Bug 102718

Summary: Gfx::display infinite loop and stack memory exhaustion in pdftops, poppler 0.59
Product: poppler
Reporter: junchao luan <luanjunchao>
Component: utils
Assignee: poppler-bugs <poppler-bugs>
Status: RESOLVED DUPLICATE
Severity: normal
Priority: medium
Version: unspecified
Hardware: Other
OS: All
Attachments: pdftops crash

Description junchao luan 2017-09-14 02:20:00 UTC
Created attachment 134209: pdftops crash

When I run pdftops with a specific pdf, it crashes with stack memory exhaustion.

root@c116349c2d78:/work/down/poppler-0.59.0# ./utils/pdftops crash_pdftops.pdf 1
ASAN:SIGSEGV
=================================================================
==12400==ERROR: AddressSanitizer: stack-overflow on address 0x7ffe7a61eff8 (pc 0x7f86dfc0480b bp 0x7ffe7a61f900 sp 0x7ffe7a61eff0 T0)
    #0 0x7f86dfc0480a  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x2280a)
    #1 0x7f86dfc7a5d2 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x985d2)
    #2 0x4af2f3 in gmalloc /work/down/poppler-0.59.0/goo/gmem.cc:110
    #3 0x4af389 in gmalloc /work/down/poppler-0.59.0/goo/gmem.cc:120
    #4 0x4af864 in copyString /work/down/poppler-0.59.0/goo/gmem.cc:316
    #5 0x45f9c6 in Object::Object(ObjType, char const*) /work/down/poppler-0.59.0/poppler/Object.h:157
    #6 0x610a77 in Lexer::getObj(int) /work/down/poppler-0.59.0/poppler/Lexer.cc:573
    #7 0x62866f in Parser::shift(int) /work/down/poppler-0.59.0/poppler/Parser.cc:291
    #8 0x6276e2 in Parser::getObj(bool, unsigned char*, CryptAlgorithm, int, int, int, int, bool) /work/down/poppler-0.59.0/poppler/Parser.cc:149
    #9 0x627490 in Parser::getObj(bool, unsigned char*, CryptAlgorithm, int, int, int, int, bool) /work/down/poppler-0.59.0/poppler/Parser.cc:120
    #10 0x45a345 in XRef::fetch(int, int, int) /work/down/poppler-0.59.0/poppler/XRef.cc:1166
    #11 0x415b32 in Object::fetch(XRef*, int) const /work/down/poppler-0.59.0/poppler/Object.cc:125
    #12 0x540925 in Dict::lookup(char const*, int) /work/down/poppler-0.59.0/poppler/Dict.cc:259
    #13 0x429892 in Object::dictLookup(char const*, int) /work/down/poppler-0.59.0/poppler/Object.h:362
    #14 0x598572 in Gfx8BitFont::getCharProc(int) /work/down/poppler-0.59.0/poppler/GfxFont.cc:1756
    #15 0x57c8a2 in Gfx::doShowText(GooString*) /work/down/poppler-0.59.0/poppler/Gfx.cc:3956
    #16 0x579a07 in Gfx::opShowText(Object*, int) /work/down/poppler-0.59.0/poppler/Gfx.cc:3756
    #17 0x558f53 in Gfx::execOp(Object*, Object*, int) /work/down/poppler-0.59.0/poppler/Gfx.cc:880
    #18 0x55804e in Gfx::go(bool) /work/down/poppler-0.59.0/poppler/Gfx.cc:744
    #19 0x557b11 in Gfx::display(Object*, bool) /work/down/poppler-0.59.0/poppler/Gfx.cc:706
    #20 0x57c911 in Gfx::doShowText(GooString*) /work/down/poppler-0.59.0/poppler/Gfx.cc:3961
    #21 0x579a07 in Gfx::opShowText(Object*, int) /work/down/poppler-0.59.0/poppler/Gfx.cc:3756
    #22 0x558f53 in Gfx::execOp(Object*, Object*, int) /work/down/poppler-0.59.0/poppler/Gfx.cc:880
    #23 0x55804e in Gfx::go(bool) /work/down/poppler-0.59.0/poppler/Gfx.cc:744
    #24 0x557b11 in Gfx::display(Object*, bool) /work/down/poppler-0.59.0/poppler/Gfx.cc:706
    #25 0x57c911 in Gfx::doShowText(GooString*) /work/down/poppler-0.59.0/poppler/Gfx.cc:3961
    #26 0x579a07 in Gfx::opShowText(Object*, int) /work/down/poppler-0.59.0/poppler/Gfx.cc:3756
    #27 0x558f53 in Gfx::execOp(Object*, Object*, int) /work/down/poppler-0.59.0/poppler/Gfx.cc:880
    #28 0x55804e in Gfx::go(bool) /work/down/poppler-0.59.0/poppler/Gfx.cc:744
    #29 0x557b11 in Gfx::display(Object*, bool) /work/down/poppler-0.59.0/poppler/Gfx.cc:706
    .....
    #245 0x57c911 in Gfx::doShowText(GooString*) /work/down/poppler-0.59.0/poppler/Gfx.cc:3961
    #246 0x579a07 in Gfx::opShowText(Object*, int) /work/down/poppler-0.59.0/poppler/Gfx.cc:3756
    #247 0x558f53 in Gfx::execOp(Object*, Object*, int) /work/down/poppler-0.59.0/poppler/Gfx.cc:880
    #248 0x55804e in Gfx::go(bool) /work/down/poppler-0.59.0/poppler/Gfx.cc:744
    #249 0x557b11 in Gfx::display(Object*, bool) /work/down/poppler-0.59.0/poppler/Gfx.cc:706
    #250 0x57c911 in Gfx::doShowText(GooString*) /work/down/poppler-0.59.0/poppler/Gfx.cc:3961
    #251 0x579a07 in Gfx::opShowText(Object*, int) /work/down/poppler-0.59.0/poppler/Gfx.cc:3756
    ......

It just goes into an infinite loop. The result of gdb:

gdb -q ./utils/pdftops
Reading symbols from ./utils/pdftops...done.
(gdb) run crash_pdftops.pdf 1
Starting program: /work/down/poppler-0.59.0/utils/pdftops crash_pdftops.pdf 1
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff6f0d334 in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.2
(gdb) bt
#0  0x00007ffff6f0d334 in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.2
#1  0x00007ffff6f02627 in malloc () from /usr/lib/x86_64-linux-gnu/libasan.so.2
#2  0x00000000004af2f4 in gmalloc (size=2, checkoverflow=false) at gmem.cc:110
#3  0x00000000004af38a in gmalloc (size=2) at gmem.cc:120
#4  0x00000000004af865 in copyString (s=0x610000595669 "]") at gmem.cc:316
#5  0x000000000045f9c7 in Object::Object (this=0x7fffff7ffa50, typeA=objCmd, stringA=0x610000595669 "]") at Object.h:157
#6  0x00000000006100a4 in Lexer::getObj (this=0x610000595640, objNum=-1) at Lexer.cc:467
#7  0x0000000000628670 in Parser::shift (this=0x60600015e1e0, objNum=-1) at Parser.cc:291
#8  0x0000000000627abb in Parser::getObj (this=0x60600015e1e0, simpleOnly=false, fileKey=0x0, encAlgorithm=cryptNone, keyLength=-1094795586, objNum=13, objGen=0, recursion=2, strict=false) at Parser.cc:180
#9  0x000000000062717a in Parser::getObj (this=0x60600015e1e0, simpleOnly=false, fileKey=0x0, encAlgorithm=cryptNone, keyLength=-1094795586, objNum=13, objGen=0, recursion=1, strict=false) at Parser.cc:93
#10 0x0000000000627491 in Parser::getObj (this=0x60600015e1e0, simpleOnly=false, fileKey=0x0, encAlgorithm=cryptNone, keyLength=-1094795586, objNum=13, objGen=0, recursion=0, strict=false) at Parser.cc:120
#11 0x000000000045a346 in XRef::fetch (this=0x611000009f00, num=13, gen=0, recursion=0) at XRef.cc:1166
#12 0x0000000000415b33 in Object::fetch (this=0x60c00000b2d0, xref=0x611000009f00, recursion=0) at Object.cc:125
#13 0x0000000000512b3d in Array::get (this=0x60700000d290, i=1, recursion=0) at Array.cc:125
#14 0x00000000005a6437 in GfxCalGrayColorSpace::parse (arr=0x60700000d290, state=0x6170004d4a00) at GfxState.cc:815
#15 0x00000000005a474b in GfxColorSpace::parse (res=0x60c000009340, csObj=0x7fffff8004a0, out=0x60d00000cc30, state=0x6170004d4a00, recursion=0) at GfxState.cc:389
#16 0x000000000055faae in Gfx::opSetFillColorSpace (this=0x611000009b40, args=0x7fffff8006f0, numArgs=1) at Gfx.cc:1516
#17 0x0000000000558f54 in Gfx::execOp (this=0x611000009b40, cmd=0x7fffff8006b0, args=0x7fffff8006f0, numArgs=1) at Gfx.cc:880
#18 0x000000000055804f in Gfx::go (this=0x611000009b40, topLevel=false) at Gfx.cc:744
#19 0x0000000000557b12 in Gfx::display (this=0x611000009b40, obj=0x7fffff800ff0, topLevel=false) at Gfx.cc:706
#20 0x000000000057c912 in Gfx::doShowText (this=0x611000009b40, s=0x6030000b5ed0) at Gfx.cc:3961
#21 0x0000000000579a08 in Gfx::opShowText (this=0x611000009b40, args=0x7fffff801280, numArgs=1) at Gfx.cc:3756
#22 0x0000000000558f54 in Gfx::execOp (this=0x611000009b40, cmd=0x7fffff801240, args=0x7fffff801280, numArgs=1) at Gfx.cc:880
#23 0x000000000055804f in Gfx::go (this=0x611000009b40, topLevel=false) at Gfx.cc:744
#24 0x0000000000557b12 in Gfx::display (this=0x611000009b40, obj=0x7fffff801b80, topLevel=false) at Gfx.cc:706
#25 0x000000000057c912 in Gfx::doShowText (this=0x611000009b40, s=0x6030000b5fc0) at Gfx.cc:3961
#26 0x0000000000579a08 in Gfx::opShowText (this=0x611000009b40, args=0x7fffff801e10, numArgs=1) at Gfx.cc:3756
#27 0x0000000000558f54 in Gfx::execOp (this=0x611000009b40, cmd=0x7fffff801dd0, args=0x7fffff801e10, numArgs=1) at Gfx.cc:880
#28 0x000000000055804f in Gfx::go (this=0x611000009b40, topLevel=false) at Gfx.cc:744
......
#14163 0x000000000055804f in Gfx::go (this=0x611000009b40, topLevel=false) at Gfx.cc:744
#14164 0x0000000000557b12 in Gfx::display (this=0x611000009b40, obj=0x7fffffffd640, topLevel=false) at Gfx.cc:706
#14165 0x000000000057c912 in Gfx::doShowText (this=0x611000009b40, s=0x60300001c330) at Gfx.cc:3961
#14166 0x0000000000579a08 in Gfx::opShowText (this=0x611000009b40, args=0x7fffffffd8d0, numArgs=1) at Gfx.cc:3756
#14167 0x0000000000558f54 in Gfx::execOp (this=0x611000009b40, cmd=0x7fffffffd890, args=0x7fffffffd8d0, numArgs=1) at Gfx.cc:880
#14168 0x000000000055804f in Gfx::go (this=0x611000009b40, topLevel=true) at Gfx.cc:744
#14169 0x0000000000557b12 in Gfx::display (this=0x611000009b40, obj=0x7fffffffdd10, topLevel=true) at Gfx.cc:706
#14170 0x0000000000624568 in Page::displaySlice (this=0x611000009dc0, out=0x60d00000cc30, hDPI=72, vDPI=72, rotate=0, useMediaBox=false, crop=true, sliceX=-1, sliceY=-1, sliceW=-1, sliceH=-1, printing=true, abortCheckCbk=0x0, abortCheckCbkData=0x0,
    annotDisplayDecideCbk=0x0, annotDisplayDecideCbkData=0x0, copyXRef=false) at Page.cc:560
#14171 0x0000000000475255 in PSOutputDev::checkPageSlice (this=0x61800000fc80, page=0x611000009dc0, rotateA=0, useMediaBox=false, crop=true, sliceX=-1, sliceY=-1, sliceW=-1, sliceH=-1, printing=true, abortCheckCbk=0x0, abortCheckCbkData=0x0, annotDisplayDecideCbk=0x0,
    annotDisplayDecideCbkData=0x0) at PSOutputDev.cc:3255
#14172 0x00000000006243a6 in Page::displaySlice (this=0x611000009dc0, out=0x61800000fc80, hDPI=72, vDPI=72, rotate=0, useMediaBox=false, crop=true, sliceX=-1, sliceY=-1, sliceW=-1, sliceH=-1, printing=true, abortCheckCbk=0x0, abortCheckCbkData=0x0,
    annotDisplayDecideCbk=0x0, annotDisplayDecideCbkData=0x0, copyXRef=false) at Page.cc:539
#14173 0x0000000000623a3c in Page::display (this=0x611000009dc0, out=0x61800000fc80, hDPI=72, vDPI=72, rotate=0, useMediaBox=false, crop=true, printing=true, abortCheckCbk=0x0, abortCheckCbkData=0x0, annotDisplayDecideCbk=0x0, annotDisplayDecideCbkData=0x0,
    copyXRef=false) at Page.cc:483
#14174 0x00000000004195af in PDFDoc::displayPage (this=0x60f00000ef50, out=0x61800000fc80, page=1, hDPI=72, vDPI=72, rotate=0, useMediaBox=false, crop=true, printing=true, abortCheckCbk=0x0, abortCheckCbkData=0x0, annotDisplayDecideCbk=0x0,
    annotDisplayDecideCbkData=0x0, copyXRef=false) at PDFDoc.cc:488
#14175 0x0000000000408084 in main (argc=3, argv=0x7fffffffe658) at pdftops.cc:423

So I think there is a lack of verification in some function.
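The cycle both traces repeat (Gfx::doShowText fetching a glyph's character procedure through Gfx8BitFont::getCharProc, the Type 3 glyph-procedure lookup, and handing it back to Gfx::display) is modelled below as an added illustration; this is not poppler code, the class, the "Font:text" stream syntax and the F1 font are invented, and the point is the nesting-depth check that would have bounded the recursion instead of exhausting the stack.

```cpp
#include <map>
#include <string>

// Stream syntax is invented for this model: "F1:abc" = show "abc" in font F1.
struct Type3Font { std::map<char, std::string> charProcs; };  // glyph -> proc
class Interp {
public:
    // maxDepth bounds nested display() calls; the traced build has no bound.
    explicit Interp(int maxDepth) : maxDepth_(maxDepth) {}
    void addFont(const std::string& n, const Type3Font& f) { fonts_[n] = f; }

    // Models Gfx::display(): interpret one content stream.
    bool display(const std::string& stream) {
        if (depth_ >= maxDepth_) return false;   // the check the trace lacks
        if (++depth_ > deepest_) deepest_ = depth_;
        bool ok = false;
        auto colon = stream.find(':');
        if (colon != std::string::npos)
            ok = showText(stream.substr(0, colon), stream.substr(colon + 1));
        --depth_;
        return ok;
    }
    int deepest() const { return deepest_; }
private:
    // Models Gfx::doShowText() for a Type 3 font: each glyph's character
    // procedure (Gfx8BitFont::getCharProc) is a stream, displayed recursively.
    bool showText(const std::string& font, const std::string& text) {
        auto f = fonts_.find(font);
        if (f == fonts_.end()) return false;
        bool ok = true;
        for (char c : text) {
            auto p = f->second.charProcs.find(c);
            if (p != f->second.charProcs.end()) ok = display(p->second) && ok;
        }
        return ok;
    }
    std::map<std::string, Type3Font> fonts_;
    int maxDepth_, depth_ = 0, deepest_ = 0;
};

// Constructed case: procForA is the procedure drawing glyph 'a' of font F1.
// With procForA = "F1:a" the glyph draws itself by showing "a" in F1 again, so
// without the depth check every glyph re-enters display() until the stack dies.
int deepestWithLimit(int limit, const std::string& procForA) {
    Interp in(limit);
    Type3Font f; f.charProcs['a'] = procForA;
    in.addFont("F1", f);
    in.display("F1:a");   // the page content stream: show "a" in F1
    return in.deepest();
}
```

With a self-referencing procedure the nesting depth reported equals the limit, which is the bounded behaviour a renderer wants; a procedure that shows nothing nests only two levels deep.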
Comment 1 Albert Astals Cid 2017-09-14 07:03:43 UTC

*** This bug has been marked as a duplicate of bug 102701 ***
