Created attachment 19049 [details]
crash.pdf

pdftotext generates a SEGFAULT on a lot of files (one example is attached) as a result of the totally unsafe code of the GooString class (goo/GooString.cc). Its methods never make sanity checks of their argument(s) value. As a result, passing a zero-value pointer is followed by a SEGFAULT. Adding simple sanity checks solves the problem.

Core was generated by `pdftotext /tmp/crash/Steve Reich-African Polyrhythms.pdf'.
Program terminated with signal 11, Segmentation fault.
#0  0xb7efce05 in GooString (this=0x8084d30, str=0x0) at GooString.cc:183
183         Set(str->getCString(), str->length);
(gdb) bt
#0  0xb7efce05 in GooString (this=0x8084d30, str=0x0) at GooString.cc:183
#1  0xb7ebfa45 in Movie::parseAnnotMovie (this=0x80ab2a8, annot=0x8084c30) at ../goo/GooString.h:46
#2  0xb7e5bf55 in AnnotMovie (this=0x8084c30, xrefA=0x805c718, dict=0x807af00, catalog=0x805c788, obj=0xbf9d5f94) at Annot.cc:3019
#3  0xb7e5f60f in Annots::createAnnot (this=0x80adf60, xref=0x805c718, dict=0x807af00, catalog=0x805c788, obj=0xbf9d5f94) at Annot.cc:3392
#4  0xb7e5f971 in Annots (this=0x80adf60, xref=0x805c718, catalog=0x805c788, annotsObj=0xbf9d603c) at Annot.cc:3333
#5  0xb7ec54b6 in Page::displaySlice (this=0x805f378, out=0x805d5e8, hDPI=72, vDPI=72, rotate=0, useMediaBox=1, crop=0, sliceX=-1, sliceY=-1, sliceW=-1, sliceH=-1, printing=0, catalog=0x805c788, abortCheckCbk=0, abortCheckCbkData=0x0, annotDisplayDecideCbk=0, annotDisplayDecideCbkData=0x0) at Page.cc:421
#6  0xb7ec5685 in Page::display (this=0x805f378, out=0x805d5e8, hDPI=72, vDPI=72, rotate=0, useMediaBox=1, crop=0, printing=0, catalog=0x805c788, abortCheckCbk=0, abortCheckCbkData=0x0, annotDisplayDecideCbk=0, annotDisplayDecideCbkData=0x0) at Page.cc:344
#7  0xb7ec824e in PDFDoc::displayPage (this=0x805c438, out=0x805d5e8, page=9, hDPI=72, vDPI=72, rotate=0, useMediaBox=1, crop=0, printing=0, abortCheckCbk=0, abortCheckCbkData=0x0, annotDisplayDecideCbk=0, annotDisplayDecideCbkData=0x0) at PDFDoc.cc:373
#8  0xb7ec82ea in PDFDoc::displayPages (this=0x805c438, out=0x805d5e8, firstPage=1, lastPage=20, hDPI=72, vDPI=72, rotate=0, useMediaBox=1, crop=0, printing=0, abortCheckCbk=0, abortCheckCbkData=0x0, annotDisplayDecideCbk=0, annotDisplayDecideCbkData=0x0) at PDFDoc.cc:388
#9  0x080497e7 in main (argc=Cannot access memory at address 0x1
) at pdftotext.cc:248
(gdb) bt full
#0  0xb7efce05 in GooString (this=0x8084d30, str=0x0) at GooString.cc:183
No locals.
#1  0xb7ebfa45 in Movie::parseAnnotMovie (this=0x80ab2a8, annot=0x8084c30) at ../goo/GooString.h:46
No locals.
#2  0xb7e5bf55 in AnnotMovie (this=0x8084c30, xrefA=0x805c718, dict=0x807af00, catalog=0x805c788, obj=0xbf9d5f94) at Annot.cc:3019
No locals.
#3  0xb7e5f60f in Annots::createAnnot (this=0x80adf60, xref=0x805c718, dict=0x807af00, catalog=0x805c788, obj=0xbf9d5f94) at Annot.cc:3392
        typeName = (GooString *) 0x8079740
        annot = <value optimized out>
        obj1 = {type = objName, {booln = 134604256, intg = 134604256, real = 195.23999406005805, string = 0x805e5e0, name = 0x805e5e0 "Movie", array = 0x805e5e0, dict = 0x805e5e0, stream = 0x805e5e0, ref = {num = 134604256, gen = 1080584110}, cmd = 0x805e5e0 "Movie"}}
#4  0xb7e5f971 in Annots (this=0x80adf60, xref=0x805c718, catalog=0x805c788, annotsObj=0xbf9d603c) at Annot.cc:3333
No locals.
#5  0xb7ec54b6 in Page::displaySlice (this=0x805f378, out=0x805d5e8, hDPI=72, vDPI=72, rotate=0, useMediaBox=1, crop=0, sliceX=-1, sliceY=-1, sliceW=-1, sliceH=-1, printing=0, catalog=0x805c788, abortCheckCbk=0, abortCheckCbkData=0x0, annotDisplayDecideCbk=0, annotDisplayDecideCbkData=0x0) at Page.cc:421
        gfx = (Gfx *) 0x805d190
        obj = {type = objArray, {booln = 134719568, intg = 134719568, real = 3.4018492965815731e-313, string = 0x807a850, name = 0x807a850 "\030?\005\b@\224\a\b\b", array = 0x807a850, dict = 0x807a850, stream = 0x807a850, ref = {num = 134719568, gen = 16}, cmd = 0x807a850 "\030?\005\b@\224\a\b\b"}}
        annotList = (Annots *) 0x80adf60
        i = <value optimized out>
#6  0xb7ec5685 in Page::display (this=0x805f378, out=0x805d5e8, hDPI=72, vDPI=72, rotate=0, useMediaBox=1, crop=0, printing=0, catalog=0x805c788, abortCheckCbk=0, abortCheckCbkData=0x0, annotDisplayDecideCbk=0, annotDisplayDecideCbkData=0x0) at Page.cc:344
No locals.
#7  0xb7ec824e in PDFDoc::displayPage (this=0x805c438, out=0x805d5e8, page=9, hDPI=72, vDPI=72, rotate=0, useMediaBox=1, crop=0, printing=0, abortCheckCbk=0, abortCheckCbkData=0x0, annotDisplayDecideCbk=0, annotDisplayDecideCbkData=0x0) at PDFDoc.cc:373
No locals.
#8  0xb7ec82ea in PDFDoc::displayPages (this=0x805c438, out=0x805d5e8, firstPage=1, lastPage=20, hDPI=72, vDPI=72, rotate=0, useMediaBox=1, crop=0, printing=0, abortCheckCbk=0, abortCheckCbkData=0x0, annotDisplayDecideCbk=0, annotDisplayDecideCbkData=0x0) at PDFDoc.cc:388
        page = 10
#9  0x080497e7 in main (argc=Cannot access memory at address 0x1
) at pdftotext.cc:248
        doc = (PDFDoc *) 0x805c438
        fileName = (GooString *) 0x804c008
        textFileName = (GooString *) 0x80732e0
        ownerPW = (GooString *) 0x0
        userPW = <value optimized out>
        textOut = (class TextOutputDev *) 0x805d5e8
        f = <value optimized out>
        uMap = (UnicodeMap *) 0x805c2b8
        info = {type = objNone, {booln = 0, intg = 0, real = -4.427991043389276e-39, string = 0x0, name = 0x0, array = 0x0, dict = 0x0, stream = 0x0, ref = {num = 0, gen = -1208476744}, cmd = 0x0}}
        ok = <value optimized out>
        p = <value optimized out>
        exitCode = <value optimized out>
Created attachment 19050 [details] [review]
GooString.patch
I was unable to set a version number when opening the bug, nor can I change/set it now, so I put it here, in a bug comment: the problematic version is the latest stable 0.8.7 release, released on September 2, 2008.
The crash does not happen anymore in poppler >= 0.9. We have not used your patch; that's the behaviour of GooString and there's no need to change it, you only have to code correctly.
I'm re-opening the bug for the following reasons:
1) The problem still exists in the stable branch, which means that any product that uses poppler is still exploitable for DoS (at least)
2) I think that sanity checks are exactly a way to "code correctly", as you mentioned, Albert, and GooString fails to do it
Please re-consider the bug resolution in the stable branch and, also, apply pretty much the same patch in the development branch - it will make poppler more stable and less error-prone.
Sorry for you, but it will be fixed in the next stable version when it's released; for everyone I know that means FIXED, and if it does not mean that for you, I'm sorry. And about coding correctly, I have to disagree too. You are free to find any correct poppler code in which the current code of GooString makes it crash.
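The two positions in this thread, a null check inside the GooString constructor (the reporter's attached patch) versus validating the dictionary lookup in Movie::parseAnnotMovie before constructing the string (the maintainer's "code correctly"), are shown side by side below. This is an added example and not poppler's code or either participant's patch: GooString, AnnotDict, Movie, makeMovieDict, parseAnnotMovieChecked and parseAnnotMovieTolerant are constructed stand-ins that only mimic the shape of the crash, a pointer-taking copy constructor being handed the nullptr that a missing /F entry produced.

```cpp
#include <cstdio>
#include <map>
#include <string>

// Constructed stand-ins, not poppler's own classes: a string type with a
// pointer-taking copy constructor like GooString(GooString *str), and a tiny
// annotation dictionary whose lookup yields nullptr when a key is absent.
class GooString {
 public:
  GooString() = default;
  explicit GooString(const char *str) : s_(str ? str : "") {}

  // Approach A, the reporter's callee-side check: tolerate a null pointer
  // instead of dereferencing it (the unpatched constructor ran
  // Set(str->getCString(), str->length) and faulted on str=0x0).
  explicit GooString(const GooString *str) : s_(str ? str->s_ : std::string()) {}

  const std::string &str() const { return s_; }
  std::size_t length() const { return s_.size(); }

 private:
  std::string s_;
};

struct AnnotDict {
  std::map<std::string, GooString> entries;

  // nullptr for a missing key mirrors the situation in the backtrace: the
  // /Movie annotation lacked a string that Movie::parseAnnotMovie assumed.
  const GooString *lookupString(const std::string &key) const {
    auto it = entries.find(key);
    return it == entries.end() ? nullptr : &it->second;
  }
};

struct Movie {
  std::string fileName;
  bool ok = false;  // false means the annotation was rejected as malformed
};

// Builds a constructed /Movie dictionary; pass nullptr to omit the /F entry,
// the malformed shape that the crashing input presented to the parser.
AnnotDict makeMovieDict(const char *fileName) {
  AnnotDict d;
  if (fileName) d.entries.emplace("F", GooString(fileName));
  return d;
}

// Approach B, the maintainer's caller-side check: validate what the
// dictionary returned before handing it to GooString. A missing entry is a
// parse failure the caller can act on, not a crash and not a silent default.
Movie parseAnnotMovieChecked(const AnnotDict &dict) {
  Movie m;
  const GooString *f = dict.lookupString("F");
  if (!f) return m;  // refuse the malformed annotation; ok stays false
  m.fileName = GooString(f).str();
  m.ok = true;
  return m;
}

// Approach A in use: the constructor absorbs the null, so parsing "succeeds"
// with an empty file name. No crash, but the caller can no longer tell a
// missing /F from an empty one, so later code may act on a bogus value.
Movie parseAnnotMovieTolerant(const AnnotDict &dict) {
  Movie m;
  m.fileName = GooString(dict.lookupString("F")).str();
  m.ok = true;
  return m;
}

int main() {
  Movie good = parseAnnotMovieChecked(makeMovieDict("clip.avi"));
  Movie bad = parseAnnotMovieChecked(makeMovieDict(nullptr));
  Movie tolerant = parseAnnotMovieTolerant(makeMovieDict(nullptr));
  std::printf("checked/good: ok=%d file=%s\n", good.ok, good.fileName.c_str());
  std::printf("checked/bad: ok=%d\n", bad.ok);
  std::printf("tolerant/bad: ok=%d file=\"%s\"\n", tolerant.ok, tolerant.fileName.c_str());
  return 0;
}
```

Both variants remove the segfault; the difference is in what the rest of the parser learns. The caller-side check turns the malformed annotation into an explicit rejection, while the callee-side check converts it into an empty string that downstream code cannot distinguish from a genuinely empty file name. Doing both, a constructor that never dereferences null and callers that still validate their lookups, is the defence-in-depth option.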