Bug 76439

Summary: SEGV in StreamPredictor::getChar
Product: poppler Reporter: Antti Husa <a.husa>
Component: general    Assignee: poppler-bugs <poppler-bugs>
Status: RESOLVED INVALID QA Contact:
Severity: normal    
Priority: medium    
Version: unspecified   
Hardware: x86-64 (AMD64)   
OS: Linux (All)   
Whiteboard:
Attachments: Fuzzed PDF file that causes SEGV
New fuzzed file (SEGV)
Base64 encoded file

Description Antti Husa 2014-03-21 10:32:33 UTC
Created attachment 96150 [details]
Fuzzed PDF file that causes SEGV

Segfault when malformed PDF file is opened.

Reproduced on Evince, Zathura and apvlv with Poppler version 0.24.5.

Distribution: Gentoo Linux 64bit
Evince version: 3.10.3
Zathura version: 0.2.1
Zathura-pdf-poppler version: 0.2.3

Malformed file is given as an attachment.

ASAN report:
==11919== ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f97d6271621 sp 0x7fffb285c5e0 bp 0x7fffb285c600 T0)
AddressSanitizer can not provide additional info.
    #0 0x7f97d6271620 (/usr/lib64/libpoppler.so.44.0.0+0x302620)
    #1 0x7f97d6287a1f (/usr/lib64/libpoppler.so.44.0.0+0x318a1f)
    #2 0x7f97d62887fc (/usr/lib64/libpoppler.so.44.0.0+0x3197fc)
    #3 0x7f97d628cacb (/usr/lib64/libpoppler.so.44.0.0+0x31dacb)
    #4 0x7f97d628cf4b (/usr/lib64/libpoppler.so.44.0.0+0x31df4b)
    #5 0x7f97d6261b2f (/usr/lib64/libpoppler.so.44.0.0+0x2f2b2f)
    #6 0x7f97d62621a6 (/usr/lib64/libpoppler.so.44.0.0+0x2f31a6)
    #7 0x7f97d6866f17 (/usr/lib64/libpoppler-glib.so.8.6.0+0x2cf17)
    #8 0x7f97d6ad4d22 (/usr/lib64/zathura/pdf.so+0x2d22)
    #9 0x42aee4 (/usr/bin/zathura+0x42aee4)
    #10 0x411697 (/usr/bin/zathura+0x411697)
    #11 0x412583 (/usr/bin/zathura+0x412583)
    #12 0x7f97df8bba76 (/usr/lib64/libgdk-x11-2.0.so.0.2400.22+0x20a76)
    #13 0x7f97decdea95 (/usr/lib64/libglib-2.0.so.0.3800.2+0x4aa95)
    #14 0x7f97decdede7 (/usr/lib64/libglib-2.0.so.0.3800.2+0x4ade7)
    #15 0x7f97decdf1e9 (/usr/lib64/libglib-2.0.so.0.3800.2+0x4b1e9)
    #16 0x7f97dfc88dd6 (/usr/lib64/libgtk-x11-2.0.so.0.2400.22+0x139dd6)
    #17 0x40dd9a (/usr/bin/zathura+0x40dd9a)
    #18 0x7f97ddfedbf4 (/lib64/libc-2.17.so+0x24bf4)
    #19 0x40e4d4 (/usr/bin/zathura+0x40e4d4)
==11919== ABORTING


gdb backtrace:
615	  return predLine[predIdx++];
gdb$ bt
#0  0x00007fffead20621 in StreamPredictor::getChar (this=0x600c0004e200) at /var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/Stream.cc:615
#1  0x00007fffead36a20 in XRef::readXRefStreamSection (this=this@entry=0x60240006f800, xrefStr=xrefStr@entry=0x606200040300, w=w@entry=0x7fffffffcdd0, first=first@entry=0x43, n=n@entry=0x47) at /var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/XRef.cc:844
#2  0x00007fffead377fd in XRef::readXRefStream (this=this@entry=0x60240006f800, xrefStr=0x606200040300, pos=pos@entry=0x60240006f898) at /var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/XRef.cc:785
#3  0x00007fffead3bacc in XRef::readXRef (this=this@entry=0x60240006f800, pos=0x60240006f898, followedXRefStm=followedXRefStm@entry=0x7fffffffd100, xrefStreamObjsNum=xrefStreamObjsNum@entry=0x0) at /var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/XRef.cc:560
#4  0x00007fffead3bf4c in XRef::XRef (this=0x60240006f800, strA=<optimized out>, pos=<optimized out>, mainXRefEntriesOffsetA=0x0, wasReconstructed=0x7fffffffd1d0, reconstruct=<optimized out>) at /var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/XRef.cc:342
#5  0x00007fffead10b30 in PDFDoc::setup (this=this@entry=0x601c00007ac0, ownerPassword=ownerPassword@entry=0x0, userPassword=userPassword@entry=0x0) at /var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/PDFDoc.cc:262
#6  0x00007fffead111a7 in PDFDoc::PDFDoc (this=0x601c00007ac0, fileNameA=<optimized out>, ownerPassword=0x0, userPassword=0x0, guiDataA=<optimized out>) at /var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/PDFDoc.cc:167
#7  0x00007fffeb315f18 in poppler_document_new_from_file (uri=<optimized out>, password=<optimized out>, error=0x7fffffffd378) at /var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/glib/poppler-document.cc:202
#8  0x00007fffeb583d23 in pdf_document_open () from /usr/lib64/zathura/pdf.so
#9  0x000000000042aee5 in zathura_document_open (plugin_manager=<optimized out>, path=path@entry=0x600c0004ebc0 "/home/anon/tmp/samples/pdf/results/mal-16_zathura.pdf", password=password@entry=0x0, error=error@entry=0x7fffffffd630) at document.c:130
#10 0x0000000000411698 in document_open (zathura=0x60260000f660, path=path@entry=0x600c0004ebc0 "/home/anon/tmp/samples/pdf/results/mal-16_zathura.pdf", password=0x0) at zathura.c:482
#11 0x0000000000412584 in document_info_open (data=0x600600042670) at zathura.c:465
#12 0x00007ffff436aa77 in ?? () from /usr/lib64/libgdk-x11-2.0.so.0
#13 0x00007ffff378da96 in g_main_context_dispatch () from /usr/lib64/libglib-2.0.so.0
#14 0x00007ffff378dde8 in ?? () from /usr/lib64/libglib-2.0.so.0
#15 0x00007ffff378e1ea in g_main_loop_run () from /usr/lib64/libglib-2.0.so.0
#16 0x00007ffff4737dd7 in gtk_main () from /usr/lib64/libgtk-x11-2.0.so.0
#17 0x000000000040dd9b in main (argc=0x2, argv=0x7fffffffe098) at main.c:145


--
Antti Husa
Research Assistant, OUSPG
Comment 1 Albert Astals Cid 2014-03-21 22:18:58 UTC
Hi, can you please read http://tsdgeos.blogspot.de/2014/03/asan-and-gcc-how-to-get-line-numbers-in.html and provide line numbers with the asan backtrace?
Comment 2 Antti Husa 2014-03-24 17:29:35 UTC
Fixed ASAN report with line numbers:

==15820== ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f02626e8b31 sp 0x7fff3b144c50 bp 0x7fff3b144c70 T0)
AddressSanitizer can not provide additional info.
    #0 0x7f02626e8b30 in StreamPredictor::getChar() /var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/Stream.cc:615
    #1 0x7f02626fef2f in XRef::readXRefStreamSection(Stream*, int*, int, int) /var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/XRef.cc:844
    #2 0x7f02626ffd0c in XRef::readXRefStream(Stream*, long long*) /var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/XRef.cc:785
    #3 0x7f0262703fdb in XRef::readXRef(long long*, std::vector<long long, std::allocator<long long> >*, std::vector<int, std::allocator<int> >*) /var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/XRef.cc:560
    #4 0x7f026270445b in XRef::XRef(BaseStream*, long long, long long, bool*, bool) /var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/XRef.cc:342
    #5 0x7f02626d903f in PDFDoc::setup(GooString*, GooString*) /var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/PDFDoc.cc:262
    #6 0x7f02626d96b6 in PDFDoc::PDFDoc(GooString*, GooString*, GooString*, void*) /var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/PDFDoc.cc:167
    #7 0x7f0262cdbc97 in poppler_document_new_from_file /var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/glib/poppler-document.cc:202
    #8 0x7f0262f49853 in pdf_document_open /var/tmp/portage/app-text/zathura-pdf-poppler-0.2.3/work/zathura-pdf-poppler-0.2.3/pdf.c:214
    #9 0x429e14 in zathura_document_open /var/tmp/portage/app-text/zathura-0.2.1/work/zathura-0.2.1/document.c:130
    #10 0x415057 in document_open /var/tmp/portage/app-text/zathura-0.2.1/work/zathura-0.2.1/zathura.c:482
    #11 0x415f43 in document_info_open /var/tmp/portage/app-text/zathura-0.2.1/work/zathura-0.2.1/zathura.c:465
    #12 0x7f026bd32a76 (/usr/lib64/libgdk-x11-2.0.so.0+0x20a76)
    #13 0x7f026b155a95 (/usr/lib64/libglib-2.0.so.0+0x4aa95)
    #14 0x7f026b155de7 (/usr/lib64/libglib-2.0.so.0+0x4ade7)
    #15 0x7f026b1561e9 (/usr/lib64/libglib-2.0.so.0+0x4b1e9)
    #16 0x7f026c0ffdd6 (/usr/lib64/libgtk-x11-2.0.so.0+0x139dd6)
    #17 0x40ddea in main /var/tmp/portage/app-text/zathura-0.2.1/work/zathura-0.2.1/main.c:145
    #18 0x7f026a464bf4 in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.17/work/glibc-2.17/csu/libc-start.c:258
    #19 0x40e544 in _start (/usr/bin/zathura+0x40e544)
SUMMARY: AddressSanitizer: SEGV /var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/Stream.cc:615 StreamPredictor::getChar()
==15820== ABORTING
Comment 3 Albert Astals Cid 2014-03-25 22:29:11 UTC
Can you try to use poppler master from git instead of poppler 0.24.5? With poppler master we simply refuse to load the file without ASAN triggering.
Comment 4 Antti Husa 2014-03-26 11:17:56 UTC
Yes, I'm able to reproduce it with master branch from git, although it seems to go through FlateStream::getChar() this time.

Here's ASAN report:
==22821== ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fdfa8c583a3 sp 0x7fff9dc1e790 bp 0x7fff9dc1e7a0 T0)
AddressSanitizer can not provide additional info.
    #0 0x7fdfa8c583a2 in StreamPredictor::getChar() /var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/Stream.cc:615
    #1 0x7fdfa8d9e655 in FlateStream::getChar() /var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/FlateStream.cc:58
    #2 0x7fdfa8c8916d in XRef::readXRefStreamSection(Stream*, int*, int, int) /var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/XRef.cc:844
    #3 0x7fdfa8c88ccd in XRef::readXRefStream(Stream*, long long*) /var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/XRef.cc:785
    #4 0x7fdfa8c87759 in XRef::readXRef(long long*, std::vector<long long, std::allocator<long long> >*, std::vector<int, std::allocator<int> >*) /var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/XRef.cc:560
    #5 0x7fdfa8c85571 in XRef::XRef(BaseStream*, long long, long long, bool*, bool) /var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/XRef.cc:342
    #6 0x7fdfa8c412a8 in PDFDoc::setup(GooString*, GooString*) /var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/PDFDoc.cc:260
    #7 0x7fdfa8c40d2c in PDFDoc::PDFDoc(GooString*, GooString*, GooString*, void*) /var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/PDFDoc.cc:165
    #8 0x7fdfa92b6b57 in poppler_document_new_from_file /var/tmp/portage/app-text/poppler-9999/work/poppler-9999/glib/poppler-document.cc:202
    #9 0x7fdfa9543853 in pdf_document_open /var/tmp/portage/app-text/zathura-pdf-poppler-0.2.3/work/zathura-pdf-poppler-0.2.3/pdf.c:214
    #10 0x429e14 in zathura_document_open /var/tmp/portage/app-text/zathura-0.2.1/work/zathura-0.2.1/document.c:130
    #11 0x415057 in document_open /var/tmp/portage/app-text/zathura-0.2.1/work/zathura-0.2.1/zathura.c:482
    #12 0x415f43 in document_info_open /var/tmp/portage/app-text/zathura-0.2.1/work/zathura-0.2.1/zathura.c:465
    #13 0x7fdfb232ca76 (/usr/lib64/libgdk-x11-2.0.so.0+0x20a76)
    #14 0x7fdfb174fa95 (/usr/lib64/libglib-2.0.so.0+0x4aa95)
    #15 0x7fdfb174fde7 (/usr/lib64/libglib-2.0.so.0+0x4ade7)
    #16 0x7fdfb17501e9 (/usr/lib64/libglib-2.0.so.0+0x4b1e9)
    #17 0x7fdfb26f9dd6 (/usr/lib64/libgtk-x11-2.0.so.0+0x139dd6)
    #18 0x40ddea in main /var/tmp/portage/app-text/zathura-0.2.1/work/zathura-0.2.1/main.c:145
    #19 0x7fdfb0a5ebf4 in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.17/work/glibc-2.17/csu/libc-start.c:258
    #20 0x40e544 in _start (/usr/bin/zathura+0x40e544)
SUMMARY: AddressSanitizer: SEGV /var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/Stream.cc:615 StreamPredictor::getChar()
==22821== ABORTING
Comment 5 Albert Astals Cid 2014-03-26 21:06:10 UTC
That is confusing, I can't get it to fail. Can you try with any of the command line utils that come with poppler itself? pdftoppm or qt4/tests/test-poppler-qt4 or glib/demo/poppler-glib-demo, etc.
Comment 6 Antti Husa 2014-03-26 21:55:21 UTC
It seems that the file can actually cause two different SEGV bugs. I've added a new file as an attachment that causes the bug in StreamPredictor::getChar; however, removing the 4th line with a text editor and then opening it causes another SEGV bug in XRef::getNumEntry. And yes, pdftoppm also causes these very same bugs. Tests were done with master branch from git.
Comment 7 Antti Husa 2014-03-26 21:57:37 UTC
Created attachment 96429 [details]
New fuzzed file (SEGV)
Comment 8 Antti Husa 2014-03-26 22:10:11 UTC
Weird... The culprit here seems to be the formatting in the attachment, since the formatting replaces "^M" characters with newlines. That's why simply copying the text from the attachment didn't cause the expected bug.
Comment 9 Antti Husa 2014-05-02 10:10:42 UTC
Created attachment 98333 [details]
Base64 encoded file
Comment 10 Antti Husa 2014-05-02 10:12:16 UTC
Attached a new file that is base64 encoded in order to preserve the ^M characters. Also verified that the decoded pdf file causes the bug in question.
Comment 11 Albert Astals Cid 2014-09-30 17:08:43 UTC
With current poppler git, I did this:

base64 -d attachment.cgi\?id\=98333 > bug-poppler76439.pdf

And then ran utils/pdftoppm, utils/pdftotext, glib/demo/poppler-glib-demo, qt4/tests/test-poppler-qt4, and none of them gives me any asan warning; they just complain that the file is not valid.

$ sha256sum bug-poppler76439.pdf
b1688a6806c2a5275aafe6283c24e74ec08dbd82fe1340d0a6f22b0da47c056f

Is that the sha256sum of your file? Can you try with master and any of the poppler standard tools/tests/demos?
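The round trip that comments 8 through 11 describe (a fuzzed reproducer whose "^M" bytes were turned into plain newlines when its text was copied, then re-sent as base64 and checked with sha256sum) as an added Python example; it is not part of the bug report or of poppler, and the sample bytes are constructed, not the real attachment:

```python
"""Why a fuzz reproducer has to travel byte-for-byte.

Added example, not from the bug report. Builds a small constructed file
with CRLF line endings, then shows that "copying the text" (which
normalises CRLF to LF) changes the SHA-256, while a base64 round trip
(base64 / base64 -d) preserves every byte.
"""
import base64
import hashlib

# Constructed sample with CRLF ("^M" + newline) line endings. This is NOT
# the attachment from the bug; it only mimics a PDF-like header.
SAMPLE = b"%PDF-1.5\r\n1 0 obj\r\n<< /Type /XRef /W [1 2 1] >>\r\nstream\r\n"


def sha256_hex(data: bytes) -> str:
    """Hex digest as `sha256sum` would print it."""
    return hashlib.sha256(data).hexdigest()


def normalise_line_endings(data: bytes) -> bytes:
    """What a text editor or copy/paste typically does to a file: CRLF -> LF."""
    return data.replace(b"\r\n", b"\n")


def base64_round_trip(data: bytes) -> bytes:
    """Encode then decode, as with `base64 file` on one side and `base64 -d` on the other."""
    return base64.b64decode(base64.b64encode(data))


def count_cr(data: bytes) -> int:
    """Number of carriage-return bytes (the "^M" characters from comment 8)."""
    return data.count(b"\r")


def verify_reproducer(data: bytes, expected_sha256: str) -> bool:
    """The check from comment 11: does the file on hand match the reporter's hash?"""
    return sha256_hex(data) == expected_sha256.lower()


def compare(data: bytes) -> dict:
    """Hash the original, a text-copied version and a base64 round-tripped version."""
    original = sha256_hex(data)
    copied = normalise_line_endings(data)
    decoded = base64_round_trip(data)
    return {
        "sha256_original": original,
        "sha256_text_copy": sha256_hex(copied),
        "sha256_base64_round_trip": sha256_hex(decoded),
        "cr_count_original": count_cr(data),
        "cr_count_text_copy": count_cr(copied),
        "text_copy_preserves_bytes": copied == data,
        "base64_preserves_bytes": decoded == data,
    }


if __name__ == "__main__":
    for key, value in compare(SAMPLE).items():
        print(f"{key}: {value}")
```

The takeaway for triage is the one the thread reaches on its own: a reproducer that passed through any text-oriented channel is a different file, so the first thing to compare on both sides is the digest of the exact bytes, and a base64 (or other binary-safe) attachment is the way to keep them identical.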
Comment 12 Albert Astals Cid 2017-01-16 17:04:45 UTC
No answer, so let's assume we fixed it.
