Bug 67296 - evince crashed with SIGSEGV in TextPool::addWord
Summary: evince crashed with SIGSEGV in TextPool::addWord
Status: RESOLVED WORKSFORME
Alias: None
Product: poppler
Classification: Unclassified
Component: general
Version: unspecified
Hardware: x86 (IA32) Linux (All)
Importance: medium normal
Assignee: poppler-bugs
Reported: 2013-07-25 11:09 UTC by hoffmeister.pierre
Modified: 2016-12-06 22:42 UTC (History)

Attachments
large mediabox pdf (797 bytes, text/plain)
2013-07-25 11:09 UTC, hoffmeister.pierre

Description hoffmeister.pierre 2013-07-25 11:09:07 UTC
Created attachment 82990 [details]
large mediabox pdf

Evince crashes with the attached PDF.

There is a problem handling a MediaBox with values larger than the int range.

poppler/poppler/TextOutputDev.cc
void TextPool::addWord(TextWord *word){
...
wordBaseIdx = (int)(word->base / textPoolStep);
...
}

That cast to int makes wordBaseIdx = INT_MIN.

A possible fix is:
wordBaseIdx = ((word->base / textPoolStep) > INT_MAX ? (INT_MAX - 129) : ((int) (word->base / textPoolStep)) );

#0  0x00007fffded4f379 in primaryCmp (word=0xd048bbe420445220, this=0x7fffd805da60) at TextOutputDev.cc:477
#1  TextPool::addWord (this=0x7fffd80542a0, word=0x7fffd805da60) at TextOutputDev.cc:664
#2  0x00007fffded52766 in endWord (this=0x7fffd8054160) at TextOutputDev.cc:2415
#3  TextPage::endWord (this=0x7fffd8054160) at TextOutputDev.cc:2405
#4  0x00007fffdf3d4265 in CairoOutputDev::endPage (this=0x7fffd8048150) at CairoOutputDev.cc:262
#5  0x00007fffdecde40f in Gfx::~Gfx (this=0x7fffd8050600, __in_chrg=<optimized out>) at Gfx.cc:648
#6  0x00007fffded227b0 in Page::displaySlice (this=0x7fffd804eba0, out=out@entry=0x7fffd8048150, hDPI=hDPI@entry=72, vDPI=vDPI@entry=72, rotate=rotate@entry=0, useMediaBox=useMediaBox@entry=false, crop=crop@entry=true, sliceX=sliceX@entry=-1, sliceY=sliceY@entry=-1, sliceW=sliceW@entry=-1, sliceH=sliceH@entry=-1, printing=printing@entry=false, abortCheckCbk=abortCheckCbk@entry=0x0, abortCheckCbkData=abortCheckCbkData@entry=0x0, annotDisplayDecideCbk=0x0, annotDisplayDecideCbkData=annotDisplayDecideCbkData@entry=0x0, copyXRef=copyXRef@entry=false) at Page.cc:607
#7  0x00007fffdf3c9a5b in _poppler_page_render (page=0xa09b80, cairo=0xa205a0, printing=<optimized out>, print_flags=<optimized out>) at poppler-page.cc:362
#8  0x00007fffdf5f62c0 in pdf_page_render (page=page@entry=0xa09b80, width=569, height=569, rc=rc@entry=0x7fffd8001240) at ev-poppler.cc:412
#9  0x00007fffdf5f63f7 in pdf_document_render (document=<optimized out>, rc=0x7fffd8001240) at ev-poppler.cc:445
#10 0x00007ffff75536c8 in ev_job_render_run (job=0x7fffd8009e00) at ev-jobs.c:634
#11 0x00007ffff75548f2 in ev_job_thread (job=0x7fffd8009e00) at ev-job-scheduler.c:184
#12 ev_job_thread_proxy (data=<optimized out>) at ev-job-scheduler.c:217
#13 0x00007ffff57421f5 in g_thread_proxy (data=0x9ba230) at gthread.c:798
#14 0x00007ffff7322f8e in start_thread (arg=0x7fffdffff700) at pthread_create.c:311
#15 0x00007ffff5101e1d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113
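Added example, not code from the bug report or from poppler: the crash described above comes from casting a double that exceeds the int range to int, which is undefined behaviour in C and C++ (on x86 the conversion instruction produces INT_MIN, the value the reporter saw), after which the negative index is used to walk the pool. The defensive pattern is to validate the quotient while it is still a double, before the cast, and to treat a word whose index cannot be represented as rejected rather than indexing with it. The constants TEXT_POOL_STEP and POOL_BUCKETS, the functions safe_base_index and pool_add_word, and the TextPoolDemo struct are this example's own constructed stand-ins, not poppler's names or data structures.

```c
#include <limits.h>
#include <math.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-in for poppler's textPoolStep; the real value does not matter here. */
#define TEXT_POOL_STEP 4.0
/* Constructed size of the toy pool; poppler's pool is dynamically sized. */
#define POOL_BUCKETS 1024

/* Compute base / step as an int index, but only when the quotient is finite
 * and lies within the range a 32-bit int can hold after truncation.
 * The comparison is done on the double: once an out-of-range value has
 * been cast, the result is already undefined, so it is too late to check. */
bool safe_base_index(double base, double step, int *out)
{
    double q = base / step;
    if (!isfinite(q))                 /* NaN or +/-inf: huge or degenerate MediaBox */
        return false;
    /* (double)INT_MAX + 1.0 == 2147483648.0 and (double)INT_MIN are exact,
     * so anything outside [INT_MIN, INT_MAX + 1) truncates out of range. */
    if (q >= (double)INT_MAX + 1.0 || q < (double)INT_MIN)
        return false;
    *out = (int)q;                    /* now a well-defined truncation */
    return true;
}

typedef struct {
    int count[POOL_BUCKETS];          /* words per bucket (stands in for the linked lists) */
    int rejected;                     /* words dropped because their base was not indexable */
} TextPoolDemo;

/* Add a word with the given baseline coordinate.
 * Returns the bucket index used, or -1 if the word was rejected. */
int pool_add_word(TextPoolDemo *pool, double base)
{
    int idx;
    if (!safe_base_index(base, TEXT_POOL_STEP, &idx) || idx < 0 || idx >= POOL_BUCKETS) {
        pool->rejected++;             /* never index with an unvalidated value */
        return -1;
    }
    pool->count[idx]++;
    return idx;
}

int main(void)
{
    TextPoolDemo pool = {{0}, 0};
    /* Constructed baselines: one ordinary, one from an absurdly large MediaBox. */
    double bases[] = { 40.0, 1e300 };
    for (size_t i = 0; i < sizeof bases / sizeof bases[0]; i++) {
        int idx = pool_add_word(&pool, bases[i]);
        if (idx < 0)
            printf("base %g rejected (not indexable)\n", bases[i]);
        else
            printf("base %g -> bucket %d\n", bases[i], idx);
    }
    printf("rejected words: %d\n", pool.rejected);
    return 0;
}
```

The check keeps the reporter's intent (do not let a huge quotient reach the cast) but refuses the word instead of clamping it to an arbitrary bucket near INT_MAX, which keeps the pool's index arithmetic honest and also covers negative and non-finite quotients.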
Comment 1 Albert Astals Cid 2013-07-25 20:37:10 UTC
Fix looks good as a hotfix, could we have your name for attribution?
Comment 2 Albert Astals Cid 2013-08-04 22:27:05 UTC
Hello? You there?
Comment 3 Antti Husa 2014-03-26 12:04:31 UTC
This bug with large values in mediabox is still present in poppler 0.25.1 and in master branch of git as of today. ASAN reports it as heap-buffer-overflow read of size 8.
Comment 4 Albert Astals Cid 2014-03-26 21:03:35 UTC
It is, if it wasn't the bug would be marked as fixed :-)
Comment 5 Albert Astals Cid 2016-12-06 22:42:27 UTC
I can't get the attached file to crash when compiled with asan for me at all running any of the utils/pdfto* nor ./qt5/tests/test-poppler-qt5 nor ./glib/demo/poppler-glib-demo so I'm closing this bug.