Hi,

while fuzzing, pdftohtml may crash with invalid image (file enclosed) with poppler-0.43.0 and poppler-0.44.0.

Internal Error: xref num 3 not found but needed, try to reconstruct<0a>
Syntax Error (71): Bad 'Length' attribute in stream
Bogus memory allocation size
Erreur de segmentation (core dumped)

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7a31626 in GfxImageColorMap::getRGB (this=0x68dc40, x=0x0, rgb=0x7fffffffd130) at /home/legarrec/info/portage/app-text/poppler-0.43.0/work/poppler-0.43.0/poppler/GfxState.cc:6070
6070 color.c[i] = lookup2[i][x[i]];
(gdb) bt
#0 0x00007ffff7a31626 in GfxImageColorMap::getRGB (this=0x68dc40, x=0x0, rgb=0x7fffffffd130) at /home/legarrec/info/portage/app-text/poppler-0.43.0/work/poppler-0.43.0/poppler/GfxState.cc:6070
#1 0x0000000000426592 in HtmlOutputDev::drawPngImage (this=0x679190, state=0x68d3c0, str=0x699530, width=1, height=1, colorMap=0x68dc40, isMask=false) at HtmlOutputDev.cc:1396
#2 0x00007ffff7a06264 in Gfx::doImage (this=0x67d120, ref=0x7fffffffd440, str=0x699530, inlineImg=false) at /home/legarrec/info/portage/app-text/poppler-0.43.0/work/poppler-0.43.0/poppler/Gfx.cc:4707
#3 0x00007ffff7a03eea in Gfx::opXObject (this=0x67d120, args=0x7fffffffd580, numArgs=1) at /home/legarrec/info/portage/app-text/poppler-0.43.0/work/poppler-0.43.0/poppler/Gfx.cc:4206
#4 0x00007ffff79f0e4c in Gfx::execOp (this=0x67d120, cmd=0x7fffffffd540, args=0x7fffffffd580, numArgs=1) at /home/legarrec/info/portage/app-text/poppler-0.43.0/work/poppler-0.43.0/poppler/Gfx.cc:904
#5 0x00007ffff79f06e0 in Gfx::go (this=0x67d120, topLevel=true) at /home/legarrec/info/portage/app-text/poppler-0.43.0/work/poppler-0.43.0/poppler/Gfx.cc:763
#6 0x00007ffff79f04b1 in Gfx::display (this=0x67d120, obj=0x7fffffffd8d0, topLevel=true) at /home/legarrec/info/portage/app-text/poppler-0.43.0/work/poppler-0.43.0/poppler/Gfx.cc:729
#7 0x00007ffff7a5d0c3 in Page::displaySlice (this=0x67d050, out=0x679190, hDPI=108, vDPI=108, rotate=0, useMediaBox=true, crop=false, sliceX=-1, sliceY=-1, sliceW=-1, sliceH=-1, printing=false, abortCheckCbk=0x0, abortCheckCbkData=0x0, annotDisplayDecideCbk=0x0, annotDisplayDecideCbkData=0x0, copyXRef=false) at /home/legarrec/info/portage/app-text/poppler-0.43.0/work/poppler-0.43.0/poppler/Page.cc:599
#8 0x00007ffff7a5cb00 in Page::display (this=0x67d050, out=0x679190, hDPI=108, vDPI=108, rotate=0, useMediaBox=true, crop=false, printing=false, abortCheckCbk=0x0, abortCheckCbkData=0x0, annotDisplayDecideCbk=0x0, annotDisplayDecideCbkData=0x0, copyXRef=false) at /home/legarrec/info/portage/app-text/poppler-0.43.0/work/poppler-0.43.0/poppler/Page.cc:521
#9 0x00007ffff7a60b8f in PDFDoc::displayPage (this=0x677f70, out=0x679190, page=1, hDPI=108, vDPI=108, rotate=0, useMediaBox=true, crop=false, printing=false, abortCheckCbk=0x0, abortCheckCbkData=0x0, annotDisplayDecideCbk=0x0, annotDisplayDecideCbkData=0x0, copyXRef=false) at /home/legarrec/info/portage/app-text/poppler-0.43.0/work/poppler-0.43.0/poppler/PDFDoc.cc:493
#10 0x00007ffff7a60c30 in PDFDoc::displayPages (this=0x677f70, out=0x679190, firstPage=1, lastPage=1, hDPI=108, vDPI=108, rotate=0, useMediaBox=true, crop=false, printing=false, abortCheckCbk=0x0, abortCheckCbkData=0x0, annotDisplayDecideCbk=0x0, annotDisplayDecideCbkData=0x0) at /home/legarrec/info/portage/app-text/poppler-0.43.0/work/poppler-0.43.0/poppler/PDFDoc.cc:509
#11 0x00000000004093dd in main (argc=2, argv=<optimized out>) at pdftohtml.cc:392
Please attach a file to reproduce.
Created attachment 124007: drawPngImage.pdf
Created attachment 124008: drawPngImage.patch
Proposal patch.
Pushed, thanks :)