<html>
<head>
<base href="https://bugs.freedesktop.org/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Priority</th>
<td>medium
</td>
</tr>
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW --- - SEGV in StreamPredictor::getChar (cairo backend)"
href="https://bugs.freedesktop.org/show_bug.cgi?id=76631">76631</a>
</td>
</tr>
<tr>
<th>Assignee</th>
<td>poppler-bugs@lists.freedesktop.org
</td>
</tr>
<tr>
<th>Summary</th>
<td>SEGV in StreamPredictor::getChar (cairo backend)
</td>
</tr>
<tr>
<th>Severity</th>
<td>normal
</td>
</tr>
<tr>
<th>Classification</th>
<td>Unclassified
</td>
</tr>
<tr>
<th>OS</th>
<td>Linux (All)
</td>
</tr>
<tr>
<th>Reporter</th>
<td>a.husa@hushmail.com
</td>
</tr>
<tr>
<th>Hardware</th>
<td>x86-64 (AMD64)
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Version</th>
<td>unspecified
</td>
</tr>
<tr>
<th>Component</th>
<td>cairo backend
</td>
</tr>
<tr>
<th>Product</th>
<td>poppler
</td>
</tr></table>
<p>
<div>
<pre>Created <span class=""><a href="attachment.cgi?id=96408" name="attach_96408" title="Fuzzed PDF file that causes SEGV">attachment 96408</a> <a href="attachment.cgi?id=96408&action=edit" title="Fuzzed PDF file that causes SEGV">[details]</a></span>
Fuzzed PDF file that causes SEGV
Segfault when malformed PDF file is opened.
Reproduced on Evince and Zathura with Poppler version 0.25.1 (git master
branch).
Distribution: Gentoo Linux 64bit
Evince version: 3.10.3
Zathura version: 0.2.1
Zathura-pdf-poppler version: 0.2.3
Malformed file is given as an attachment.
ASAN report:
==9396== ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc
0x7effa86af3a3 sp 0x7effa5c9d810 bp 0x7effa5c9d820 T3)
AddressSanitizer can not provide additional info.
#0 0x7effa86af3a2 in StreamPredictor::getChar()
/var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/Stream.cc:615
#1 0x7effa87f5655 in FlateStream::getChar()
/var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/FlateStream.cc:58
#2 0x7effa856bf60 in Stream::doGetChars(int, unsigned char*)
/var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/Stream.h:126
#3 0x7effa86ae19f in ImageStream::getLine()
/var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/Stream.cc:517
#4 0x7effa8d5c301 in RescaleDrawImage::getRow(int, unsigned int*)
/var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/CairoOutputDev.cc:2836
#5 0x7effa8d5d674 in CairoRescaleBox::downScaleImage(unsigned int, unsigned
int, int, int, unsigned short, unsigned short, unsigned short, unsigned short,
_cairo_surface*)
/var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/CairoRescaleBox.cc:338
#6 0x7effa8d5c121 in RescaleDrawImage::getSourceImage(Stream*, int, int,
int, int, bool, GfxImageColorMap*, int*)
/var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/CairoOutputDev.cc:2817
#7 0x7effa8d56fe8 in CairoOutputDev::drawImage(GfxState*, Object*, Stream*,
int, int, GfxImageColorMap*, bool, int*, bool)
/var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/CairoOutputDev.cc:2896
#8 0x7effa85d9840 in Gfx::doImage(Object*, Stream*, bool)
/var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/Gfx.cc:4653
#9 0x7effa85d68f2 in Gfx::opXObject(Object*, int)
/var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/Gfx.cc:4179
#10 0x7effa85b049c in Gfx::execOp(Object*, Object*, int)
/var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/Gfx.cc:903
#11 0x7effa85af685 in Gfx::go(bool)
/var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/Gfx.cc:762
#12 0x7effa85af2d9 in Gfx::display(Object*, bool)
/var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/Gfx.cc:728
#13 0x7effa86928cd in Page::displaySlice(OutputDev*, double, double, int,
bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*,
void*), void*, bool)
/var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/Page.cc:585
#14 0x7effa8d17f53 in _poppler_page_render(_PopplerPage*, _cairo*, bool,
PopplerPrintFlags)
/var/tmp/portage/app-text/poppler-9999/work/poppler-9999/glib/poppler-page.cc:362
#15 0x7effa8d1807a in poppler_page_render
/var/tmp/portage/app-text/poppler-9999/work/poppler-9999/glib/poppler-page.cc:385
#16 0x7effa8f9cf2c in pdf_page_render_cairo
/var/tmp/portage/app-text/zathura-pdf-poppler-0.2.3/work/zathura-pdf-poppler-0.2.3/pdf.c:809
#17 0x42f947 in render
/var/tmp/portage/app-text/zathura-0.2.1/work/zathura-0.2.1/render.c:183
#18 0x42f947 in render_job
/var/tmp/portage/app-text/zathura-0.2.1/work/zathura-0.2.1/render.c:37
#19 0x7effb11cbea5 (/usr/lib64/libglib-2.0.so.0+0x6fea5)
#20 0x7effb11cb4e4 (/usr/lib64/libglib-2.0.so.0+0x6f4e4)
#21 0x7effb287ec07 in __asan::AsanThread::ThreadStart()
/home/aki/opt/fu/work/tmp/gcc-4.8.1/x86_64-unknown-linux-gnu/libsanitizer/asan/../../.././libsanitizer/asan/asan_thread.cc:99
#22 0x7effb0b41f39 in start_thread
/var/tmp/portage/sys-libs/glibc-2.17/work/glibc-2.17/nptl/pthread_create.c:308
#23 0x7effb057ec3c (/lib64/libc.so.6+0xedc3c)
SUMMARY: AddressSanitizer: SEGV
/var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/Stream.cc:615
StreamPredictor::getChar()
Thread T3 (pool) created by T0 here:
#0 0x7effb2870c5b in __interceptor_pthread_create
/home/aki/opt/fu/work/tmp/gcc-4.8.1/x86_64-unknown-linux-gnu/libsanitizer/asan/../../.././libsanitizer/asan/asan_interceptors.cc:122
#1 0x7effb11e6941 (/usr/lib64/libglib-2.0.so.0+0x8a941)
==9396== ABORTING
--
Antti Husa
Research Assistant, OUSPG</pre>
</div>
</p>
</body>
</html>