Bug 101084 - Perf_test utility will crash (segmentation fault) when parsing an illegal PDF file due to the program accessing a null pointer.
Status: RESOLVED INVALID
Alias: None
Product: poppler
Classification: Unclassified
Component: utils
Version: unspecified
Hardware: x86-64 (AMD64) Linux (All)
Priority: medium
Severity: major
Assignee: poppler-bugs
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-05-18 05:46 UTC by Young
Modified: 2018-04-17 09:24 UTC (History)

See Also:


Attachments
details of the bug (1.04 MB, application/vnd.openxmlformats-officedocument.wordprocessingml.document)
2017-05-18 05:46 UTC, Young

Description Young 2017-05-18 05:46:58 UTC
Created attachment 131399
details of the bug

Summary of the issue:
Perf_test utility will crash (segmentation fault) when parsing an illegal PDF file due to the program accessing a null pointer.

Example output:
./perf-test ~/poc/heap-buffer-overflow-619405/poc.pdf
started: /home/root/poc/heap-buffer-overflow-619405/poc.pdf
load splash: 0.00 ms
page count: 1
ASAN:DEADLYSIGNAL
=================================================================
==96731==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000028 (pc 0x7f2da9eccb81 bp 0x0c2600001b86 sp 0x7ffcd31999b0 T0)
    #0 0x7f2da9eccb80  (/home/root/poppler/build_clang/libpoppler.so.67+0x5d2b80)
    #1 0x7f2da9ec46a1  (/home/root/poppler/build_clang/libpoppler.so.67+0x5ca6a1)
    #2 0x7f2da9ec3a67  (/home/root/poppler/build_clang/libpoppler.so.67+0x5c9a67)
    #3 0x7f2da9e44b78  (/home/root/poppler/build_clang/libpoppler.so.67+0x54ab78)
    #4 0x7f2da9c448c1  (/home/root/poppler/build_clang/libpoppler.so.67+0x34a8c1)
    #5 0x7f2da9c090d5  (/home/root/poppler/build_clang/libpoppler.so.67+0x30f0d5)
    #6 0x7f2da9c27164  (/home/root/poppler/build_clang/libpoppler.so.67+0x32d164)
    #7 0x7f2da9c261d1  (/home/root/poppler/build_clang/libpoppler.so.67+0x32c1d1)
    #8 0x7f2da9d293f8  (/home/root/poppler/build_clang/libpoppler.so.67+0x42f3f8)
    #9 0x7f2da9d290fa  (/home/root/poppler/build_clang/libpoppler.so.67+0x42f0fa)
    #10 0x7f2da9d32ece  (/home/root/poppler/build_clang/libpoppler.so.67+0x438ece)
    #11 0x4f08a3  (/home/root/poppler/build_clang/test/perf-test+0x4f08a3)
    #12 0x7f2da868782f  (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #13 0x419fb8  (/home/root/poppler/build_clang/test/perf-test+0x419fb8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/home/root/poppler/build_clang/libpoppler.so.67+0x5d2b80) 
==96731==ABORTING

Debug info:
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff797fb81 in JPXStream::readUByte (x=0x28, this=<optimized out>) at /home/root/poppler/poppler/JPXStream.cc:3351
3351	  *x = (Guint)c0;
(gdb) bt
#0  0x00007ffff797fb81 in JPXStream::readUByte (x=0x28, this=<optimized out>) at /home/root/poppler/poppler/JPXStream.cc:3351
#1  JPXStream::readCodestream (this=<optimized out>, len=<optimized out>) at /home/root/poppler/poppler/JPXStream.cc:1205
#2  0x00007ffff79776a2 in JPXStream::readBoxes (this=<optimized out>) at /home/root/poppler/poppler/JPXStream.cc:780
#3  0x00007ffff7976a68 in JPXStream::reset (this=0x61300000db00) at /home/root/poppler/poppler/JPXStream.cc:275
#4  0x00007ffff78f7b79 in SplashOutputDev::drawImage (this=0x61300000dcc0, state=<optimized out>, ref=<optimized out>, str=0x61300000db00, width=999, height=999, colorMap=<optimized out>, 
    interpolate=<optimized out>, maskColors=0x40, inlineImg=240) at /home/root/poppler/poppler/SplashOutputDev.cc:3556
#5  0x00007ffff76f78c2 in Gfx::doImage (this=<optimized out>, ref=0x7fffffffd320, str=<optimized out>, 
    inlineImg=<error reading variable: access outside bounds of object referenced via synthetic pointer>) at /home/root/poppler/poppler/Gfx.cc:4711
#6  0x00007ffff76bc0d6 in Gfx::opXObject (this=0x611000009a00, args=<optimized out>, numArgs=<optimized out>) at /home/root/poppler/poppler/Gfx.cc:4213
#7  0x00007ffff76da165 in Gfx::go (this=<optimized out>, topLevel=<error reading variable: access outside bounds of object referenced via synthetic pointer>) at /home/root/poppler/poppler/Gfx.cc:767
#8  0x00007ffff76d91d2 in Gfx::display (this=<optimized out>, obj=<optimized out>, topLevel=<error reading variable: access outside bounds of object referenced via synthetic pointer>)
    at /home/root/poppler/poppler/Gfx.cc:729
#9  0x00007ffff77dc3f9 in Page::displaySlice (this=0x611000009b40, out=<optimized out>, hDPI=72, vDPI=5.2727351433383131e-310, rotate=0, useMediaBox=<optimized out>, crop=<optimized out>, sliceX=-1, 
    sliceY=<optimized out>, sliceW=<optimized out>, sliceH=<optimized out>, printing=<optimized out>, abortCheckCbk=<optimized out>, abortCheckCbkData=<optimized out>, 
    annotDisplayDecideCbk=<optimized out>, annotDisplayDecideCbkData=<optimized out>, copyXRef=<optimized out>) at /home/root/poppler/poppler/Page.cc:601
#10 0x00007ffff77dc0fb in Page::display (this=0x60200002def4, out=0x40, hDPI=-1.8325506472120096e-06, vDPI=9.3872472709836843e-322, rotate=2, useMediaBox=<optimized out>, crop=<optimized out>, 
    printing=<optimized out>, abortCheckCbk=0x0, abortCheckCbkData=0x0, annotDisplayDecideCbk=0x0, annotDisplayDecideCbkData=0x0, copyXRef=<optimized out>) at /home/root/poppler/poppler/Page.cc:521
#11 0x00007ffff77e5ecf in PDFDoc::displayPage (this=0x60f00000ef50, out=0x61300000dcc0, page=1, hDPI=<optimized out>, vDPI=<optimized out>, rotate=0, useMediaBox=false, crop=true, 
    printing=<optimized out>, abortCheckCbk=<optimized out>, abortCheckCbkData=<optimized out>, annotDisplayDecideCbk=<optimized out>, annotDisplayDecideCbkData=<optimized out>, copyXRef=<optimized out>)
    at /home/root/poppler/poppler/PDFDoc.cc:491
#12 0x00000000004f08a4 in PdfEnginePoppler::renderBitmap (pageNo=<optimized out>, zoomReal=100, rotation=0, this=<optimized out>) at /home/root/poppler/test/perf-test.cc:452
#13 RenderPdf (fileName=<optimized out>) at /home/root/poppler/test/perf-test.cc:941
#14 RenderFile (fileName=<optimized out>) at /home/root/poppler/test/perf-test.cc:970
#15 RenderCmdLineArg (cmdLineArg=<optimized out>) at /home/root/poppler/test/perf-test.cc:1224
#16 main (argc=<optimized out>, argv=<optimized out>) at /home/root/poppler/test/perf-test.cc:1269
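An added example, not part of the bug report or of poppler's own code: a small Python script that parses AddressSanitizer frame lines of the form shown above, classifies the faulting address (0x28 here, matching the `x=0x28` gdb shows being written through in `JPXStream::readUByte`) as a null pointer plus a small offset rather than a wild pointer, and emits `addr2line` commands for the unsymbolized `(module+0xoffset)` frames. The embedded input is a constructed excerpt copied from the ASan output in the report; the page-size threshold and the helper names are this example's own choices, and the generated commands only resolve to symbols if you have the same `libpoppler.so.67` build the report was produced with.

```python
import re
import shlex
import subprocess

# Constructed sample: an excerpt of the ASan report above, used as offline
# input. Only a few of the frames are included.
SAMPLE_REPORT = """\
==96731==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000028 (pc 0x7f2da9eccb81 bp 0x0c2600001b86 sp 0x7ffcd31999b0 T0)
    #0 0x7f2da9eccb80  (/home/root/poppler/build_clang/libpoppler.so.67+0x5d2b80)
    #1 0x7f2da9ec46a1  (/home/root/poppler/build_clang/libpoppler.so.67+0x5ca6a1)
    #11 0x4f08a3  (/home/root/poppler/build_clang/test/perf-test+0x4f08a3)
    #12 0x7f2da868782f  (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
"""

# "#<n> 0x<pc>  (<module>+0x<offset>)" as printed by an unsymbolized ASan trace
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-fA-F]+\s+\((\S+?)\+0x([0-9a-fA-F]+)\)")
FAULT_RE = re.compile(r"SEGV on unknown address 0x([0-9a-fA-F]+)")


def parse_frames(report):
    """Return a list of (frame_no, module_path, module_relative_offset)."""
    frames = []
    for line in report.splitlines():
        m = FRAME_RE.match(line)
        if m:
            frames.append((int(m.group(1)), m.group(2), int(m.group(3), 16)))
    return frames


def fault_address(report):
    """The address ASan reports the SEGV on, or None if not a SEGV report."""
    m = FAULT_RE.search(report)
    return int(m.group(1), 16) if m else None


def classify_fault(addr, page_size=4096):
    """Heuristic (this example's assumption): a fault address inside the first
    page is almost always NULL plus a field offset, i.e. a member access on a
    null object or a pointer loaded from such a member. Anything else is
    treated as a wild or dangling pointer that needs a different analysis."""
    if addr is None:
        return "unknown"
    if addr < page_size:
        return "null-deref+0x%x" % addr
    return "wild-pointer"


def symbolize_commands(frames, tool="addr2line"):
    """Build one addr2line invocation per frame. ASan prints module-relative
    offsets, which is what addr2line -e <module> expects for PIE binaries and
    shared objects. -f: function name, -C: demangle, -i: inlined frames."""
    return [
        "%s -e %s -f -C -i 0x%x" % (tool, shlex.quote(mod), off)
        for _, mod, off in frames
    ]


def run_symbolizer(frames):
    """Run the commands and return their output; None for frames whose module
    is not present on this machine (the normal case when reading a report
    from someone else's build)."""
    results = []
    for cmd in symbolize_commands(frames):
        try:
            out = subprocess.run(cmd, shell=True, check=True,
                                 capture_output=True, text=True).stdout
            results.append(out.strip())
        except (subprocess.CalledProcessError, FileNotFoundError):
            results.append(None)
    return results


if __name__ == "__main__":
    frames = parse_frames(SAMPLE_REPORT)
    print("fault:", classify_fault(fault_address(SAMPLE_REPORT)))
    for cmd in symbolize_commands(frames):
        print(cmd)
```

With the matching build directory available, piping the printed commands through a shell turns frames #0 and #1 into the `JPXStream::readUByte` / `JPXStream::readCodestream` pair that gdb already shows; the classification line is the quick sanity check that the crash is a null-object member write (offset 0x28) and not the heap overflow the PoC's directory name suggests.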
Comment 1 Albert Astals Cid 2017-06-17 10:21:48 UTC
We're going to need the file, please attach it.

