Bug 76444 - SEGV in GfxImageColorMap::getRGBLine
Summary: SEGV in GfxImageColorMap::getRGBLine
Status: RESOLVED DUPLICATE of bug 76445
Alias: None
Product: poppler
Classification: Unclassified
Component: cairo backend (show other bugs)
Version: unspecified
Hardware: x86-64 (AMD64) Linux (All)
Importance: medium normal
Assignee: poppler-bugs
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-03-21 11:26 UTC by Antti Husa
Modified: 2014-03-30 14:23 UTC (History)


Attachments
Fuzzed PDF file that causes SEGV (1.10 KB, text/plain), 2014-03-21 11:26 UTC, Antti Husa

Description Antti Husa 2014-03-21 11:26:36 UTC
Created attachment 96154 [details]
Fuzzed PDF file that causes SEGV

Segfault when malformed PDF file is opened.

Reproduced on Evince, Zathura and apvlv with Poppler version 0.24.5.

Distribution: Gentoo Linux 64bit
Evince version: 3.10.3
Zathura version: 0.2.1
Zathura-pdf-poppler version: 0.2.3

Malformed file is given as an attachment.

ASAN report:
==25976== ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fbf3011a730 sp 0x7fbf2d7cd790 bp 0x7fbf2d7cd870 T3)
AddressSanitizer can not provide additional info.
    #0 0x7fbf3011a72f (/usr/lib64/libpoppler.so.44.0.0+0x28b72f)
    #1 0x7fbf307b9ff1 (/usr/lib64/libpoppler-glib.so.8.6.0+0x5fff1)
    #2 0x7fbf307ba87b (/usr/lib64/libpoppler-glib.so.8.6.0+0x6087b)
    #3 0x7fbf307b6f30 (/usr/lib64/libpoppler-glib.so.8.6.0+0x5cf30)
    #4 0x7fbf300c2b43 (/usr/lib64/libpoppler.so.44.0.0+0x233b43)
    #5 0x7fbf300c60a1 (/usr/lib64/libpoppler.so.44.0.0+0x2370a1)
    #6 0x7fbf300b4b45 (/usr/lib64/libpoppler.so.44.0.0+0x225b45)
    #7 0x7fbf300b550f (/usr/lib64/libpoppler.so.44.0.0+0x22650f)
    #8 0x7fbf301716d7 (/usr/lib64/libpoppler.so.44.0.0+0x2e26d7)
    #9 0x7fbf3078ea92 (/usr/lib64/libpoppler-glib.so.8.6.0+0x34a92)
    #10 0x7fbf309f5ca4 (/usr/lib64/zathura/pdf.so+0x3ca4)
    #11 0x42f8b7 (/usr/bin/zathura+0x42f8b7)
    #12 0x7fbf38c23ea5 (/usr/lib64/libglib-2.0.so.0.3800.2+0x6fea5)
    #13 0x7fbf38c234e4 (/usr/lib64/libglib-2.0.so.0.3800.2+0x6f4e4)
    #14 0x7fbf3a2d6c07 (/usr/lib64/libasan.so.0.0.0+0x18c07)
    #15 0x7fbf38599f39 (/lib64/libpthread-2.17.so+0x8f39)
    #16 0x7fbf37fd6c3c (/lib64/libc-2.17.so+0xedc3c)
Thread T3 (pool) created by T0 here:
    #0 0x7fbf3a2c8c5b (/usr/lib64/libasan.so.0.0.0+0xac5b)
    #1 0x7fbf38c3e941 (/usr/lib64/libglib-2.0.so.0.3800.2+0x8a941)
==25976== ABORTING


gdb backtrace:
0x00007fffeaca9730 in GfxImageColorMap::getRGBLine (this=<optimized out>, in=in@entry=0x0, out=out@entry=0x60740000c900, length=0x9b0) at /var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/GfxState.cc:5505
5505		*inp = byte_lookup[*inp * nComps + i];


#0  0x00007fffeaca9730 in GfxImageColorMap::getRGBLine (this=<optimized out>, in=in@entry=0x0, out=out@entry=0x60740000c900, length=0x9b0) at /var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/GfxState.cc:5505
#1  0x00007fffeb348ff2 in RescaleDrawImage::getRow (this=0x7fffe835cc80, row_num=0x0, row_data=0x60740000c900) at /var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/CairoOutputDev.cc:2853
#2  0x00007fffeb34987c in CairoRescaleBox::downScaleImage (this=this@entry=0x7fffe835cc80, orig_width=<optimized out>, orig_height=orig_height@entry=0xdb3, scaled_width=scaled_width@entry=0x198, scaled_height=scaled_height@entry=0x242, start_column=start_column@entry=0x0, start_row=start_row@entry=0x0, width=width@entry=0x198, height=height@entry=0x242, dest_surface=dest_surface@entry=0x602c0001fbc0) at /var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/CairoRescaleBox.cc:338
#3  0x00007fffeb345f31 in getSourceImage (maskColorsA=0x0, colorMapA=0x60440002f880, printing=0x0, scaledHeight=0x242, scaledWidth=0x198, height=0xdb3, widthA=0x9b0, str=0x60460002ec80, this=0x7fffe835cc80) at /var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/CairoOutputDev.cc:2817
#4  CairoOutputDev::drawImage (this=0x603600004540, state=<optimized out>, ref=0x7fffe835d2c0, str=0x60460002ec80, widthA=0x9b0, heightA=0xdb3, colorMap=0x60440002f880, interpolate=0x0, maskColors=0x0, inlineImg=0x0) at /var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/CairoOutputDev.cc:2896
#5  0x00007fffeac51b44 in Gfx::doImage (this=this@entry=0x60240007f5c0, ref=ref@entry=0x7fffe835d2c0, str=<optimized out>, inlineImg=inlineImg@entry=0x0) at /var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/Gfx.cc:4587
#6  0x00007fffeac550a2 in Gfx::opXObject (this=0x60240007f5c0, args=<optimized out>, numArgs=<optimized out>) at /var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/Gfx.cc:4128
#7  0x00007fffeac43b46 in Gfx::go (this=this@entry=0x60240007f5c0, topLevel=topLevel@entry=0x1) at /var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/Gfx.cc:712
#8  0x00007fffeac44510 in Gfx::display (this=this@entry=0x60240007f5c0, obj=obj@entry=0x7fffe835d9d0, topLevel=topLevel@entry=0x1) at /var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/Gfx.cc:678
#9  0x00007fffead006d8 in Page::displaySlice (this=0x6022000191e0, out=out@entry=0x603600004540, hDPI=hDPI@entry=72, vDPI=vDPI@entry=72, rotate=rotate@entry=0x0, useMediaBox=useMediaBox@entry=0x0, crop=crop@entry=0x1, sliceX=sliceX@entry=0xffffffff, sliceY=sliceY@entry=0xffffffff, sliceW=sliceW@entry=0xffffffff, sliceH=sliceH@entry=0xffffffff, printing=printing@entry=0x0, abortCheckCbk=abortCheckCbk@entry=0x0, abortCheckCbkData=abortCheckCbkData@entry=0x0, annotDisplayDecideCbk=0x0, annotDisplayDecideCbkData=annotDisplayDecideCbkData@entry=0x0, copyXRef=copyXRef@entry=0x0) at /var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/Page.cc:584
#10 0x00007fffeb31da93 in _poppler_page_render (page=0x605200035180, cairo=0x604a0000f100, printing=<optimized out>, print_flags=<optimized out>) at /var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/glib/poppler-page.cc:362
#11 0x00007fffeb584ca5 in pdf_page_render_cairo () from /usr/lib64/zathura/pdf.so
#12 0x000000000042f8b8 in render (page=0x60080002a010, zathura=0x60260000f660) at render.c:183
#13 render_job (data=0x60080002a010, user_data=0x60260000f660) at render.c:37
#14 0x00007ffff37b2ea6 in ?? () from /usr/lib64/libglib-2.0.so.0
#15 0x00007ffff37b24e5 in ?? () from /usr/lib64/libglib-2.0.so.0
#16 0x00007ffff4e65c08 in __asan::AsanThread::ThreadStart (this=0x7fffe835f000) at ../../.././libsanitizer/asan/asan_thread.cc:99
#17 0x00007ffff3128f3a in start_thread (arg=0x7fffe835e700) at pthread_create.c:308
#18 0x00007ffff2b65c3d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113


--
Antti Husa
Research Assistant, OUSPG
Comment 1 Albert Astals Cid 2014-03-21 22:20:06 UTC
Hi can you please read http://tsdgeos.blogspot.de/2014/03/asan-and-gcc-how-to-get-line-numbers-in.html and provide numbers with the ASAN backtrace?
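Comment 1 asks for line numbers. The unsymbolized frames in the first ASAN report carry a module path and a module-relative offset, which addr2line can resolve against an unstripped build (or separate debug info). The script below is an added example, not part of the bug report or of poppler: it parses such frames and builds one addr2line command per module; the sample lines are copied from the report above.

```python
import re
from collections import defaultdict

# Unsymbolized ASAN frame, e.g.
#     #0 0x7fbf3011a72f (/usr/lib64/libpoppler.so.44.0.0+0x28b72f)
FRAME_RE = re.compile(
    r"^\s*#(\d+)\s+0x([0-9a-fA-F]+)\s+\((\S+?)\+0x([0-9a-fA-F]+)\)\s*$"
)


def parse_frames(report):
    """Return [(frame_no, module_path, module_offset)] for every
    unsymbolized frame; other report lines are ignored."""
    frames = []
    for line in report.splitlines():
        m = FRAME_RE.match(line)
        if m:
            frames.append((int(m.group(1)), m.group(3), int(m.group(4), 16)))
    return frames


def addr2line_commands(frames):
    """Group offsets by module (report order kept) and build the
    addr2line invocation that maps them to function and file:line.
    -f prints function names, -C demangles C++, -i shows inlined frames."""
    by_module = defaultdict(list)
    for _, module, off in frames:
        by_module[module].append(off)
    cmds = []
    for module, offs in by_module.items():
        hexoffs = " ".join(f"0x{o:x}" for o in offs)
        cmds.append(f"addr2line -e {module} -f -C -i {hexoffs}")
    return cmds


# Sample input: the first lines of the report above (the non-frame line
# shows that only frame lines are picked up).
SAMPLE = """AddressSanitizer can not provide additional info.
    #0 0x7fbf3011a72f (/usr/lib64/libpoppler.so.44.0.0+0x28b72f)
    #1 0x7fbf307b9ff1 (/usr/lib64/libpoppler-glib.so.8.6.0+0x5fff1)
    #2 0x7fbf307ba87b (/usr/lib64/libpoppler-glib.so.8.6.0+0x6087b)
    #4 0x7fbf300c2b43 (/usr/lib64/libpoppler.so.44.0.0+0x233b43)
"""

if __name__ == "__main__":
    for cmd in addr2line_commands(parse_frames(SAMPLE)):
        print(cmd)
```

Frame 0 is the faulting frame, so its module is the one to build with debug symbols first.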
Comment 2 Antti Husa 2014-03-25 10:42:24 UTC
Fixed ASAN report with line numbers:

==6308== ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f8b569bcc40 sp 0x7f8b54070790 bp 0x7f8b54070870 T3)
AddressSanitizer can not provide additional info.
    #0 0x7f8b569bcc3f in GfxImageColorMap::getRGBLine(unsigned char*, unsigned int*, int) /var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/GfxState.cc:5505
    #1 0x7f8b57059dd1 in RescaleDrawImage::getRow(int, unsigned int*) /var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/CairoOutputDev.cc:2853
    #2 0x7f8b5705a64a in CairoRescaleBox::downScaleImage(unsigned int, unsigned int, int, int, unsigned short, unsigned short, unsigned short, unsigned short, _cairo_surface*) /var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/CairoRescaleBox.cc:338
    #3 0x7f8b57056d10 in RescaleDrawImage::getSourceImage(Stream*, int, int, int, int, bool, GfxImageColorMap*, int*) /var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/CairoOutputDev.cc:2817
    #4 0x7f8b57056d10 in CairoOutputDev::drawImage(GfxState*, Object*, Stream*, int, int, GfxImageColorMap*, bool, int*, bool) /var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/CairoOutputDev.cc:2896
    #5 0x7f8b56964c53 in Gfx::doImage(Object*, Stream*, bool) /var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/Gfx.cc:4587
    #6 0x7f8b569681b1 in Gfx::opXObject(Object*, int) /var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/Gfx.cc:4128
    #7 0x7f8b56956c55 in Gfx::go(bool) /var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/Gfx.cc:712
    #8 0x7f8b5695761f in Gfx::display(Object*, bool) /var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/Gfx.cc:678
    #9 0x7f8b56a13be7 in Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/Page.cc:584
    #10 0x7f8b5702e812 in _poppler_page_render(_PopplerPage*, _cairo*, bool, PopplerPrintFlags) /var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/glib/poppler-page.cc:362
    #11 0x7f8b57296f2c in pdf_page_render_cairo /var/tmp/portage/app-text/zathura-pdf-poppler-0.2.3/work/zathura-pdf-poppler-0.2.3/pdf.c:809
    #12 0x42f947 in render /var/tmp/portage/app-text/zathura-0.2.1/work/zathura-0.2.1/render.c:183
    #13 0x42f947 in render_job /var/tmp/portage/app-text/zathura-0.2.1/work/zathura-0.2.1/render.c:37
    #14 0x7f8b5f4c5ea5 (/usr/lib64/libglib-2.0.so.0+0x6fea5)
    #15 0x7f8b5f4c54e4 (/usr/lib64/libglib-2.0.so.0+0x6f4e4)
    #16 0x7f8b60b78c07 in __asan::AsanThread::ThreadStart() /home/aki/opt/fu/work/tmp/gcc-4.8.1/x86_64-unknown-linux-gnu/libsanitizer/asan/../../.././libsanitizer/asan/asan_thread.cc:99
    #17 0x7f8b5ee3bf39 in start_thread /var/tmp/portage/sys-libs/glibc-2.17/work/glibc-2.17/nptl/pthread_create.c:308
    #18 0x7f8b5e878c3c (/lib64/libc.so.6+0xedc3c)
SUMMARY: AddressSanitizer: SEGV /var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/GfxState.cc:5505 GfxImageColorMap::getRGBLine(unsigned char*, unsigned int*, int)
Thread T3 (pool) created by T0 here:
    #0 0x7f8b60b6ac5b in __interceptor_pthread_create /home/aki/opt/fu/work/tmp/gcc-4.8.1/x86_64-unknown-linux-gnu/libsanitizer/asan/../../.././libsanitizer/asan/asan_interceptors.cc:122
    #1 0x7f8b5f4e0941 (/usr/lib64/libglib-2.0.so.0+0x8a941)
==6308== ABORTING
Comment 3 Albert Astals Cid 2014-03-25 22:32:10 UTC
Yep, get that too. Cairo guys?
Comment 4 Adrian Johnson 2014-03-28 10:24:03 UTC
Patch in bug 76445 also fixes this bug.
Comment 5 Albert Astals Cid 2014-03-30 14:23:02 UTC

*** This bug has been marked as a duplicate of bug 76445 ***

