<html>
<head>
<base href="https://bugs.freedesktop.org/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - Malformed input will cause a stack overflow and crash"
href="https://bugs.freedesktop.org/show_bug.cgi?id=91186">91186</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>Malformed input will cause a stack overflow and crash
</td>
</tr>
<tr>
<th>Product</th>
<td>poppler
</td>
</tr>
<tr>
<th>Version</th>
<td>unspecified
</td>
</tr>
<tr>
<th>Hardware</th>
<td>Other
</td>
</tr>
<tr>
<th>OS</th>
<td>All
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>medium
</td>
</tr>
<tr>
<th>Component</th>
<td>general
</td>
</tr>
<tr>
<th>Assignee</th>
<td>poppler-bugs@lists.freedesktop.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>hanno@hboeck.de
</td>
</tr></table>
<p>
<div>
<pre>Created <span class=""><a href="attachment.cgi?id=116869" name="attach_116869" title="sample input">attachment 116869</a> <a href="attachment.cgi?id=116869&action=edit" title="sample input">[details]</a></span>
sample input
The attached file will segfault poppler (can be tested with either evince or
any of the pdfto* command line tools). It seems to be an endless recursion
causing a stack overflow judging from the address sanitizer stack trace.
Found with american fuzzy lop.
Error message from asan:
==17945==ERROR: AddressSanitizer: stack-overflow on address 0x7ffd0e24df08 (pc
0x7fcca06dab7d bp 0x7ffd0e24e4e0 sp 0x7ffd0e24df10 T0)
#0 0x7fcca06dab7c in _IO_vfprintf
/var/tmp/portage/sys-libs/glibc-2.20-r2/work/glibc-2.20/stdio-common/vfprintf.c:1304
#1 0x7fcca06e0240 in buffered_vfprintf
/var/tmp/portage/sys-libs/glibc-2.20-r2/work/glibc-2.20/stdio-common/vfprintf.c:2348
#2 0x7fcca06daca4 in _IO_vfprintf
/var/tmp/portage/sys-libs/glibc-2.20-r2/work/glibc-2.20/stdio-common/vfprintf.c:1296
#3 0x490882 in fprintf (/mnt/ram/poppler/pdftoppm+0x490882)
#4 0x5545f0 in error(ErrorCategory, long long, char const*, ...)
/f/poppler-0.33.0/poppler/Error.cc:88:7
#5 0x66d487 in Parser::makeStream(Object*, unsigned char*, CryptAlgorithm,
int, int, int, int, bool) /f/poppler-0.33.0/poppler/Parser.cc:217:5
#6 0x66bbea in Parser::getObj(Object*, bool, unsigned char*,
CryptAlgorithm, int, int, int, int, bool)
/f/poppler-0.33.0/poppler/Parser.cc:131:34
#7 0x6ce3a8 in XRef::fetch(int, int, Object*, int)
/f/poppler-0.33.0/poppler/XRef.cc:1198:5
#8 0x65afd0 in Object::fetch(XRef*, Object*, int)
/f/poppler-0.33.0/poppler/Object.cc:122:10
#9 0x68f4ee in Stream::makeFilter(char*, Stream*, Object*, int, Object*)
/f/poppler-0.33.0/poppler/Stream.cc:348:9
#10 0x68d363 in Stream::addFilters(Object*, int)
/f/poppler-0.33.0/poppler/Stream.cc:188:11
#11 0x66ded9 in Parser::makeStream(Object*, unsigned char*, CryptAlgorithm,
int, int, int, int, bool) /f/poppler-0.33.0/poppler/Parser.cc:277:9
#12 0x66bbea in Parser::getObj(Object*, bool, unsigned char*,
CryptAlgorithm, int, int, int, int, bool)
/f/poppler-0.33.0/poppler/Parser.cc:131:34
(this goes on for several hundred lines)</pre>
</div>
</p>
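<p>Added illustration (not poppler's code and not part of the report above): a toy C++ model of the recursion visible in the trace, where building a stream resolves an object referenced from its filter entries, that object is itself a stream, and so on. Guarding the resolver with a visited set and a depth cap turns a cyclic reference in a malformed file into a reported error instead of a stack overflow. The object ids, the object table and the depth limit are constructed for this example.</p>

```cpp
// Toy model of indirect-object resolution for a stream's filter entry.
// The object table, ids and depth cap are constructed for this example.
#include <map>
#include <set>

struct PdfObj {
    bool isStream;   // true if the object is a stream
    int  filterRef;  // id of the object referenced by its filter entry, or -1
};

// Constructed sample document: objects 1 and 2 reference each other,
// which is the cyclic shape that drives the unbounded recursion.
static const std::map<int, PdfObj> kObjects = {
    {1, {true, 2}},
    {2, {true, 1}},
    {3, {true, 4}},
    {4, {false, -1}},  // a plain (non-stream) filter object: resolves cleanly
};

enum class Result { Ok, Missing, Cycle };

// Depth-bounded resolver: returns Cycle when an object is revisited or the
// nesting exceeds maxDepth, instead of recursing without limit.
Result resolveStream(int id, std::set<int> &visited, int depth, int maxDepth) {
    if (depth > maxDepth || !visited.insert(id).second)
        return Result::Cycle;
    auto it = kObjects.find(id);
    if (it == kObjects.end())
        return Result::Missing;
    const PdfObj &obj = it->second;
    if (!obj.isStream || obj.filterRef < 0)
        return Result::Ok;  // nothing further to resolve
    // Resolving the filter object may yield another stream (the loop in the
    // trace: makeStream -> addFilters -> makeFilter -> fetch -> makeStream).
    return resolveStream(obj.filterRef, visited, depth + 1, maxDepth);
}

// Entry point with a fresh visited set and a constructed depth cap of 64.
Result resolveStream(int id) {
    std::set<int> visited;
    return resolveStream(id, visited, 0, 64);
}
```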
</body>
</html>