Bug 76631 - SEGV in StreamPredictor::getChar (cairo backend)
Summary: SEGV in StreamPredictor::getChar (cairo backend)
Status: NEW
Alias: None
Product: poppler
Classification: Unclassified
Component: cairo backend (show other bugs)
Version: unspecified
Hardware: x86-64 (AMD64) Linux (All)
: medium normal
Assignee: poppler-bugs
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-03-26 12:25 UTC by Antti Husa
Modified: 2014-03-26 12:25 UTC (History)
0 users

See Also:
i915 platform:
i915 features:


Attachments
Fuzzed PDF file that causes SEGV (14.41 KB, text/plain)
2014-03-26 12:25 UTC, Antti Husa
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Antti Husa 2014-03-26 12:25:47 UTC
Created attachment 96408 [details]
Fuzzed PDF file that causes SEGV

Segfault when malformed PDF file is opened.

Reproduced on Evince and Zathura with Poppler version 0.25.1 (git master branch).

Distrubution: Gentoo Linux 64bit
Evince version: 3.10.3
Zathura version: 0.2.1
Zathura-pdf-poppler version: 0.2.3

Malformed file is given as an attachment.

ASAN report:
==9396== ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7effa86af3a3 sp 0x7effa5c9d810 bp 0x7effa5c9d820 T3)
AddressSanitizer can not provide additional info.
    #0 0x7effa86af3a2 in StreamPredictor::getChar() /var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/Stream.cc:615
    #1 0x7effa87f5655 in FlateStream::getChar() /var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/FlateStream.cc:58
    #2 0x7effa856bf60 in Stream::doGetChars(int, unsigned char*) /var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/Stream.h:126
    #3 0x7effa86ae19f in ImageStream::getLine() /var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/Stream.cc:517
    #4 0x7effa8d5c301 in RescaleDrawImage::getRow(int, unsigned int*) /var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/CairoOutputDev.cc:2836
    #5 0x7effa8d5d674 in CairoRescaleBox::downScaleImage(unsigned int, unsigned int, int, int, unsigned short, unsigned short, unsigned short, unsigned short, _cairo_surface*) /var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/CairoRescaleBox.cc:338
    #6 0x7effa8d5c121 in RescaleDrawImage::getSourceImage(Stream*, int, int, int, int, bool, GfxImageColorMap*, int*) /var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/CairoOutputDev.cc:2817
    #7 0x7effa8d56fe8 in CairoOutputDev::drawImage(GfxState*, Object*, Stream*, int, int, GfxImageColorMap*, bool, int*, bool) /var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/CairoOutputDev.cc:2896
    #8 0x7effa85d9840 in Gfx::doImage(Object*, Stream*, bool) /var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/Gfx.cc:4653
    #9 0x7effa85d68f2 in Gfx::opXObject(Object*, int) /var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/Gfx.cc:4179
    #10 0x7effa85b049c in Gfx::execOp(Object*, Object*, int) /var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/Gfx.cc:903
    #11 0x7effa85af685 in Gfx::go(bool) /var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/Gfx.cc:762
    #12 0x7effa85af2d9 in Gfx::display(Object*, bool) /var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/Gfx.cc:728
    #13 0x7effa86928cd in Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/Page.cc:585
    #14 0x7effa8d17f53 in _poppler_page_render(_PopplerPage*, _cairo*, bool, PopplerPrintFlags) /var/tmp/portage/app-text/poppler-9999/work/poppler-9999/glib/poppler-page.cc:362
    #15 0x7effa8d1807a in poppler_page_render /var/tmp/portage/app-text/poppler-9999/work/poppler-9999/glib/poppler-page.cc:385
    #16 0x7effa8f9cf2c in pdf_page_render_cairo /var/tmp/portage/app-text/zathura-pdf-poppler-0.2.3/work/zathura-pdf-poppler-0.2.3/pdf.c:809
    #17 0x42f947 in render /var/tmp/portage/app-text/zathura-0.2.1/work/zathura-0.2.1/render.c:183
    #18 0x42f947 in render_job /var/tmp/portage/app-text/zathura-0.2.1/work/zathura-0.2.1/render.c:37
    #19 0x7effb11cbea5 (/usr/lib64/libglib-2.0.so.0+0x6fea5)
    #20 0x7effb11cb4e4 (/usr/lib64/libglib-2.0.so.0+0x6f4e4)
    #21 0x7effb287ec07 in __asan::AsanThread::ThreadStart() /home/aki/opt/fu/work/tmp/gcc-4.8.1/x86_64-unknown-linux-gnu/libsanitizer/asan/../../.././libsanitizer/asan/asan_thread.cc:99
    #22 0x7effb0b41f39 in start_thread /var/tmp/portage/sys-libs/glibc-2.17/work/glibc-2.17/nptl/pthread_create.c:308
    #23 0x7effb057ec3c (/lib64/libc.so.6+0xedc3c)
SUMMARY: AddressSanitizer: SEGV /var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/Stream.cc:615 StreamPredictor::getChar()
Thread T3 (pool) created by T0 here:
    #0 0x7effb2870c5b in __interceptor_pthread_create /home/aki/opt/fu/work/tmp/gcc-4.8.1/x86_64-unknown-linux-gnu/libsanitizer/asan/../../.././libsanitizer/asan/asan_interceptors.cc:122
    #1 0x7effb11e6941 (/usr/lib64/libglib-2.0.so.0+0x8a941)
==9396== ABORTING


--
Antti Husa
Research Assistant, OUSPG


Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.