Created attachment 134690: 0JBYrSy8_CRASHED.pdf - leads to invalid read and segfault

Forwarding from https://bugzilla.gnome.org/show_bug.cgi?id=786444
------------------------------

While fuzzing I found a PDF document that leads to the following valgrind messages:

==9190== Invalid read of size 8
==9190==    at 0x174C89B0: TextPool::addWord(TextWord*) (in /usr/lib/libpoppler.so.68.0.0)
==9190==    by 0x174CBB62: TextPage::endWord() (in /usr/lib/libpoppler.so.68.0.0)
==9190==    by 0x174CBFA8: TextPage::addChar(GfxState*, double, double, double, double, unsigned int, int, unsigned int*, int) (in /usr/lib/libpoppler.so.68.0.0)
==9190==    by 0x16DAB386: CairoOutputDev::drawChar(GfxState*, double, double, double, double, double, double, unsigned int, int, unsigned int*, int) (in /usr/lib/libpoppler-glib.so.8.9.0)
==9190==    by 0x1744B86F: Gfx::doShowText(GooString*) (in /usr/lib/libpoppler.so.68.0.0)
==9190==    by 0x1744CB5D: Gfx::opShowSpaceText(Object*, int) (in /usr/lib/libpoppler.so.68.0.0)
==9190==    by 0x17443B57: Gfx::go(bool) (in /usr/lib/libpoppler.so.68.0.0)
==9190==    by 0x1744404A: Gfx::display(Object*, bool) (in /usr/lib/libpoppler.so.68.0.0)
==9190==    by 0x1748EE69: Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) (in /usr/lib/libpoppler.so.68.0.0)
==9190==    by 0x16D98D8F: ??? (in /usr/lib/libpoppler-glib.so.8.9.0)
==9190==    by 0x16B4C938: ??? (in /usr/lib/evince/4/backends/libpdfdocument.so)
==9190==    by 0x16B4CB94: ??? (in /usr/lib/evince/4/backends/libpdfdocument.so)
==9190==  Address 0x10cf4818 is 24 bytes after a block of size 96 in arena "client"

And then crashes by:

==9190== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==9190==  Access not within mapped region at address 0xA8
==9190==    at 0x174C8A29: TextPool::addWord(TextWord*) (in /usr/lib/libpoppler.so.68.0.0)
==9190==    by 0x174CBB62: TextPage::endWord() (in /usr/lib/libpoppler.so.68.0.0)
==9190==    by 0x174CBFA8: TextPage::addChar(GfxState*, double, double, double, double, unsigned int, int, unsigned int*, int) (in /usr/lib/libpoppler.so.68.0.0)
==9190==    by 0x16DAB386: CairoOutputDev::drawChar(GfxState*, double, double, double, double, double, double, unsigned int, int, unsigned int*, int) (in /usr/lib/libpoppler-glib.so.8.9.0)
==9190==    by 0x1744B86F: Gfx::doShowText(GooString*) (in /usr/lib/libpoppler.so.68.0.0)
==9190==    by 0x1744CB5D: Gfx::opShowSpaceText(Object*, int) (in /usr/lib/libpoppler.so.68.0.0)
==9190==    by 0x17443B57: Gfx::go(bool) (in /usr/lib/libpoppler.so.68.0.0)
==9190==    by 0x1744404A: Gfx::display(Object*, bool) (in /usr/lib/libpoppler.so.68.0.0)
==9190==    by 0x1748EE69: Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) (in /usr/lib/libpoppler.so.68.0.0)
==9190==    by 0x16D98D8F: ??? (in /usr/lib/libpoppler-glib.so.8.9.0)
==9190==    by 0x16B4C938: ??? (in /usr/lib/evince/4/backends/libpdfdocument.so)
==9190==    by 0x16B4CB94: ??? (in /usr/lib/evince/4/backends/libpdfdocument.so)
Created attachment 134691: Fix-crash-in-fuzzed-file.patch

This file crashes pdftotext because it positions texts past INT_MIN, leading to overflow in subsequent calculations. This patch fixes the overflow check in TextPool::addWord.
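The failure mode described in the comment above (a file-controlled text position far outside the int range, converted to an integer row index and then used in arithmetic) is illustrated by the following constructed C++ example. It is an added example, not poppler's TextPool code and not the attached patch; the row step kStep, the row cap kMaxRows and the WordPool class are assumptions chosen for illustration. It shows the convert-then-check pattern that breaks, and a check-then-convert version that validates the value while it is still a double and bounds the row span before a word is accepted.

```cpp
#include <algorithm>
#include <climits>
#include <cmath>
#include <cstddef>
#include <cstdio>
#include <map>
#include <vector>

// Constructed illustration, not poppler's code: words are grouped into rows
// by floor(base / kStep), where `base` is the baseline y-coordinate taken
// from the PDF content stream. Because the file controls that value, it may
// be enormous, negative, NaN or infinite.
constexpr double kStep = 4.0;                // assumed row height
constexpr long long kMaxRows = 1 << 20;      // assumed cap on the row span kept in memory

// Unsafe pattern: convert first, check afterwards. When base / kStep lies
// outside the int range (or is NaN) the double-to-int conversion is undefined
// behaviour in C++; on x86-64 it typically produces INT_MIN, so a later
// "idx < minIdx" comparison cannot distinguish a legitimately low row from
// garbage, and span arithmetic such as maxIdx - minIdx can overflow.
static int rowIndexUnsafe(double base) {
    int idx = static_cast<int>(std::floor(base / kStep));  // UB when out of range
    return idx;
}

// Hardened: validate while the value is still a double. Reject non-finite
// input and anything outside +/- INT_MAX/2, which leaves enough headroom
// that (maxIdx - minIdx + 1) can never wrap.
static bool rowIndexSafe(double base, int *out) {
    if (!std::isfinite(base)) return false;
    double scaled = std::floor(base / kStep);
    const double limit = static_cast<double>(INT_MAX / 2);
    if (scaled < -limit || scaled > limit) return false;
    *out = static_cast<int>(scaled);
    return true;
}

// Minimal pool with a bounded row span. Rows are kept sparsely here; a dense
// layout (one slot per row between min and max) is exactly what makes an
// unchecked span dangerous, so the span is capped before a word is accepted.
class WordPool {
public:
    // Returns true if the word was stored, false if it was rejected.
    bool addWord(double base, const char *text) {
        int idx = 0;
        if (!rowIndexSafe(base, &idx)) return false;
        int newMin = rows_.empty() ? idx : std::min(minIdx_, idx);
        int newMax = rows_.empty() ? idx : std::max(maxIdx_, idx);
        long long span = static_cast<long long>(newMax) - newMin + 1;
        if (span > kMaxRows) return false;
        minIdx_ = newMin;
        maxIdx_ = newMax;
        rows_[idx].push_back(text);
        return true;
    }
    std::size_t rowCount() const { return rows_.size(); }
    int span() const { return rows_.empty() ? 0 : maxIdx_ - minIdx_ + 1; }

private:
    std::map<int, std::vector<const char *> > rows_;
    int minIdx_ = 0;
    int maxIdx_ = 0;
};

int main() {
    // Constructed inputs: two ordinary positions, one absurdly negative one
    // (the class of value the fuzzed file produced) and one NaN.
    const double samples[] = {10.0, -10.0, -1e300, std::nan("")};
    WordPool pool;
    for (double base : samples) {
        int idx = 0;
        bool ok = rowIndexSafe(base, &idx);
        std::printf("base=%g safe=%s idx=%d stored=%s\n", base,
                    ok ? "yes" : "no", ok ? idx : 0,
                    pool.addWord(base, "w") ? "yes" : "no");
    }
    // The unsafe conversion is only well defined for in-range input.
    std::printf("unsafe idx for 10.0 = %d\n", rowIndexUnsafe(10.0));
    return 0;
}
```

The key point is the order of operations: the range check must run on the double, before any conversion to int, and the span computed from the accepted indices must be bounded before it drives an allocation or an array index.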
fix pushed