Bug 84990

Summary: [pdftotext] aborts with Internal Error+SIGABRT
Product: poppler
Reporter: MH <ravdune+bugzilla>
Component: general
Assignee: poppler-bugs <poppler-bugs>
Status: RESOLVED FIXED
QA Contact:
Severity: normal
Priority: medium
Version: unspecified
Hardware: All
OS: All
Attachments:
  pdf to reproduce SIGABRT
  392-unfuzzed.pdf
  Check for invalid matrix in annotation
  Free BBox object on error

Description MH 2014-10-14 11:40:23 UTC
Created attachment 107818 [details]
pdf to reproduce SIGABRT

Not sure if this is an actual bug, but since it says 'internal error' and doesn't exit gracefully I thought I'd report this:

Running pdftotext util from master. Attached 392-fuzz-16.pdf.

######################################

utils]$ libtool --mode=execute gdb ./pdftotext
GNU gdb (GDB) Fedora 7.7.1-19.fc20
...
Reading symbols from /home/foobar/poppler/utils/.libs/lt-pdftotext...done.
...

(gdb) run ~/392-fuzz-16.pdf /dev/null

Starting program: /home/foobar/poppler/utils/.libs/lt-pdftotext ~/392-fuzz-16.pdf /dev/null

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".

Syntax Error (77470): Illegal character ')'
Syntax Error: Couldn't find trailer dictionary
Syntax Error: Unknown operator '<9e>W'
Syntax Error: Unknown operator '<c0><e8>'
Syntax Error: Unknown operator '<c3><d2>'
Syntax Error: Unknown operator '<9e>W'
Syntax Error: Unknown operator '?<c8>'
Syntax Error: Unknown operator '<9e>W'
Syntax Error: Unknown operator '<07>I'
Internal Error (0): Call to Object where the object was type 10, not the expected type 1, 14 or 2

Program received signal SIGABRT, Aborted.
0x00007ffff5b3a877 in raise () from /lib64/libc.so.6
(gdb)
Comment 1 MH 2014-10-21 13:41:28 UTC
Created attachment 108176 [details]
392-unfuzzed.pdf

Attached unfuzzed file as per request.
Comment 2 Jason Crain 2014-12-21 06:25:16 UTC
Created attachment 111100 [details] [review]
Check for invalid matrix in annotation

Bad values in an annotation's matrix cause the call to abort().  Attached patch checks the type of the value before pulling it from the Object.
Comment 3 Jason Crain 2014-12-21 06:35:53 UTC
Created attachment 111101 [details] [review]
Free BBox object on error

While looking at this bug, I also noticed that an annotation's bboxObj isn't freed on error, causing a memory leak.  Attached patch adds a call to bboxObj.free().
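As an added illustration of the two fixes above (the type check before pulling a matrix entry, and nothing left to free on the error path), here is a small self-contained C++ model. It is not poppler's code and not the attached patches; PdfObject, readMatrixUnchecked, readMatrixChecked and the constructed sample arrays are hypothetical names for this example only.

```cpp
#include <array>
#include <exception>
#include <optional>
#include <string>
#include <variant>
#include <vector>

// Hypothetical stand-in for a PDF object model (not poppler's Object class).
// A scalar PDF value is an integer, a real, a string, or null.
using PdfObject = std::variant<long, double, std::string, std::monostate>;
using PdfArray = std::vector<PdfObject>;   // models an annotation's /Matrix array
using Matrix = std::array<double, 6>;

bool isNum(const PdfObject& o) { return o.index() == 0 || o.index() == 1; }

// Extract a number assuming the caller already knows it is one.
// On a non-numeric object std::get throws; poppler's equivalent logged
// "Internal Error ... not the expected type" and then called abort().
double getNum(const PdfObject& o) {
    return o.index() == 0 ? static_cast<double>(std::get<long>(o)) : std::get<double>(o);
}

// "Before": trusts the file and pulls every entry without a type check.
Matrix readMatrixUnchecked(const PdfArray& a) {
    Matrix m{};
    for (size_t i = 0; i < 6; ++i) m[i] = getNum(a.at(i));
    return m;
}

// "After": validate shape and element types first and report failure to the
// caller instead of aborting. Returning by value (no owned heap object) also
// leaves nothing to free on the error path, the leak noted in Comment 3.
std::optional<Matrix> readMatrixChecked(const PdfArray& a) {
    if (a.size() != 6) return std::nullopt;
    Matrix m{};
    for (size_t i = 0; i < 6; ++i) {
        if (!isNum(a[i])) return std::nullopt;
        m[i] = getNum(a[i]);
    }
    return m;
}

// Demonstration helper: true if the unchecked reader blows up on `a`.
bool uncheckedReaderFails(const PdfArray& a) {
    try { readMatrixUnchecked(a); } catch (const std::exception&) { return true; }
    return false;
}

// Constructed inputs: a well-formed matrix and a fuzzed one with a string entry.
const PdfArray kGood{1L, 0.0, 0.0, 1L, 10.5, 20L};
const PdfArray kFuzzed{1L, 0.0, std::string("garbage"), 1L, 10.5, 20L};
```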
Comment 4 Albert Astals Cid 2014-12-23 15:36:51 UTC
Pushed, thanks!
