Bug 65969 - Segfault in GfxImageColorMap::getRGBLine on a corrupted (fuzzed) pdf file
Summary: Segfault in GfxImageColorMap::getRGBLine on a corrupted (fuzzed) pdf file
Status: RESOLVED FIXED
Alias: None
Product: poppler
Classification: Unclassified
Component: cairo backend
Version: unspecified
Hardware: x86-64 (AMD64) Linux (All)
Importance: medium critical
Assignee: poppler-bugs
Reported: 2013-06-20 13:34 UTC by jutaky
Modified: 2016-10-09 20:43 UTC
Description jutaky 2013-06-20 13:34:36 UTC
Segfault in GfxImageColorMap::getRGBLine on a corrupted (fuzzed) pdf file.

Crash reproduced on evince (git) + poppler (git), evince (3.8.2) + poppler (0.22.5) and epdfview (0.1.8) + poppler (0.22.5), on Arch Linux 64-bit.

Test case: http://jutaky.com/fuzzing/poppler_case_13499_7250.pdf

Backtrace on evince (git) + poppler (git):

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffe9a84700 (LWP 18406)]
0x00007fffe8a8fcfd in GfxImageColorMap::getRGBLine (this=0x7fffd01218f0, in=0x0, out=0x7fffd00bf930, length=2) at GfxState.cc:5497
5497		*inp = byte_lookup[*inp * nComps + i];
(gdb) bt
#0  0x00007fffe8a8fcfd in GfxImageColorMap::getRGBLine (this=0x7fffd01218f0, in=0x0, out=0x7fffd00bf930, length=2) at GfxState.cc:5497
#1  0x00007fffe8e5c3c9 in RescaleDrawImage::getRow (this=0x7fffe9a831f0, row_num=0, row_data=0x7fffd00bf930) at CairoOutputDev.cc:2852
#2  0x00007fffe8e5c195 in RescaleDrawImage::getSourceImage (this=0x7fffe9a831f0, str=0x7fffd0121740, widthA=2, height=1, scaledWidth=2, scaledHeight=1, printing=false, 
    colorMapA=0x7fffd01218f0, maskColorsA=0x0) at CairoOutputDev.cc:2796
#3  0x00007fffe8e599f5 in CairoOutputDev::drawImage (this=0x7fffd004d000, state=0x7fffd0120f50, ref=0x7fffe9a83540, str=0x7fffd0121740, widthA=2, heightA=1, colorMap=0x7fffd01218f0, 
    interpolate=false, maskColors=0x0, inlineImg=false) at CairoOutputDev.cc:2894
#4  0x00007fffe8a6af87 in Gfx::doImage (this=0x7fffd00551d0, ref=0x7fffe9a83540, str=0x7fffd0121740, inlineImg=false) at Gfx.cc:4586
#5  0x00007fffe8a69200 in Gfx::opXObject (this=0x7fffd00551d0, args=0x7fffe9a836b0, numArgs=1) at Gfx.cc:4127
#6  0x00007fffe8a56e68 in Gfx::execOp (this=0x7fffd00551d0, cmd=0x7fffe9a838c0, args=0x7fffe9a836b0, numArgs=1) at Gfx.cc:852
#7  0x00007fffe8a56764 in Gfx::go (this=0x7fffd00551d0, topLevel=true) at Gfx.cc:711
#8  0x00007fffe8a56585 in Gfx::display (this=0x7fffd00551d0, obj=0x7fffe9a83a10, topLevel=true) at Gfx.cc:677
#9  0x00007fffe8ab727a in Page::displaySlice (this=0x7fffd0052d30, out=0x7fffd004d000, hDPI=72, vDPI=72, rotate=0, useMediaBox=false, crop=true, sliceX=-1, sliceY=-1, sliceW=-1, 
    sliceH=-1, printing=false, abortCheckCbk=0x0, abortCheckCbkData=0x0, annotDisplayDecideCbk=0x0, annotDisplayDecideCbkData=0x0, copyXRef=false) at Page.cc:580
#10 0x00007fffe8e42790 in _poppler_page_render (page=0x7fffd004cd80, cairo=0xb05260, printing=false, print_flags=POPPLER_PRINT_DOCUMENT) at poppler-page.cc:362
#11 0x00007fffe8e42876 in poppler_page_render (page=0x7fffd004cd80, cairo=0xb05260) at poppler-page.cc:385
#12 0x00007fffe90796b8 in pdf_page_render (page=0x7fffd004cd80, width=569, height=736, rc=0x7fffd0001750) at ev-poppler.cc:412
#13 0x00007fffe907981b in pdf_document_render (document=0x77ef60, rc=0x7fffd0001750) at ev-poppler.cc:445
#14 0x00007ffff7454e32 in ev_document_render (document=0x77ef60, rc=0x7fffd0001750) at ev-document.c:678
#15 0x00007ffff7201e50 in ev_job_render_run (job=0x7fffd000ce20) at ev-jobs.c:634
#16 0x00007ffff7201334 in ev_job_run (job=0x7fffd000ce20) at ev-jobs.c:215
#17 0x00007ffff72051db in ev_job_thread (job=0x7fffd000ce20) at ev-job-scheduler.c:184
#18 0x00007ffff720528e in ev_job_thread_proxy (data=0x0) at ev-job-scheduler.c:217
#19 0x00007ffff3f81743 in g_thread_proxy (data=0x9dd140) at gthread.c:798
#20 0x00007ffff3cecdd2 in start_thread () from /usr/lib/libpthread.so.0
#21 0x00007ffff3509cdd in clone () from /usr/lib/libc.so.6

--
Juha Kylmänen
Research Assistant, OUSPG
Comment 1 Albert Astals Cid 2016-10-09 20:43:48 UTC
Can't reproduce with latest version