| Summary: | SIGABRT in getString at Object.h:202 | ||
|---|---|---|---|
| Product: | poppler | Reporter: | Henri Salo <henri+freedesktop> |
| Component: | general | Assignee: | poppler-bugs <poppler-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | normal | ||
| Priority: | medium | CC: | henri+freedesktop |
| Version: | unspecified | ||
| Hardware: | x86-64 (AMD64) | ||
| OS: | Linux (All) | ||
| Whiteboard: | |||
| i915 platform: | i915 features: | ||
| Attachments: | fuzzed sample file | ||
|
Description
Henri Salo
2015-03-04 10:44:09 UTC
Attached sample file crashes e.g. pdfinfo. Sample file is fuzzed with AFL http://lcamtuf.coredump.cx/afl/ (gdb) bt #0 0x00007ffff60d0165 in *__GI_raise (sig=<optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64 #1 0x00007ffff60d33e0 in *__GI_abort () at abort.c:92 #2 0x00000000006c8d62 in getString (this=<optimized out>) at Object.h:202 #3 StandardSecurityHandler::StandardSecurityHandler (this=0xac33e0, docA=<optimized out>, encryptDictA=<optimized out>) at SecurityHandler.cc:292 #4 0x00000000006c9ee3 in SecurityHandler::make (docA=0xac2ea0, encryptDictA=0x7fffffffe160) at SecurityHandler.cc:56 #5 0x0000000000609afd in PDFDoc::checkEncryption (this=this@entry=0xac2ea0, ownerPassword=ownerPassword@entry=0x0, userPassword=userPassword@entry=0x0) at PDFDoc.cc:425 #6 0x0000000000617016 in PDFDoc::setup (this=this@entry=0xac2ea0, ownerPassword=ownerPassword@entry=0x0, userPassword=userPassword@entry=0x0) at PDFDoc.cc:276 #7 0x00000000006177c0 in PDFDoc::PDFDoc (this=0xac2ea0, fileNameA=<optimized out>, ownerPassword=0x0, userPassword=0x0, guiDataA=<optimized out>) at PDFDoc.cc:166 #8 0x00000000007e2a89 in LocalPDFDocBuilder::buildPDFDoc (this=<optimized out>, uri=..., ownerPassword=0x0, userPassword=0x0, guiDataA=0x0) at LocalPDFDocBuilder.cc:31 #9 0x0000000000409476 in main (argc=2, argv=0x7fffffffe588) at pdfinfo.cc:185 #10 0x00007ffff60bcead in __libc_start_main (main=<optimized out>, argc=<optimized out>, ubp_av=<optimized out>, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe578) at libc-start.c:244 #11 0x000000000040bcc5 in _start () frame 2 (gdb) list 197 198 // Note: integers larger than 2^53 can not be exactly represented by a double. 199 // Where the exact value of integers up to 2^63 is required, use isInt64()/getInt64(). 200 double getNum() { OBJECT_3TYPES_CHECK(objInt, objInt64, objReal); 201 return type == objInt ? (double)intg : type == objInt64 ? (double)int64g : real; } 202 GooString *getString() { OBJECT_TYPE_CHECK(objString); return string; } 203 // After takeString() the only method that should be called for the object is free() 204 // because the object it's not expected to have a NULL string. 205 GooString *takeString() { 206 OBJECT_TYPE_CHECK(objString); GooString *s = string; string = NULL; return s; } Created attachment 113986 [details]
fuzzed sample file
Tested with version: 0.31.0 Not major at all Good to know. List of "Importance" was not obvious. Crashing PDF-library is major in my books :) It's not crashing, it's aborting controlledly, and the fact it's a doctored file makes it also much less important. Fixed |
Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.