Bug 89422

Summary: SIGABRT in getString at Object.h:202
Product: poppler
Reporter: Henri Salo <henri+freedesktop>
Component: general
Assignee: poppler-bugs <poppler-bugs>
Status: RESOLVED FIXED
Severity: normal
Priority: medium
CC: henri+freedesktop
Version: unspecified
Hardware: x86-64 (AMD64)
OS: Linux (All)
Attachments: fuzzed sample file

Description Henri Salo 2015-03-04 10:44:09 UTC
Comment 1 Henri Salo 2015-03-04 10:45:38 UTC
The attached sample file crashes e.g. pdfinfo. The sample file was fuzzed with AFL (http://lcamtuf.coredump.cx/afl/).

(gdb) bt
#0  0x00007ffff60d0165 in *__GI_raise (sig=<optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x00007ffff60d33e0 in *__GI_abort () at abort.c:92
#2  0x00000000006c8d62 in getString (this=<optimized out>) at Object.h:202
#3  StandardSecurityHandler::StandardSecurityHandler (this=0xac33e0, docA=<optimized out>, encryptDictA=<optimized out>) at SecurityHandler.cc:292
#4  0x00000000006c9ee3 in SecurityHandler::make (docA=0xac2ea0, encryptDictA=0x7fffffffe160) at SecurityHandler.cc:56
#5  0x0000000000609afd in PDFDoc::checkEncryption (this=this@entry=0xac2ea0, ownerPassword=ownerPassword@entry=0x0, userPassword=userPassword@entry=0x0) at PDFDoc.cc:425
#6  0x0000000000617016 in PDFDoc::setup (this=this@entry=0xac2ea0, ownerPassword=ownerPassword@entry=0x0, userPassword=userPassword@entry=0x0) at PDFDoc.cc:276
#7  0x00000000006177c0 in PDFDoc::PDFDoc (this=0xac2ea0, fileNameA=<optimized out>, ownerPassword=0x0, userPassword=0x0, guiDataA=<optimized out>) at PDFDoc.cc:166
#8  0x00000000007e2a89 in LocalPDFDocBuilder::buildPDFDoc (this=<optimized out>, uri=..., ownerPassword=0x0, userPassword=0x0, guiDataA=0x0) at LocalPDFDocBuilder.cc:31
#9  0x0000000000409476 in main (argc=2, argv=0x7fffffffe588) at pdfinfo.cc:185
#10 0x00007ffff60bcead in __libc_start_main (main=<optimized out>, argc=<optimized out>, ubp_av=<optimized out>, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe578) at libc-start.c:244
#11 0x000000000040bcc5 in _start ()

(gdb) frame 2

(gdb) list
197
198       // Note: integers larger than 2^53 can not be exactly represented by a double.
199       // Where the exact value of integers up to 2^63 is required, use isInt64()/getInt64().
200       double getNum() { OBJECT_3TYPES_CHECK(objInt, objInt64, objReal);
201         return type == objInt ? (double)intg : type == objInt64 ? (double)int64g : real; }
202       GooString *getString() { OBJECT_TYPE_CHECK(objString); return string; }
203       // After takeString() the only method that should be called for the object is free()
204       // because the object it's not expected to have a NULL string.
205       GooString *takeString() {
206         OBJECT_TYPE_CHECK(objString); GooString *s = string; string = NULL; return s; }
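The listing above shows the mechanism behind the SIGABRT: `getString()` runs `OBJECT_TYPE_CHECK(objString)` first, and a caller that asks a non-string object for its string value is treated as a programming error and the process aborts. In frame 3 the caller is `StandardSecurityHandler`, which reads entries of the document's /Encrypt dictionary; a fuzzed file that replaces one of those string entries with another object type therefore reaches the check. The following is an added illustration, not poppler's code: a simplified, hypothetical `Object`/`Dict` model in which the type check throws instead of aborting (so it can be exercised in a test), a reader that trusts the dictionary the way the crashing path did, and a reader that validates each entry's type before calling the typed getter so malformed input is reported rather than aborting. /O, /U and /R are the standard-security-handler keys of a PDF /Encrypt dictionary; the sample dictionaries are constructed for the example and are not the attached file.

```cpp
#include <iostream>
#include <map>
#include <stdexcept>
#include <string>
#include <utility>

// Hypothetical, simplified stand-in for poppler's Object: a tagged value that is
// null, an integer, or a string. The names echo the listing but this is not
// poppler's class.
enum ObjType { objNull, objInt, objString };

struct Object {
    ObjType type = objNull;
    long intg = 0;      // valid only when type == objInt
    std::string str;    // valid only when type == objString

    static Object makeInt(long v) { Object o; o.type = objInt; o.intg = v; return o; }
    static Object makeString(std::string s) { Object o; o.type = objString; o.str = std::move(s); return o; }

    bool isInt() const { return type == objInt; }
    bool isString() const { return type == objString; }

    // Same contract as OBJECT_TYPE_CHECK + getString() in the listing: asking for
    // the wrong type is a caller bug. Poppler reports it and calls abort() (the
    // SIGABRT in the backtrace); this model throws so the path can be observed.
    const std::string &getString() const {
        if (type != objString) throw std::logic_error("getString() called on non-string object");
        return str;
    }
    long getInt() const {
        if (type != objInt) throw std::logic_error("getInt() called on non-int object");
        return intg;
    }
};

// Minimal dictionary; lookup() yields a null Object for a missing key.
struct Dict {
    std::map<std::string, Object> entries;
    Object lookup(const std::string &key) const {
        auto it = entries.find(key);
        return it == entries.end() ? Object() : it->second;
    }
};

struct EncryptInfo {
    bool ok = false;
    std::string error;
    std::string ownerKey;  // /O
    std::string userKey;   // /U
    long revision = 0;     // /R
};

// Trusting reader: assumes the file is well formed and calls the typed getters
// directly, so a mutated entry reaches the type check.
EncryptInfo readEncryptTrusting(const Dict &enc) {
    EncryptInfo info;
    info.ownerKey = enc.lookup("O").getString();
    info.userKey = enc.lookup("U").getString();
    info.revision = enc.lookup("R").getInt();
    info.ok = true;
    return info;
}

// Validating reader: checks each entry's type before using it, turning malformed
// input into a reportable parse error instead of a process abort.
EncryptInfo readEncryptChecked(const Dict &enc) {
    EncryptInfo info;
    Object o = enc.lookup("O"), u = enc.lookup("U"), r = enc.lookup("R");
    if (!o.isString()) { info.error = "/Encrypt /O is not a string"; return info; }
    if (!u.isString()) { info.error = "/Encrypt /U is not a string"; return info; }
    if (!r.isInt())    { info.error = "/Encrypt /R is not an integer"; return info; }
    info.ownerKey = o.getString();
    info.userKey = u.getString();
    info.revision = r.getInt();
    info.ok = true;
    return info;
}

// Constructed sample dictionaries (not the attachment from this report).
Dict wellFormedEncrypt() {
    Dict d;
    d.entries["O"] = Object::makeString("owner-key-bytes");
    d.entries["U"] = Object::makeString("user-key-bytes");
    d.entries["R"] = Object::makeInt(3);
    return d;
}
Dict fuzzedEncrypt() {
    Dict d = wellFormedEncrypt();
    d.entries["U"] = Object::makeInt(42);  // /U mutated from a string to an integer
    return d;
}

// True if the trusting reader hits the type check on this dictionary.
bool trustingReaderAborts(const Dict &enc) {
    try { readEncryptTrusting(enc); return false; }
    catch (const std::logic_error &) { return true; }
}

int main() {
    const Dict dicts[] = {wellFormedEncrypt(), fuzzedEncrypt()};
    for (const Dict &d : dicts) {
        EncryptInfo info = readEncryptChecked(d);
        std::cout << (info.ok ? "parsed, R=" + std::to_string(info.revision) : "rejected: " + info.error)
                  << "; trusting reader aborts: " << (trustingReaderAborts(d) ? "yes" : "no") << '\n';
    }
    return 0;
}
```

The design point is where the type decision lives: the getter's check is a last-line assertion for caller bugs, so code that consumes untrusted file structure has to test `isString()`/`isInt()` (or use a lookup that reports the wrong type) before calling `getString()`, and treat a mismatch as a malformed document. For a library that is exposed to arbitrary files this keeps the failure at "document rejected" rather than "process terminated", which matters for any host process that parses many PDFs.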
Comment 2 Henri Salo 2015-03-04 10:47:04 UTC
Created attachment 113986: fuzzed sample file
Comment 3 Henri Salo 2015-03-04 10:48:56 UTC
Tested with version: 0.31.0
Comment 4 Albert Astals Cid 2015-03-04 22:10:11 UTC
Not major at all
Comment 5 Henri Salo 2015-03-05 09:55:58 UTC
Good to know. The list of "Importance" values was not obvious. A crashing PDF library is major in my books :)
Comment 6 Albert Astals Cid 2015-03-05 10:03:05 UTC
It's not crashing, it's aborting in a controlled way, and the fact that it's a doctored file also makes it much less important.
Comment 7 Albert Astals Cid 2015-03-07 13:55:10 UTC
Fixed
