Bug 16104

Summary: poppler crash in AnnotQuadrilaterals::AnnotQuadrilaterals
Product: poppler
Reporter: Tomas Hoger <thoger>
Component: general
Assignee: poppler-bugs <poppler-bugs>
Status: RESOLVED FIXED
Severity: normal
Priority: medium
Version: unspecified
Hardware: All
OS: Linux (All)
URL: http://www.novell.com/rc/docrepository/public/37/basedocument.2008-03-24.1121868495/Whats_New_in_SLE_10_SP2_white_paper_en.pdf

Description Tomas Hoger 2008-05-26 04:20:11 UTC
The PDF at the URL above causes a crash in poppler due to delete/free being called on an uninitialized pointer.  Verified on poppler 0.8.1 / 0.8.2; versions 0.6.x do not seem to have the affected code.

The problem is in AnnotQuadrilaterals::AnnotQuadrilaterals in Annot.cc.  Whenever the code detects a problem with the correctness of the data read from the PDF file, it attempts to free the previously allocated members of quads[] and quads itself.  However, the for-loop freeing the previously allocated members of quads[] seems to be off by one, trying to free an uninitialized pointer.

In the loop 'while (i < (quadsLength) && correct)', i is incremented regardless of whether correct or incorrect data were read from the file.  If correct is gFalse after leaving the loop, i is the number of initialized quads members + 1 (not the number of initialized quads members, as the code assumes).

Possible solutions:
- use j < i - 1 in the for loop freeing quads[]
- break while loop when incorrect value is detected, skipping i++
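The loop shape described in the report, as an added stand-alone model (not poppler's Annot.cc code): a parser reads quadrilaterals of eight numbers each from a flat array, and on bad input walks back over the pointer array it allocated. The pointer array is filled with a sentinel standing in for non-zeroed heap memory, so the example can count the delete on a never-assigned slot instead of crashing. It implements the buggy error path alongside both fixes suggested above (break before i++, or bound the cleanup loop with i - 1). The "any negative coordinate is corrupt" rule and all names are assumptions made for the example.

```cpp
#include <cstdio>
#include <vector>

struct Quad { double c[8]; };

// Which cleanup variant to run on the error path.
enum class Cleanup { Buggy, FixedBreak, FixedBound };

struct ParseResult {
    bool ok;
    int quadsBuilt;        // quads actually allocated before the bad data
    int deletesAttempted;  // slots the error path tried to delete
    int badDeletes;        // deletes on never-assigned slots (a crash in real code)
};

// Sentinel standing in for uninitialized heap garbage. It is a valid address
// that is never deleted, so the model stays well-defined.
static Quad garbageObj;
static Quad *const UNINIT = &garbageObj;

// Assumption for the example: a negative coordinate means corrupt input.
static bool coordValid(double v) { return v >= 0.0; }

static ParseResult parseQuads(const std::vector<double> &data, Cleanup mode) {
    ParseResult r{false, 0, 0, 0};
    if (data.size() % 8 != 0) return r;           // length must be a multiple of 8
    const int quadsLength = static_cast<int>(data.size() / 8);

    // Mimics an allocation that is NOT zero-filled: every slot holds garbage.
    std::vector<Quad *> quads(static_cast<size_t>(quadsLength), UNINIT);

    bool correct = true;
    int i = 0;
    while (i < quadsLength && correct) {
        Quad tmp{};
        for (int j = 0; j < 8 && correct; j++) {
            double v = data[static_cast<size_t>(i) * 8 + static_cast<size_t>(j)];
            if (coordValid(v)) tmp.c[j] = v;
            else correct = false;
        }
        if (correct) {
            quads[static_cast<size_t>(i)] = new Quad(tmp);
            r.quadsBuilt++;
        } else if (mode == Cleanup::FixedBreak) {
            break;   // fix 2: leave i equal to the number of quads built
        }
        i++;         // buggy/FixedBound: i advances even when the data was bad
    }

    if (correct) {
        r.ok = true;
        for (Quad *q : quads) delete q;           // every slot was assigned
        return r;
    }

    // Error path: free what was allocated. With the buggy variant i is one
    // too large, so the last iteration touches a slot that was never assigned.
    const int bound = (mode == Cleanup::FixedBound) ? i - 1 : i;   // fix 1: j < i - 1
    for (int j = 0; j < bound; j++) {
        r.deletesAttempted++;
        Quad *q = quads[static_cast<size_t>(j)];
        if (q == UNINIT) { r.badDeletes++; continue; }  // real code would crash here
        delete q;
    }
    return r;
}

// Constructed input: two valid quads followed by one with a corrupt coordinate.
static std::vector<double> sampleBadInput() {
    std::vector<double> d;
    for (int k = 0; k < 16; k++) d.push_back(static_cast<double>(k % 8));
    d.insert(d.end(), {0, 1, -1, 3, 4, 5, 6, 7});
    return d;
}

int main() {
    const Cleanup modes[] = {Cleanup::Buggy, Cleanup::FixedBreak, Cleanup::FixedBound};
    const char *names[] = {"buggy", "break-before-i++", "j < i - 1"};
    for (int m = 0; m < 3; m++) {
        ParseResult r = parseQuads(sampleBadInput(), modes[m]);
        std::printf("%-18s built=%d deletes=%d bad=%d\n",
                    names[m], r.quadsBuilt, r.deletesAttempted, r.badDeletes);
    }
    return 0;
}
```

The buggy variant reports one more delete than quads built, and that extra delete lands on the garbage slot; both fixes bring the count back to the number of quads actually constructed. Note that fix 1 (`j < i - 1`) is only correct because the error path runs solely when `correct` is false, which guarantees the extra increment happened; the break variant does not rely on that coupling.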
Comment 1 Albert Astals Cid 2008-05-26 14:43:17 UTC
Backported fixes from trunk, thanks for reminding me they were still not on the 0.8.x branch.
