Bug 76631 - SEGV in StreamPredictor::getChar (cairo backend)
Summary: SEGV in StreamPredictor::getChar (cairo backend)
Status: RESOLVED MOVED
Alias: None
Product: poppler
Classification: Unclassified
Component: cairo backend
Version: unspecified
Hardware: x86-64 (AMD64) Linux (All)
Importance: medium normal
Assignee: poppler-bugs
Reported: 2014-03-26 12:25 UTC by Antti Husa
Modified: 2018-08-21 10:50 UTC

Attachments
Fuzzed PDF file that causes SEGV (14.41 KB, text/plain)
2014-03-26 12:25 UTC, Antti Husa

Description Antti Husa 2014-03-26 12:25:47 UTC
Created attachment 96408
Fuzzed PDF file that causes SEGV

Segfault when malformed PDF file is opened.

Reproduced on Evince and Zathura with Poppler version 0.25.1 (git master branch).

Distribution: Gentoo Linux 64bit
Evince version: 3.10.3
Zathura version: 0.2.1
Zathura-pdf-poppler version: 0.2.3

Malformed file is given as an attachment.

ASAN report:
==9396== ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7effa86af3a3 sp 0x7effa5c9d810 bp 0x7effa5c9d820 T3)
AddressSanitizer can not provide additional info.
    #0 0x7effa86af3a2 in StreamPredictor::getChar() /var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/Stream.cc:615
    #1 0x7effa87f5655 in FlateStream::getChar() /var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/FlateStream.cc:58
    #2 0x7effa856bf60 in Stream::doGetChars(int, unsigned char*) /var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/Stream.h:126
    #3 0x7effa86ae19f in ImageStream::getLine() /var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/Stream.cc:517
    #4 0x7effa8d5c301 in RescaleDrawImage::getRow(int, unsigned int*) /var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/CairoOutputDev.cc:2836
    #5 0x7effa8d5d674 in CairoRescaleBox::downScaleImage(unsigned int, unsigned int, int, int, unsigned short, unsigned short, unsigned short, unsigned short, _cairo_surface*) /var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/CairoRescaleBox.cc:338
    #6 0x7effa8d5c121 in RescaleDrawImage::getSourceImage(Stream*, int, int, int, int, bool, GfxImageColorMap*, int*) /var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/CairoOutputDev.cc:2817
    #7 0x7effa8d56fe8 in CairoOutputDev::drawImage(GfxState*, Object*, Stream*, int, int, GfxImageColorMap*, bool, int*, bool) /var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/CairoOutputDev.cc:2896
    #8 0x7effa85d9840 in Gfx::doImage(Object*, Stream*, bool) /var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/Gfx.cc:4653
    #9 0x7effa85d68f2 in Gfx::opXObject(Object*, int) /var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/Gfx.cc:4179
    #10 0x7effa85b049c in Gfx::execOp(Object*, Object*, int) /var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/Gfx.cc:903
    #11 0x7effa85af685 in Gfx::go(bool) /var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/Gfx.cc:762
    #12 0x7effa85af2d9 in Gfx::display(Object*, bool) /var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/Gfx.cc:728
    #13 0x7effa86928cd in Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/Page.cc:585
    #14 0x7effa8d17f53 in _poppler_page_render(_PopplerPage*, _cairo*, bool, PopplerPrintFlags) /var/tmp/portage/app-text/poppler-9999/work/poppler-9999/glib/poppler-page.cc:362
    #15 0x7effa8d1807a in poppler_page_render /var/tmp/portage/app-text/poppler-9999/work/poppler-9999/glib/poppler-page.cc:385
    #16 0x7effa8f9cf2c in pdf_page_render_cairo /var/tmp/portage/app-text/zathura-pdf-poppler-0.2.3/work/zathura-pdf-poppler-0.2.3/pdf.c:809
    #17 0x42f947 in render /var/tmp/portage/app-text/zathura-0.2.1/work/zathura-0.2.1/render.c:183
    #18 0x42f947 in render_job /var/tmp/portage/app-text/zathura-0.2.1/work/zathura-0.2.1/render.c:37
    #19 0x7effb11cbea5 (/usr/lib64/libglib-2.0.so.0+0x6fea5)
    #20 0x7effb11cb4e4 (/usr/lib64/libglib-2.0.so.0+0x6f4e4)
    #21 0x7effb287ec07 in __asan::AsanThread::ThreadStart() /home/aki/opt/fu/work/tmp/gcc-4.8.1/x86_64-unknown-linux-gnu/libsanitizer/asan/../../.././libsanitizer/asan/asan_thread.cc:99
    #22 0x7effb0b41f39 in start_thread /var/tmp/portage/sys-libs/glibc-2.17/work/glibc-2.17/nptl/pthread_create.c:308
    #23 0x7effb057ec3c (/lib64/libc.so.6+0xedc3c)
SUMMARY: AddressSanitizer: SEGV /var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/Stream.cc:615 StreamPredictor::getChar()
Thread T3 (pool) created by T0 here:
    #0 0x7effb2870c5b in __interceptor_pthread_create /home/aki/opt/fu/work/tmp/gcc-4.8.1/x86_64-unknown-linux-gnu/libsanitizer/asan/../../.././libsanitizer/asan/asan_interceptors.cc:122
    #1 0x7effb11e6941 (/usr/lib64/libglib-2.0.so.0+0x8a941)
==9396== ABORTING


--
Antti Husa
Research Assistant, OUSPG
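When fuzzing runs produce many reports like the one above, the first triage step is to pull the error kind, faulting address and the innermost symbolized frames out of the AddressSanitizer output so that duplicate crashes can be bucketed and the null-pointer dereferences (a fault address in the zero page, as here) can be separated from out-of-bounds accesses. The following is an added example, not code from poppler or from the reporter; it embeds the first lines of the report above as sample input and its parsing rules and bucket format are this editor's own choices, not an official ASAN schema.

```python
"""Triage helper for AddressSanitizer crash reports (added example, not poppler code)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input: lines taken from the ASAN report in the bug description above.
SAMPLE_REPORT = """\
==9396== ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7effa86af3a3 sp 0x7effa5c9d810 bp 0x7effa5c9d820 T3)
AddressSanitizer can not provide additional info.
    #0 0x7effa86af3a2 in StreamPredictor::getChar() /var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/Stream.cc:615
    #1 0x7effa87f5655 in FlateStream::getChar() /var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/FlateStream.cc:58
    #2 0x7effa856bf60 in Stream::doGetChars(int, unsigned char*) /var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/Stream.h:126
    #3 0x7effa86ae19f in ImageStream::getLine() /var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/Stream.cc:517
    #19 0x7effb11cbea5 (/usr/lib64/libglib-2.0.so.0+0x6fea5)
SUMMARY: AddressSanitizer: SEGV /var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/Stream.cc:615 StreamPredictor::getChar()
==9396== ABORTING
"""

# "ERROR: AddressSanitizer: <kind> on [unknown] address 0x..." with an optional
# trailing thread id "T<n>)" (SEGV reports carry it on this line).
ERROR_RE = re.compile(
    r"==(?P<pid>\d+)==\s*ERROR: AddressSanitizer: (?P<kind>[\w-]+) on (?:unknown )?address "
    r"(?P<addr>0x[0-9a-fA-F]+)(?:.*?\bT(?P<thread>\d+)\))?"
)
# Symbolized frame: "#n 0xpc in <function> <file>:<line>". Unsymbolized frames
# ("(lib.so+0xoffset)") do not match and are skipped on purpose.
FRAME_RE = re.compile(
    r"^\s*#(?P<n>\d+)\s+(?P<pc>0x[0-9a-fA-F]+)\s+in\s+(?P<func>.+?)\s+(?P<file>\S+):(?P<line>\d+)$"
)


@dataclass(frozen=True)
class Frame:
    index: int
    func: str
    file: str
    line: int


@dataclass
class AsanCrash:
    kind: str            # e.g. "SEGV", "heap-buffer-overflow"
    address: int         # faulting address
    thread: Optional[int]
    frames: List[Frame]  # symbolized frames of the primary stack, innermost first

    def is_null_deref(self, page_size: int = 4096) -> bool:
        # A SEGV inside the first page is almost always a NULL (or NULL+offset) dereference.
        return self.kind == "SEGV" and self.address < page_size

    def top_frame_in(self, project: str) -> Optional[Frame]:
        # First frame whose source path belongs to the project under test
        # (skips sanitizer, libc and glib frames when they are innermost).
        for f in self.frames:
            if project in f.file:
                return f
        return None

    def bucket(self, depth: int = 3) -> str:
        # Deduplication key: root cause plus the innermost `depth` function names.
        cause = "null-deref" if self.is_null_deref() else self.kind
        return cause + ":" + "|".join(f.func for f in self.frames[:depth])


def parse_asan_report(text: str) -> AsanCrash:
    kind = addr = thread = None
    frames: List[Frame] = []
    for line in text.splitlines():
        if kind is None:
            m = ERROR_RE.search(line)
            if m:
                kind = m.group("kind")
                addr = int(m.group("addr"), 16)
                thread = int(m.group("thread")) if m.group("thread") else None
            continue
        if line.startswith("SUMMARY:"):
            break  # frames after this belong to secondary stacks (thread creation etc.)
        m = FRAME_RE.match(line)
        if m:
            frames.append(Frame(int(m.group("n")), m.group("func"), m.group("file"), int(m.group("line"))))
    if kind is None:
        raise ValueError("no AddressSanitizer ERROR line found")
    return AsanCrash(kind, addr, thread, frames)


if __name__ == "__main__":
    crash = parse_asan_report(SAMPLE_REPORT)
    print(crash.bucket(), "null-deref" if crash.is_null_deref() else "", crash.top_frame_in("poppler"))
```

Running the block on the sample yields the bucket `null-deref:StreamPredictor::getChar()|FlateStream::getChar()|Stream::doGetChars(int, unsigned char*)`; a second fuzzed file that dies in the same three frames collapses into the same bucket, while a fault at a non-zero address with the same stack is kept apart as a distinct `SEGV` bucket.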
Comment 1 GitLab Migration User 2018-08-21 10:50:28 UTC
-- GitLab Migration Automatic Message --

This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/poppler/poppler/issues/393.

