Hi, my bug #10898 was specific to version 0.5.4, but I found another bug in the latest version of poppler. I generated a fuzzed file which creates recursive calls of Parser::getObj(). Valgrind detects a thread stack overflow (before all the stack is used by the recursive calls...). Each call to getObj() creates a new object:

dict=0xbf476460
dict=0xbf476840
dict=0xbf476650
dict=0xbf476a30
...

pdftotext finally crashes with a SIGSEGV signal.

Backtrace:

--- malloc ---
#0 0xb7b26ad9 in _int_malloc (av=0xb7bdf120, bytes=96) at malloc.c:3865
#1 0xb7b28996 in *__GI___libc_malloc (bytes=96) at malloc.c:3382
#2 0xb7e3992c in grealloc (p=0x0, size=96) at gmem.cc:143
#3 0xb7e39a1c in greallocn (p=0x0, nObjs=8, objSize=12) at gmem.cc:193
--- call N ---
#4 0xb7d84e69 in Array::add (this=0x8face60, elem=0xbf476114) at Array.cc:47
#5 0xb7deb34d in Lexer (this=0x8facdb8, xrefA=0x80a8038, str=0x8facc78) at Lexer.cc:58
#6 0xb7e0a2b5 in XRef::fetch (this=0x80a8038, num=32, gen=0, obj=0xbf476270) at XRef.cc:893
#7 0xb7df14e8 in Object::fetch (this=0x8facbd4, xref=0x80a8038, obj=0xbf476270) at Object.cc:106
#8 0xb7d8fecf in Dict::lookup (this=0x8facba8, key=0xb7e734ff "Length", obj=0xbf476270) at Dict.cc:108
#9 0xb7d84a9a in Object::dictLookup (this=0xbf476460, key=0xb7e734ff "Length", obj=0xbf476270) at Object.h:259
#10 0xb7df71df in Parser::makeStream (this=0x8facb48, dict=0xbf476460, fileKey=0x0, encAlgorithm=808464432, keyLength=825701936, objNum=32, objGen=0) at Parser.cc:160
#11 0xb7df7848 in Parser::getObj (this=0x8facb48, obj=0xbf476460, fileKey=0x0, encAlgorithm=808464432, keyLength=825701936, objNum=32, objGen=0) at Parser.cc:94
--- call N-1 ---
#12 0xb7e0a4f3 in XRef::fetch (this=0x80a8038, num=32, gen=0, obj=0xbf476460) at XRef.cc:907
#13 0xb7df14e8 in Object::fetch (this=0x8fac83c, xref=0x80a8038, obj=0xbf476460) at Object.cc:106
#14 0xb7d8fecf in Dict::lookup (this=0x8fac810, key=0xb7e734ff "Length", obj=0xbf476460) at Dict.cc:108
#15 0xb7d84a9a in Object::dictLookup (this=0xbf476650, key=0xb7e734ff "Length", obj=0xbf476460) at Object.h:259
#16 0xb7df71df in Parser::makeStream (this=0x8fac7b0, dict=0xbf476650, fileKey=0x0, encAlgorithm=808464432, keyLength=825701936, objNum=32, objGen=0) at Parser.cc:160
#17 0xb7df7848 in Parser::getObj (this=0x8fac7b0, obj=0xbf476650, fileKey=0x0, encAlgorithm=808464432, keyLength=825701936, objNum=32, objGen=0) at Parser.cc:94
--- call N-2 ---
#18 0xb7e0a4f3 in XRef::fetch (this=0x80a8038, num=32, gen=0, obj=0xbf476650) at XRef.cc:907
#19 0xb7df14e8 in Object::fetch (this=0x8fac4a4, xref=0x80a8038, obj=0xbf476650) at Object.cc:106
#20 0xb7d8fecf in Dict::lookup (this=0x8fac478, key=0xb7e734ff "Length", obj=0xbf476650) at Dict.cc:108
#21 0xb7d84a9a in Object::dictLookup (this=0xbf476840, key=0xb7e734ff "Length", obj=0xbf476650) at Object.h:259
#22 0xb7df71df in Parser::makeStream (this=0x8fac418, dict=0xbf476840, fileKey=0x0, encAlgorithm=808464432, keyLength=825701936, objNum=32, objGen=0) at Parser.cc:160
#23 0xb7df7848 in Parser::getObj (this=0x8fac418, obj=0xbf476840, fileKey=0x0, encAlgorithm=808464432, keyLength=825701936, objNum=32, objGen=0) at Parser.cc:94
--- call N-3 ---
#24 0xb7e0a4f3 in XRef::fetch (this=0x80a8038, num=32, gen=0, obj=0xbf476840) at XRef.cc:907
#25 0xb7df14e8 in Object::fetch (this=0x8fac10c, xref=0x80a8038, obj=0xbf476840) at Object.cc:106
#26 0xb7d8fecf in Dict::lookup (this=0x8fac0e0, key=0xb7e734ff "Length", obj=0xbf476840) at Dict.cc:108
#27 0xb7d84a9a in Object::dictLookup (this=0xbf476a30, key=0xb7e734ff "Length", obj=0xbf476840) at Object.h:259
#28 0xb7df71df in Parser::makeStream (this=0x8fac080, dict=0xbf476a30, fileKey=0x0, encAlgorithm=808464432, keyLength=825701936, objNum=32, objGen=0) at Parser.cc:160
#29 0xb7df7848 in Parser::getObj (this=0x8fac080, obj=0xbf476a30, fileKey=0x0, encAlgorithm=808464432, keyLength=825701936, objNum=32, objGen=0) at Parser.cc:94
--- call N-4 ---
#30 0xb7e0a4f3 in XRef::fetch (this=0x80a8038, num=32, gen=0, obj=0xbf476a30) at XRef.cc:907
#31 0xb7df14e8 in Object::fetch (this=0x8fabd74, xref=0x80a8038, obj=0xbf476a30) at Object.cc:106
#32 0xb7d8fecf in Dict::lookup (this=0x8fabd48, key=0xb7e734ff "Length", obj=0xbf476a30) at Dict.cc:108
#33 0xb7d84a9a in Object::dictLookup (this=0xbf476c20, key=0xb7e734ff "Length", obj=0xbf476a30) at Object.h:259
#34 0xb7df71df in Parser::makeStream (this=0x8fabce8, dict=0xbf476c20, fileKey=0x0, encAlgorithm=808464432, keyLength=825701936, objNum=32, objGen=0) at Parser.cc:160
#35 0xb7df7848 in Parser::getObj (this=0x8fabce8, obj=0xbf476c20, fileKey=0x0, encAlgorithm=808464432, keyLength=825701936, objNum=32, objGen=0) at Parser.cc:94
--- call N-... ---
etc.
Created attachment 9919: Fuzzed PDF file (contains a lot of errors)
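The backtrace shows one repeating cycle: Parser::makeStream looks up the stream's /Length, the value is an indirect reference that XRef::fetch resolves with num=32, and parsing object 32 runs Parser::getObj and Parser::makeStream again on the same object, so each level adds a fresh object and a few stack frames until the stack is exhausted. The following is an added illustration, not code from the reporter or from poppler, that models indirect-object resolution in Python and shows the check that breaks the loop: remember which objects are currently being fetched and refuse a reference back into that set, with a depth cap as a backstop. The xref table, the `("R", num, gen)` encoding of references, and every object number except 32 are constructed for the example.

```python
# Added example: toy model of PDF indirect-object resolution with a cycle
# guard. Not poppler code; the xref contents below are constructed.
from typing import Any, Dict, Optional, Set, Tuple

Ref = Tuple[str, int, int]  # constructed encoding of an indirect ref "num gen R"


def is_ref(value: Any) -> bool:
    return isinstance(value, tuple) and len(value) == 3 and value[0] == "R"


# Constructed xref table. Object 32 is a stream whose /Length is an indirect
# reference to object 32 itself, the shape the backtrace shows (makeStream ->
# lookup "Length" -> fetch 32 -> getObj -> makeStream ...). Objects 30 and 31
# form a two-object cycle that a simple self-reference check would miss.
XREF: Dict[int, Any] = {
    10: {"Type": "Stream", "Length": 5},               # direct length
    20: {"Type": "Stream", "Length": ("R", 21, 0)},    # indirect, acyclic
    21: 5,
    30: {"Type": "Stream", "Length": ("R", 31, 0)},    # mutual cycle
    31: {"Type": "Stream", "Length": ("R", 30, 0)},
    32: {"Type": "Stream", "Length": ("R", 32, 0)},    # self-reference
}

MAX_DEPTH = 64  # backstop for long but acyclic reference chains


class CycleError(Exception):
    """An object's definition requires fetching that same object."""


def fetch_unguarded(xref: Dict[int, Any], num: int) -> Any:
    """Resolution as the backtrace shows it: no check, unbounded recursion."""
    obj = xref.get(num)
    if isinstance(obj, dict) and obj.get("Type") == "Stream":
        length = obj["Length"]
        if is_ref(length):
            length = fetch_unguarded(xref, length[1])
        return {**obj, "Length": length}
    return obj


def fetch(xref: Dict[int, Any], num: int, gen: int = 0,
          in_progress: Optional[Set[Tuple[int, int]]] = None,
          depth: int = 0) -> Any:
    """Guarded resolution: refuse an object that is already being fetched."""
    if in_progress is None:
        in_progress = set()
    key = (num, gen)
    if key in in_progress:
        raise CycleError(f"object {num} {gen} is referenced while being parsed")
    if depth > MAX_DEPTH:
        raise CycleError(f"reference chain deeper than {MAX_DEPTH} at object {num}")
    obj = xref.get(num)
    if not (isinstance(obj, dict) and obj.get("Type") == "Stream"):
        return obj
    in_progress.add(key)
    try:
        length = obj["Length"]
        if is_ref(length):
            length = fetch(xref, length[1], length[2], in_progress, depth + 1)
        return {**obj, "Length": length}
    finally:
        in_progress.discard(key)  # the object is fully parsed, references to it are fine again


def stream_length(xref: Dict[int, Any], num: int) -> Optional[int]:
    """Resolved /Length, or None when the object is missing or malformed."""
    try:
        obj = fetch(xref, num)
    except CycleError:
        return None
    if isinstance(obj, dict) and isinstance(obj.get("Length"), int):
        return obj["Length"]
    return None


def unguarded_overflows(xref: Dict[int, Any], num: int) -> bool:
    """True when the unchecked resolver exhausts the stack. Python raises
    RecursionError where the C++ parser in the report hits SIGSEGV."""
    try:
        fetch_unguarded(xref, num)
    except RecursionError:
        return True
    return False


if __name__ == "__main__":
    for num in (10, 20, 30, 32):
        print(num, "unguarded overflows:", unguarded_overflows(XREF, num),
              "guarded length:", stream_length(XREF, num))
```

The in-progress set is the precise check: it rejects exactly the references that cannot be resolved without first resolving the object being parsed, while still allowing the same object to be fetched again later. The depth cap alone would also stop the crash, but it treats a long legitimate chain and a cycle alike, so the two are best combined.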
Fixed on master