<html>
    <head>
      <base href="https://bugs.freedesktop.org/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - Malformed input will cause a stack overflow and crash"
   href="https://bugs.freedesktop.org/show_bug.cgi?id=91186">91186</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>Malformed input will cause a stack overflow and crash
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>poppler
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>unspecified
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>Other
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>medium
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>general
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>poppler-bugs@lists.freedesktop.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>hanno@hboeck.de
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Created <span class=""><a href="attachment.cgi?id=116869" name="attach_116869" title="sample input">attachment 116869</a></span>
sample input

The attached file will segfault poppler (can be tested with either evince or
any of the pdfto* command line tools). It seems to be an endless recursion
causing a stack overflow judging from the address sanitizer stack trace.

Found with american fuzzy lop.

Error message from asan:
==17945==ERROR: AddressSanitizer: stack-overflow on address 0x7ffd0e24df08 (pc 0x7fcca06dab7d bp 0x7ffd0e24e4e0 sp 0x7ffd0e24df10 T0)
    #0 0x7fcca06dab7c in _IO_vfprintf /var/tmp/portage/sys-libs/glibc-2.20-r2/work/glibc-2.20/stdio-common/vfprintf.c:1304
    #1 0x7fcca06e0240 in buffered_vfprintf /var/tmp/portage/sys-libs/glibc-2.20-r2/work/glibc-2.20/stdio-common/vfprintf.c:2348
    #2 0x7fcca06daca4 in _IO_vfprintf /var/tmp/portage/sys-libs/glibc-2.20-r2/work/glibc-2.20/stdio-common/vfprintf.c:1296
    #3 0x490882 in fprintf (/mnt/ram/poppler/pdftoppm+0x490882)
    #4 0x5545f0 in error(ErrorCategory, long long, char const*, ...) /f/poppler-0.33.0/poppler/Error.cc:88:7
    #5 0x66d487 in Parser::makeStream(Object*, unsigned char*, CryptAlgorithm, int, int, int, int, bool) /f/poppler-0.33.0/poppler/Parser.cc:217:5
    #6 0x66bbea in Parser::getObj(Object*, bool, unsigned char*, CryptAlgorithm, int, int, int, int, bool) /f/poppler-0.33.0/poppler/Parser.cc:131:34
    #7 0x6ce3a8 in XRef::fetch(int, int, Object*, int) /f/poppler-0.33.0/poppler/XRef.cc:1198:5
    #8 0x65afd0 in Object::fetch(XRef*, Object*, int) /f/poppler-0.33.0/poppler/Object.cc:122:10
    #9 0x68f4ee in Stream::makeFilter(char*, Stream*, Object*, int, Object*) /f/poppler-0.33.0/poppler/Stream.cc:348:9
    #10 0x68d363 in Stream::addFilters(Object*, int) /f/poppler-0.33.0/poppler/Stream.cc:188:11
    #11 0x66ded9 in Parser::makeStream(Object*, unsigned char*, CryptAlgorithm, int, int, int, int, bool) /f/poppler-0.33.0/poppler/Parser.cc:277:9
    #12 0x66bbea in Parser::getObj(Object*, bool, unsigned char*, CryptAlgorithm, int, int, int, int, bool) /f/poppler-0.33.0/poppler/Parser.cc:131:34

(this goes on for several hundred lines)</pre>
        </div>
      </p>
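      <p>Added example, not part of the original report and not poppler's code: a toy C++ model of the loop visible in the trace, where building a stream requires fetching another object, with a cycle check and a depth cap that turn the endless recursion into a parse error. Obj, Table, fetch, resolve and kMaxDepth are hypothetical names, and the limit of 64 is an assumed value.</p>

```cpp
// Added illustration, not poppler code. All names here are hypothetical.
#include <map>
#include <optional>
#include <set>
#include <string>

// Toy object: a plain value, or a "stream" whose filter parameters
// live in another object that is named by an indirect reference.
struct Obj {
    bool isStream;
    int paramsRef;       // object number holding the filter parameters
    std::string value;   // payload of a plain object
};

using Table = std::map<int, Obj>;
constexpr int kMaxDepth = 64;  // assumed limit, chosen for this demo

// Resolve object `num`. Building a stream needs its filter parameters,
// which means fetching another object: the same shape as the loop in the
// trace (fetch -> getObj -> makeStream -> addFilters -> makeFilter -> fetch).
// `active` holds the objects currently being resolved, so a reference
// cycle is reported as an error; `depth` bounds long acyclic chains.
std::optional<std::string> fetch(const Table& t, int num,
                                 std::set<int>& active, int depth = 0) {
    if (depth > kMaxDepth) return std::nullopt;            // nested too deep
    auto it = t.find(num);
    if (it == t.end()) return std::nullopt;                // dangling reference
    if (!it->second.isStream) return it->second.value;     // plain object
    if (!active.insert(num).second) return std::nullopt;   // cycle detected
    auto params = fetch(t, it->second.paramsRef, active, depth + 1);
    active.erase(num);
    if (!params) return std::nullopt;
    return "stream(" + *params + ")";
}

// Entry point: start with an empty in-progress set.
std::optional<std::string> resolve(const Table& t, int num) {
    std::set<int> active;
    return fetch(t, num, active);
}

int main() {
    // Constructed sample: object 1 is a stream whose parameters are object 1.
    Table t;
    t[1] = Obj{true, 1, ""};
    return resolve(t, 1) ? 1 : 0;  // exits 0: the cycle was rejected
}
```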
    </body>
</html>