<html>
    <head>
      <base href="https://bugs.freedesktop.org/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Priority</th>
          <td>medium
          </td>
        </tr>

        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW --- - SEGV in StreamPredictor::getChar"
   href="https://bugs.freedesktop.org/show_bug.cgi?id=76439">76439</a>
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>poppler-bugs@lists.freedesktop.org
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>SEGV in StreamPredictor::getChar
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Classification</th>
          <td>Unclassified
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Linux (All)
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>a.husa@hushmail.com
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>x86-64 (AMD64)
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>unspecified
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>general
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>poppler
          </td>
        </tr></table>
      <p>
        <div>
<pre>Created <span class=""><a href="attachment.cgi?id=96150" name="attach_96150" title="Fuzzed PDF file that causes SEGV">attachment 96150</a></span>
Fuzzed PDF file that causes SEGV

Segfault when malformed PDF file is opened.

Reproduced on Evince, Zathura and apvlv with Poppler version 0.24.5.

Distribution: Gentoo Linux 64bit
Evince version: 3.10.3
Zathura version: 0.2.1
Zathura-pdf-poppler version: 0.2.3

Malformed file is given as an attachment.

ASAN report:
==11919== ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc
0x7f97d6271621 sp 0x7fffb285c5e0 bp 0x7fffb285c600 T0)
AddressSanitizer can not provide additional info.
    #0 0x7f97d6271620 (/usr/lib64/libpoppler.so.44.0.0+0x302620)
    #1 0x7f97d6287a1f (/usr/lib64/libpoppler.so.44.0.0+0x318a1f)
    #2 0x7f97d62887fc (/usr/lib64/libpoppler.so.44.0.0+0x3197fc)
    #3 0x7f97d628cacb (/usr/lib64/libpoppler.so.44.0.0+0x31dacb)
    #4 0x7f97d628cf4b (/usr/lib64/libpoppler.so.44.0.0+0x31df4b)
    #5 0x7f97d6261b2f (/usr/lib64/libpoppler.so.44.0.0+0x2f2b2f)
    #6 0x7f97d62621a6 (/usr/lib64/libpoppler.so.44.0.0+0x2f31a6)
    #7 0x7f97d6866f17 (/usr/lib64/libpoppler-glib.so.8.6.0+0x2cf17)
    #8 0x7f97d6ad4d22 (/usr/lib64/zathura/pdf.so+0x2d22)
    #9 0x42aee4 (/usr/bin/zathura+0x42aee4)
    #10 0x411697 (/usr/bin/zathura+0x411697)
    #11 0x412583 (/usr/bin/zathura+0x412583)
    #12 0x7f97df8bba76 (/usr/lib64/libgdk-x11-2.0.so.0.2400.22+0x20a76)
    #13 0x7f97decdea95 (/usr/lib64/libglib-2.0.so.0.3800.2+0x4aa95)
    #14 0x7f97decdede7 (/usr/lib64/libglib-2.0.so.0.3800.2+0x4ade7)
    #15 0x7f97decdf1e9 (/usr/lib64/libglib-2.0.so.0.3800.2+0x4b1e9)
    #16 0x7f97dfc88dd6 (/usr/lib64/libgtk-x11-2.0.so.0.2400.22+0x139dd6)
    #17 0x40dd9a (/usr/bin/zathura+0x40dd9a)
    #18 0x7f97ddfedbf4 (/lib64/libc-2.17.so+0x24bf4)
    #19 0x40e4d4 (/usr/bin/zathura+0x40e4d4)
==11919== ABORTING


gdb backtrace:
615      return predLine[predIdx++];
gdb$ bt
#0  0x00007fffead20621 in StreamPredictor::getChar (this=0x600c0004e200) at
/var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/Stream.cc:615
#1  0x00007fffead36a20 in XRef::readXRefStreamSection
(this=this@entry=0x60240006f800, xrefStr=xrefStr@entry=0x606200040300,
w=w@entry=0x7fffffffcdd0, first=first@entry=0x43, n=n@entry=0x47) at
/var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/XRef.cc:844
#2  0x00007fffead377fd in XRef::readXRefStream (this=this@entry=0x60240006f800,
xrefStr=0x606200040300, pos=pos@entry=0x60240006f898) at
/var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/XRef.cc:785
#3  0x00007fffead3bacc in XRef::readXRef (this=this@entry=0x60240006f800,
pos=0x60240006f898, followedXRefStm=followedXRefStm@entry=0x7fffffffd100,
xrefStreamObjsNum=xrefStreamObjsNum@entry=0x0) at
/var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/XRef.cc:560
#4  0x00007fffead3bf4c in XRef::XRef (this=0x60240006f800, strA=<optimized
out>, pos=<optimized out>, mainXRefEntriesOffsetA=0x0,
wasReconstructed=0x7fffffffd1d0, reconstruct=<optimized out>) at
/var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/XRef.cc:342
#5  0x00007fffead10b30 in PDFDoc::setup (this=this@entry=0x601c00007ac0,
ownerPassword=ownerPassword@entry=0x0, userPassword=userPassword@entry=0x0) at
/var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/PDFDoc.cc:262
#6  0x00007fffead111a7 in PDFDoc::PDFDoc (this=0x601c00007ac0,
fileNameA=<optimized out>, ownerPassword=0x0, userPassword=0x0,
guiDataA=<optimized out>) at
/var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/PDFDoc.cc:167
#7  0x00007fffeb315f18 in poppler_document_new_from_file (uri=<optimized out>,
password=<optimized out>, error=0x7fffffffd378) at
/var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/glib/poppler-document.cc:202
#8  0x00007fffeb583d23 in pdf_document_open () from /usr/lib64/zathura/pdf.so
#9  0x000000000042aee5 in zathura_document_open (plugin_manager=<optimized
out>, path=path@entry=0x600c0004ebc0
"/home/anon/tmp/samples/pdf/results/mal-16_zathura.pdf",
password=password@entry=0x0, error=error@entry=0x7fffffffd630) at
document.c:130
#10 0x0000000000411698 in document_open (zathura=0x60260000f660,
path=path@entry=0x600c0004ebc0
"/home/anon/tmp/samples/pdf/results/mal-16_zathura.pdf", password=0x0) at
zathura.c:482
#11 0x0000000000412584 in document_info_open (data=0x600600042670) at
zathura.c:465
#12 0x00007ffff436aa77 in ?? () from /usr/lib64/libgdk-x11-2.0.so.0
#13 0x00007ffff378da96 in g_main_context_dispatch () from
/usr/lib64/libglib-2.0.so.0
#14 0x00007ffff378dde8 in ?? () from /usr/lib64/libglib-2.0.so.0
#15 0x00007ffff378e1ea in g_main_loop_run () from /usr/lib64/libglib-2.0.so.0
#16 0x00007ffff4737dd7 in gtk_main () from /usr/lib64/libgtk-x11-2.0.so.0
#17 0x000000000040dd9b in main (argc=0x2, argv=0x7fffffffe098) at main.c:145


--
Antti Husa
Research Assistant, OUSPG</pre>
        </div>
      </p>
    </body>
</html>