Created attachment 82990 [details]
large mediabox pdf

evince crashes with the attached pdf. There is a problem handling a mediabox with values larger than the int range.

poppler/poppler/TextOutputDev.cc

    void TextPool::addWord(TextWord *word) {
        ...
        wordBaseIdx = (int)(word->base / textPoolStep);
        ...
    }

That cast to int makes wordBaseIdx = INT_MIN. A possible fix is:

    wordBaseIdx = ((word->base / textPoolStep) > INT_MAX ? (INT_MAX - 129) : ((int) (word->base / textPoolStep)));

#0  0x00007fffded4f379 in primaryCmp (word=0xd048bbe420445220, this=0x7fffd805da60) at TextOutputDev.cc:477
#1  TextPool::addWord (this=0x7fffd80542a0, word=0x7fffd805da60) at TextOutputDev.cc:664
#2  0x00007fffded52766 in endWord (this=0x7fffd8054160) at TextOutputDev.cc:2415
#3  TextPage::endWord (this=0x7fffd8054160) at TextOutputDev.cc:2405
#4  0x00007fffdf3d4265 in CairoOutputDev::endPage (this=0x7fffd8048150) at CairoOutputDev.cc:262
#5  0x00007fffdecde40f in Gfx::~Gfx (this=0x7fffd8050600, __in_chrg=<optimized out>) at Gfx.cc:648
#6  0x00007fffded227b0 in Page::displaySlice (this=0x7fffd804eba0, out=out@entry=0x7fffd8048150, hDPI=hDPI@entry=72, vDPI=vDPI@entry=72, rotate=rotate@entry=0, useMediaBox=useMediaBox@entry=false, crop=crop@entry=true, sliceX=sliceX@entry=-1, sliceY=sliceY@entry=-1, sliceW=sliceW@entry=-1, sliceH=sliceH@entry=-1, printing=printing@entry=false, abortCheckCbk=abortCheckCbk@entry=0x0, abortCheckCbkData=abortCheckCbkData@entry=0x0, annotDisplayDecideCbk=0x0, annotDisplayDecideCbkData=annotDisplayDecideCbkData@entry=0x0, copyXRef=copyXRef@entry=false) at Page.cc:607
#7  0x00007fffdf3c9a5b in _poppler_page_render (page=0xa09b80, cairo=0xa205a0, printing=<optimized out>, print_flags=<optimized out>) at poppler-page.cc:362
#8  0x00007fffdf5f62c0 in pdf_page_render (page=page@entry=0xa09b80, width=569, height=569, rc=rc@entry=0x7fffd8001240) at ev-poppler.cc:412
#9  0x00007fffdf5f63f7 in pdf_document_render (document=<optimized out>, rc=0x7fffd8001240) at ev-poppler.cc:445
#10 0x00007ffff75536c8 in ev_job_render_run (job=0x7fffd8009e00) at ev-jobs.c:634
#11 0x00007ffff75548f2 in ev_job_thread (job=0x7fffd8009e00) at ev-job-scheduler.c:184
#12 ev_job_thread_proxy (data=<optimized out>) at ev-job-scheduler.c:217
#13 0x00007ffff57421f5 in g_thread_proxy (data=0x9ba230) at gthread.c:798
#14 0x00007ffff7322f8e in start_thread (arg=0x7fffdffff700) at pthread_create.c:311
#15 0x00007ffff5101e1d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113
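The underlying defect is a double-to-int conversion whose input can exceed the int range; in C++ that conversion is undefined behaviour, and on x86-64 it commonly yields INT_MIN, which then becomes a pool index. The following is an added example (not poppler's code and not from the report) showing a range check and a clamped conversion of the kind the proposed hotfix is reaching for, plus a constructed bucket pool with bounds checking. kTextPoolStep, the bucket range and BucketPool are assumptions made for the demo; poppler's real TextPool and textPoolStep live in TextOutputDev.cc and differ in detail.

```cpp
#include <climits>
#include <cmath>
#include <iostream>
#include <vector>

// Stand-in for poppler's textPoolStep; the real constant lives in
// TextOutputDev.cc and this value is an assumption for the demo.
static const double kTextPoolStep = 4.0;

// True when d, truncated toward zero, is representable as int.
// Converting an out-of-range double to int is undefined behaviour in C++
// (on x86-64 it commonly produces INT_MIN, matching the report), so the
// range check must happen before any cast.
bool fitsInInt(double d) {
    if (std::isnan(d)) return false;
    double t = std::trunc(d);
    return t >= static_cast<double>(INT_MIN) && t <= static_cast<double>(INT_MAX);
}

// Hardened form of `wordBaseIdx = (int)(word->base / textPoolStep)`:
// the quotient is clamped into [lo, hi] and only then converted, so the
// result is always a valid pool index regardless of the MediaBox size.
int clampedBaseIdx(double base, double step, int lo, int hi) {
    double q = base / step;                  // may be huge, +/-inf, or NaN
    if (std::isnan(q)) return lo;            // treat NaN as the lowest bucket
    if (q <= static_cast<double>(lo)) return lo;
    if (q >= static_cast<double>(hi)) return hi;
    return static_cast<int>(q);              // in range, so the cast is defined
}

// Constructed model of a pool of buckets keyed by base index. It is not
// poppler's TextPool; it only shows where an unchecked index would land.
struct BucketPool {
    int minBaseIdx;
    int maxBaseIdx;
    std::vector<int> counts;                 // one counter per base-index bucket

    BucketPool(int lo, int hi)
        : minBaseIdx(lo), maxBaseIdx(hi),
          counts(static_cast<size_t>(hi - lo + 1), 0) {}

    // Bounds check: an index such as INT_MIN is rejected here instead of
    // being used as an offset into the heap block, which is the kind of
    // out-of-bounds access ASAN flags as a heap-buffer-overflow.
    bool inPool(int idx) const { return idx >= minBaseIdx && idx <= maxBaseIdx; }

    // Adds one word with the given baseline; returns the bucket it landed in.
    int addWord(double base) {
        int idx = clampedBaseIdx(base, kTextPoolStep, minBaseIdx, maxBaseIdx);
        counts[static_cast<size_t>(idx - minBaseIdx)]++;
        return idx;
    }
};

int main() {
    BucketPool pool(-128, 8191);             // constructed bucket range
    double huge = 1e30;                      // baseline from an absurd MediaBox
    std::cout << "quotient fits in int: " << fitsInInt(huge / kTextPoolStep) << "\n";
    std::cout << "clamped index for huge baseline: " << pool.addWord(huge) << "\n";
    std::cout << "normal word at base 100 lands in bucket " << pool.addWord(100.0) << "\n";
    return 0;
}
```

The clamp saturates at the pool edges rather than dropping the word, so a page with an oversized MediaBox still renders; the fitsInInt check is the form to use where rejecting the value outright is the better policy.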
Fix looks good as a hotfix, could we have your name for attribution?
Hello? You there?
This bug with large values in mediabox is still present in poppler 0.25.1 and in master branch of git as of today. ASAN reports it as heap-buffer-overflow read of size 8.
It is, if it wasn't the bug would be marked as fixed :-)
I can't get the attached file to crash when compiled with asan for me at all running any of the utils/pdfto* nor ./qt5/tests/test-poppler-qt5 nor ./glib/demo/poppler-glib-demo so I'm closing this bug.