<html>
<head>
<base href="https://bugs.freedesktop.org/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Priority</th>
<td>medium
</td>
</tr>
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW --- - Segfault in ImageStream::getLine on a corrupted (fuzzed) PDF file"
href="https://bugs.freedesktop.org/show_bug.cgi?id=65221">65221</a>
</td>
</tr>
<tr>
<th>Assignee</th>
<td>poppler-bugs@lists.freedesktop.org
</td>
</tr>
<tr>
<th>Summary</th>
<td>Segfault in ImageStream::getLine on a corrupted (fuzzed) PDF file
</td>
</tr>
<tr>
<th>Severity</th>
<td>critical
</td>
</tr>
<tr>
<th>Classification</th>
<td>Unclassified
</td>
</tr>
<tr>
<th>OS</th>
<td>Linux (All)
</td>
</tr>
<tr>
<th>Reporter</th>
<td>jutaky@gmail.com
</td>
</tr>
<tr>
<th>Hardware</th>
<td>x86-64 (AMD64)
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Version</th>
<td>unspecified
</td>
</tr>
<tr>
<th>Component</th>
<td>cairo backend
</td>
</tr>
<tr>
<th>Product</th>
<td>poppler
</td>
</tr></table>
<p>
<div>
<pre>Segfault in ImageStream::getLine on a corrupted (fuzzed) PDF file.
Tested on evince git 20130531 with poppler git 20130531.
Also crashes with epdfview.
Test case: <a href="http://jutaky.com/fuzzing/poppler_case_10298_1453.pdf">http://jutaky.com/fuzzing/poppler_case_10298_1453.pdf</a>
Debugging information:
0x00007fffcbcae1a2 in ImageStream::getLine (this=0x7fffcc052f60) at
Stream.cc:548
548 buf = (buf << 8) | (*p++ & 0xff);
(gdb) bt
#0 0x00007fffcbcae1a2 in ImageStream::getLine (this=0x7fffcc052f60) at
Stream.cc:548
#1 0x00007fffd025be94 in CairoOutputDev::drawSoftMaskedImage
(this=0x7fffcc049160, state=0x7fffcc052270, ref=0x7fffe4c20560,
str=0x7fffcc1ac5b0, width=2700, height=2250,
colorMap=0x7fffcc053150, interpolate=true, maskStr=0x7fffcc1b4b40,
maskWidth=2700, maskHeight=2250, maskColorMap=0x7fffcc1bd0d0,
maskInterpolate=true) at CairoOutputDev.cc:2567
#2 0x00007fffcbc538de in Gfx::doImage (this=0x7fffcc059600,
ref=0x7fffe4c20560, str=0x7fffcc1ac5b0, inlineImg=false) at Gfx.cc:4585
#3 0x00007fffcbc51caa in Gfx::opXObject (this=0x7fffcc059600,
args=0x7fffe4c206d0, numArgs=1) at Gfx.cc:4133
#4 0x00007fffcbc3f95a in Gfx::execOp (this=0x7fffcc059600, cmd=0x7fffe4c208e0,
args=0x7fffe4c206d0, numArgs=1) at Gfx.cc:858
#5 0x00007fffcbc3f256 in Gfx::go (this=0x7fffcc059600, topLevel=true) at
Gfx.cc:717
#6 0x00007fffcbc3f077 in Gfx::display (this=0x7fffcc059600,
obj=0x7fffe4c20a30, topLevel=true) at Gfx.cc:683
#7 0x00007fffcbc9fd0e in Page::displaySlice (this=0x7fffcc04f8b0,
out=0x7fffcc049160, hDPI=72, vDPI=72, rotate=0, useMediaBox=false, crop=true,
sliceX=-1, sliceY=-1, sliceW=-1,
sliceH=-1, printing=false, abortCheckCbk=0x0, abortCheckCbkData=0x0,
annotDisplayDecideCbk=0x0, annotDisplayDecideCbkData=0x0, copyXRef=false) at
Page.cc:580
#8 0x00007fffd0245690 in _poppler_page_render (page=0x7fffcc049400,
cairo=0x7fffcc059060, printing=false, print_flags=POPPLER_PRINT_DOCUMENT) at
poppler-page.cc:362
#9 0x00007fffd0245776 in poppler_page_render (page=0x7fffcc049400,
cairo=0x7fffcc059060) at poppler-page.cc:385
#10 0x00007fffe40151bc in ?? () from
/usr/lib/evince/4/backends/libpdfdocument.so
#11 0x00007fffe40152d7 in ?? () from
/usr/lib/evince/4/backends/libpdfdocument.so
#12 0x00007ffff720f830 in ev_job_render_run (job=0x9c8260) at ev-jobs.c:634
#13 0x00007ffff720ed14 in ev_job_run (job=0x9c8260) at ev-jobs.c:215
#14 0x00007ffff7212b07 in ev_job_thread (job=0x9c8260) at
ev-job-scheduler.c:184
#15 0x00007ffff7212bba in ev_job_thread_proxy (data=0x0) at
ev-job-scheduler.c:217
#16 0x00007ffff48bc185 in ?? () from /usr/lib/libglib-2.0.so.0
#17 0x00007ffff4127dd2 in start_thread () from /usr/lib/libpthread.so.0
#18 0x00007ffff3e58ced in clone () from /usr/lib/libc.so.6
--
Juha Kylmänen
Research Assistant, OUSPG</pre>
</div>
</p>
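<p>The crashing line, Stream.cc:548 <code>buf = (buf &lt;&lt; 8) | (*p++ &amp; 0xff);</code>, is the inner step of a packed-sample unpacking loop: it advances a pointer through a line buffer as many times as the declared image geometry demands (width=2700, height=2250 in the backtrace above). The following is an added, constructed illustration of that loop shape, not poppler's code and not the root cause of this report, which the report does not identify. The names <code>unpack_unchecked</code>, <code>unpack_checked</code>, <code>sample4</code>, <code>sample4_unchecked</code> and <code>oversized_claim</code> are hypothetical, and the packed bytes are made up for the example. It shows the same loop with and without a check that the sample count the caller asked for actually fits in the bytes available, the check a reader of fuzzed input needs before dereferencing <code>p</code>.</p>

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical packed-sample unpacker (added example, not poppler's
 * implementation): read nVals samples of nBits bits each, MSB first,
 * from `in`, writing one byte per sample to `out`. nBits is 1..8. */

/* Unchecked version: trusts that `in` holds enough bytes for the
 * caller-specified geometry. If the geometry comes from an untrusted
 * image dictionary and the stream is shorter than claimed, `p` walks
 * off the end of `in`. Only ever call this with a geometry that has
 * already been validated against the buffer length. */
void unpack_unchecked(const uint8_t *in, size_t nVals, int nBits, uint8_t *out)
{
    const uint8_t *p = in;
    uint32_t buf = 0;
    int bits = 0;
    for (size_t i = 0; i < nVals; i++) {
        while (bits < nBits) {
            buf = (buf << 8) | (*p++ & 0xff); /* no bound on p here */
            bits += 8;
        }
        out[i] = (uint8_t)((buf >> (bits - nBits)) & ((1u << nBits) - 1));
        bits -= nBits;
    }
}

/* Checked version: takes the real length of `in` and refuses to read
 * beyond it. Returns 0 on success, -1 if the declared geometry needs
 * more input than exists (treat as a malformed stream, not a memory
 * access). The multiplication is guarded so a huge nVals cannot wrap
 * `needed` to a small value and defeat the check. */
int unpack_checked(const uint8_t *in, size_t inLen, size_t nVals, int nBits, uint8_t *out)
{
    if (nBits < 1 || nBits > 8) return -1;
    if (nVals > SIZE_MAX / (size_t)nBits) return -1;
    size_t needed = (nVals * (size_t)nBits + 7) / 8; /* bytes, rounded up */
    if (needed > inLen) return -1;

    const uint8_t *p = in;
    uint32_t buf = 0;
    int bits = 0;
    for (size_t i = 0; i < nVals; i++) {
        while (bits < nBits) {
            buf = (buf << 8) | *p++; /* p stays within in[0..needed) */
            bits += 8;
        }
        out[i] = (uint8_t)((buf >> (bits - nBits)) & ((1u << nBits) - 1));
        bits -= nBits;
    }
    return 0;
}

/* Constructed input: two bytes of 4-bit samples, 0x12 0x34 = 1,2,3,4. */
static const uint8_t kPacked4[] = { 0x12, 0x34 };

/* Unpacks the constructed buffer with the checked reader and returns
 * sample i, or -1 for a bad index or a rejected geometry. */
int sample4(size_t i)
{
    uint8_t out[4];
    if (i >= 4) return -1;
    if (unpack_checked(kPacked4, sizeof kPacked4, 4, 4, out) != 0) return -1;
    return out[i];
}

/* Same data through the unchecked reader; safe here only because the
 * geometry (4 samples x 4 bits = 2 bytes) matches the buffer. */
int sample4_unchecked(size_t i)
{
    uint8_t out[4];
    if (i >= 4) return -1;
    unpack_unchecked(kPacked4, 4, 4, out);
    return out[i];
}

/* Models the fuzzed situation: the caller claims 2700 8-bit samples
 * (one row of the 2700-wide image in the report) but the stream holds
 * only the two bytes above. The checked reader must return -1 instead
 * of reading 2698 bytes past the buffer. */
int oversized_claim(void)
{
    uint8_t out[2700];
    return unpack_checked(kPacked4, sizeof kPacked4, 2700, 8, out);
}

int main(void)
{
    for (size_t i = 0; i < 4; i++)
        printf("sample %zu: checked=%d unchecked=%d\n", i, sample4(i), sample4_unchecked(i));
    printf("2700 samples claimed from 2 bytes: verdict=%d\n", oversized_claim());
    return 0;
}
```

<p>Compiling the block with <code>-fsanitize=address</code> and feeding the unchecked reader the oversized geometry would produce the same kind of out-of-bounds read as the backtrace shows; the checked reader rejects the geometry up front, which is the behaviour to look for when triaging a fuzzed-input crash in a sample-unpacking loop.</p>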
</body>
</html>