<html>
    <head>
      <base href="https://bugs.freedesktop.org/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Priority</th>
          <td>medium
          </td>
        </tr>

        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW --- - heap-use-after-free on TextBlock::isBeforeByRule1"
   href="https://bugs.freedesktop.org/show_bug.cgi?id=77763">77763</a>
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>poppler-bugs@lists.freedesktop.org
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>heap-use-after-free on TextBlock::isBeforeByRule1
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Classification</th>
          <td>Unclassified
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Linux (All)
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>a.husa@hushmail.com
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>x86-64 (AMD64)
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>unspecified
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>general
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>poppler
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Created <span class=""><a href="attachment.cgi?id=97740" name="attach_97740" title="PDF that causes heap-use-after-free">attachment 97740</a> <a href="attachment.cgi?id=97740&action=edit" title="PDF that causes heap-use-after-free">[details]</a></span>
PDF that causes heap-use-after-free

ASAN reports heap-use-after-free when the PDF file is closed.


This can be reproduced with Zathura, but not with Evince. Running Zathura
in gdb also prints "LLVM ERROR: IO failure on output stream".

Poppler version: 0.24.5 and Git Master
Zathura version: 0.2.7
Zathura-pdf-poppler version: 0.2.5


ASAN report:
==19740== ERROR: AddressSanitizer: heap-use-after-free on address
0x60220000fefc at pc 0x7feb63e4e8b0 bp 0x7feb60642480 sp 0x7feb60642478
READ of size 4 at 0x60220000fefc thread T4 (pool)


GDB backtrace:
gdb$ bt
#0  __asan_report_error (pc=0x7fffea3c4c25, bp=0x7fffe6bb84e0,
sp=0x7fffe6bb84d8, addr=0x60220000fefc, is_write=0x0, access_size=0x4) at
../../.././libsanitizer/asan/asan_report.cc:628
#1  0x00007ffff4e5f824 in __asan::__asan_report_load4 (addr=<optimized out>) at
../../.././libsanitizer/asan/asan_rtl.cc:228
#2  0x00007fffea3c4c25 in TextBlock::isBeforeByRule1 (this=0x601c000105e0,
blk1=0x601c000177a0) at
/var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/TextOutputDev.cc:1748
#3  0x00007fffea3c571b in TextBlock::visitDepthFirst (this=0x601c000105e0,
blkList=0x601c0001bcc0, pos1=0xd1, sorted=0x608400005200, sortPos=0x9c,
visited=0x60540000f080) at
/var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/TextOutputDev.cc:1856
#4  0x00007fffea3c57b8 in TextBlock::visitDepthFirst (this=0x601c00018680,
blkList=0x601c0001bcc0, pos1=0x3e, sorted=0x608400005200, sortPos=0x9b,
visited=0x60540000f080) at
/var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/TextOutputDev.cc:1874
#5  0x00007fffea3d599d in TextPage::coalesce (this=0x60220000fe80,
physLayout=0x1, fixedPitch=0, doHTML=0x0) at
/var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/TextOutputDev.cc:3427
#6  0x00007fffea9ac8fa in CairoOutputDev::endPage (this=0x603600000340) at
/var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/CairoOutputDev.cc:263
#7  0x00007fffea25ea7c in Gfx::~Gfx (this=0x60240008f4c0, __in_chrg=<optimized
out>) at
/var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/Gfx.cc:643
#8  0x00007fffea335ece in Page::displaySlice (this=0x6022000186a0,
out=0x603600000340, hDPI=72, vDPI=72, rotate=0x0, useMediaBox=0x0, crop=0x1,
sliceX=0xffffffff, sliceY=0xffffffff, sliceW=0xffffffff, sliceH=0xffffffff,
printing=0x0, abortCheckCbk=0x0, abortCheckCbkData=0x0,
annotDisplayDecideCbk=0x0, annotDisplayDecideCbkData=0x0, copyXRef=0x0) at
/var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/Page.cc:611
#9  0x00007fffea98f17c in _poppler_page_render (page=0x605200064c00,
cairo=0x604a0002f280, printing=0x0, print_flags=POPPLER_PRINT_DOCUMENT) at
/var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/glib/poppler-page.cc:362
#10 0x00007fffea98f2a3 in poppler_page_render (page=0x605200064c00,
cairo=0x604a0002f280) at
/var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/glib/poppler-page.cc:385
#11 0x00007fffeac06d8f in pdf_page_render_cairo (page=0x600800026450,
poppler_page=0x605200064c00, cairo=0x604a0002f280, printing=0x0) at render.c:19
#12 0x00000000004519a4 in zathura_page_render (page=0x600800026450,
cairo=0x604a0002f280, printing=0x0) at page.c:360
#13 0x0000000000426511 in render (job=0x6004000c1a70, request=0x6052000150d0,
renderer=0x6062000063b0) at render.c:691
#14 0x0000000000426aee in render_job (data=0x6004000c1a70,
user_data=0x6062000063b0) at render.c:750
#15 0x00007ffff36f1ea6 in ?? () from /usr/lib64/libglib-2.0.so.0
#16 0x00007ffff36f14e5 in ?? () from /usr/lib64/libglib-2.0.so.0
#17 0x00007ffff4e65c08 in __asan::AsanThread::ThreadStart (this=0x7fffe6bba000)
at ../../.././libsanitizer/asan/asan_thread.cc:99
#18 0x00007ffff3269f3a in start_thread (arg=0x7fffe6bb9700) at
pthread_create.c:308
#19 0x00007ffff2a89c3d in clone () at
../sysdeps/unix/sysv/linux/x86_64/clone.S:113


--
Antti Husa
Research Assistant, OUSPG</pre>
        </div>
      </p>
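<p>Triaging a report like the one above means pulling the fault kind, the access (read or write, size, thread) and the first frame outside the sanitizer runtime out of the ASAN and GDB output. The following Python is an added example, not part of the bug report or of Poppler: it parses the AddressSanitizer header and a GDB <code>bt</code> listing, re-joins frames that the mail client wrapped over several lines, and returns the first non-runtime frame as the place to start reading source. The sample text is quoted from the report above (a subset of the frames); the function names and the heuristic of treating <code>__asan*</code> functions and <code>libsanitizer/</code> paths as runtime noise are this example's own assumptions.</p>

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the ASAN header and a subset of the GDB frames
# quoted from the report above, kept with the e-mail line wrapping that
# splits a single frame over two or three lines.
SAMPLE_REPORT = """\
ASAN report:
==19740== ERROR: AddressSanitizer: heap-use-after-free on address
0x60220000fefc at pc 0x7feb63e4e8b0 bp 0x7feb60642480 sp 0x7feb60642478
READ of size 4 at 0x60220000fefc thread T4 (pool)


GDB backtrace:
gdb$ bt
#0  __asan_report_error (pc=0x7fffea3c4c25, bp=0x7fffe6bb84e0,
sp=0x7fffe6bb84d8, addr=0x60220000fefc, is_write=0x0, access_size=0x4) at
../../.././libsanitizer/asan/asan_report.cc:628
#1  0x00007ffff4e5f824 in __asan::__asan_report_load4 (addr=<optimized out>) at
../../.././libsanitizer/asan/asan_rtl.cc:228
#2  0x00007fffea3c4c25 in TextBlock::isBeforeByRule1 (this=0x601c000105e0,
blk1=0x601c000177a0) at
/var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/TextOutputDev.cc:1748
#3  0x00007fffea3c571b in TextBlock::visitDepthFirst (this=0x601c000105e0,
blkList=0x601c0001bcc0, pos1=0xd1, sorted=0x608400005200, sortPos=0x9c,
visited=0x60540000f080) at
/var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/TextOutputDev.cc:1856
#15 0x00007ffff36f1ea6 in ?? () from /usr/lib64/libglib-2.0.so.0
"""

# "==PID== ERROR: AddressSanitizer: <kind> on address <addr> ..."; the address
# may sit on the next line after wrapping, hence \s+.
ASAN_HEADER = re.compile(
    r"==(?P<pid>\d+)== ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address\s+"
    r"(?P<addr>0x[0-9a-fA-F]+)"
)
# "READ of size 4 at 0x... thread T4 (pool)"
ASAN_ACCESS = re.compile(
    r"(?P<op>READ|WRITE) of size (?P<size>\d+) at (?P<addr>0x[0-9a-fA-F]+) "
    r"thread (?P<thread>T\d+)"
)
# One unwrapped GDB frame: "#N [0xADDR in] func (args) at file:line" or
# "... from libfoo.so" for frames without debug info.
GDB_FRAME = re.compile(
    r"^#(?P<num>\d+)\s+(?:0x[0-9a-fA-F]+ in )?(?P<func>.+?) \((?P<args>.*)\)\s+"
    r"(?:at (?P<loc>\S+)|from (?P<lib>\S+))$"
)

# Assumed heuristic (this example's own): frames inside the sanitizer runtime
# only report the bug, so skip them when looking for the culprit.
SANITIZER_PREFIXES = ("__asan", "__sanitizer", "__interceptor")


@dataclass
class Frame:
    num: int
    func: str
    file: Optional[str]   # source path, or None for a "from <lib>" frame
    line: Optional[int]
    lib: Optional[str]


def unwrap_frames(text):
    """Re-join frames wrapped across lines: a frame starts at '#N' and
    continues on following non-blank lines until the next '#N' or a blank."""
    frames, cur = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if re.match(r"^#\d+\s", line):
            if cur is not None:
                frames.append(cur)
            cur = stripped
        elif cur is not None and stripped:
            cur += " " + stripped
        else:
            if cur is not None:
                frames.append(cur)
            cur = None
    if cur is not None:
        frames.append(cur)
    return frames


def parse_frames(text):
    out = []
    for raw in unwrap_frames(text):
        m = GDB_FRAME.match(raw)
        if not m:
            continue  # a frame shape this parser does not understand; skip it
        file = line = None
        if m.group("loc"):
            path, _, lineno = m.group("loc").rpartition(":")
            file, line = path, int(lineno)
        out.append(Frame(int(m.group("num")), m.group("func"), file, line, m.group("lib")))
    return out


def is_runtime_frame(frame):
    return frame.func.startswith(SANITIZER_PREFIXES) or (
        frame.file is not None and "libsanitizer/" in frame.file)


def summarize(text):
    """Return the fault kind, access details and the first non-runtime frame."""
    hdr = ASAN_HEADER.search(text)
    acc = ASAN_ACCESS.search(text)
    if not hdr or not acc:
        raise ValueError("no AddressSanitizer header/access line found")
    frames = parse_frames(text)
    culprit = next((f for f in frames if not is_runtime_frame(f)), None)
    return {
        "pid": int(hdr["pid"]),
        "kind": hdr["kind"],
        "address": hdr["addr"],
        "access": acc["op"],
        "size": int(acc["size"]),
        "thread": acc["thread"],
        # the address in the access line should match the header's
        "address_consistent": hdr["addr"] == acc["addr"],
        "frames": frames,
        "culprit": culprit,
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_REPORT)
    c = s["culprit"]
    print(f"{s['kind']}: {s['access']} of {s['size']} bytes in {s['thread']}, "
          f"first project frame #{c.num} {c.func} at {c.file}:{c.line}")
```

<p>For this report the culprit frame is <code>TextBlock::isBeforeByRule1</code> at <code>TextOutputDev.cc:1748</code>, a 4-byte read on thread T4, which is where a developer would start looking at which block was freed before the sort finished.</p>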
    </body>
</html>