Bug 106072

Summary: use-of-uninitialized-value in GfxDeviceRGBColorSpace::getRGB
Product: poppler
Component: general
Status: RESOLVED MOVED
Severity: minor
Priority: medium
Version: unspecified
Hardware: x86 (IA32)
OS: Linux (All)
Reporter: pdknsk <pdknsk>
Assignee: poppler-bugs <poppler-bugs>
Attachments: PDF

Description pdknsk 2018-04-16 09:31:25 UTC
The code is as follows.

  double c[gfxColorMaxComps]; // 32

  ...

    func->transform(&x, c); // sets c[0] only
    for (i = 0; i < alt->getNComps(); ++i) { // 3
      color2.c[i] = dblToCol(c[i]); // reads c[1], c[2]
    }
    alt->getRGB(&color2, rgb); // uses c[1]

And the report.

==10363==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x1525417 in clip01(int) poppler/poppler/GfxState_helpers.h:26:10
    #1 0x153286c in GfxDeviceRGBColorSpace::getRGB(GfxColor*, GfxRGB*) poppler/poppler/GfxState.cc:984:12
    #2 0x1571f27 in GfxSeparationColorSpace::getRGB(GfxColor*, GfxRGB*) poppler/poppler/GfxState.cc:2818:10
    #3 0x18788b0 in GfxState::getStrokeRGB(GfxRGB*) poppler/poppler/GfxState.h:1471:25
    #4 0x1b7105b in SplashOutputDev::updateStrokeColor(GfxState*) poppler/poppler/SplashOutputDev.cc:1727:12
    #5 0x13dd6ec in Gfx::opSetStrokeColorSpace(Object*, int) poppler/poppler/Gfx.cc:1550:10
    #6 0x144079a in Gfx::execOp(Object*, Object*, int) poppler/poppler/Gfx.cc:884:3
    #7 0x143c5bf in Gfx::go(bool) poppler/poppler/Gfx.cc:747:7
    #8 0x143ab18 in Gfx::display(Object*, bool) poppler/poppler/Gfx.cc:709:3
    #9 0x16e5ff1 in Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) poppler/poppler/Page.cc:560:10
    #10 0x110f743 in PDFDoc::displayPageSlice(OutputDev*, int, double, double, int, bool, bool, bool, int, int, int, int, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) poppler/poppler/PDFDoc.cc:550:20
    #11 0x1b4b1ab in poppler::page_renderer::render_page(poppler::page const*, double, double, int, int, int, int, poppler::rotation_enum) const poppler/cpp/poppler-page-renderer.cpp:180:13

  Uninitialized value was stored to memory at
    #0 0x152e951 in dblToCol(double) poppler/poppler/GfxState.h:107
    #1 0x1571c16 in GfxSeparationColorSpace::getRGB(GfxColor*, GfxRGB*) poppler/poppler/GfxState.cc:2816:21
    #2 0x18788b0 in GfxState::getStrokeRGB(GfxRGB*) poppler/poppler/GfxState.h:1471:25
    #3 0x1b7105b in SplashOutputDev::updateStrokeColor(GfxState*) poppler/poppler/SplashOutputDev.cc:1727:12
    #4 0x13dd6ec in Gfx::opSetStrokeColorSpace(Object*, int) poppler/poppler/Gfx.cc:1550:10
    #5 0x144079a in Gfx::execOp(Object*, Object*, int) poppler/poppler/Gfx.cc:884:3
    #6 0x143c5bf in Gfx::go(bool) poppler/poppler/Gfx.cc:747:7
    #7 0x143ab18 in Gfx::display(Object*, bool) poppler/poppler/Gfx.cc:709:3
    #8 0x16e5ff1 in Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) poppler/poppler/Page.cc:560:10
    #9 0x110f743 in PDFDoc::displayPageSlice(OutputDev*, int, double, double, int, bool, bool, bool, int, int, int, int, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) poppler/poppler/PDFDoc.cc:550:20
    #10 0x1b4b1ab in poppler::page_renderer::render_page(poppler::page const*, double, double, int, int, int, int, poppler::rotation_enum) const poppler/cpp/poppler-page-renderer.cpp:180:13

  Uninitialized value was created by an allocation of 'c' in the stack frame of function '_ZN23GfxSeparationColorSpace6getRGBEP8GfxColorP6GfxRGB'
    #0 0x1570840 in GfxSeparationColorSpace::getRGB(GfxColor*, GfxRGB*) poppler/poppler/GfxState.cc:2802
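The mismatch the report describes (a tint transform that writes fewer outputs than the alternate colour space has components, leaving the tail of the scratch array uninitialized) as an added example. This is not poppler's code and not the project's eventual fix: the types and functions below (TintFunction, DeviceRGB, separationGetRGBUnchecked, separationGetRGBChecked) are assumptions that only loosely mirror the names in the MSAN trace, and the hardened variant is this example's own suggestion.

```cpp
// Added example (not poppler code): a stripped-down model of the
// GfxSeparationColorSpace::getRGB path from the report, with the
// unchecked pattern beside a hardened one.  All type and function
// names here are assumptions that only loosely mirror poppler's.
#include <cstdint>
#include <cstdio>

constexpr int gfxColorMaxComps = 32;
using GfxColorComp = int32_t;                    // 16.16 fixed point, as in poppler
struct GfxColor { GfxColorComp c[gfxColorMaxComps]; };
struct GfxRGB   { GfxColorComp r, g, b; };

inline GfxColorComp dblToCol(double x) { return static_cast<GfxColorComp>(x * 65536.0); }
inline GfxColorComp clip01(GfxColorComp x) {
    return x < 0 ? 0 : (x > 0x10000 ? 0x10000 : x);   // where MSAN reported the read
}

// Model of the PDF tint transform (/Function).  A mismatched function
// declares fewer outputs than the alternate colour space has
// components, so transform() writes out[0] only.
struct TintFunction {
    int outputSize;                              // comes from the PDF, not trusted
    void transform(const double *in, double *out) const {
        for (int i = 0; i < outputSize; ++i)
            out[i] = 1.0 - in[0];                // nothing is written past outputSize-1
    }
};

// Model of the alternate space (DeviceRGB, 3 components).
struct DeviceRGB {
    int getNComps() const { return 3; }
    void getRGB(const GfxColor *color, GfxRGB *rgb) const {
        rgb->r = clip01(color->c[0]);
        rgb->g = clip01(color->c[1]);            // reads c[1], c[2] ...
        rgb->b = clip01(color->c[2]);
    }
};

// Pattern from the report: c[] is never initialised, so when
// func.outputSize < alt.getNComps() the loop copies stack garbage
// into color2.c[1], color2.c[2].  MSAN fires inside clip01().
void separationGetRGBUnchecked(const TintFunction &func, const DeviceRGB &alt,
                               double tint, GfxRGB *rgb) {
    double c[gfxColorMaxComps];                  // uninitialised on purpose (the bug)
    GfxColor color2;
    func.transform(&tint, c);
    for (int i = 0; i < alt.getNComps(); ++i)
        color2.c[i] = dblToCol(c[i]);
    alt.getRGB(&color2, rgb);
}

// Hardened variant (this example's suggestion, not poppler's actual fix):
// zero-initialise the scratch buffer so every read is defined, and
// reject a tint transform whose output count does not cover the
// alternate space, producing a defined colour plus a failure flag.
bool separationGetRGBChecked(const TintFunction &func, const DeviceRGB &alt,
                             double tint, GfxRGB *rgb) {
    double c[gfxColorMaxComps] = {};             // all 32 entries defined
    GfxColor color2 = {};
    rgb->r = rgb->g = rgb->b = 0;                // defined output even on failure
    if (func.outputSize < alt.getNComps() || alt.getNComps() > gfxColorMaxComps)
        return false;                            // malformed /Function: fail closed
    func.transform(&tint, c);
    for (int i = 0; i < alt.getNComps(); ++i)
        color2.c[i] = dblToCol(c[i]);
    alt.getRGB(&color2, rgb);
    return true;
}

int main() {
    DeviceRGB alt;
    TintFunction bad{1};                         // one output for a 3-component alternate
    GfxRGB rgb;

    if (!separationGetRGBChecked(bad, alt, 0.25, &rgb))
        std::printf("checked: rejected tint transform with %d output(s)\n", bad.outputSize);

    TintFunction good{3};
    separationGetRGBChecked(good, alt, 0.25, &rgb);
    std::printf("checked: r=%d g=%d b=%d\n", rgb.r, rgb.g, rgb.b);

    // Build with -fsanitize=memory to see the warning on this call:
    separationGetRGBUnchecked(bad, alt, 0.25, &rgb);
    std::printf("unchecked: r=%d g=%d b=%d (g, b are garbage)\n", rgb.r, rgb.g, rgb.b);
    return 0;
}
```

Compiling with `clang++ -g -fno-omit-frame-pointer -fsanitize=memory -fsanitize-memory-track-origins=2` reproduces the shape of the report on the unchecked call: the use is reported in clip01() and the origin is the allocation of `c`. Because the model uses no libc++ containers it does not need an MSAN-instrumented libc++, which is the set-up difficulty Comment 3 alludes to; real poppler does.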
Comment 1 pdknsk 2018-04-16 09:34:35 UTC
Created attachment 138862 [details]
PDF
Comment 2 Albert Astals Cid 2018-04-16 21:25:26 UTC
I can't reproduce this, which clang version and which compile flags are you using?
Comment 3 pdknsk 2018-04-17 16:20:54 UTC
I'm using clang SVN, but it'll show with clang 6 too. (I can verify if necessary.) Are you using MSAN (MemorySanitizer)? It won't show with other sanitizers. Please note that setting-up MSAN correctly is quite difficult. (Which is why I filed the false positive some days ago.)

https://clang.llvm.org/docs/MemorySanitizer.html#handling-external-code

However I have confirmed manually that the code runs as I've mentioned in the code comments. It's a harmless bug really, but perhaps still worthwhile fixing, and might point to some logic error somewhere else in the code.
Comment 4 pdknsk 2018-04-17 16:48:47 UTC
Also I'm linking with libc++, but I doubt it makes a difference.
Comment 5 pdknsk 2018-04-18 01:38:40 UTC
There are quite a few more of these, in related functions.
Comment 6 Albert Astals Cid 2018-07-20 22:07:33 UTC
Can you please reproduce with the latest version? Lots of fixes in this regard have gone in.
Comment 7 GitLab Migration User 2018-08-21 11:13:40 UTC
-- GitLab Migration Automatic Message --

This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/poppler/poppler/issues/573.
