Bug 101366

Summary: [PATCH] Fix null pointer dereference in SplashOutputDev::type3D1()
Product: poppler
Reporter: dudul04
Component: splash backend
Assignee: poppler-bugs <poppler-bugs>
Status: RESOLVED FIXED
Severity: normal
Priority: medium
Version: unspecified
Hardware: Other
OS: All
Attachments: Crasher PDF file
Proposed patch to fix the issue

Description dudul04 2017-06-09 23:06:06 UTC
Created attachment 131834
Crasher PDF file

Rendering of the attached PDF file crashes with:

{{{
$ LD_LIBRARY_PATH=poppler/.libs/ valgrind --leak-check=full --num-callers=40 utils/.libs/pdftoppm /home/even/oss-fuzz/build/out/gdal/./crash-cb4ddf1ecdfa9bac053d787a512499147f6a62bf  > out.ppm
==10141== Memcheck, a memory error detector
==10141== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==10141== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==10141== Command: utils/.libs/pdftoppm /home/even/oss-fuzz/build/out/gdal/./crash-cb4ddf1ecdfa9bac053d787a512499147f6a62bf
==10141== 
Syntax Error (88311): Dictionary key must be a name object
Syntax Error (88317): Dictionary key must be a name object
Syntax Error (88319): Dictionary key must be a name object
Syntax Error (88331): Dictionary key must be a name object
Syntax Error (88337): Dictionary key must be a name object
Syntax Error (88339): Dictionary key must be a name object
Syntax Error (88351): Dictionary key must be a name object
Syntax Error (88353): Dictionary key must be a name object
Syntax Error (88355): Dictionary key must be a name object
Syntax Error (88358): Dictionary key must be a name object
Syntax Error (3938): Unknown operator 'm5'
Syntax Error (4027): Unknown operator 'm2'
Syntax Error (4076): No current point in lineto
Syntax Error (4131): No current point in lineto
Syntax Error (4131): No current point in lineto
Syntax Error (4168): Unknown operator 'T'
Syntax Error (4168): Unknown operator 'm2'
Syntax Error (4197): Illegal character ')'
Syntax Error (4212): Unknown operator 'D2'
Syntax Error (4212): Unknown operator 'D2'
Syntax Error (4212): Unknown operator 'D2'
Syntax Error (4225): Unknown operator 'D2'
Syntax Error (4240): Unknown operator 'TQ23m'
Syntax Error (4333): Unknown operator 'C'
Syntax Error (4340): Illegal character ')'
Syntax Error (4342): Unknown operator 'D2'
Syntax Error (4345): Unknown operator 'D2'
Syntax Error (4353): Unknown operator 'D2'
Syntax Error (4356): Unknown operator 'D2'
Syntax Error (4361): Unknown operator 'D2'
Syntax Error (4363): Unknown operator 'D'
Syntax Error (4364): Unknown operator 'D2'
Syntax Error (4367): Unknown operator 'D'
Syntax Error (4369): Unknown operator 'D2'
Syntax Error (4385): Unknown operator 'i.D2'
Syntax Error (4391): Unknown operator 'i.D2'
Syntax Error (4393): Unknown operator 'TQ23m'
==10141== Invalid read of size 1
==10141==    at 0x4EFB9C3: SplashOutputDev::type3D1(GfxState*, double, double, double, double, double, double) (SplashOutputDev.cc:2728)
==10141==    by 0x4F4CCF8: Gfx::go(bool) (Gfx.cc:767)
==10141==    by 0x4F4D1FF: Gfx::display(Object*, bool) (Gfx.cc:729)
==10141==    by 0x4F967D4: Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) (Page.cc:601)
==10141==    by 0x401B25: savePageSlice (pdftoppm.cc:225)
==10141==    by 0x401B25: main (pdftoppm.cc:532)
==10141==  Address 0x2 is not stack'd, malloc'd or (recently) free'd
==10141== 
==10141== 
==10141== Process terminating with default action of signal 11 (SIGSEGV)
==10141==  Access not within mapped region at address 0x2
==10141==    at 0x4EFB9C3: SplashOutputDev::type3D1(GfxState*, double, double, double, double, double, double) (SplashOutputDev.cc:2728)
==10141==    by 0x4F4CCF8: Gfx::go(bool) (Gfx.cc:767)
==10141==    by 0x4F4D1FF: Gfx::display(Object*, bool) (Gfx.cc:729)
==10141==    by 0x4F967D4: Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) (Page.cc:601)
==10141==    by 0x401B25: savePageSlice (pdftoppm.cc:225)
==10141==    by 0x401B25: main (pdftoppm.cc:532)

}}}

Credit to OSS Fuzz

Comment 1 dudul04 2017-06-09 23:07:16 UTC
Created attachment 131835
Proposed patch to fix the issue

Comment 2 Albert Astals Cid 2017-06-15 22:22:50 UTC
Pushed, thanks.
