Bug 10898 - Crash on fuzzed PDF at Parser.cc:192
Summary: Crash on fuzzed PDF at Parser.cc:192
Status: RESOLVED FIXED
Alias: None
Product: poppler
Classification: Unclassified
Component: general (show other bugs)
Version: unspecified
Hardware: x86 (IA32) Linux (All)
: medium normal
Assignee: poppler-bugs
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2007-05-09 15:26 UTC by Victor Stinner
Modified: 2007-05-10 13:51 UTC (History)
1 user (show)

See Also:
i915 platform:
i915 features:

Attachments
Example of PDF file to crash poppler (137.40 KB, application/octet-stream)
2007-05-09 15:27 UTC, Victor Stinner 		Details
View All

Description Victor Stinner 2007-05-09 15:26:48 UTC 
I tried my fuzzer program on poppler and after few minutes I found a bug. I generated a PDF which crash libpoppler 0.5.4, here is the backtrace (given by Valgrind):

Invalid read of size 4
   at 0x688813A: Parser::makeStream(Object*) (Parser.cc:192)
   by 0x6888576: Parser::getObj(Object*, unsigned char*, int, int, int) (Parser.cc:91)
   by 0x6888298: Parser::getObj(Object*, unsigned char*, int, int, int) (Parser.cc:64)
   by 0x6888298: Parser::getObj(Object*, unsigned char*, int, int, int) (Parser.cc:64)
   by 0x68337B6: Gfx::go(int) (Gfx.cc:642)
   by 0x6833A62: Gfx::display(Object*, int) (Gfx.cc:543)
Comment 1 Victor Stinner 2007-05-09 15:27:18 UTC 
Created attachment 9910 [details]
Example of PDF file to crash poppler
Comment 2 Albert Astals Cid 2007-05-10 13:00:52 UTC 
i don't get any crash nor valgrind problem with CVS, can you try CVS version?
Comment 3 ismail ( cartman ) donmez 2007-05-10 13:03:25 UTC 
FWIW kpdf KDE 3.5 SVN crashes on the file.
Comment 4 Albert Astals Cid 2007-05-10 13:32:15 UTC 
kpdf 3.5 from svn works and is valgrind free too here
Comment 5 Victor Stinner 2007-05-10 13:51:36 UTC 
(In reply to comment #2)
> i don't get any crash nor valgrind problem with CVS, can you try CVS version?

Hi, no I didn't. As I wrote in the bug report, the bug occurs with version  0.5.4. So it looks like the bug has been fixed in trunk.

I may try to find other bugs in svn version ;-)

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.