<html>
    <head>
      <base href="https://bugs.freedesktop.org/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Priority</th>
          <td>medium
          </td>
        </tr>

        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW --- - SEGV in RescaleDrawImage::getRow"
   href="https://bugs.freedesktop.org/show_bug.cgi?id=76445">76445</a>
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>poppler-bugs@lists.freedesktop.org
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>SEGV in RescaleDrawImage::getRow
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Classification</th>
          <td>Unclassified
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Linux (All)
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>a.husa@hushmail.com
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>x86-64 (AMD64)
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>unspecified
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>cairo backend
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>poppler
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Created <span class=""><a href="attachment.cgi?id=96155" name="attach_96155" title="Fuzzed PDF file that causes SEGV">attachment 96155</a> <a href="attachment.cgi?id=96155&action=edit" title="Fuzzed PDF file that causes SEGV">[details]</a></span>
Fuzzed PDF file that causes SEGV

Segfault when malformed PDF file is opened.

Reproduced on Evince, Zathura and apvlv with Poppler version 0.24.5.

Distribution: Gentoo Linux 64bit
Evince version: 3.10.3
Zathura version: 0.2.1
Zathura-pdf-poppler version: 0.2.3

Malformed file is given as an attachment.

ASAN report:
==895== ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc
0x7f177e460be5 sp 0x7f177b474880 bp 0x7f177b474900 T3)
AddressSanitizer can not provide additional info.
    #0 0x7f177e460be4 (/usr/lib64/libpoppler-glib.so.8.6.0+0x5fbe4)
    #1 0x7f177e46187b (/usr/lib64/libpoppler-glib.so.8.6.0+0x6087b)
    #2 0x7f177e45df30 (/usr/lib64/libpoppler-glib.so.8.6.0+0x5cf30)
    #3 0x7f177dd69b43 (/usr/lib64/libpoppler.so.44.0.0+0x233b43)
    #4 0x7f177dd6d0a1 (/usr/lib64/libpoppler.so.44.0.0+0x2370a1)
    #5 0x7f177dd5bb45 (/usr/lib64/libpoppler.so.44.0.0+0x225b45)
    #6 0x7f177dd5c50f (/usr/lib64/libpoppler.so.44.0.0+0x22650f)
    #7 0x7f177de186d7 (/usr/lib64/libpoppler.so.44.0.0+0x2e26d7)
    #8 0x7f177e435a92 (/usr/lib64/libpoppler-glib.so.8.6.0+0x34a92)
    #9 0x7f177e69cca4 (/usr/lib64/zathura/pdf.so+0x3ca4)
    #10 0x42f8b7 (/usr/bin/zathura+0x42f8b7)
    #11 0x7f17868caea5 (/usr/lib64/libglib-2.0.so.0.3800.2+0x6fea5)
    #12 0x7f17868ca4e4 (/usr/lib64/libglib-2.0.so.0.3800.2+0x6f4e4)
    #13 0x7f1787f7dc07 (/usr/lib64/libasan.so.0.0.0+0x18c07)
    #14 0x7f1786240f39 (/lib64/libpthread-2.17.so+0x8f39)
    #15 0x7f1785c7dc3c (/lib64/libc-2.17.so+0xedc3c)
Thread T3 (pool) created by T0 here:
    #0 0x7f1787f6fc5b (/usr/lib64/libasan.so.0.0.0+0xac5b)
    #1 0x7f17868e5941 (/usr/lib64/libglib-2.0.so.0.3800.2+0x8a941)
==895== ABORTING


gdb backtrace:
0x00007fffeb348be5 in RescaleDrawImage::getRow (this=0x7fffe835cc80,
row_num=<optimized out>, row_data=0x607400007900) at
/var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/CairoOutputDev.cc:2845
2845            rgb = lookup[*p];

gdb$ bt
#0  0x00007fffeb348be5 in RescaleDrawImage::getRow (this=0x7fffe835cc80,
row_num=<optimized out>, row_data=0x607400007900) at
/var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/CairoOutputDev.cc:2845
#1  0x00007fffeb34987c in CairoRescaleBox::downScaleImage
(this=this@entry=0x7fffe835cc80, orig_width=<optimized out>,
orig_height=orig_height@entry=0xdb3, scaled_width=scaled_width@entry=0x198,
scaled_height=scaled_height@entry=0x242, start_column=start_column@entry=0x0,
start_row=start_row@entry=0x0, width=width@entry=0x198,
height=height@entry=0x242, dest_surface=dest_surface@entry=0x602c0001fa00) at
/var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/CairoRescaleBox.cc:338
#2  0x00007fffeb345f31 in getSourceImage (maskColorsA=0x0,
colorMapA=0x60440002f880, printing=0x0, scaledHeight=0x242, scaledWidth=0x198,
height=0xdb3, widthA=0x9b0, str=0x601800047b00, this=0x7fffe835cc80) at
/var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/CairoOutputDev.cc:2817
#3  CairoOutputDev::drawImage (this=0x603600004540, state=<optimized out>,
ref=0x7fffe835d2c0, str=0x601800047b00, widthA=0x9b0, heightA=0xdb3,
colorMap=0x60440002f880, interpolate=0x0, maskColors=0x0, inlineImg=0x0) at
/var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/CairoOutputDev.cc:2896
#4  0x00007fffeac51b44 in Gfx::doImage (this=this@entry=0x60240007f5c0,
ref=ref@entry=0x7fffe835d2c0, str=<optimized out>,
inlineImg=inlineImg@entry=0x0) at
/var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/Gfx.cc:4587
#5  0x00007fffeac550a2 in Gfx::opXObject (this=0x60240007f5c0, args=<optimized
out>, numArgs=<optimized out>) at
/var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/Gfx.cc:4128
#6  0x00007fffeac43b46 in Gfx::go (this=this@entry=0x60240007f5c0,
topLevel=topLevel@entry=0x1) at
/var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/Gfx.cc:712
#7  0x00007fffeac44510 in Gfx::display (this=this@entry=0x60240007f5c0,
obj=obj@entry=0x7fffe835d9d0, topLevel=topLevel@entry=0x1) at
/var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/Gfx.cc:678
#8  0x00007fffead006d8 in Page::displaySlice (this=0x6022000191e0,
out=out@entry=0x603600004540, hDPI=hDPI@entry=72, vDPI=vDPI@entry=72,
rotate=rotate@entry=0x0, useMediaBox=useMediaBox@entry=0x0,
crop=crop@entry=0x1, sliceX=sliceX@entry=0xffffffff,
sliceY=sliceY@entry=0xffffffff, sliceW=sliceW@entry=0xffffffff,
sliceH=sliceH@entry=0xffffffff, printing=printing@entry=0x0,
abortCheckCbk=abortCheckCbk@entry=0x0,
abortCheckCbkData=abortCheckCbkData@entry=0x0, annotDisplayDecideCbk=0x0,
annotDisplayDecideCbkData=annotDisplayDecideCbkData@entry=0x0,
copyXRef=copyXRef@entry=0x0) at
/var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/Page.cc:584
#9  0x00007fffeb31da93 in _poppler_page_render (page=0x605200035180,
cairo=0x604a0000f100, printing=<optimized out>, print_flags=<optimized out>) at
/var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/glib/poppler-page.cc:362
#10 0x00007fffeb584ca5 in pdf_page_render_cairo () from
/usr/lib64/zathura/pdf.so
#11 0x000000000042f8b8 in render (page=0x60080002a110, zathura=0x60260000f660)
at render.c:183
#12 render_job (data=0x60080002a110, user_data=0x60260000f660) at render.c:37
#13 0x00007ffff37b2ea6 in ?? () from /usr/lib64/libglib-2.0.so.0
#14 0x00007ffff37b24e5 in ?? () from /usr/lib64/libglib-2.0.so.0
#15 0x00007ffff4e65c08 in __asan::AsanThread::ThreadStart (this=0x7fffe835f000)
at ../../.././libsanitizer/asan/asan_thread.cc:99
#16 0x00007ffff3128f3a in start_thread (arg=0x7fffe835e700) at
pthread_create.c:308
#17 0x00007ffff2b65c3d in clone () at
../sysdeps/unix/sysv/linux/x86_64/clone.S:113


--
Antti Husa
Research Assistant, OUSPG</pre>
        </div>
      </p>
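<p>The crash site in the gdb backtrace is <code>rgb = lookup[*p];</code> with a fault at address 0x0, that is, a NULL row pointer dereferenced in RescaleDrawImage::getRow while downscaling a 0x9b0 x 0xdb3 image. The C model below is added here for illustration; it is not poppler's code and not part of the report. It assumes (the report does not establish this) that the fuzzed file's image stream holds fewer samples than its declared dimensions, so the row reader runs dry and returns NULL; <code>get_line</code>, <code>get_row_checked</code>, <code>decode_image</code> and the sample bytes are all constructed.</p>

```c
#include <stddef.h>
#include <stdint.h>
/* Constructed 8-bit-per-sample image stream whose dictionary declares more
 * samples than the body holds (assumed trigger; the report does not say). */
typedef struct {
    const uint8_t *data;   /* raw samples, one byte per pixel */
    size_t len;            /* bytes actually present */
    size_t width;          /* samples per row, as declared */
    size_t pos;            /* read cursor */
} ImageStream;

/* Next row, or NULL once fewer than `width` bytes remain (hypothetical
 * stand-in for the line reader that getRow consumes). */
static const uint8_t *get_line(ImageStream *s) {
    if (s->pos + s->width > s->len) return NULL;
    const uint8_t *row = s->data + s->pos;
    s->pos += s->width;
    return row;
}

/* Hardened row conversion. The report's `rgb = lookup[*p]` with p == NULL is
 * the SEGV on address 0x0; here a NULL row becomes a black fallback row and
 * a 0 return instead of a dereference. */
static int get_row_checked(ImageStream *s, const uint32_t *lookup,
                           uint32_t *row_data) {
    const uint8_t *p = get_line(s);
    if (p == NULL) {
        for (size_t i = 0; i < s->width; i++) row_data[i] = 0;
        return 0;
    }
    for (size_t i = 0; i < s->width; i++) row_data[i] = lookup[p[i]];
    return 1;
}

/* Decodes all `height` declared rows into `out` (width*height entries);
 * returns how many rows really came from the stream. */
size_t decode_image(const uint8_t *data, size_t len, size_t width,
                    size_t height, uint32_t *out) {
    uint32_t lookup[256];                  /* grey sample -> 0xRRGGBB */
    for (unsigned v = 0; v < 256; v++) lookup[v] = v * 0x010101u;
    ImageStream s = { data, len, width, 0 };
    size_t real = 0;
    for (size_t r = 0; r < height; r++)
        real += (size_t)get_row_checked(&s, lookup, out + r * width);
    return real;
}
/* Constructed input: declared 4x3 pixels, but only 10 of 12 samples present. */
const uint8_t SAMPLE[10] = {0, 255, 0, 255, 128, 128, 128, 128, 7, 7};
uint32_t DEMO_OUT[12];                     /* destination for the 4x3 decode */
```

With this input two rows decode from the stream and the third is the fallback row; the unchecked form would have faulted on the third row exactly as the report shows.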
    </body>
</html>