its components become NaN. This leads to TextWord::base being NaN. This breaks calculations in TextPool::addWord, causing wordBaseIdx to be INT_MIN, causing the text pool to not be initialized to NULLs, which causes a crash when an invalid pointer is read and dereferenced from the pool.

As a test, adding a call to restoreState() in Gfx::opBeginImage allows the page to render properly and without crashing. Otherwise, poppler either crashes or places text in an invalid location.

The attached patch adds a check for NaN to TextPage::addChar and throws away chars with invalid positions.
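To make the failure chain above concrete, here is an added C++ example that is not poppler code and not the attached patch. It replays the reported `q ... cm q BI ... EI Q` pattern against a small model of the CTM and graphics-state stack, shows the unbalanced q/Q driving the matrix to inf/NaN while the restoreState-style fix keeps it finite, and ends with a position guard in the spirit of the patch. All names here (`Matrix`, `replayStream`, `acceptCharPosition`, `poolIndex`) are this example's own; the guard uses `std::isfinite`, which rejects ±inf as well as the NaN the patch checks for.

```cpp
#include <cmath>
#include <cstdio>
#include <vector>

// A PDF transformation matrix [a b c d e f] as set by the `cm` operator.
struct Matrix {
    double a, b, c, d, e, f;
};

// Concatenation in the order PDF uses for `cm`: CTM' = M x CTM.
Matrix concat(const Matrix &m, const Matrix &ctm) {
    return {m.a * ctm.a + m.b * ctm.c,
            m.a * ctm.b + m.b * ctm.d,
            m.c * ctm.a + m.d * ctm.c,
            m.c * ctm.b + m.d * ctm.d,
            m.e * ctm.a + m.f * ctm.c + ctm.e,
            m.e * ctm.b + m.f * ctm.d + ctm.f};
}

bool isFinite(const Matrix &m) {
    return std::isfinite(m.a) && std::isfinite(m.b) && std::isfinite(m.c) &&
           std::isfinite(m.d) && std::isfinite(m.e) && std::isfinite(m.f);
}

// Replays the content-stream block from the report `n` times:
//   q <sx> 0 0 -1 2782 6350 cm q BI ... ID ... EI Q
// with sx alternating 18/19. `balanced` pops the missing second Q per block,
// which is the effect the report obtained by calling restoreState() in
// opBeginImage. Without it the `cm` scale accumulates on every block.
Matrix replayStream(int n, bool balanced) {
    std::vector<Matrix> stack;          // graphics-state stack: q pushes, Q pops
    Matrix ctm = {1, 0, 0, 1, 0, 0};    // identity CTM
    for (int i = 0; i < n; ++i) {
        double sx = (i % 2 == 0) ? 18.0 : 19.0;
        stack.push_back(ctm);                                  // q
        ctm = concat({sx, 0, 0, -1, 2782, 6350}, ctm);        // cm
        stack.push_back(ctm);                                  // q
        // BI ... ID ... EI: the inline image does not touch the CTM
        ctm = stack.back(); stack.pop_back();                  // Q
        if (balanced) {                                        // the missing Q
            ctm = stack.back(); stack.pop_back();
        }
    }
    return ctm;
}

// Number of unbalanced blocks before the CTM first stops being finite.
int blocksUntilNonFinite(int limit) {
    for (int n = 1; n <= limit; ++n)
        if (!isFinite(replayStream(n, false))) return n;
    return -1;
}

// Guard modelled on the reported fix: a glyph whose device-space position is
// not a finite number is dropped before it can reach word/pool indexing.
bool acceptCharPosition(double x, double y) {
    return std::isfinite(x) && std::isfinite(y);
}

// Transforms user-space origin (0,0) through the CTM, as a glyph position
// would be, and reports whether the guard keeps the character.
bool charSurvives(const Matrix &ctm) {
    double tx = ctm.a * 0 + ctm.c * 0 + ctm.e;
    double ty = ctm.b * 0 + ctm.d * 0 + ctm.f;
    return acceptCharPosition(tx, ty);
}

// Maps a baseline coordinate onto one of `buckets` rows spanning
// [minBase, maxBase]. Returns -1 rather than converting a non-finite value:
// double-to-int conversion of NaN is undefined behaviour in C++, and on x86-64
// it typically yields INT_MIN, the wordBaseIdx value described in the report.
int poolIndex(double base, double minBase, double maxBase, int buckets) {
    if (!std::isfinite(base) || buckets <= 0 || maxBase <= minBase) return -1;
    if (base < minBase || base > maxBase) return -1;
    int idx = static_cast<int>((base - minBase) / (maxBase - minBase) * buckets);
    return idx >= buckets ? buckets - 1 : idx;
}

int main() {
    std::printf("unbalanced stream goes non-finite after %d blocks\n",
                blocksUntilNonFinite(1000));
    std::printf("balanced stream keeps the glyph: %s\n",
                charSurvives(replayStream(1000, true)) ? "yes" : "no");
    std::printf("unbalanced stream keeps the glyph: %s\n",
                charSurvives(replayStream(1000, false)) ? "yes" : "no");
    return 0;
}
```

The point the example makes is that the stack depth and the CTM magnitude are both unbounded when a content stream leaves `q` unmatched, so a renderer cannot rely on the matrix staying sane; every derived index (here `poolIndex`) needs its own finiteness and range check before any floating-point to integer conversion.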