Bug 10910 - Crash on fuzzed PDF: recursive call of Parser::getObj()
Summary: Crash on fuzzed PDF: recursive call of Parser::getObj()
Status: RESOLVED FIXED
Alias: None
Product: poppler
Classification: Unclassified
Component: general (show other bugs)
Version: unspecified
Hardware: x86 (IA32) Linux (All)
: medium normal
Assignee: poppler-bugs
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2007-05-10 16:47 UTC by Victor Stinner
Modified: 2010-11-21 03:14 UTC (History)
0 users

See Also:
i915 platform:
i915 features:


Attachments
Fuzzed PDF file (contains a lot of errors) (137.40 KB, application/octet-stream)
2007-05-10 16:48 UTC, Victor Stinner
Details

Description Victor Stinner 2007-05-10 16:47:55 UTC
Hi,

My bug #10898 was specific to version 0.5.4, but I found another bug in latest version of poppler. I generated a fuzzed file which create recursive call of Parser::getObj().

Valgrind detect thread stack overflow (before all stack is used by the recursive calls...). Each call to getObj() create a new objet: 
   dict=0xbf476460
   dict=0xbf476840
   dict=0xbf476650
   dict=0xbf476a30
   ...

pdftotext finally crash with a SIGSEGV signal.

Backtrace:
--- malloc ---
#0  0xb7b26ad9 in _int_malloc (av=0xb7bdf120, bytes=96) at malloc.c:3865
#1  0xb7b28996 in *__GI___libc_malloc (bytes=96) at malloc.c:3382
#2  0xb7e3992c in grealloc (p=0x0, size=96) at gmem.cc:143
#3  0xb7e39a1c in greallocn (p=0x0, nObjs=8, objSize=12) at gmem.cc:193

--- call N ---
#4  0xb7d84e69 in Array::add (this=0x8face60, elem=0xbf476114) at Array.cc:47
#5  0xb7deb34d in Lexer (this=0x8facdb8, xrefA=0x80a8038, str=0x8facc78) at Lexer.cc:58
#6  0xb7e0a2b5 in XRef::fetch (this=0x80a8038, num=32, gen=0, obj=0xbf476270) at XRef.cc:893
#7  0xb7df14e8 in Object::fetch (this=0x8facbd4, xref=0x80a8038, obj=0xbf476270) at Object.cc:106
#8  0xb7d8fecf in Dict::lookup (this=0x8facba8, key=0xb7e734ff "Length", obj=0xbf476270) at Dict.cc:108
#9  0xb7d84a9a in Object::dictLookup (this=0xbf476460, key=0xb7e734ff "Length", obj=0xbf476270) at Object.h:259
#10 0xb7df71df in Parser::makeStream (this=0x8facb48, dict=0xbf476460, fileKey=0x0, encAlgorithm=808464432, keyLength=825701936, objNum=32,
    objGen=0) at Parser.cc:160
#11 0xb7df7848 in Parser::getObj (this=0x8facb48, obj=0xbf476460, fileKey=0x0, encAlgorithm=808464432, keyLength=825701936, objNum=32,
    objGen=0) at Parser.cc:94

--- call N-1 ---
#12 0xb7e0a4f3 in XRef::fetch (this=0x80a8038, num=32, gen=0, obj=0xbf476460) at XRef.cc:907
#13 0xb7df14e8 in Object::fetch (this=0x8fac83c, xref=0x80a8038, obj=0xbf476460) at Object.cc:106
#14 0xb7d8fecf in Dict::lookup (this=0x8fac810, key=0xb7e734ff "Length", obj=0xbf476460) at Dict.cc:108
#15 0xb7d84a9a in Object::dictLookup (this=0xbf476650, key=0xb7e734ff "Length", obj=0xbf476460) at Object.h:259
#16 0xb7df71df in Parser::makeStream (this=0x8fac7b0, dict=0xbf476650, fileKey=0x0, encAlgorithm=808464432, keyLength=825701936, objNum=32,
    objGen=0) at Parser.cc:160
#17 0xb7df7848 in Parser::getObj (this=0x8fac7b0, obj=0xbf476650, fileKey=0x0, encAlgorithm=808464432, keyLength=825701936, objNum=32,
    objGen=0) at Parser.cc:94

---call N-2 ---
#18 0xb7e0a4f3 in XRef::fetch (this=0x80a8038, num=32, gen=0, obj=0xbf476650) at XRef.cc:907
#19 0xb7df14e8 in Object::fetch (this=0x8fac4a4, xref=0x80a8038, obj=0xbf476650) at Object.cc:106
#20 0xb7d8fecf in Dict::lookup (this=0x8fac478, key=0xb7e734ff "Length", obj=0xbf476650) at Dict.cc:108
#21 0xb7d84a9a in Object::dictLookup (this=0xbf476840, key=0xb7e734ff "Length", obj=0xbf476650) at Object.h:259
#22 0xb7df71df in Parser::makeStream (this=0x8fac418, dict=0xbf476840, fileKey=0x0, encAlgorithm=808464432, keyLength=825701936, objNum=32,
    objGen=0) at Parser.cc:160
#23 0xb7df7848 in Parser::getObj (this=0x8fac418, obj=0xbf476840, fileKey=0x0, encAlgorithm=808464432, keyLength=825701936, objNum=32,
    objGen=0) at Parser.cc:94

--- call N-3 ---
#24 0xb7e0a4f3 in XRef::fetch (this=0x80a8038, num=32, gen=0, obj=0xbf476840) at XRef.cc:907
#25 0xb7df14e8 in Object::fetch (this=0x8fac10c, xref=0x80a8038, obj=0xbf476840) at Object.cc:106
#26 0xb7d8fecf in Dict::lookup (this=0x8fac0e0, key=0xb7e734ff "Length", obj=0xbf476840) at Dict.cc:108
#27 0xb7d84a9a in Object::dictLookup (this=0xbf476a30, key=0xb7e734ff "Length", obj=0xbf476840) at Object.h:259
#28 0xb7df71df in Parser::makeStream (this=0x8fac080, dict=0xbf476a30, fileKey=0x0, encAlgorithm=808464432, keyLength=825701936, objNum=32,
    objGen=0) at Parser.cc:160
#29 0xb7df7848 in Parser::getObj (this=0x8fac080, obj=0xbf476a30, fileKey=0x0, encAlgorithm=808464432, keyLength=825701936, objNum=32,
    objGen=0) at Parser.cc:94

--- call N-4 ---
#30 0xb7e0a4f3 in XRef::fetch (this=0x80a8038, num=32, gen=0, obj=0xbf476a30) at XRef.cc:907
#31 0xb7df14e8 in Object::fetch (this=0x8fabd74, xref=0x80a8038, obj=0xbf476a30) at Object.cc:106
#32 0xb7d8fecf in Dict::lookup (this=0x8fabd48, key=0xb7e734ff "Length", obj=0xbf476a30) at Dict.cc:108
#33 0xb7d84a9a in Object::dictLookup (this=0xbf476c20, key=0xb7e734ff "Length", obj=0xbf476a30) at Object.h:259
#34 0xb7df71df in Parser::makeStream (this=0x8fabce8, dict=0xbf476c20, fileKey=0x0, encAlgorithm=808464432, keyLength=825701936, objNum=32,
    objGen=0) at Parser.cc:160
#35 0xb7df7848 in Parser::getObj (this=0x8fabce8, obj=0xbf476c20, fileKey=0x0, encAlgorithm=808464432, keyLength=825701936, objNum=32,
    objGen=0) at Parser.cc:94

--- call N-... ---
etc.
Comment 1 Victor Stinner 2007-05-10 16:48:29 UTC
Created attachment 9919 [details]
Fuzzed PDF file (contains a lot of errors)
Comment 2 Albert Astals Cid 2010-11-21 03:14:59 UTC
Fixed on master


Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.