Summary: SEGV in StreamPredictor::getChar (cairo backend)
Product: poppler
Reporter: Antti Husa <a.husa>
Component: cairo backend
Assignee: poppler-bugs <poppler-bugs>
Status: RESOLVED MOVED
Severity: normal
Priority: medium
Version: unspecified
Hardware: x86-64 (AMD64)
OS: Linux (All)
Attachments: Fuzzed PDF file that causes SEGV
Created attachment 96408
Fuzzed PDF file that causes SEGV

Segfault when malformed PDF file is opened. Reproduced on Evince and Zathura with Poppler version 0.25.1 (git master branch).

Distribution: Gentoo Linux 64bit
Evince version: 3.10.3
Zathura version: 0.2.1
Zathura-pdf-poppler version: 0.2.3

Malformed file is given as an attachment.

ASAN report:

==9396== ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7effa86af3a3 sp 0x7effa5c9d810 bp 0x7effa5c9d820 T3)
AddressSanitizer can not provide additional info.
    #0 0x7effa86af3a2 in StreamPredictor::getChar() /var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/Stream.cc:615
    #1 0x7effa87f5655 in FlateStream::getChar() /var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/FlateStream.cc:58
    #2 0x7effa856bf60 in Stream::doGetChars(int, unsigned char*) /var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/Stream.h:126
    #3 0x7effa86ae19f in ImageStream::getLine() /var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/Stream.cc:517
    #4 0x7effa8d5c301 in RescaleDrawImage::getRow(int, unsigned int*) /var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/CairoOutputDev.cc:2836
    #5 0x7effa8d5d674 in CairoRescaleBox::downScaleImage(unsigned int, unsigned int, int, int, unsigned short, unsigned short, unsigned short, unsigned short, _cairo_surface*) /var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/CairoRescaleBox.cc:338
    #6 0x7effa8d5c121 in RescaleDrawImage::getSourceImage(Stream*, int, int, int, int, bool, GfxImageColorMap*, int*) /var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/CairoOutputDev.cc:2817
    #7 0x7effa8d56fe8 in CairoOutputDev::drawImage(GfxState*, Object*, Stream*, int, int, GfxImageColorMap*, bool, int*, bool) /var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/CairoOutputDev.cc:2896
    #8 0x7effa85d9840 in Gfx::doImage(Object*, Stream*, bool) /var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/Gfx.cc:4653
    #9 0x7effa85d68f2 in Gfx::opXObject(Object*, int) /var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/Gfx.cc:4179
    #10 0x7effa85b049c in Gfx::execOp(Object*, Object*, int) /var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/Gfx.cc:903
    #11 0x7effa85af685 in Gfx::go(bool) /var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/Gfx.cc:762
    #12 0x7effa85af2d9 in Gfx::display(Object*, bool) /var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/Gfx.cc:728
    #13 0x7effa86928cd in Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/Page.cc:585
    #14 0x7effa8d17f53 in _poppler_page_render(_PopplerPage*, _cairo*, bool, PopplerPrintFlags) /var/tmp/portage/app-text/poppler-9999/work/poppler-9999/glib/poppler-page.cc:362
    #15 0x7effa8d1807a in poppler_page_render /var/tmp/portage/app-text/poppler-9999/work/poppler-9999/glib/poppler-page.cc:385
    #16 0x7effa8f9cf2c in pdf_page_render_cairo /var/tmp/portage/app-text/zathura-pdf-poppler-0.2.3/work/zathura-pdf-poppler-0.2.3/pdf.c:809
    #17 0x42f947 in render /var/tmp/portage/app-text/zathura-0.2.1/work/zathura-0.2.1/render.c:183
    #18 0x42f947 in render_job /var/tmp/portage/app-text/zathura-0.2.1/work/zathura-0.2.1/render.c:37
    #19 0x7effb11cbea5 (/usr/lib64/libglib-2.0.so.0+0x6fea5)
    #20 0x7effb11cb4e4 (/usr/lib64/libglib-2.0.so.0+0x6f4e4)
    #21 0x7effb287ec07 in __asan::AsanThread::ThreadStart() /home/aki/opt/fu/work/tmp/gcc-4.8.1/x86_64-unknown-linux-gnu/libsanitizer/asan/../../.././libsanitizer/asan/asan_thread.cc:99
    #22 0x7effb0b41f39 in start_thread /var/tmp/portage/sys-libs/glibc-2.17/work/glibc-2.17/nptl/pthread_create.c:308
    #23 0x7effb057ec3c (/lib64/libc.so.6+0xedc3c)
SUMMARY: AddressSanitizer: SEGV /var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/Stream.cc:615 StreamPredictor::getChar()
Thread T3 (pool) created by T0 here:
    #0 0x7effb2870c5b in __interceptor_pthread_create /home/aki/opt/fu/work/tmp/gcc-4.8.1/x86_64-unknown-linux-gnu/libsanitizer/asan/../../.././libsanitizer/asan/asan_interceptors.cc:122
    #1 0x7effb11e6941 (/usr/lib64/libglib-2.0.so.0+0x8a941)
==9396== ABORTING

--
Antti Husa
Research Assistant, OUSPG