Bug 103116

Summary: Valgrind: Invalid Read (24 bytes after block in arena)
Product: poppler
Reporter: Jason Crain <jason>
Component: general
Assignee: poppler-bugs <poppler-bugs>
Status: RESOLVED FIXED
QA Contact:
Severity: critical
Priority: medium
Version: unspecified
Hardware: Other
OS: All
Attachments: 0JBYrSy8_CRASHED.pdf - leads to invalid read and segfault
Fix-crash-in-fuzzed-file.patch

Description Jason Crain 2017-10-05 20:37:05 UTC
Created attachment 134690
0JBYrSy8_CRASHED.pdf - leads to invalid read and segfault

Forwarding from https://bugzilla.gnome.org/show_bug.cgi?id=786444

------------------------------

While fuzzing I found a PDF document that leads to the following Valgrind messages:

==9190== Invalid read of size 8
==9190==    at 0x174C89B0: TextPool::addWord(TextWord*) (in /usr/lib/libpoppler.so.68.0.0)
==9190==    by 0x174CBB62: TextPage::endWord() (in /usr/lib/libpoppler.so.68.0.0)
==9190==    by 0x174CBFA8: TextPage::addChar(GfxState*, double, double, double, double, unsigned int, int, unsigned int*, int) (in /usr/lib/libpoppler.so.68.0.0)
==9190==    by 0x16DAB386: CairoOutputDev::drawChar(GfxState*, double, double, double, double, double, double, unsigned int, int, unsigned int*, int) (in /usr/lib/libpoppler-glib.so.8.9.0)
==9190==    by 0x1744B86F: Gfx::doShowText(GooString*) (in /usr/lib/libpoppler.so.68.0.0)
==9190==    by 0x1744CB5D: Gfx::opShowSpaceText(Object*, int) (in /usr/lib/libpoppler.so.68.0.0)
==9190==    by 0x17443B57: Gfx::go(bool) (in /usr/lib/libpoppler.so.68.0.0)
==9190==    by 0x1744404A: Gfx::display(Object*, bool) (in /usr/lib/libpoppler.so.68.0.0)
==9190==    by 0x1748EE69: Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) (in /usr/lib/libpoppler.so.68.0.0)
==9190==    by 0x16D98D8F: ??? (in /usr/lib/libpoppler-glib.so.8.9.0)
==9190==    by 0x16B4C938: ??? (in /usr/lib/evince/4/backends/libpdfdocument.so)
==9190==    by 0x16B4CB94: ??? (in /usr/lib/evince/4/backends/libpdfdocument.so)
==9190==  Address 0x10cf4818 is 24 bytes after a block of size 96 in arena "client"


And then it crashes with:

==9190== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==9190==  Access not within mapped region at address 0xA8
==9190==    at 0x174C8A29: TextPool::addWord(TextWord*) (in /usr/lib/libpoppler.so.68.0.0)
==9190==    by 0x174CBB62: TextPage::endWord() (in /usr/lib/libpoppler.so.68.0.0)
==9190==    by 0x174CBFA8: TextPage::addChar(GfxState*, double, double, double, double, unsigned int, int, unsigned int*, int) (in /usr/lib/libpoppler.so.68.0.0)
==9190==    by 0x16DAB386: CairoOutputDev::drawChar(GfxState*, double, double, double, double, double, double, unsigned int, int, unsigned int*, int) (in /usr/lib/libpoppler-glib.so.8.9.0)
==9190==    by 0x1744B86F: Gfx::doShowText(GooString*) (in /usr/lib/libpoppler.so.68.0.0)
==9190==    by 0x1744CB5D: Gfx::opShowSpaceText(Object*, int) (in /usr/lib/libpoppler.so.68.0.0)
==9190==    by 0x17443B57: Gfx::go(bool) (in /usr/lib/libpoppler.so.68.0.0)
==9190==    by 0x1744404A: Gfx::display(Object*, bool) (in /usr/lib/libpoppler.so.68.0.0)
==9190==    by 0x1748EE69: Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) (in /usr/lib/libpoppler.so.68.0.0)
==9190==    by 0x16D98D8F: ??? (in /usr/lib/libpoppler-glib.so.8.9.0)
==9190==    by 0x16B4C938: ??? (in /usr/lib/evince/4/backends/libpdfdocument.so)
==9190==    by 0x16B4CB94: ??? (in /usr/lib/evince/4/backends/libpdfdocument.so)

Comment 1 Jason Crain 2017-10-05 20:40:47 UTC
Created attachment 134691
Fix-crash-in-fuzzed-file.patch

This file crashes pdftotext because it positions texts past INT_MIN, leading to overflow in subsequent calculations. This patch fixes the overflow check in TextPool::addWord.
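As an added illustration (not poppler's code and not the attached patch), a constructed C model of the kind of overflow check the comment above refers to: a word's baseline is bucketed as base / step, and a range check applied only after the cast to int cannot catch a coordinate far past INT_MIN because the cast itself is already undefined behaviour. The hardened version tests the value while it is still a double, leaving margin for the index arithmetic that follows. POOL_STEP, POOL_MARGIN and the function names are assumptions.

```c
#include <limits.h>
#include <math.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed model, not poppler's TextPool: words are bucketed by baseline
 * coordinate, and the caller later computes bucket +/- POOL_MARGIN. */
#define POOL_STEP   4.0
#define POOL_MARGIN 128

/* Avoid: idx = (int)(base / POOL_STEP) and a range check on idx afterwards.
 * Once base / POOL_STEP is outside the int range the cast itself is
 * undefined behaviour, so that check cannot catch a word placed far past
 * INT_MIN. Hardened: reject NaN/inf and range-test while still a double,
 * leaving POOL_MARGIN of slack so idx +/- POOL_MARGIN cannot overflow. */
static bool bucket_index_safe(double base, int *out)
{
    double q = base / POOL_STEP;
    if (!isfinite(q))
        return false;
    if (q <= (double)INT_MIN + POOL_MARGIN || q >= (double)INT_MAX - POOL_MARGIN)
        return false;
    *out = (int)q;  /* guaranteed representable; truncates toward zero */
    return true;
}

/* Caller side, the "subsequent calculation": absurd coordinates are dropped. */
static bool pool_bounds(double base, int *lo, int *hi)
{
    int idx;
    if (!bucket_index_safe(base, &idx))
        return false;
    *lo = idx - POOL_MARGIN;
    *hi = idx + POOL_MARGIN;
    return true;
}

int main(void)
{
    /* Constructed sample baselines: sane, far past INT_MIN, infinite. */
    double samples[] = { 100.0, -1e12, -INFINITY };
    for (int i = 0; i < 3; i++) {
        int lo, hi;
        if (pool_bounds(samples[i], &lo, &hi))
            printf("base %g -> buckets [%d, %d]\n", samples[i], lo, hi);
        else
            printf("base %g rejected: index would overflow int\n", samples[i]);
    }
    return 0;
}
```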
Comment 2 Albert Astals Cid 2017-10-12 22:43:28 UTC
fix pushed