The attached sample file crashes e.g. pdfinfo. The sample file was fuzzed with AFL (http://lcamtuf.coredump.cx/afl/).

(gdb) bt
#0  0x00007ffff60d0165 in *__GI_raise (sig=<optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x00007ffff60d33e0 in *__GI_abort () at abort.c:92
#2  0x00000000006c8d62 in getString (this=<optimized out>) at Object.h:202
#3  StandardSecurityHandler::StandardSecurityHandler (this=0xac33e0, docA=<optimized out>, encryptDictA=<optimized out>) at SecurityHandler.cc:292
#4  0x00000000006c9ee3 in SecurityHandler::make (docA=0xac2ea0, encryptDictA=0x7fffffffe160) at SecurityHandler.cc:56
#5  0x0000000000609afd in PDFDoc::checkEncryption (this=this@entry=0xac2ea0, ownerPassword=ownerPassword@entry=0x0, userPassword=userPassword@entry=0x0) at PDFDoc.cc:425
#6  0x0000000000617016 in PDFDoc::setup (this=this@entry=0xac2ea0, ownerPassword=ownerPassword@entry=0x0, userPassword=userPassword@entry=0x0) at PDFDoc.cc:276
#7  0x00000000006177c0 in PDFDoc::PDFDoc (this=0xac2ea0, fileNameA=<optimized out>, ownerPassword=0x0, userPassword=0x0, guiDataA=<optimized out>) at PDFDoc.cc:166
#8  0x00000000007e2a89 in LocalPDFDocBuilder::buildPDFDoc (this=<optimized out>, uri=..., ownerPassword=0x0, userPassword=0x0, guiDataA=0x0) at LocalPDFDocBuilder.cc:31
#9  0x0000000000409476 in main (argc=2, argv=0x7fffffffe588) at pdfinfo.cc:185
#10 0x00007ffff60bcead in __libc_start_main (main=<optimized out>, argc=<optimized out>, ubp_av=<optimized out>, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe578) at libc-start.c:244
#11 0x000000000040bcc5 in _start ()

frame 2

(gdb) list
197
198   // Note: integers larger than 2^53 can not be exactly represented by a double.
199   // Where the exact value of integers up to 2^63 is required, use isInt64()/getInt64().
200   double getNum() { OBJECT_3TYPES_CHECK(objInt, objInt64, objReal);
201     return type == objInt ? (double)intg : type == objInt64 ? (double)int64g : real; }
202   GooString *getString() { OBJECT_TYPE_CHECK(objString); return string; }
203   // After takeString() the only method that should be called for the object is free()
204   // because the object it's not expected to have a NULL string.
205   GooString *takeString() {
206     OBJECT_TYPE_CHECK(objString); GooString *s = string; string = NULL; return s; }
Created attachment 113986: fuzzed sample file
Tested with version: 0.31.0
Not major at all
Good to know. The "Importance" list was not obvious. A crashing PDF library is major in my books :)
It's not crashing; it's aborting in a controlled way, and the fact that it's a doctored file also makes it much less important.
Fixed
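What the trace shows, and the check-before-use pattern that avoids it, as an added example: this is not poppler's code and not the fix referred to in this thread. It assumes a toy tagged Object/Dict model and a hypothetical /Encrypt dictionary whose /O entry the fuzzer turned into an integer; the trace does not say which entry was actually involved, so the key name and values here are constructed. getString() keeps the OBJECT_TYPE_CHECK contract from Object.h (wrong type aborts, the controlled abort the maintainer describes), and ownerKeyChecked() shows the caller validating type and length before touching the payload so a doctored file yields an error instead of an abort.

```cpp
#include <cstdio>
#include <cstdlib>
#include <map>
#include <memory>
#include <string>
#include <utility>

// Tagged PDF object, modelled loosely on poppler's Object (assumption: only
// the types this example needs). Added example, not poppler's code.
enum class ObjType { Null, Int, String, Name, Dict };

struct Dict;

struct Object {
    ObjType type = ObjType::Null;
    long intg = 0;
    std::string str;            // payload for String and Name
    std::shared_ptr<Dict> dict; // payload for Dict

    static Object makeInt(long v)           { Object o; o.type = ObjType::Int;    o.intg = v; return o; }
    static Object makeString(std::string s) { Object o; o.type = ObjType::String; o.str = std::move(s); return o; }
    static Object makeName(std::string s)   { Object o; o.type = ObjType::Name;   o.str = std::move(s); return o; }
    static Object makeDict();

    bool isString() const { return type == ObjType::String; }

    // Same contract as OBJECT_TYPE_CHECK in the trace above: a wrong-type
    // access is a programming error and aborts the process rather than
    // handing back a bogus pointer.
    const std::string &getString() const {
        if (type != ObjType::String) {
            std::fprintf(stderr, "Internal error: expected string, got object type %d\n",
                         static_cast<int>(type));
            std::abort();
        }
        return str;
    }

    Object lookup(const std::string &key) const; // Null object when absent
};

struct Dict { std::map<std::string, Object> entries; };

Object Object::makeDict() { Object o; o.type = ObjType::Dict; o.dict = std::make_shared<Dict>(); return o; }

Object Object::lookup(const std::string &key) const {
    if (type != ObjType::Dict) return Object{};
    auto it = dict->entries.find(key);
    return it == dict->entries.end() ? Object{} : it->second;
}

// Unchecked consumer: trusts the file and calls getString() directly.
// On the doctored dict below this abort()s, the failure mode in the backtrace.
std::string ownerKeyUnchecked(const Object &encrypt) {
    return encrypt.lookup("O").getString();
}

// Hardened consumer: validates type and length (ISO 32000-1 fixes /O at
// 32 bytes for standard-handler revisions 2 to 4; revisions 5 and 6 use
// 48 bytes) before touching the payload, and reports a recoverable error.
enum class Status { Ok, MissingOrWrongType, BadLength };

Status ownerKeyChecked(const Object &encrypt, std::string &out) {
    Object o = encrypt.lookup("O");
    if (!o.isString()) return Status::MissingOrWrongType;
    const std::string &s = o.getString();
    if (s.size() != 32 && s.size() != 48) return Status::BadLength;
    out = s;
    return Status::Ok;
}

// Constructed sample input: a well-formed standard /Encrypt dict, and a
// "fuzzed" copy where /O has become an integer (hypothetical, not the
// attachment from this report).
Object wellFormedEncryptDict() {
    Object d = Object::makeDict();
    d.dict->entries["Filter"] = Object::makeName("Standard");
    d.dict->entries["V"] = Object::makeInt(2);
    d.dict->entries["R"] = Object::makeInt(3);
    d.dict->entries["O"] = Object::makeString(std::string(32, 'O'));
    d.dict->entries["U"] = Object::makeString(std::string(32, 'U'));
    return d;
}

Object fuzzedEncryptDict() {
    Object d = wellFormedEncryptDict();
    d.dict->entries["O"] = Object::makeInt(12345); // type confusion introduced by the fuzzer
    return d;
}

int main() {
    std::string key;
    Status s = ownerKeyChecked(fuzzedEncryptDict(), key);
    std::printf("hardened path on fuzzed dict: %s\n",
                s == Status::MissingOrWrongType ? "rejected (wrong type)" : "unexpected");
    s = ownerKeyChecked(wellFormedEncryptDict(), key);
    std::printf("hardened path on good dict: %s, key length %zu\n",
                s == Status::Ok ? "ok" : "unexpected", key.size());
    // ownerKeyUnchecked(fuzzedEncryptDict()); // would abort() here, as in the trace
    return 0;
}
```

Builds with any C++11 compiler (g++ -std=c++11 example.cc). The point for triage is the one the maintainer makes: the abort is the type check doing its job, so the impact is a denial of service on a doctored input, not memory corruption; the hardening belongs in the caller, which should test isString() before asking for the string.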