Dan Rosenberg reported an issue in xpdf/poppler code base: http://thread.gmane.org/gmane.comp.security.oss.general/4109 Malformed commands may cause corruption of the internal stack used to maintain graphics contexts, leading to potentially exploitable memory corruption. Acknowledgements: Red Hat would like to thank Dan Rosenberg for reporting this issue.
Upstream poppler git commit that adds stack guards: http://cgit.freedesktop.org/poppler/poppler/commit/?id=8284008aa8230a92ba08d547864353d3290e9bf9 This fix changes API and ABI of the Gfx class. This is part of Xpdf headers bundled in poppler-devel in Fedora and RHEL-6. poppler upstream makes certain API/ABI stability promises for supported frontends (glib, Qt4), but not for legacy Xpdf APIs, which are used by some programs (texlive, gimp, or openoffice.org).
SUSE xpdf packages maintainer tracked this crash down to q (saveState) / Q (restoreState) graphics operations imbalance. While the patch mentioned in comment #1 adds additional guards to the graphics states stack, earlier commit tries to address q/Q imbalance: http://cgit.freedesktop.org/poppler/poppler/commit/?id=17345173 This fix is included in RHEL-6 poppler. RHEL-5 poppler does not include this fix, but does not seem to crash on the Dan's reproducer either.