Bug 77763 - heap-use-after-free on TextBlock::isBeforeByRule1
Summary: heap-use-after-free on TextBlock::isBeforeByRule1
Status: RESOLVED INVALID
Alias: None
Product: poppler
Classification: Unclassified
Component: general
Version: unspecified
Hardware: x86-64 (AMD64) Linux (All)
Importance: medium normal
Assignee: poppler-bugs
Reported: 2014-04-22 11:29 UTC by Antti Husa
Modified: 2017-01-16 17:08 UTC


Attachments
PDF that causes heap-use-after-free (41.76 KB, text/plain)
2014-04-22 11:29 UTC, Antti Husa

Description Antti Husa 2014-04-22 11:29:21 UTC
Created attachment 97740
PDF that causes heap-use-after-free

ASAN reports a heap-use-after-free when the PDF file is closed.


This can be reproduced with Zathura, but not with Evince. Running Zathura in gdb also prints "LLVM ERROR: IO failure on output stream".

Poppler version: 0.24.5 and Git Master
Zathura version: 0.2.7
Zathura-pdf-poppler version: 0.2.5


ASAN report:
==19740== ERROR: AddressSanitizer: heap-use-after-free on address 0x60220000fefc at pc 0x7feb63e4e8b0 bp 0x7feb60642480 sp 0x7feb60642478
READ of size 4 at 0x60220000fefc thread T4 (pool)


GDB backtrace:
gdb$ bt
#0  __asan_report_error (pc=0x7fffea3c4c25, bp=0x7fffe6bb84e0, sp=0x7fffe6bb84d8, addr=0x60220000fefc, is_write=0x0, access_size=0x4) at ../../.././libsanitizer/asan/asan_report.cc:628
#1  0x00007ffff4e5f824 in __asan::__asan_report_load4 (addr=<optimized out>) at ../../.././libsanitizer/asan/asan_rtl.cc:228
#2  0x00007fffea3c4c25 in TextBlock::isBeforeByRule1 (this=0x601c000105e0, blk1=0x601c000177a0) at /var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/TextOutputDev.cc:1748
#3  0x00007fffea3c571b in TextBlock::visitDepthFirst (this=0x601c000105e0, blkList=0x601c0001bcc0, pos1=0xd1, sorted=0x608400005200, sortPos=0x9c, visited=0x60540000f080) at /var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/TextOutputDev.cc:1856
#4  0x00007fffea3c57b8 in TextBlock::visitDepthFirst (this=0x601c00018680, blkList=0x601c0001bcc0, pos1=0x3e, sorted=0x608400005200, sortPos=0x9b, visited=0x60540000f080) at /var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/TextOutputDev.cc:1874
#5  0x00007fffea3d599d in TextPage::coalesce (this=0x60220000fe80, physLayout=0x1, fixedPitch=0, doHTML=0x0) at /var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/TextOutputDev.cc:3427
#6  0x00007fffea9ac8fa in CairoOutputDev::endPage (this=0x603600000340) at /var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/CairoOutputDev.cc:263
#7  0x00007fffea25ea7c in Gfx::~Gfx (this=0x60240008f4c0, __in_chrg=<optimized out>) at /var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/Gfx.cc:643
#8  0x00007fffea335ece in Page::displaySlice (this=0x6022000186a0, out=0x603600000340, hDPI=72, vDPI=72, rotate=0x0, useMediaBox=0x0, crop=0x1, sliceX=0xffffffff, sliceY=0xffffffff, sliceW=0xffffffff, sliceH=0xffffffff, printing=0x0, abortCheckCbk=0x0, abortCheckCbkData=0x0, annotDisplayDecideCbk=0x0, annotDisplayDecideCbkData=0x0, copyXRef=0x0) at /var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/Page.cc:611
#9  0x00007fffea98f17c in _poppler_page_render (page=0x605200064c00, cairo=0x604a0002f280, printing=0x0, print_flags=POPPLER_PRINT_DOCUMENT) at /var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/glib/poppler-page.cc:362
#10 0x00007fffea98f2a3 in poppler_page_render (page=0x605200064c00, cairo=0x604a0002f280) at /var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/glib/poppler-page.cc:385
#11 0x00007fffeac06d8f in pdf_page_render_cairo (page=0x600800026450, poppler_page=0x605200064c00, cairo=0x604a0002f280, printing=0x0) at render.c:19
#12 0x00000000004519a4 in zathura_page_render (page=0x600800026450, cairo=0x604a0002f280, printing=0x0) at page.c:360
#13 0x0000000000426511 in render (job=0x6004000c1a70, request=0x6052000150d0, renderer=0x6062000063b0) at render.c:691
#14 0x0000000000426aee in render_job (data=0x6004000c1a70, user_data=0x6062000063b0) at render.c:750
#15 0x00007ffff36f1ea6 in ?? () from /usr/lib64/libglib-2.0.so.0
#16 0x00007ffff36f14e5 in ?? () from /usr/lib64/libglib-2.0.so.0
#17 0x00007ffff4e65c08 in __asan::AsanThread::ThreadStart (this=0x7fffe6bba000) at ../../.././libsanitizer/asan/asan_thread.cc:99
#18 0x00007ffff3269f3a in start_thread (arg=0x7fffe6bb9700) at pthread_create.c:308
#19 0x00007ffff2a89c3d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113


--
Antti Husa
Research Assistant, OUSPG
Comment 1 Albert Astals Cid 2014-09-30 17:03:38 UTC
Can you please try to reproduce this in current git master, and also using some of the tools that we have in git (not Zathura), i.e. anything in utils or glib/demo or qt4/demo?

I can't get asan to complain about anything.
Comment 2 Albert Astals Cid 2017-01-16 17:08:04 UTC
Didn't answer, so I guess it was fixed in master and he didn't come back to us.