Bug 96027 - poppler-0.44.0: stack overflow while rendering with pdftohtml (3)
Status: RESOLVED FIXED
Alias: None
Product: poppler
Classification: Unclassified
Component: pdftohtml
Version: unspecified
Hardware: Other All
Importance: medium normal
Assignee: poppler-bugs
Reported: 2016-05-24 20:07 UTC by LE GARREC Vincent
Modified: 2016-05-24 21:35 UTC

Attachments
stackoverflow.pdf (1.80 KB, application/pdf), 2016-05-24 20:08 UTC, LE GARREC Vincent


Description LE GARREC Vincent 2016-05-24 20:07:17 UTC
Hi, while fuzzing, pdftohtml crashes with an invalid PDF (file enclosed) with poppler-0.43.0 and poppler-0.44.0.
Libpoppler runs into an infinite loop. I don't know if it's a stack overflow, but the stack looks broken, so probably.

Output:
…
Syntax Error (1712): Illegal character <2f> in hex string
Syntax Error (1713): Illegal character <49> in hex string
Syntax Error (1714): Illegal character <6e> in hex string
Syntax Error (1716): Illegal character <6f> in hex string
Syntax Error (1723): Illegal character <52> in hex string
Syntax Error (1725): Illegal character <2f> in hex string
Syntax Error (1726): Illegal character <49> in hex string
Syntax Error (1729): Illegal character <5b> in hex string
Syntax Error (1731): Illegal character <3c> in hex string
Syntax Error (1734): Illegal character <54> in hex string
Syntax Error (1764): Missing 'endstream' or incorrect stream length
Syntax Error (957): Dictionary key must be a name object
Syntax Error (959): Dictionary key must be a name object

gdb output:
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7a20fcd in gfree (p=0xbd4c60) at gmem.cc:289
289       if (p) {
(gdb) bt
#0  0x00007ffff7a20fcd in gfree (p=0xbd4c60) at gmem.cc:289
#1  0x00007ffff78874d8 in Object::free (this=0xbd2068) at Object.cc:158
#2  0xffffffffffd58ad0 in ?? ()
#3  0x0000000000000007 in ?? ()
#4  0x0000000000000007 in ?? ()
#5  0x0000000000bd4c60 in ?? ()
#6  0x0000000000000002 in ?? ()
#7  0x0000000000000000 in ?? ()
Comment 1 LE GARREC Vincent 2016-05-24 20:08:38 UTC
Created attachment 124061
stackoverflow.pdf
Comment 2 LE GARREC Vincent 2016-05-24 20:18:12 UTC
I just tried to open it with evince. Evince crashed, but I now have the stack. Hope it helps. Good luck.

#0  _int_malloc (av=av@entry=0x7fffd0000020, bytes=bytes@entry=2) at malloc.c:3320
#1  0x00007ffff4945ad9 in __GI___libc_malloc (bytes=2) at malloc.c:2914
#2  0x00007fffe4dbf90e in gmalloc (size=2, checkoverflow=false)
    at /home/legarrec/info/portage/app-text/poppler-0.43.0/work/poppler-0.43.0/goo/gmem.cc:110
#3  0x00007fffe4dbf97b in gmalloc (size=2)
    at /home/legarrec/info/portage/app-text/poppler-0.43.0/work/poppler-0.43.0/goo/gmem.cc:120
#4  0x00007fffe4dbfdac in copyString (s=0x7fffd04b0c79 "[")
    at /home/legarrec/info/portage/app-text/poppler-0.43.0/work/poppler-0.43.0/goo/gmem.cc:316
#5  0x00007fffe4e86c26 in Object::initCmd (this=0x7fffd04b06e8, cmdA=0x7fffd04b0c79 "[")
    at /home/legarrec/info/portage/app-text/poppler-0.43.0/work/poppler-0.43.0/poppler/Object.h:151
#6  0x00007fffe4e8649a in Lexer::getObj (this=0x7fffd04b0c50, obj=0x7fffd04b06e8, objNum=-1)
    at /home/legarrec/info/portage/app-text/poppler-0.43.0/work/poppler-0.43.0/poppler/Lexer.cc:470
#7  0x00007fffe4e95784 in Parser::shift (this=0x7fffd04b06c0, objNum=-1)
    at /home/legarrec/info/portage/app-text/poppler-0.43.0/work/poppler-0.43.0/poppler/Parser.cc:300
#8  0x00007fffe4e94b4f in Parser::getObj (this=0x7fffd04b06c0, obj=0x7fffe5abc2c0, simpleOnly=false, fileKey=0x0, 
    encAlgorithm=(cryptAES256 | unknown: 774974788), keyLength=-1020982732, objNum=6, objGen=0, recursion=182, 
    strict=false) at /home/legarrec/info/portage/app-text/poppler-0.43.0/work/poppler-0.43.0/poppler/Parser.cc:92
#9  0x00007fffe4e94bed in Parser::getObj (this=0x7fffd04b06c0, obj=0x7fffe5abc390, simpleOnly=false, fileKey=0x0, 
    encAlgorithm=(cryptAES256 | unknown: 774974788), keyLength=-1020982732, objNum=6, objGen=0, recursion=181, 
    strict=false) at /home/legarrec/info/portage/app-text/poppler-0.43.0/work/poppler-0.43.0/poppler/Parser.cc:95
#10 0x00007fffe4e94bed in Parser::getObj (this=0x7fffd04b06c0, obj=0x7fffe5abc460, simpleOnly=false, fileKey=0x0, 
    encAlgorithm=(cryptAES256 | unknown: 774974788), keyLength=-1020982732, objNum=6, objGen=0, recursion=180, 
    strict=false) at /home/legarrec/info/portage/app-text/poppler-0.43.0/work/poppler-0.43.0/poppler/Parser.cc:95
#11 0x00007fffe4e94bed in Parser::getObj (this=0x7fffd04b06c0, obj=0x7fffe5abc530, simpleOnly=false, fileKey=0x0, 
    encAlgorithm=(cryptAES256 | unknown: 774974788), keyLength=-1020982732, objNum=6, objGen=0, recursion=179, 
    strict=false) at /home/legarrec/info/portage/app-text/poppler-0.43.0/work/poppler-0.43.0/poppler/Parser.cc:95
#12 0x00007fffe4e94bed in Parser::getObj (this=0x7fffd04b06c0, obj=0x7fffe5abc600, simpleOnly=false, fileKey=0x0, 
    encAlgorithm=(cryptAES256 | unknown: 774974788), keyLength=-1020982732, objNum=6, objGen=0, recursion=178, 
    strict=false) at /home/legarrec/info/portage/app-text/poppler-0.43.0/work/poppler-0.43.0/poppler/Parser.cc:95
#13 0x00007fffe4e94bed in Parser::getObj (this=0x7fffd04b06c0, obj=0x7fffe5abc6d0, simpleOnly=false, fileKey=0x0, 
    encAlgorithm=(cryptAES256 | unknown: 774974788), keyLength=-1020982732, objNum=6, objGen=0, recursion=177, 
    strict=false) at /home/legarrec/info/portage/app-text/poppler-0.43.0/work/poppler-0.43.0/poppler/Parser.cc:95
#14 0x00007fffe4e94bed in Parser::getObj (this=0x7fffd04b06c0, obj=0x7fffe5abc7a0, simpleOnly=false, fileKey=0x0, 
    encAlgorithm=(cryptAES256 | unknown: 774974788), keyLength=-1020982732, objNum=6, objGen=0, recursion=176, 
    strict=false) at /home/legarrec/info/portage/app-text/poppler-0.43.0/work/poppler-0.43.0/poppler/Parser.cc:95
…
#9045 0x00007fffe8e97bed in Parser::getObj (this=0x7fffd83cd530, obj=0x7fffe9c84e00, simpleOnly=false, fileKey=0x0, encAlgorithm=(cryptAES256 | unknown: 774974788), keyLength=-1020982732, objNum=6, objGen=0, recursion=3, strict=false)
    at /home/legarrec/info/portage/app-text/poppler-0.43.0/work/poppler-0.43.0/poppler/Parser.cc:95
#9046 0x00007fffe8e97bed in Parser::getObj (this=0x7fffd83cd530, obj=0x7fffe9c84ed0, simpleOnly=false, fileKey=0x0, encAlgorithm=(cryptAES256 | unknown: 774974788), keyLength=-1020982732, objNum=6, objGen=0, recursion=2, strict=false)
    at /home/legarrec/info/portage/app-text/poppler-0.43.0/work/poppler-0.43.0/poppler/Parser.cc:95
#9047 0x00007fffe8e97bed in Parser::getObj (this=0x7fffd83cd530, obj=0x7fffe9c84fa0, simpleOnly=false, fileKey=0x0, encAlgorithm=(cryptAES256 | unknown: 774974788), keyLength=-1020982732, objNum=6, objGen=0, recursion=1, strict=false)
    at /home/legarrec/info/portage/app-text/poppler-0.43.0/work/poppler-0.43.0/poppler/Parser.cc:95
#9048 0x00007fffe8e97e5d in Parser::getObj (this=0x7fffd83cd530, obj=0x7fffe9c851f0, simpleOnly=false, fileKey=0x0, encAlgorithm=(cryptAES256 | unknown: 774974788), keyLength=-1020982732, objNum=6, objGen=0, recursion=0, strict=false)
    at /home/legarrec/info/portage/app-text/poppler-0.43.0/work/poppler-0.43.0/poppler/Parser.cc:121
#9049 0x00007fffe8ec0167 in XRef::fetch (this=0x7fffd80522c0, num=6, gen=0, obj=0x7fffe9c851f0, recursion=0) at /home/legarrec/info/portage/app-text/poppler-0.43.0/work/poppler-0.43.0/poppler/XRef.cc:1210
#9050 0x00007fffe8e90769 in Object::fetch (this=0x7fffd83cd6f0, xref=0x7fffd80522c0, obj=0x7fffe9c851f0, recursion=0) at /home/legarrec/info/portage/app-text/poppler-0.43.0/work/poppler-0.43.0/poppler/Object.cc:122
#9051 0x00007fffe8e16b2c in Dict::lookup (this=0x7fffd83ccf20, key=0x7fffe8f5d9fc "DP", obj=0x7fffe9c851f0, recursion=0) at /home/legarrec/info/portage/app-text/poppler-0.43.0/work/poppler-0.43.0/poppler/Dict.cc:261
#9052 0x00007fffe960d085 in Object::dictLookup (this=0x7fffe9c85430, key=0x7fffe8f5d9fc "DP", obj=0x7fffe9c851f0, recursion=0) at /home/legarrec/info/portage/app-text/poppler-0.43.0/work/poppler-0.43.0/poppler/Object.h:330
#9053 0x00007fffe8ea4823 in Stream::addFilters (this=0x7fffd83cdc70, dict=0x7fffe9c85430, recursion=200) at /home/legarrec/info/portage/app-text/poppler-0.43.0/work/poppler-0.43.0/poppler/Stream.cc:186
#9054 0x00007fffe8e98680 in Parser::makeStream (this=0x7fffd83c8690, dict=0x7fffe9c85430, fileKey=0x0, encAlgorithm=(cryptAES256 | unknown: 774974788), keyLength=-1020982732, objNum=6, objGen=0, recursion=200, strict=false)
    at /home/legarrec/info/portage/app-text/poppler-0.43.0/work/poppler-0.43.0/poppler/Parser.cc:277
#9055 0x00007fffe8e97f2f in Parser::getObj (this=0x7fffd83c8690, obj=0x7fffe9c85430, simpleOnly=false, fileKey=0x0, encAlgorithm=(cryptAES256 | unknown: 774974788), keyLength=-1020982732, objNum=6, objGen=0, recursion=199, strict=false)
    at /home/legarrec/info/portage/app-text/poppler-0.43.0/work/poppler-0.43.0/poppler/Parser.cc:131
#9056 0x00007fffe8e97bed in Parser::getObj (this=0x7fffd83c8690, obj=0x7fffe9c85500, simpleOnly=false, fileKey=0x0, encAlgorithm=(cryptAES256 | unknown: 774974788), keyLength=-1020982732, objNum=6, objGen=0, recursion=198, strict=false)
    at /home/legarrec/info/portage/app-text/poppler-0.43.0/work/poppler-0.43.0/poppler/Parser.cc:95
#9057 0x00007fffe8e97bed in Parser::getObj (this=0x7fffd83c8690, obj=0x7fffe9c855d0, simpleOnly=false, fileKey=0x0, encAlgorithm=(cryptAES256 | unknown: 774974788), keyLength=-1020982732, objNum=6, objGen=0, recursion=197, strict=false)
    at /home/legarrec/info/portage/app-text/poppler-0.43.0/work/poppler-0.43.0/poppler/Parser.cc:95
#9058 0x00007fffe8e97bed in Parser::getObj (this=0x7fffd83c8690, obj=0x7fffe9c856a0, simpleOnly=false, fileKey=0x0, encAlgorithm=(cryptAES256 | unknown: 774974788), keyLength=-1020982732, objNum=6, objGen=0, recursion=196, strict=false)
    at /home/legarrec/info/portage/app-text/poppler-0.43.0/work/poppler-0.43.0/poppler/Parser.cc:95
#9059 0x00007fffe8e97bed in Parser::getObj (this=0x7fffd83c8690, obj=0x7fffe9c85770, simpleOnly=false, fileKey=0x0, encAlgorithm=(cryptAES256 | unknown: 774974788), keyLength=-1020982732, objNum=6, objGen=0, recursion=195, strict=false)
    at /home/legarrec/info/portage/app-text/poppler-0.43.0/work/poppler-0.43.0/poppler/Parser.cc:95
#9060 0x00007fffe8e97bed in Parser::getObj (this=0x7fffd83c8690, obj=0x7fffe9c85840, simpleOnly=false, fileKey=0x0, encAlgorithm=(cryptAES256 | unknown: 774974788), keyLength=-1020982732, objNum=6, objGen=0, recursion=194, strict=false)
    at /home/legarrec/info/portage/app-text/poppler-0.43.0/work/poppler-0.43.0/poppler/Parser.cc:95
…
    at /home/legarrec/info/portage/app-text/poppler-0.43.0/work/poppler-0.43.0/poppler/Parser.cc:95
#40766 0x00007fffe8e97bed in Parser::getObj (this=0x7fffd8052620, obj=0x7fffea2bd0f0, simpleOnly=false, fileKey=0x0, encAlgorithm=(cryptAES256 | unknown: 774974788), keyLength=-1020982732, objNum=11, objGen=0, recursion=9, strict=false)
    at /home/legarrec/info/portage/app-text/poppler-0.43.0/work/poppler-0.43.0/poppler/Parser.cc:95
#40767 0x00007fffe8e97bed in Parser::getObj (this=0x7fffd8052620, obj=0x7fffea2bd1c0, simpleOnly=false, fileKey=0x0, encAlgorithm=(cryptAES256 | unknown: 774974788), keyLength=-1020982732, objNum=11, objGen=0, recursion=8, strict=false)
    at /home/legarrec/info/portage/app-text/poppler-0.43.0/work/poppler-0.43.0/poppler/Parser.cc:95
#40768 0x00007fffe8e97bed in Parser::getObj (this=0x7fffd8052620, obj=0x7fffea2bd290, simpleOnly=false, fileKey=0x0, encAlgorithm=(cryptAES256 | unknown: 774974788), keyLength=-1020982732, objNum=11, objGen=0, recursion=7, strict=false)
    at /home/legarrec/info/portage/app-text/poppler-0.43.0/work/poppler-0.43.0/poppler/Parser.cc:95
#40769 0x00007fffe8e97bed in Parser::getObj (this=0x7fffd8052620, obj=0x7fffea2bd360, simpleOnly=false, fileKey=0x0, encAlgorithm=(cryptAES256 | unknown: 774974788), keyLength=-1020982732, objNum=11, objGen=0, recursion=6, strict=false)
    at /home/legarrec/info/portage/app-text/poppler-0.43.0/work/poppler-0.43.0/poppler/Parser.cc:95
#40770 0x00007fffe8e97bed in Parser::getObj (this=0x7fffd8052620, obj=0x7fffea2bd430, simpleOnly=false, fileKey=0x0, encAlgorithm=(cryptAES256 | unknown: 774974788), keyLength=-1020982732, objNum=11, objGen=0, recursion=5, strict=false)
    at /home/legarrec/info/portage/app-text/poppler-0.43.0/work/poppler-0.43.0/poppler/Parser.cc:95
#40771 0x00007fffe8e97bed in Parser::getObj (this=0x7fffd8052620, obj=0x7fffea2bd500, simpleOnly=false, fileKey=0x0, encAlgorithm=(cryptAES256 | unknown: 774974788), keyLength=-1020982732, objNum=11, objGen=0, recursion=4, strict=false)
    at /home/legarrec/info/portage/app-text/poppler-0.43.0/work/poppler-0.43.0/poppler/Parser.cc:95
#40772 0x00007fffe8e97e5d in Parser::getObj (this=0x7fffd8052620, obj=0x7fffea2bd5d0, simpleOnly=false, fileKey=0x0, encAlgorithm=(cryptAES256 | unknown: 774974788), keyLength=-1020982732, objNum=11, objGen=0, recursion=3, strict=false)
    at /home/legarrec/info/portage/app-text/poppler-0.43.0/work/poppler-0.43.0/poppler/Parser.cc:121
#40773 0x00007fffe8e97bed in Parser::getObj (this=0x7fffd8052620, obj=0x7fffea2bd6a0, simpleOnly=false, fileKey=0x0, encAlgorithm=(cryptAES256 | unknown: 774974788), keyLength=-1020982732, objNum=11, objGen=0, recursion=2, strict=false)
    at /home/legarrec/info/portage/app-text/poppler-0.43.0/work/poppler-0.43.0/poppler/Parser.cc:95
#40774 0x00007fffe8e97bed in Parser::getObj (this=0x7fffd8052620, obj=0x7fffea2bd770, simpleOnly=false, fileKey=0x0, encAlgorithm=(cryptAES256 | unknown: 774974788), keyLength=-1020982732, objNum=11, objGen=0, recursion=1, strict=false)
    at /home/legarrec/info/portage/app-text/poppler-0.43.0/work/poppler-0.43.0/poppler/Parser.cc:95
#40775 0x00007fffe8e97e5d in Parser::getObj (this=0x7fffd8052620, obj=0x7fffea2bd920, simpleOnly=false, fileKey=0x0, encAlgorithm=(cryptAES256 | unknown: 774974788), keyLength=-1020982732, objNum=11, objGen=0, recursion=0, strict=false)
    at /home/legarrec/info/portage/app-text/poppler-0.43.0/work/poppler-0.43.0/poppler/Parser.cc:121
#40776 0x00007fffe8ec0167 in XRef::fetch (this=0x7fffd80522c0, num=11, gen=0, obj=0x7fffea2bd920, recursion=0) at /home/legarrec/info/portage/app-text/poppler-0.43.0/work/poppler-0.43.0/poppler/XRef.cc:1210
#40777 0x00007fffe8ebfb85 in XRef::getCatalog (this=0x7fffd80522c0, catalog=0x7fffea2bd920) at /home/legarrec/info/portage/app-text/poppler-0.43.0/work/poppler-0.43.0/poppler/XRef.cc:1136
#40778 0x00007fffe8e03047 in Catalog::Catalog (this=0x7fffd80523c0, docA=0x7fffd8052070) at /home/legarrec/info/portage/app-text/poppler-0.43.0/work/poppler-0.43.0/poppler/Catalog.cc:109
#40779 0x00007fffe8e98fbc in PDFDoc::setup (this=0x7fffd8052070, ownerPassword=0x0, userPassword=0x0) at /home/legarrec/info/portage/app-text/poppler-0.43.0/work/poppler-0.43.0/poppler/PDFDoc.cc:284
#40780 0x00007fffe8e98c34 in PDFDoc::PDFDoc (this=0x7fffd8052070, fileNameA=0x7fffd8051f50, ownerPassword=0x0, userPassword=0x0, guiDataA=0x0) at /home/legarrec/info/portage/app-text/poppler-0.43.0/work/poppler-0.43.0/poppler/PDFDoc.cc:168
#40781 0x00007fffe960d931 in poppler_document_new_from_file (uri=0xbaf880 "file:///home/legarrec/info/programmation/tmp/poppler-0.44.0/testcases2/4.pdf", password=0x0, error=0x7fffea2bdb18) at /home/legarrec/info/portage/app-text/poppler-0.43.0/work/poppler-0.43.0/glib/poppler-document.cc:202
#40782 0x00007fffe98b07ec in pdf_document_load (document=0xba0f10, uri=0xbaf880 "file:///home/legarrec/info/programmation/tmp/poppler-0.44.0/testcases2/4.pdf", error=0x7fffea2bdb68) at ev-poppler.cc:280
#40783 0x00007ffff7bad8ca in ev_document_load (document=0xba0f10, uri=0xbaf880 "file:///home/legarrec/info/programmation/tmp/poppler-0.44.0/testcases2/4.pdf", error=0x7fffea2bdbc0) at ev-document.c:318
#40784 0x00007ffff7bb09db in ev_document_factory_get_document (uri=0xbaf880 "file:///home/legarrec/info/programmation/tmp/poppler-0.44.0/testcases2/4.pdf", error=0x7fffea2bdc10) at ev-document-factory.c:313
#40785 0x00007ffff794a8d2 in ev_job_load_run (job=0xb95450) at ev-jobs.c:1117
#40786 0x00007ffff794875d in ev_job_run (job=0xb95450) at ev-jobs.c:216
#40787 0x00007ffff794cb8d in ev_job_thread (job=0xb95450) at ev-job-scheduler.c:184
#40788 0x00007ffff794cc41 in ev_job_thread_proxy (data=0x0) at ev-job-scheduler.c:217
#40789 0x00007ffff5208b4c in g_thread_proxy (data=0xb95400) at /home/legarrec/info/portage/dev-libs/glib-2.48.0-r1/work/glib-2.48.0/glib/gthread.c:780
#40790 0x00007ffff4c6f4e0 in start_thread (arg=0x7fffea2be700) at pthread_create.c:333
#40791 0x00007ffff49b7d3d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109
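What the evince trace above shows, as an added note that is not part of the bug report: inside a single Parser the recursion argument climbs from 0 to 199 and Parser::getObj stops descending at its limit, but when Parser::makeStream calls Stream::addFilters, which looks up "DP" in the stream dictionary and resolves it through Object::fetch and XRef::fetch, a fresh Parser is started with recursion=0 (frames #9048 and #40775). Object 6 is being parsed when XRef::fetch is asked for object 6 again (frames #9049 and #9054), so every hop restarts the counter, the per-parser guard never ends the descent, and the real stack is exhausted after roughly 40,000 frames. The toy parser below, my own model and not poppler's code, reproduces that shape: with propagateDepth=false a self-referential object runs until a frame budget (standing in for the stack) is exhausted while the depth counter never exceeds 2; with propagateDepth=true the caller's depth is carried through the fetch and the same input is cut off after 201 frames. The class and function names, the grammar subset and the two object stores are constructed for the example; the page does not describe the fix that was pushed, so propagateDepth=true is one way to close the gap, not necessarily what poppler did.

```cpp
#include <cctype>
#include <initializer_list>
#include <iostream>
#include <map>
#include <string>

// Constructed object store (object number -> body). Toy subset of PDF syntax only:
// '[' ... ']' arrays, integers and "N G R" indirect references.
using ObjectStore = std::map<int, std::string>;
enum class Outcome { Ok, DepthLimit, FrameBudgetExhausted };
struct ParseStats {
    Outcome outcome = Outcome::Ok;
    int maxDepth = 0;     // highest value the per-parser depth counter reached
    int totalFrames = 0;  // getObj calls across all parsers: what the stack really pays for
};

class ToyParser {
public:
    // propagateDepth=false models the trace: a fetched object gets a new parser whose counter
    // restarts at 0. propagateDepth=true carries the caller's depth through the fetch, so the
    // limit is global. frameBudget stands in for the stack size; exceeding it is the "crash".
    ToyParser(ObjectStore store, bool propagateDepth, int depthLimit = 200, int frameBudget = 10000)
        : store_(store), propagate_(propagateDepth), depthLimit_(depthLimit), frameBudget_(frameBudget) {}
    ParseStats parseObject(int num) { ParseStats st; fetch(num, 0, st); return st; }
private:
    ObjectStore store_;
    bool propagate_;
    int depthLimit_, frameBudget_;
    static bool digitAt(const std::string& s, std::size_t p) { return p < s.size() && std::isdigit((unsigned char)s[p]); }
    static void skipWs(const std::string& s, std::size_t& p) { while (p < s.size() && std::isspace((unsigned char)s[p])) ++p; }
    static int readInt(const std::string& s, std::size_t& p) { int v = 0; while (digitAt(s, p)) v = v * 10 + (s[p++] - '0'); return v; }

    // Consume "N G R" at pos; on failure pos is left where it was.
    static bool readRef(const std::string& s, std::size_t& pos, int& num) {
        std::size_t p = pos;
        if (!digitAt(s, p)) return false;
        num = readInt(s, p); skipWs(s, p);
        if (!digitAt(s, p)) return false;
        readInt(s, p); skipWs(s, p);  // generation number, ignored here
        if (p >= s.size() || s[p] != 'R') return false;
        pos = p + 1;
        return true;
    }
    // Consume one object without recursing (used once the depth limit has been hit).
    static void skipObj(const std::string& s, std::size_t& pos) {
        skipWs(s, pos);
        int dummy = 0;
        if (pos >= s.size() || readRef(s, pos, dummy)) return;
        if (s[pos] == '[') {
            int level = 0;
            do { level += (s[pos] == '[') - (s[pos] == ']'); ++pos; } while (pos < s.size() && level > 0);
        } else if (digitAt(s, pos)) readInt(s, pos);
        else ++pos;
    }
    // Models XRef::fetch followed by a fresh Parser over the referenced object.
    void fetch(int num, int callerDepth, ParseStats& st) {
        auto it = store_.find(num);
        if (it == store_.end()) return;  // dangling reference: null object
        std::size_t pos = 0;
        getObj(it->second, pos, propagate_ ? callerDepth : 0, st);
    }
    // One call per object, like Parser::getObj; array elements recurse at depth + 1.
    void getObj(const std::string& s, std::size_t& pos, int depth, ParseStats& st) {
        if (st.outcome == Outcome::FrameBudgetExhausted) return;
        if (++st.totalFrames > frameBudget_) { st.outcome = Outcome::FrameBudgetExhausted; return; }
        if (depth > st.maxDepth) st.maxDepth = depth;
        if (depth >= depthLimit_) {  // recursion guard: drop this subtree instead of descending
            if (st.outcome == Outcome::Ok) st.outcome = Outcome::DepthLimit;
            skipObj(s, pos);
            return;
        }
        skipWs(s, pos);
        if (pos >= s.size()) return;
        int refNum = 0;
        if (readRef(s, pos, refNum)) { fetch(refNum, depth + 1, st); return; }
        if (s[pos] != '[') { if (digitAt(s, pos)) readInt(s, pos); else ++pos; return; }
        for (++pos;;) {  // array body
            skipWs(s, pos);
            if (pos >= s.size()) return;  // unterminated array
            if (s[pos] == ']') { ++pos; return; }
            getObj(s, pos, depth + 1, st);
            if (st.outcome == Outcome::FrameBudgetExhausted) return;
        }
    }
};

// Constructed input mirroring the trace: object 11 (the catalog there) nests a reference
// to object 6, and object 6 nests a reference to itself.
ObjectStore selfReferentialStore() { return {{11, "[ [ 6 0 R ] ]"}, {6, "[ [ 6 0 R ] ]"}}; }
// Constructed well-formed input: shallow nesting, one reference, no cycle.
ObjectStore benignStore() { return {{1, "[ [ 2 0 R ] 7 ]"}, {2, "[ 3 ]"}}; }

int main() {
    for (bool propagate : {false, true}) {
        ParseStats st = ToyParser(selfReferentialStore(), propagate).parseObject(11);
        std::cout << (propagate ? "global" : "per-parser") << " depth: outcome=" << static_cast<int>(st.outcome)
                  << " maxDepth=" << st.maxDepth << " totalFrames=" << st.totalFrames << '\n';
    }
}
```

The point of the two runs is the maxDepth column: in the per-parser run it never rises above 2 even though the total number of frames is unbounded, which is why a limit checked only against the current Parser's counter cannot catch a cycle that passes through XRef::fetch. Any recursion guard for a format with indirect references has to count depth across the reference boundary (or track the set of objects currently being resolved), not per parser instance. When triaging a crash like the one in the description, where the backtrace is already corrupt, building with AddressSanitizer is the quickest way to get a definite answer: it reports this class of bug as a stack-overflow rather than leaving the SIGSEGV in gfree to be guessed at.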
Comment 3 Albert Astals Cid 2016-05-24 21:35:26 UTC
Fix pushed.

