Bug 97149

Summary: pdfsig: Segfault in ~SignatureHandler / double-free
Product: poppler
Reporter: Michael Joost <freedesktop>
Component: utils
Assignee: poppler-bugs <poppler-bugs>
Status: RESOLVED MOVED
Severity: minor    
Priority: medium    
Version: unspecified   
Hardware: x86-64 (AMD64)   
OS: Linux (All)   

Description Michael Joost 2016-07-30 17:17:39 UTC
pdfsig (from poppler-0.45) results in a segfault on any signed PDF document (e.g. the BUDGET-2015-BUD.pdf from gpo.gov).
Reason is a double-destroy of a certificate in the destructor of SignatureHandler.

The segfault only comes into effect if nspr(-4.12) is compiled for DEBUG, which, sadly, is its default setting. The debug version of nspr causes freed memory to be filled with a 0xDA pattern, and the second destroy's access to this in nss(-3.25) fails. The release version, without the pattern, is somehow able to recover from the double-destroy.

Switching between release/debug configs of a component, or any of its dependencies, should only impact non-functional aspects (such as performance), but never the functional behavior.


See also:

https://lists.freedesktop.org/archives/poppler/2016-July/011913.html
(and thread)

https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSPR/NSPR_build_instructions
Comment 1 Albert Astals Cid 2016-07-30 18:32:42 UTC
Isn't that actually a bug in nspr that behaves differently in debug vs non debug?
Comment 2 Michael Joost 2016-07-30 19:00:46 UTC
No, this is not a bug of nspr, because subsequent access to freed memory is most likely a design fault of its users. The only (light) problem of nspr is that it is debug by default. The DA pattern is most likely intended to identify such invalid use.

Whether the double-destroy is a genuine problem of nss or pdfsig is not clear to me; don't know whether it is intended/allowed by nss to manage the same cert object in several lists. There is a condition in nss testing for NULL, which prevents the crash without the DA pattern, but this smells of problems.
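The mechanism described in the report and in Comment 2 (one certificate referenced from two places, destroyed once per place, a NULL test in the destroy path that happens to pass on stale memory in a release build, and a debug allocator whose 0xDA fill turns the stale pointer into a non-NULL garbage address) can be reproduced in a small constructed model. The following C is an added example, not poppler, NSS or NSPR code: the `pool_*` functions stand in for the allocator, `pool_ptr_live()` stands in for the MMU fault a real dereference of 0xDADADADA... would produce, and the `cert_*` names are assumptions. The `cert_dup`-per-holder pattern in the second scenario illustrates the generic refcount discipline, not the specific fix poppler adopted.

```c
/* Constructed model, not NSS, NSPR or poppler code. A fixed pool stands in for
 * the allocator (reading "freed" slots stays deterministic instead of UB), and
 * pool_ptr_live() stands in for the MMU: a 0xDADA... pointer would SIGSEGV. */
#include <stddef.h>
#include <string.h>

#define POOL_SLOTS 8
#define SLOT_BYTES 64
#define POISON_BYTE 0xDA   /* the fill the report attributes to NSPR's DEBUG build */

static union { unsigned char bytes[SLOT_BYTES]; void *align; } pool[POOL_SLOTS];
static int pool_used[POOL_SLOTS];
static int pool_poison;       /* 1 = behave like the DEBUG allocator */
static int pool_free_calls;   /* counts every free, including invalid ones */

static void pool_reset(int poison) {
    memset(pool, 0, sizeof pool);
    memset(pool_used, 0, sizeof pool_used);
    pool_poison = poison;
    pool_free_calls = 0;
}

static void *pool_alloc(void) {
    for (int i = 0; i < POOL_SLOTS; i++)
        if (!pool_used[i]) { pool_used[i] = 1; return pool[i].bytes; }
    return NULL;
}

static void pool_free(void *p) {
    pool_free_calls++;
    for (int i = 0; i < POOL_SLOTS; i++)
        if (pool[i].bytes == (unsigned char *)p) {
            pool_used[i] = 0;   /* release build: old contents stay readable */
            if (pool_poison) memset(pool[i].bytes, POISON_BYTE, SLOT_BYTES);
            return;
        }
}

static int pool_ptr_live(const void *p) {
    for (int i = 0; i < POOL_SLOTS; i++)
        if (pool[i].bytes == (const unsigned char *)p) return pool_used[i];
    return 0;   /* not a pool address at all, e.g. 0xDADADADADADADADA */
}

typedef struct {
    int refcnt;
    unsigned char *der;   /* separately allocated encoding owned by the cert */
} cert_t;

enum destroy_result { DESTROY_FREED, DESTROY_DEREF, DESTROY_FAULT };

static cert_t *cert_new(void) {
    cert_t *c = pool_alloc();
    c->refcnt = 1;
    c->der = pool_alloc();
    return c;
}

/* Every holder that keeps its own pointer should take its own reference. */
static cert_t *cert_dup(cert_t *c) { c->refcnt++; return c; }

/* Destroy path in the shape the report describes: it cannot tell whether c is
 * still live, and it guards the inner free with a NULL check. */
static enum destroy_result cert_destroy(cert_t *c) {
    if (--c->refcnt > 0) return DESTROY_DEREF;
    if (c->der != NULL) {                  /* the NULL test Comment 2 mentions */
        if (!pool_ptr_live(c->der)) return DESTROY_FAULT;   /* real code: SIGSEGV */
        pool_free(c->der);
        c->der = NULL;
    }
    pool_free(c);
    return DESTROY_FREED;
}

/* Bug shape: a single reference, but the same cert sits in two lists and each
 * list's teardown destroys it. Release: second free is silent. Debug: fault. */
static enum destroy_result scenario_double_destroy(int poison) {
    pool_reset(poison);
    cert_t *c = cert_new();
    cert_t *list_a = c, *list_b = c;
    cert_destroy(list_a);
    return cert_destroy(list_b);
}

/* Fix shape: each list owns one reference, so only the last destroy frees and
 * neither destroy reads freed memory, poisoned or not. */
static int scenario_balanced_refs(int poison) {
    pool_reset(poison);
    cert_t *c = cert_new();
    cert_t *list_a = c, *list_b = cert_dup(c);
    enum destroy_result r1 = cert_destroy(list_a);
    enum destroy_result r2 = cert_destroy(list_b);
    return r1 == DESTROY_DEREF && r2 == DESTROY_FREED && pool_free_calls == 2;
}
```

In the unpoisoned run the freed struct still holds `refcnt == 0` and `der == NULL`, so the second destroy sails past the NULL check and frees the struct a second time without any visible error; in the poisoned run every byte reads 0xDA, `der` is a non-NULL garbage pointer, and the dereference faults. Neither outcome is the "correct" one; the poison only makes the underlying double-destroy visible, which is why the balanced-reference scenario behaves identically under both allocator settings.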
Comment 3 GitLab Migration User 2018-08-20 22:08:37 UTC
-- GitLab Migration Automatic Message --

This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/poppler/poppler/issues/212.
