Bug 65221 - Segfault in ImageStream::getLine on a corrupted (fuzzed) PDF file
Summary: Segfault in ImageStream::getLine on a corrupted (fuzzed) PDF file
Status: RESOLVED FIXED
Alias: None
Product: poppler
Classification: Unclassified
Component: cairo backend
Version: unspecified
Hardware: x86-64 (AMD64) Linux (All)
Importance: medium critical
Assignee: poppler-bugs
Reported: 2013-05-31 22:06 UTC by jutaky
Modified: 2013-06-01 11:47 UTC

Description jutaky 2013-05-31 22:06:52 UTC
Segfault in ImageStream::getLine on a corrupted (fuzzed) PDF file.

Tested on evince git 20130531 with poppler git 20130531.

Also crashes with epdfview.

Test case: http://jutaky.com/fuzzing/poppler_case_10298_1453.pdf

Debugging information:

0x00007fffcbcae1a2 in ImageStream::getLine (this=0x7fffcc052f60) at Stream.cc:548
548		buf = (buf << 8) | (*p++ & 0xff);
(gdb) bt
#0  0x00007fffcbcae1a2 in ImageStream::getLine (this=0x7fffcc052f60) at Stream.cc:548
#1  0x00007fffd025be94 in CairoOutputDev::drawSoftMaskedImage (this=0x7fffcc049160, state=0x7fffcc052270, ref=0x7fffe4c20560, str=0x7fffcc1ac5b0, width=2700, height=2250, 
    colorMap=0x7fffcc053150, interpolate=true, maskStr=0x7fffcc1b4b40, maskWidth=2700, maskHeight=2250, maskColorMap=0x7fffcc1bd0d0, maskInterpolate=true) at CairoOutputDev.cc:2567
#2  0x00007fffcbc538de in Gfx::doImage (this=0x7fffcc059600, ref=0x7fffe4c20560, str=0x7fffcc1ac5b0, inlineImg=false) at Gfx.cc:4585
#3  0x00007fffcbc51caa in Gfx::opXObject (this=0x7fffcc059600, args=0x7fffe4c206d0, numArgs=1) at Gfx.cc:4133
#4  0x00007fffcbc3f95a in Gfx::execOp (this=0x7fffcc059600, cmd=0x7fffe4c208e0, args=0x7fffe4c206d0, numArgs=1) at Gfx.cc:858
#5  0x00007fffcbc3f256 in Gfx::go (this=0x7fffcc059600, topLevel=true) at Gfx.cc:717
#6  0x00007fffcbc3f077 in Gfx::display (this=0x7fffcc059600, obj=0x7fffe4c20a30, topLevel=true) at Gfx.cc:683
#7  0x00007fffcbc9fd0e in Page::displaySlice (this=0x7fffcc04f8b0, out=0x7fffcc049160, hDPI=72, vDPI=72, rotate=0, useMediaBox=false, crop=true, sliceX=-1, sliceY=-1, sliceW=-1, 
    sliceH=-1, printing=false, abortCheckCbk=0x0, abortCheckCbkData=0x0, annotDisplayDecideCbk=0x0, annotDisplayDecideCbkData=0x0, copyXRef=false) at Page.cc:580
#8  0x00007fffd0245690 in _poppler_page_render (page=0x7fffcc049400, cairo=0x7fffcc059060, printing=false, print_flags=POPPLER_PRINT_DOCUMENT) at poppler-page.cc:362
#9  0x00007fffd0245776 in poppler_page_render (page=0x7fffcc049400, cairo=0x7fffcc059060) at poppler-page.cc:385
#10 0x00007fffe40151bc in ?? () from /usr/lib/evince/4/backends/libpdfdocument.so
#11 0x00007fffe40152d7 in ?? () from /usr/lib/evince/4/backends/libpdfdocument.so
#12 0x00007ffff720f830 in ev_job_render_run (job=0x9c8260) at ev-jobs.c:634
#13 0x00007ffff720ed14 in ev_job_run (job=0x9c8260) at ev-jobs.c:215
#14 0x00007ffff7212b07 in ev_job_thread (job=0x9c8260) at ev-job-scheduler.c:184
#15 0x00007ffff7212bba in ev_job_thread_proxy (data=0x0) at ev-job-scheduler.c:217
#16 0x00007ffff48bc185 in ?? () from /usr/lib/libglib-2.0.so.0
#17 0x00007ffff4127dd2 in start_thread () from /usr/lib/libpthread.so.0
#18 0x00007ffff3e58ced in clone () from /usr/lib/libc.so.6

--
Juha Kylmänen
Research Assistant, OUSPG
Comment 1 Albert Astals Cid 2013-06-01 11:47:00 UTC
Will be fixed on next poppler release.