<html>
    <head>
      <base href="https://bugs.freedesktop.org/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Priority</th>
          <td>medium
          </td>
        </tr>

        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW --- - Segfault in GfxImageColorMap::getRGBLine on a corrupted (fuzzed) pdf file"
   href="https://bugs.freedesktop.org/show_bug.cgi?id=65969">65969</a>
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>poppler-bugs@lists.freedesktop.org
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>Segfault in GfxImageColorMap::getRGBLine on a corrupted (fuzzed) pdf file
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>critical
          </td>
        </tr>

        <tr>
          <th>Classification</th>
          <td>Unclassified
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Linux (All)
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>jutaky@gmail.com
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>x86-64 (AMD64)
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>unspecified
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>cairo backend
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>poppler
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Segfault in GfxImageColorMap::getRGBLine on a corrupted (fuzzed) pdf file.

Crash reproduced on evince (git) + poppler (git), evince (3.8.2) + poppler
(0.22.5) and epdfview (0.1.8) + poppler (0.22.5), on Arch Linux 64-bit.

Test case: <a href="http://jutaky.com/fuzzing/poppler_case_13499_7250.pdf">http://jutaky.com/fuzzing/poppler_case_13499_7250.pdf</a>

Backtrace on evince (git) + poppler (git):

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffe9a84700 (LWP 18406)]
0x00007fffe8a8fcfd in GfxImageColorMap::getRGBLine (this=0x7fffd01218f0,
in=0x0, out=0x7fffd00bf930, length=2) at GfxState.cc:5497
5497        *inp = byte_lookup[*inp * nComps + i];
(gdb) bt
#0  0x00007fffe8a8fcfd in GfxImageColorMap::getRGBLine (this=0x7fffd01218f0,
in=0x0, out=0x7fffd00bf930, length=2) at GfxState.cc:5497
#1  0x00007fffe8e5c3c9 in RescaleDrawImage::getRow (this=0x7fffe9a831f0,
row_num=0, row_data=0x7fffd00bf930) at CairoOutputDev.cc:2852
#2  0x00007fffe8e5c195 in RescaleDrawImage::getSourceImage
(this=0x7fffe9a831f0, str=0x7fffd0121740, widthA=2, height=1, scaledWidth=2,
scaledHeight=1, printing=false, 
    colorMapA=0x7fffd01218f0, maskColorsA=0x0) at CairoOutputDev.cc:2796
#3  0x00007fffe8e599f5 in CairoOutputDev::drawImage (this=0x7fffd004d000,
state=0x7fffd0120f50, ref=0x7fffe9a83540, str=0x7fffd0121740, widthA=2,
heightA=1, colorMap=0x7fffd01218f0, 
    interpolate=false, maskColors=0x0, inlineImg=false) at
CairoOutputDev.cc:2894
#4  0x00007fffe8a6af87 in Gfx::doImage (this=0x7fffd00551d0,
ref=0x7fffe9a83540, str=0x7fffd0121740, inlineImg=false) at Gfx.cc:4586
#5  0x00007fffe8a69200 in Gfx::opXObject (this=0x7fffd00551d0,
args=0x7fffe9a836b0, numArgs=1) at Gfx.cc:4127
#6  0x00007fffe8a56e68 in Gfx::execOp (this=0x7fffd00551d0, cmd=0x7fffe9a838c0,
args=0x7fffe9a836b0, numArgs=1) at Gfx.cc:852
#7  0x00007fffe8a56764 in Gfx::go (this=0x7fffd00551d0, topLevel=true) at
Gfx.cc:711
#8  0x00007fffe8a56585 in Gfx::display (this=0x7fffd00551d0,
obj=0x7fffe9a83a10, topLevel=true) at Gfx.cc:677
#9  0x00007fffe8ab727a in Page::displaySlice (this=0x7fffd0052d30,
out=0x7fffd004d000, hDPI=72, vDPI=72, rotate=0, useMediaBox=false, crop=true,
sliceX=-1, sliceY=-1, sliceW=-1, 
    sliceH=-1, printing=false, abortCheckCbk=0x0, abortCheckCbkData=0x0,
annotDisplayDecideCbk=0x0, annotDisplayDecideCbkData=0x0, copyXRef=false) at
Page.cc:580
#10 0x00007fffe8e42790 in _poppler_page_render (page=0x7fffd004cd80,
cairo=0xb05260, printing=false, print_flags=POPPLER_PRINT_DOCUMENT) at
poppler-page.cc:362
#11 0x00007fffe8e42876 in poppler_page_render (page=0x7fffd004cd80,
cairo=0xb05260) at poppler-page.cc:385
#12 0x00007fffe90796b8 in pdf_page_render (page=0x7fffd004cd80, width=569,
height=736, rc=0x7fffd0001750) at ev-poppler.cc:412
#13 0x00007fffe907981b in pdf_document_render (document=0x77ef60,
rc=0x7fffd0001750) at ev-poppler.cc:445
#14 0x00007ffff7454e32 in ev_document_render (document=0x77ef60,
rc=0x7fffd0001750) at ev-document.c:678
#15 0x00007ffff7201e50 in ev_job_render_run (job=0x7fffd000ce20) at
ev-jobs.c:634
#16 0x00007ffff7201334 in ev_job_run (job=0x7fffd000ce20) at ev-jobs.c:215
#17 0x00007ffff72051db in ev_job_thread (job=0x7fffd000ce20) at
ev-job-scheduler.c:184
#18 0x00007ffff720528e in ev_job_thread_proxy (data=0x0) at
ev-job-scheduler.c:217
#19 0x00007ffff3f81743 in g_thread_proxy (data=0x9dd140) at gthread.c:798
#20 0x00007ffff3cecdd2 in start_thread () from /usr/lib/libpthread.so.0
#21 0x00007ffff3509cdd in clone () from /usr/lib/libc.so.6

--
Juha Kylmänen
Research Assistant, OUSPG</pre>
        </div>
      </p>
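<p>The backtrace shows GfxImageColorMap::getRGBLine being entered with in=0x0, so the fault at GfxState.cc:5497 is a dereference of a NULL row pointer inside the per-sample lookup loop. The C block below is an added illustration written for this page; it is neither poppler's code nor the reporter's. It models a row reader that returns NULL when the image stream holds fewer bytes than the declared width and height require (an assumption about how the NULL arose; the report only shows that a NULL reached getRGBLine), the unchecked lookup loop shaped like the faulting line, and a checked variant that reports the missing row to its caller instead of dereferencing it. The names img_stream, rgb_line_unchecked, rgb_line_checked, convert_image, demo and the 2x1 three-component pixel fixture (the same 2x1 geometry as widthA=2, height=1 in the trace) are all constructed for the example.</p>

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the image stream behind RescaleDrawImage::getRow:
 * hands out rows of row_bytes from a buffer and returns NULL once the data is
 * exhausted.  That a short stream is what produced in=0x0 in the report is an
 * assumption; the backtrace only shows the NULL reaching getRGBLine. */
typedef struct {
    const uint8_t *data;
    size_t len;        /* bytes actually present in the stream */
    size_t pos;        /* read cursor */
    size_t row_bytes;  /* width * ncomps */
} img_stream;

static const uint8_t *img_stream_get_line(img_stream *s)
{
    if (s->pos + s->row_bytes > s->len)
        return NULL;   /* declared dimensions exceed the data: no row to give */
    const uint8_t *row = s->data + s->pos;
    s->pos += s->row_bytes;
    return row;
}

/* Shaped like GfxState.cc:5497: lut is a 256*ncomps table indexed by
 * sample*ncomps+component.  No NULL check, so a NULL `in` faults on the
 * first read. */
static void rgb_line_unchecked(const uint8_t *lut, int ncomps,
                               const uint8_t *in, uint8_t *out, int length)
{
    for (int j = 0; j < length; j++)
        for (int i = 0; i < ncomps; i++)
            out[j * ncomps + i] = lut[in[j * ncomps + i] * ncomps + i];
}

/* Hardened variant: validate every input before the loop and report failure
 * upward rather than trusting the caller to have checked the row pointer. */
static int rgb_line_checked(const uint8_t *lut, int ncomps,
                            const uint8_t *in, uint8_t *out, int length)
{
    if (lut == NULL || in == NULL || out == NULL || ncomps < 1 || length < 0)
        return -1;
    rgb_line_unchecked(lut, ncomps, in, out, length);
    return 0;
}

/* Converts `height` rows; returns the number of rows converted, or -1 when
 * the stream ran out (the caller can blank the image or abort, not crash). */
int convert_image(img_stream *s, const uint8_t *lut, int ncomps,
                  int width, int height, uint8_t *out)
{
    for (int y = 0; y < height; y++) {
        const uint8_t *row = img_stream_get_line(s);   /* may be NULL */
        if (rgb_line_checked(lut, ncomps, row,
                             out + (size_t)y * width * ncomps, width) != 0)
            return -1;
    }
    return height;
}

/* Identity lookup table (each sample maps to itself), a fixed fixture. */
void fill_identity_lut(uint8_t *lut, int ncomps)
{
    for (int v = 0; v < 256; v++)
        for (int i = 0; i < ncomps; i++)
            lut[v * ncomps + i] = (uint8_t)v;
}

uint8_t demo_out[6];   /* output of the last demo() call */

/* Runs a constructed 2x1 RGB image (6 sample bytes) through convert_image
 * with only `avail` bytes present in the stream.  avail == 6 is a complete
 * stream; anything smaller models the truncated/fuzzed case. */
int demo(size_t avail)
{
    static const uint8_t pixels[6] = { 10, 20, 30, 40, 50, 60 };  /* constructed */
    uint8_t lut[256 * 3];
    fill_identity_lut(lut, 3);
    img_stream s = { pixels, avail, 0, 6 };
    return convert_image(&s, lut, 3, 2, 1, demo_out);
}

int main(void)
{
    printf("complete stream:  convert_image returned %d\n", demo(6));
    printf("truncated stream: convert_image returned %d (row rejected, no dereference)\n",
           demo(3));
    return 0;
}
```

<p>Compile with cc -Wall and run: demo(6) converts the single row and returns 1, demo(3) returns -1 because the reader hands back NULL and the checked routine refuses it. For triage, the useful observation is that the guard belongs at both layers: where the row pointer comes back from the stream and at the top of the conversion routine, since the routine is reachable from more than one output device. A NULL read at this point is a deterministic crash of the rendering thread on an attacker-supplied file, which is a denial of service for any viewer that renders untrusted PDFs.</p>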
    </body>
</html>