Bug 103116 - Valgrind: Invalid Read (24 bytes after block in arena)
Summary: Valgrind: Invalid Read (24 bytes after block in arena)
Status: RESOLVED FIXED
Alias: None
Product: poppler
Classification: Unclassified
Component: general (show other bugs)
Version: unspecified
Hardware: Other All
Importance: medium critical
Assignee: poppler-bugs
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-10-05 20:37 UTC by Jason Crain
Modified: 2017-10-12 22:43 UTC (History)
0 users

See Also:
i915 platform:
i915 features:


Attachments
0JBYrSy8_CRASHED.pdf - leads to invalid read and segfault (21.49 KB, application/pdf)
2017-10-05 20:37 UTC, Jason Crain
Details
Fix-crash-in-fuzzed-file.patch (1.21 KB, patch)
2017-10-05 20:40 UTC, Jason Crain
Details | Splinter Review

Description Jason Crain 2017-10-05 20:37:05 UTC
Created attachment 134690 [details]
0JBYrSy8_CRASHED.pdf - leads to invalid read and segfault

Forwarding from https://bugzilla.gnome.org/show_bug.cgi?id=786444

------------------------------

While fuzzing I found a PDF document that leads to the following Valgrind messages:

==9190== Invalid read of size 8
==9190==    at 0x174C89B0: TextPool::addWord(TextWord*) (in /usr/lib/libpoppler.so.68.0.0)
==9190==    by 0x174CBB62: TextPage::endWord() (in /usr/lib/libpoppler.so.68.0.0)
==9190==    by 0x174CBFA8: TextPage::addChar(GfxState*, double, double, double, double, unsigned int, int, unsigned int*, int) (in /usr/lib/libpoppler.so.68.0.0)
==9190==    by 0x16DAB386: CairoOutputDev::drawChar(GfxState*, double, double, double, double, double, double, unsigned int, int, unsigned int*, int) (in /usr/lib/libpoppler-glib.so.8.9.0)
==9190==    by 0x1744B86F: Gfx::doShowText(GooString*) (in /usr/lib/libpoppler.so.68.0.0)
==9190==    by 0x1744CB5D: Gfx::opShowSpaceText(Object*, int) (in /usr/lib/libpoppler.so.68.0.0)
==9190==    by 0x17443B57: Gfx::go(bool) (in /usr/lib/libpoppler.so.68.0.0)
==9190==    by 0x1744404A: Gfx::display(Object*, bool) (in /usr/lib/libpoppler.so.68.0.0)
==9190==    by 0x1748EE69: Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) (in /usr/lib/libpoppler.so.68.0.0)
==9190==    by 0x16D98D8F: ??? (in /usr/lib/libpoppler-glib.so.8.9.0)
==9190==    by 0x16B4C938: ??? (in /usr/lib/evince/4/backends/libpdfdocument.so)
==9190==    by 0x16B4CB94: ??? (in /usr/lib/evince/4/backends/libpdfdocument.so)
==9190==  Address 0x10cf4818 is 24 bytes after a block of size 96 in arena "client"


And then crashes by:

==9190== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==9190==  Access not within mapped region at address 0xA8
==9190==    at 0x174C8A29: TextPool::addWord(TextWord*) (in /usr/lib/libpoppler.so.68.0.0)
==9190==    by 0x174CBB62: TextPage::endWord() (in /usr/lib/libpoppler.so.68.0.0)
==9190==    by 0x174CBFA8: TextPage::addChar(GfxState*, double, double, double, double, unsigned int, int, unsigned int*, int) (in /usr/lib/libpoppler.so.68.0.0)
==9190==    by 0x16DAB386: CairoOutputDev::drawChar(GfxState*, double, double, double, double, double, double, unsigned int, int, unsigned int*, int) (in /usr/lib/libpoppler-glib.so.8.9.0)
==9190==    by 0x1744B86F: Gfx::doShowText(GooString*) (in /usr/lib/libpoppler.so.68.0.0)
==9190==    by 0x1744CB5D: Gfx::opShowSpaceText(Object*, int) (in /usr/lib/libpoppler.so.68.0.0)
==9190==    by 0x17443B57: Gfx::go(bool) (in /usr/lib/libpoppler.so.68.0.0)
==9190==    by 0x1744404A: Gfx::display(Object*, bool) (in /usr/lib/libpoppler.so.68.0.0)
==9190==    by 0x1748EE69: Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) (in /usr/lib/libpoppler.so.68.0.0)
==9190==    by 0x16D98D8F: ??? (in /usr/lib/libpoppler-glib.so.8.9.0)
==9190==    by 0x16B4C938: ??? (in /usr/lib/evince/4/backends/libpdfdocument.so)
==9190==    by 0x16B4CB94: ??? (in /usr/lib/evince/4/backends/libpdfdocument.so)
Comment 1 Jason Crain 2017-10-05 20:40:47 UTC
Created attachment 134691 [details] [review]
Fix-crash-in-fuzzed-file.patch

This file crashes pdftotext because it positions text past INT_MIN, leading to overflow in subsequent calculations. This patch fixes the overflow check in TextPool::addWord.
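The failure mode described in the comment above (a text baseline far outside the int range being converted to a bucket index, after which the index arithmetic overflows and the pool is read past its end) is illustrated by the following stand-alone C++ example. It is added here and is neither poppler's TextPool code nor the attached patch: the bucket step `kPoolStep`, the slack `kPoolMargin` that later arithmetic adds to or subtracts from the index, and the function names are this example's own assumptions about how such a pool is indexed, chosen only to show what a range check has to cover before a double is truncated to int.

```cpp
#include <climits>
#include <cmath>
#include <cstdio>
#include <limits>

// Assumed pool parameters (hypothetical, not poppler's values).
static const double kPoolStep   = 4.0;  // height of one baseline bucket
static const int    kPoolMargin = 128;  // slack later added/subtracted from the index

// The hazard: `(int)(base / kPoolStep)` is undefined behaviour whenever the
// quotient is NaN, infinite, or outside [INT_MIN, INT_MAX].  On common
// compilers the result is INT_MIN, and `idx - kPoolMargin` then wraps to a
// large positive value that indexes far past the pool's allocation.
// This helper only reports whether the conversion WOULD be safe, so the
// example itself never executes the undefined conversion.
bool baseline_conversion_is_defined(double base) {
    double scaled = base / kPoolStep;
    return std::isfinite(scaled) &&
           scaled >= (double)INT_MIN && scaled <= (double)INT_MAX;
}

// Hardened form: reject the word unless the scaled baseline fits in an int
// WITH the margin the caller will add or subtract, so that neither the
// truncation nor the later `idx +/- kPoolMargin` can overflow.
// Returns false (and leaves *out untouched) for input that must be dropped.
bool safe_baseline_index(double base, int *out) {
    double scaled = base / kPoolStep;
    if (!std::isfinite(scaled))
        return false;                      // NaN or +/-inf from a fuzzed coordinate
    // INT_MAX - 128 and INT_MIN + 128 convert to double exactly (< 2^53).
    if (scaled > (double)(INT_MAX - kPoolMargin) ||
        scaled < (double)(INT_MIN + kPoolMargin))
        return false;                      // would overflow after truncation
    *out = (int)scaled;                    // now a well-defined truncation
    return true;
}

// Runs a batch of baselines through the hardened check and returns how many
// words a parser would have to drop; mirrors what a "word with invalid base"
// warning path in a text extractor would count.
int count_rejected(const double *bases, int n) {
    int rejected = 0;
    for (int i = 0; i < n; ++i) {
        int idx;
        if (!safe_baseline_index(bases[i], &idx))
            ++rejected;
    }
    return rejected;
}

int main() {
    // Constructed sample: two ordinary baselines, one pushed far past
    // INT_MIN the way the fuzzed file does, one infinite, one NaN.
    const double bases[] = {
        700.0, 12.5, -1e300,
        -std::numeric_limits<double>::infinity(),
        std::numeric_limits<double>::quiet_NaN()
    };
    const int n = sizeof(bases) / sizeof(bases[0]);
    for (int i = 0; i < n; ++i) {
        int idx = 0;
        bool ok = safe_baseline_index(bases[i], &idx);
        std::printf("base=%g defined=%d accepted=%d idx=%d\n", bases[i],
                    baseline_conversion_is_defined(bases[i]) ? 1 : 0,
                    ok ? 1 : 0, ok ? idx : 0);
    }
    std::printf("rejected %d of %d\n", count_rejected(bases, n), n);
    return 0;
}
```

The check deliberately compares in double before truncating: testing `idx < INT_MIN + kPoolMargin` after the cast would already be too late, because the cast itself is the undefined step. Keeping the margin inside the bound is what lets the surrounding `idx +/- kPoolMargin` arithmetic stay defined as well.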
Comment 2 Albert Astals Cid 2017-10-12 22:43:28 UTC
fix pushed