Bug 77921

Summary: Incompatible pointer cast in _poppler_attachment_new
Product: poppler
Reporter: Jason Crain <jason>
Component: glib frontend
Assignee: poppler-bugs <poppler-bugs>
Status: RESOLVED MOVED
Severity: major
Priority: medium
Version: unspecified
Hardware: x86-64 (AMD64)
OS: All
Attachments:
  Don't cast GTime* to time_t*
  Use time_t instead of GTime in PopplerAttachment

Description Jason Crain 2014-04-25 11:06:58 UTC
Created attachment 97950: Don't cast GTime* to time_t*

Coverity CIDs 16825 and 16826

The glib frontend casts a GTime* to time_t* in _poppler_attachment_new.  These are different sizes on x86_64, so it can result in junk being written to the succeeding bytes of the PopplerAttachment struct if a PDF's EmbeddedFile dates do not fit in 32 bits.  It's possible to crash Evince when it tries to free an invalid attachment->checksum pointer.

Attached patch replaces the pointer cast with an assignment.
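
The size mismatch described in the report above, as an added example that is not part of the original bug or of poppler's code. It assumes a stand-in struct with two 32-bit `GTime` fields followed by the checksum pointer, models the x86_64 `time_t` as `int64_t`, and uses a hypothetical `convert_date`; the cast store is reproduced with `memcpy` so the demonstration stays well defined.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the PopplerAttachment tail (assumed field order): two 32-bit
 * GTime fields, then the checksum pointer. time_t is modelled as int64_t. */
struct attachment {
    int32_t mtime;
    int32_t ctime;
    void   *checksum;
};
_Static_assert(offsetof(struct attachment, ctime) + sizeof(int64_t)
               <= sizeof(struct attachment), "demo store stays inside struct");
/* Hypothetical converter that writes a full 64-bit result via time_t*. */
static void convert_date(int64_t secs, int64_t *out) { *out = secs; }

/* Before: same effect as convert_date(secs, (time_t *)&a->ctime).
 * The 8-byte store is done with memcpy so the demo is well defined. */
static void set_ctime_cast(struct attachment *a, int64_t secs)
{
    int64_t t;
    convert_date(secs, &t);
    memcpy((unsigned char *)a + offsetof(struct attachment, ctime), &t, sizeof t);
}

/* After: convert into a correctly sized local, then assign.
 * Returns 0 if the value had to be truncated to the 32-bit field. */
static int set_ctime_assign(struct attachment *a, int64_t secs)
{
    int64_t t;
    convert_date(secs, &t);
    a->ctime = (int32_t)t;
    return t >= INT32_MIN && t <= INT32_MAX;
}

/* 1 if checksum is still NULL after storing secs (little-endian host). */
int checksum_intact(int use_cast, int64_t secs)
{
    struct attachment a = {0, 0, NULL};
    if (use_cast) set_ctime_cast(&a, secs); else set_ctime_assign(&a, secs);
    return a.checksum == NULL;
}

int main(void)
{
    int64_t big = ((int64_t)1 << 32) + 5; /* constructed: exceeds 32 bits */
    printf("cast: %d  assign: %d\n", checksum_intact(1, big), checksum_intact(0, big));
}
```

With the wide store, the upper half of the 64-bit value lands in the pointer field, which is the junk `checksum` the report describes; the assignment leaves the neighbouring field untouched but still truncates dates past the 32-bit range.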
Comment 1 Jose Aliste 2014-04-25 13:02:19 UTC
Jason, your patch fixes the crash and it's the recommended thing to do in the GLib reference if you can't replace GTime, but wouldn't we want to change the PopplerAttachment struct now to use time_t (we need to do it at some point as the GTime are going to overflow...)? If we don't want to do it now, to not break API, we could put some comment about it in the code.
Comment 2 Jason Crain 2014-04-26 23:33:35 UTC
Created attachment 98061: Use time_t instead of GTime in PopplerAttachment

I didn't change it to time_t at first because, as you say, it would break compatibility, and I don't know what all needs to be done for an API break.  This patch changes PopplerAttachment to use time_t instead of GTime and renames the _poppler_convert_pdf_date_to_gtime function to _poppler_convert_pdf_date_to_time_t.  I'll leave the old patch visible in case someone wants to apply that to a released version, and this one to an unreleased version.
Comment 3 GitLab Migration User 2018-08-21 11:16:37 UTC
-- GitLab Migration Automatic Message --

This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/poppler/poppler/issues/599.
