Attached fuzzed PDF from Sauli Pahlman crashes poppler at or around DCTStream::reset. The reason for the crash is that the file contains a truncated JPEG image which does not contain full image header. jpeg_read_header() called from DCTStream::reset returns JPEG_SUSPENDED and some of the cinfo struct members are not properly set, causing a NULL pointer dereference crash on this specific file. This change avoids the crash on this file: index 78cd59d..e96ec5a 100644 --- a/poppler/DCTStream.cc +++ b/poppler/DCTStream.cc @@ -141,8 +141,7 @@ void DCTStream::reset() { } } - if (!setjmp(err.setjmp_buffer)) { - jpeg_read_header(&cinfo, TRUE); + if (!setjmp(err.setjmp_buffer) && jpeg_read_header(&cinfo, TRUE) != JPEG_SUSPENDED) { // figure out color transform if (colorXform == -1 && !cinfo.saw_Adobe_marker) {
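Review bot: the combined condition `if (!setjmp(err.setjmp_buffer) && jpeg_read_header(&cinfo, TRUE) != JPEG_SUSPENDED)` puts setjmp() inside a larger `&&` expression, which is not one of the contexts the C/C++ standards permit for setjmp (it must be the whole controlling expression, the operand of a unary `!` that is the whole controlling expression, or compared against an integer constant); it happens to work with common compilers but is undefined behaviour on paper. Suggest keeping the original `if (!setjmp(err.setjmp_buffer)) {` and nesting the header check inside it, e.g. `if (jpeg_read_header(&cinfo, TRUE) != JPEG_SUSPENDED) {`. Separately, nothing in the visible hunk records the failure when jpeg_read_header() returns JPEG_SUSPENDED: reset() simply skips the color-transform setup and returns, so later read paths may still touch cinfo members that were never populated on the truncated header. Consider setting an error or EOF state in that branch so subsequent reads bail out rather than relying on every caller to notice the half-initialised cinfo.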
Created attachment 46166: Test case
Thanks for the patch, will be in the next release.
For my future reference: http://cgit.freedesktop.org/poppler/poppler/commit/?id=42c1b1c4af6b07f488d1b2b02a4700f19b0ab0ef TY!