Bug 103116 - Valgrind: Invalid Read (24 bytes after block in arena)
Summary: Valgrind: Invalid Read (24 bytes after block in arena)
Status: RESOLVED FIXED
Alias: None
Product: poppler
Classification: Unclassified
Component: general (show other bugs)
Version: unspecified
Hardware: Other All
Importance: medium critical
Assignee: poppler-bugs
 
Reported: 2017-10-05 20:37 UTC by Jason Crain
Modified: 2019-06-24 07:54 UTC (History)
Attachments
0JBYrSy8_CRASHED.pdf - leads to invalid read and segfault (21.49 KB, application/pdf), 2017-10-05 20:37 UTC, Jason Crain
Fix-crash-in-fuzzed-file.patch (1.21 KB, patch), 2017-10-05 20:40 UTC, Jason Crain

Description Jason Crain 2017-10-05 20:37:05 UTC
Created attachment 134690 [details]
0JBYrSy8_CRASHED.pdf - leads to invalid read and segfault

Forwarding from https://bugzilla.gnome.org/show_bug.cgi?id=786444

------------------------------

While fuzzing I found a PDF document that leads to the following Valgrind messages:

==9190== Invalid read of size 8
==9190==    at 0x174C89B0: TextPool::addWord(TextWord*) (in /usr/lib/libpoppler.so.68.0.0)
==9190==    by 0x174CBB62: TextPage::endWord() (in /usr/lib/libpoppler.so.68.0.0)
==9190==    by 0x174CBFA8: TextPage::addChar(GfxState*, double, double, double, double, unsigned int, int, unsigned int*, int) (in /usr/lib/libpoppler.so.68.0.0)
==9190==    by 0x16DAB386: CairoOutputDev::drawChar(GfxState*, double, double, double, double, double, double, unsigned int, int, unsigned int*, int) (in /usr/lib/libpoppler-glib.so.8.9.0)
==9190==    by 0x1744B86F: Gfx::doShowText(GooString*) (in /usr/lib/libpoppler.so.68.0.0)
==9190==    by 0x1744CB5D: Gfx::opShowSpaceText(Object*, int) (in /usr/lib/libpoppler.so.68.0.0)
==9190==    by 0x17443B57: Gfx::go(bool) (in /usr/lib/libpoppler.so.68.0.0)
==9190==    by 0x1744404A: Gfx::display(Object*, bool) (in /usr/lib/libpoppler.so.68.0.0)
==9190==    by 0x1748EE69: Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) (in /usr/lib/libpoppler.so.68.0.0)
==9190==    by 0x16D98D8F: ??? (in /usr/lib/libpoppler-glib.so.8.9.0)
==9190==    by 0x16B4C938: ??? (in /usr/lib/evince/4/backends/libpdfdocument.so)
==9190==    by 0x16B4CB94: ??? (in /usr/lib/evince/4/backends/libpdfdocument.so)
==9190==  Address 0x10cf4818 is 24 bytes after a block of size 96 in arena "client"


And then crashes by:

==9190== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==9190==  Access not within mapped region at address 0xA8
==9190==    at 0x174C8A29: TextPool::addWord(TextWord*) (in /usr/lib/libpoppler.so.68.0.0)
==9190==    by 0x174CBB62: TextPage::endWord() (in /usr/lib/libpoppler.so.68.0.0)
==9190==    by 0x174CBFA8: TextPage::addChar(GfxState*, double, double, double, double, unsigned int, int, unsigned int*, int) (in /usr/lib/libpoppler.so.68.0.0)
==9190==    by 0x16DAB386: CairoOutputDev::drawChar(GfxState*, double, double, double, double, double, double, unsigned int, int, unsigned int*, int) (in /usr/lib/libpoppler-glib.so.8.9.0)
==9190==    by 0x1744B86F: Gfx::doShowText(GooString*) (in /usr/lib/libpoppler.so.68.0.0)
==9190==    by 0x1744CB5D: Gfx::opShowSpaceText(Object*, int) (in /usr/lib/libpoppler.so.68.0.0)
==9190==    by 0x17443B57: Gfx::go(bool) (in /usr/lib/libpoppler.so.68.0.0)
==9190==    by 0x1744404A: Gfx::display(Object*, bool) (in /usr/lib/libpoppler.so.68.0.0)
==9190==    by 0x1748EE69: Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) (in /usr/lib/libpoppler.so.68.0.0)
==9190==    by 0x16D98D8F: ??? (in /usr/lib/libpoppler-glib.so.8.9.0)
==9190==    by 0x16B4C938: ??? (in /usr/lib/evince/4/backends/libpdfdocument.so)
==9190==    by 0x16B4CB94: ??? (in /usr/lib/evince/4/backends/libpdfdocument.so)
Comment 1 Jason Crain 2017-10-05 20:40:47 UTC
Created attachment 134691 [details] [review]
Fix-crash-in-fuzzed-file.patch

This file crashes pdftotext because it positions texts past INT_MIN, leading to overflow in subsequent calculations. This patch fixes the overflow check in TextPool::addWord.
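An added illustration of the failure mode described in this comment, written for this page and not taken from poppler or from the attached patch: a bucket array indexed by a text baseline converted from double to int. The pool layout, `TEXT_POOL_STEP`, `POOL_MARGIN` and `MAX_POOL_SPAN` are assumptions; the point is that the baseline must be range-checked as a double before the cast, since an out-of-range cast and the following `idx - POOL_MARGIN` are both undefined and can yield an index far outside the allocation.

```c
#include <limits.h>
#include <math.h>
#include <stdlib.h>

/* Illustrative pool (assumed layout, not poppler's TextPool). */
#define TEXT_POOL_STEP 4.0
#define POOL_MARGIN    128
#define MAX_POOL_SPAN  (1 << 24)   /* cap so a fuzzed file cannot force a huge array */

typedef struct { int minBaseIdx, maxBaseIdx; int *pool; } Pool;

/* Hardened conversion: reject before casting. (int)x for x outside int range is
 * undefined, and idx - POOL_MARGIN near INT_MIN overflows; both are avoided here. */
static int safe_base_idx(double base, int *out)
{
    double scaled = base / TEXT_POOL_STEP;
    if (!isfinite(scaled) || scaled <= (double)INT_MIN + POOL_MARGIN ||
        scaled >= (double)INT_MAX - POOL_MARGIN)
        return -1;
    *out = (int)scaled;
    return 0;
}

/* Returns 1 if the word was placed, 0 if it was rejected (bad position or size). */
int pool_add_word(Pool *p, double base)
{
    int idx;
    if (safe_base_idx(base, &idx) != 0) return 0;
    if (p->pool == NULL) {                       /* first word: centre the array */
        p->minBaseIdx = idx - POOL_MARGIN;
        p->maxBaseIdx = idx + POOL_MARGIN;
        p->pool = calloc((size_t)(2 * POOL_MARGIN + 1), sizeof(int));
        if (!p->pool) return 0;
    } else if (idx < p->minBaseIdx || idx > p->maxBaseIdx) {   /* grow to cover idx */
        int newMin = idx < p->minBaseIdx ? idx - POOL_MARGIN : p->minBaseIdx;
        int newMax = idx > p->maxBaseIdx ? idx + POOL_MARGIN : p->maxBaseIdx;
        long long span = (long long)newMax - newMin + 1;     /* cannot overflow int here */
        if (span > MAX_POOL_SPAN) return 0;
        int *np = calloc((size_t)span, sizeof(int));
        if (!np) return 0;
        for (int i = p->minBaseIdx; i <= p->maxBaseIdx; i++)
            np[i - newMin] = p->pool[i - p->minBaseIdx];
        free(p->pool);
        p->pool = np; p->minBaseIdx = newMin; p->maxBaseIdx = newMax;
    }
    p->pool[idx - p->minBaseIdx]++;              /* index is now provably in range */
    return 1;
}

/* Words recorded in the bucket for base; 0 if outside the pool, -1 if unrepresentable. */
int pool_bucket_count(const Pool *p, double base)
{
    int idx;
    if (safe_base_idx(base, &idx) != 0) return -1;
    if (!p->pool || idx < p->minBaseIdx || idx > p->maxBaseIdx) return 0;
    return p->pool[idx - p->minBaseIdx];
}
```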
Comment 2 Albert Astals Cid 2017-10-12 22:43:28 UTC
fix pushed