Bug 76445 - SEGV in RescaleDrawImage::getRow
Summary: SEGV in RescaleDrawImage::getRow
Status: RESOLVED FIXED
Alias: None
Product: poppler
Classification: Unclassified
Component: cairo backend
Version: unspecified
Hardware: x86-64 (AMD64) Linux (All)
Importance: medium normal
Assignee: poppler-bugs
Duplicates: 76444

Reported: 2014-03-21 11:36 UTC by Antti Husa
Modified: 2014-03-30 20:09 UTC

Attachments
Fuzzed PDF file that causes SEGV (1.20 KB, application/pdf), 2014-03-21 11:36 UTC, Antti Husa
fix segv (1.19 KB, patch), 2014-03-28 10:21 UTC, Adrian Johnson

Description Antti Husa 2014-03-21 11:36:48 UTC
Created attachment 96155 [details]
Fuzzed PDF file that causes SEGV

Segfault when a malformed PDF file is opened.

Reproduced on Evince, Zathura and apvlv with Poppler version 0.24.5.

Distribution: Gentoo Linux 64bit
Evince version: 3.10.3
Zathura version: 0.2.1
Zathura-pdf-poppler version: 0.2.3

Malformed file is given as an attachment.

ASAN report:
==895== ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f177e460be5 sp 0x7f177b474880 bp 0x7f177b474900 T3)
AddressSanitizer can not provide additional info.
    #0 0x7f177e460be4 (/usr/lib64/libpoppler-glib.so.8.6.0+0x5fbe4)
    #1 0x7f177e46187b (/usr/lib64/libpoppler-glib.so.8.6.0+0x6087b)
    #2 0x7f177e45df30 (/usr/lib64/libpoppler-glib.so.8.6.0+0x5cf30)
    #3 0x7f177dd69b43 (/usr/lib64/libpoppler.so.44.0.0+0x233b43)
    #4 0x7f177dd6d0a1 (/usr/lib64/libpoppler.so.44.0.0+0x2370a1)
    #5 0x7f177dd5bb45 (/usr/lib64/libpoppler.so.44.0.0+0x225b45)
    #6 0x7f177dd5c50f (/usr/lib64/libpoppler.so.44.0.0+0x22650f)
    #7 0x7f177de186d7 (/usr/lib64/libpoppler.so.44.0.0+0x2e26d7)
    #8 0x7f177e435a92 (/usr/lib64/libpoppler-glib.so.8.6.0+0x34a92)
    #9 0x7f177e69cca4 (/usr/lib64/zathura/pdf.so+0x3ca4)
    #10 0x42f8b7 (/usr/bin/zathura+0x42f8b7)
    #11 0x7f17868caea5 (/usr/lib64/libglib-2.0.so.0.3800.2+0x6fea5)
    #12 0x7f17868ca4e4 (/usr/lib64/libglib-2.0.so.0.3800.2+0x6f4e4)
    #13 0x7f1787f7dc07 (/usr/lib64/libasan.so.0.0.0+0x18c07)
    #14 0x7f1786240f39 (/lib64/libpthread-2.17.so+0x8f39)
    #15 0x7f1785c7dc3c (/lib64/libc-2.17.so+0xedc3c)
Thread T3 (pool) created by T0 here:
    #0 0x7f1787f6fc5b (/usr/lib64/libasan.so.0.0.0+0xac5b)
    #1 0x7f17868e5941 (/usr/lib64/libglib-2.0.so.0.3800.2+0x8a941)
==895== ABORTING


gdb backtrace:
0x00007fffeb348be5 in RescaleDrawImage::getRow (this=0x7fffe835cc80, row_num=<optimized out>, row_data=0x607400007900) at /var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/CairoOutputDev.cc:2845
2845	        rgb = lookup[*p];

gdb$ bt
#0  0x00007fffeb348be5 in RescaleDrawImage::getRow (this=0x7fffe835cc80, row_num=<optimized out>, row_data=0x607400007900) at /var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/CairoOutputDev.cc:2845
#1  0x00007fffeb34987c in CairoRescaleBox::downScaleImage (this=this@entry=0x7fffe835cc80, orig_width=<optimized out>, orig_height=orig_height@entry=0xdb3, scaled_width=scaled_width@entry=0x198, scaled_height=scaled_height@entry=0x242, start_column=start_column@entry=0x0, start_row=start_row@entry=0x0, width=width@entry=0x198, height=height@entry=0x242, dest_surface=dest_surface@entry=0x602c0001fa00) at /var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/CairoRescaleBox.cc:338
#2  0x00007fffeb345f31 in getSourceImage (maskColorsA=0x0, colorMapA=0x60440002f880, printing=0x0, scaledHeight=0x242, scaledWidth=0x198, height=0xdb3, widthA=0x9b0, str=0x601800047b00, this=0x7fffe835cc80) at /var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/CairoOutputDev.cc:2817
#3  CairoOutputDev::drawImage (this=0x603600004540, state=<optimized out>, ref=0x7fffe835d2c0, str=0x601800047b00, widthA=0x9b0, heightA=0xdb3, colorMap=0x60440002f880, interpolate=0x0, maskColors=0x0, inlineImg=0x0) at /var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/CairoOutputDev.cc:2896
#4  0x00007fffeac51b44 in Gfx::doImage (this=this@entry=0x60240007f5c0, ref=ref@entry=0x7fffe835d2c0, str=<optimized out>, inlineImg=inlineImg@entry=0x0) at /var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/Gfx.cc:4587
#5  0x00007fffeac550a2 in Gfx::opXObject (this=0x60240007f5c0, args=<optimized out>, numArgs=<optimized out>) at /var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/Gfx.cc:4128
#6  0x00007fffeac43b46 in Gfx::go (this=this@entry=0x60240007f5c0, topLevel=topLevel@entry=0x1) at /var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/Gfx.cc:712
#7  0x00007fffeac44510 in Gfx::display (this=this@entry=0x60240007f5c0, obj=obj@entry=0x7fffe835d9d0, topLevel=topLevel@entry=0x1) at /var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/Gfx.cc:678
#8  0x00007fffead006d8 in Page::displaySlice (this=0x6022000191e0, out=out@entry=0x603600004540, hDPI=hDPI@entry=72, vDPI=vDPI@entry=72, rotate=rotate@entry=0x0, useMediaBox=useMediaBox@entry=0x0, crop=crop@entry=0x1, sliceX=sliceX@entry=0xffffffff, sliceY=sliceY@entry=0xffffffff, sliceW=sliceW@entry=0xffffffff, sliceH=sliceH@entry=0xffffffff, printing=printing@entry=0x0, abortCheckCbk=abortCheckCbk@entry=0x0, abortCheckCbkData=abortCheckCbkData@entry=0x0, annotDisplayDecideCbk=0x0, annotDisplayDecideCbkData=annotDisplayDecideCbkData@entry=0x0, copyXRef=copyXRef@entry=0x0) at /var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/Page.cc:584
#9  0x00007fffeb31da93 in _poppler_page_render (page=0x605200035180, cairo=0x604a0000f100, printing=<optimized out>, print_flags=<optimized out>) at /var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/glib/poppler-page.cc:362
#10 0x00007fffeb584ca5 in pdf_page_render_cairo () from /usr/lib64/zathura/pdf.so
#11 0x000000000042f8b8 in render (page=0x60080002a110, zathura=0x60260000f660) at render.c:183
#12 render_job (data=0x60080002a110, user_data=0x60260000f660) at render.c:37
#13 0x00007ffff37b2ea6 in ?? () from /usr/lib64/libglib-2.0.so.0
#14 0x00007ffff37b24e5 in ?? () from /usr/lib64/libglib-2.0.so.0
#15 0x00007ffff4e65c08 in __asan::AsanThread::ThreadStart (this=0x7fffe835f000) at ../../.././libsanitizer/asan/asan_thread.cc:99
#16 0x00007ffff3128f3a in start_thread (arg=0x7fffe835e700) at pthread_create.c:308
#17 0x00007ffff2b65c3d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113


--
Antti Husa
Research Assistant, OUSPG
Comment 1 Albert Astals Cid 2014-03-21 22:20:21 UTC
Hi, can you please read http://tsdgeos.blogspot.de/2014/03/asan-and-gcc-how-to-get-line-numbers-in.html and provide numbers with the ASAN backtrace?
Comment 2 Antti Husa 2014-03-24 17:35:57 UTC
Fixed ASAN report with line numbers:

==16970== ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7ff219a9e9c5 sp 0x7ff216ab5880 bp 0x7ff216ab5900 T3)
AddressSanitizer can not provide additional info.
    #0 0x7ff219a9e9c4 in RescaleDrawImage::getRow(int, unsigned int*) /var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/CairoOutputDev.cc:2845
    #1 0x7ff219a9f64a in CairoRescaleBox::downScaleImage(unsigned int, unsigned int, int, int, unsigned short, unsigned short, unsigned short, unsigned short, _cairo_surface*) /var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/CairoRescaleBox.cc:338
    #2 0x7ff219a9bd10 in RescaleDrawImage::getSourceImage(Stream*, int, int, int, int, bool, GfxImageColorMap*, int*) /var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/CairoOutputDev.cc:2817
    #3 0x7ff219a9bd10 in CairoOutputDev::drawImage(GfxState*, Object*, Stream*, int, int, GfxImageColorMap*, bool, int*, bool) /var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/CairoOutputDev.cc:2896
    #4 0x7ff2193a9c53 in Gfx::doImage(Object*, Stream*, bool) /var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/Gfx.cc:4587
    #5 0x7ff2193ad1b1 in Gfx::opXObject(Object*, int) /var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/Gfx.cc:4128
    #6 0x7ff21939bc55 in Gfx::go(bool) /var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/Gfx.cc:712
    #7 0x7ff21939c61f in Gfx::display(Object*, bool) /var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/Gfx.cc:678
    #8 0x7ff219458be7 in Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/Page.cc:584
    #9 0x7ff219a73812 in _poppler_page_render(_PopplerPage*, _cairo*, bool, PopplerPrintFlags) /var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/glib/poppler-page.cc:362
    #10 0x7ff219cdbf2c in pdf_page_render_cairo /var/tmp/portage/app-text/zathura-pdf-poppler-0.2.3/work/zathura-pdf-poppler-0.2.3/pdf.c:809
    #11 0x42f947 in render /var/tmp/portage/app-text/zathura-0.2.1/work/zathura-0.2.1/render.c:183
    #12 0x42f947 in render_job /var/tmp/portage/app-text/zathura-0.2.1/work/zathura-0.2.1/render.c:37
    #13 0x7ff221f0aea5 (/usr/lib64/libglib-2.0.so.0+0x6fea5)
    #14 0x7ff221f0a4e4 (/usr/lib64/libglib-2.0.so.0+0x6f4e4)
    #15 0x7ff2235bdc07 in __asan::AsanThread::ThreadStart() /home/aki/opt/fu/work/tmp/gcc-4.8.1/x86_64-unknown-linux-gnu/libsanitizer/asan/../../.././libsanitizer/asan/asan_thread.cc:99
    #16 0x7ff221880f39 in start_thread /var/tmp/portage/sys-libs/glibc-2.17/work/glibc-2.17/nptl/pthread_create.c:308
    #17 0x7ff2212bdc3c (/lib64/libc.so.6+0xedc3c)
SUMMARY: AddressSanitizer: SEGV /var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/CairoOutputDev.cc:2845 RescaleDrawImage::getRow(int, unsigned int*)
Thread T3 (pool) created by T0 here:
    #0 0x7ff2235afc5b in __interceptor_pthread_create /home/aki/opt/fu/work/tmp/gcc-4.8.1/x86_64-unknown-linux-gnu/libsanitizer/asan/../../.././libsanitizer/asan/asan_interceptors.cc:122
    #1 0x7ff221f25941 (/usr/lib64/libglib-2.0.so.0+0x8a941)
==16970== ABORTING
Comment 3 Albert Astals Cid 2014-03-25 22:31:01 UTC
Yep, I can get that too. Cairo guys?
Comment 4 Adrian Johnson 2014-03-28 10:21:01 UTC
Created attachment 96518 [details] [review]
fix segv
Comment 5 Carlos Garcia Campos 2014-03-28 14:27:22 UTC
Comment on attachment 96518 [details] [review]
fix segv

Review of attachment 96518 [details] [review]:
-----------------------------------------------------------------

Thanks Adrian, I have a couple of questions

::: poppler/CairoOutputDev.cc
@@ +2839,4 @@
>        current_row++;
>      }
>  
> +    if (unlikely(pix == NULL)) {
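Review bot: The `if (unlikely(pix == NULL))` guard has to sit before the `rgb = lookup[*p]` dereference at CairoOutputDev.cc:2845 that both traces name, and the branch body (not shown in the quoted hunk) must still write `row_data` for the full row width, because the caller `CairoRescaleBox::downScaleImage` (frame #1 in both backtraces) consumes the row unconditionally; a bare `return` that leaves `row_data` untouched would trade the NULL read for an uninitialized-memory read. The check also covers only this one consumer of `ImageStream::getLine()`; the other call sites that read a line and index into it need the same guard or a stated reason they cannot see a NULL.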

So, if I understand correctly, the problem is that for buggy PDF documents, ImageStream::getLine can return NULL, right? What about the other places where we use it too? Could we make getRow() return bool and abort the image decode when it returns false?
Comment 6 Adrian Johnson 2014-03-28 22:06:25 UTC
(In reply to comment #5)
> So, if I understand correctly, the problem is that for buggy PDF documents,
> ImageStream::getLine can return NULL, right?

Correct.

> What about the other places
> where we use it too?

I would wait for a PDF that reproduces the problem before I fix it.

> Could we make getRow() return bool and abort the image
> decode when it returns false?

We want to continue on with rendering as much of the document as possible. It is easier to return zero data when the image stream fails than to add checks all the way up the stack trace to the drawImage function to handle an error status.
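The design choice Adrian describes (hand back zero data when the image stream runs dry rather than threading an error status up through drawImage) is easier to see in a small model. The following is an added example written for this page; it is not poppler's code, and `ModelImageStream`, `ModelRowFetcher`, `renderImage`, `makeTruncatedStream` and the grey-ramp palette are all constructed stand-ins for the real `ImageStream`, `RescaleDrawImage::getRow` and downscaler. It keeps the unguarded row fetch beside the guarded one, and feeds both a stream that is shorter than the image header claims, which is the shape of the fuzzed-file failure.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Constructed model of an image stream whose getLine() returns NULL once the
// (malformed or truncated) image data runs out. Not poppler's ImageStream.
struct ModelImageStream {
    std::vector<std::vector<uint8_t>> rows; // decoded 8-bit indexed rows
    size_t next = 0;

    const uint8_t *getLine() {
        if (next >= rows.size())
            return NULL;                    // truncated stream: no row to hand out
        return rows[next++].data();
    }
};

// Constructed stand-in for the row fetcher in the bug: walks the stream up to
// row_num and expands each indexed pixel through a palette lookup table.
struct ModelRowFetcher {
    ModelImageStream *stream;
    int width;
    int current_row;
    int missing_rows;          // rows the stream could not supply
    uint32_t lookup[256];

    ModelRowFetcher(ModelImageStream *s, int w)
        : stream(s), width(w), current_row(-1), missing_rows(0) {
        for (int i = 0; i < 256; i++)
            lookup[i] = 0xff000000u | (uint32_t)(i * 0x010101u); // opaque grey ramp
    }

    // Before the fix: pix is dereferenced unconditionally, so a NULL line from
    // the stream is a NULL-pointer read (the SEGV in the report). Kept for
    // contrast only; nothing below calls it.
    void getRowUnguarded(int row_num, uint32_t *row_data) {
        const uint8_t *pix = NULL;
        while (current_row < row_num) {
            pix = stream->getLine();
            current_row++;
        }
        for (int i = 0; i < width; i++)
            row_data[i] = lookup[pix[i]];
    }

    // After the fix: a NULL line becomes a row of zero pixels, so the caller
    // always receives a fully written row and the rest of the page renders.
    void getRow(int row_num, uint32_t *row_data) {
        const uint8_t *pix = NULL;
        while (current_row < row_num) {
            pix = stream->getLine();
            current_row++;
        }
        if (pix == NULL) {
            memset(row_data, 0, (size_t)width * sizeof(uint32_t));
            missing_rows++;
            return;
        }
        for (int i = 0; i < width; i++)
            row_data[i] = lookup[pix[i]];
    }
};

// Pull every row of a width x height image through the guarded getRow(), the
// way a downscaler consumes rows. Returns how many rows had to be synthesised.
int renderImage(ModelImageStream *stream, int width, int height,
                std::vector<uint32_t> &out) {
    ModelRowFetcher fetcher(stream, width);
    out.assign((size_t)width * height, 0xdeadbeefu); // poison: shows what got written
    for (int y = 0; y < height; y++)
        fetcher.getRow(y, &out[(size_t)y * width]);
    return fetcher.missing_rows;
}

// Constructed input: the image header claims 4 rows of 3 pixels, but the
// stream only carries 2 rows.
ModelImageStream makeTruncatedStream() {
    ModelImageStream s;
    s.rows.push_back(std::vector<uint8_t>{0x00, 0x80, 0xff});
    s.rows.push_back(std::vector<uint8_t>{0x10, 0x20, 0x30});
    return s;
}

int main() {
    ModelImageStream s = makeTruncatedStream();
    std::vector<uint32_t> pixels;
    int missing = renderImage(&s, 3, 4, pixels);
    // Expect 2 missing rows, all pixels written, the last two rows zero.
    return (missing == 2 && pixels[11] == 0u) ? 0 : 1;
}
```

The zero-fill keeps the contract that every call to `getRow` writes `width` pixels, which is what lets the downscaler stay oblivious to the failure; the `missing_rows` counter is only there so the outcome is observable in a test, and is not something the poppler fix adds.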
Comment 7 Carlos Garcia Campos 2014-03-30 10:22:10 UTC
Ok, please push it. Thank you.
Comment 8 Albert Astals Cid 2014-03-30 14:23:02 UTC
*** Bug 76444 has been marked as a duplicate of this bug. ***
Comment 9 Adrian Johnson 2014-03-30 20:09:35 UTC
Pushed

