[Poppler-bugs] [Bug 10910] New: Crash on fuzzed PDF: recursive call of Parser::getObj()

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Thu May 10 16:48:05 PDT 2007


http://bugs.freedesktop.org/show_bug.cgi?id=10910

           Summary: Crash on fuzzed PDF: recursive call of Parser::getObj()
           Product: poppler
           Version: unspecified
          Platform: x86 (IA32)
        OS/Version: Linux (All)
            Status: NEW
          Severity: normal
          Priority: medium
         Component: general
        AssignedTo: poppler-bugs at lists.freedesktop.org
        ReportedBy: victor.stinner at haypocalc.com


Hi,

My bug #10898 was specific to version 0.5.4, but I found another bug in the latest
version of poppler. I generated a fuzzed file which creates a recursive call of
Parser::getObj().

Valgrind detects a thread stack overflow (before all the stack is used by the
recursive calls...). Each call to getObj() creates a new object:
   dict=0xbf476460
   dict=0xbf476840
   dict=0xbf476650
   dict=0xbf476a30
   ...

pdftotext finally crashes with a SIGSEGV signal.

Backtrace:
--- malloc ---
#0  0xb7b26ad9 in _int_malloc (av=0xb7bdf120, bytes=96) at malloc.c:3865
#1  0xb7b28996 in *__GI___libc_malloc (bytes=96) at malloc.c:3382
#2  0xb7e3992c in grealloc (p=0x0, size=96) at gmem.cc:143
#3  0xb7e39a1c in greallocn (p=0x0, nObjs=8, objSize=12) at gmem.cc:193

--- call N ---
#4  0xb7d84e69 in Array::add (this=0x8face60, elem=0xbf476114) at Array.cc:47
#5  0xb7deb34d in Lexer (this=0x8facdb8, xrefA=0x80a8038, str=0x8facc78) at
Lexer.cc:58
#6  0xb7e0a2b5 in XRef::fetch (this=0x80a8038, num=32, gen=0, obj=0xbf476270)
at XRef.cc:893
#7  0xb7df14e8 in Object::fetch (this=0x8facbd4, xref=0x80a8038,
obj=0xbf476270) at Object.cc:106
#8  0xb7d8fecf in Dict::lookup (this=0x8facba8, key=0xb7e734ff "Length",
obj=0xbf476270) at Dict.cc:108
#9  0xb7d84a9a in Object::dictLookup (this=0xbf476460, key=0xb7e734ff "Length",
obj=0xbf476270) at Object.h:259
#10 0xb7df71df in Parser::makeStream (this=0x8facb48, dict=0xbf476460,
fileKey=0x0, encAlgorithm=808464432, keyLength=825701936, objNum=32,
    objGen=0) at Parser.cc:160
#11 0xb7df7848 in Parser::getObj (this=0x8facb48, obj=0xbf476460, fileKey=0x0,
encAlgorithm=808464432, keyLength=825701936, objNum=32,
    objGen=0) at Parser.cc:94

--- call N-1 ---
#12 0xb7e0a4f3 in XRef::fetch (this=0x80a8038, num=32, gen=0, obj=0xbf476460)
at XRef.cc:907
#13 0xb7df14e8 in Object::fetch (this=0x8fac83c, xref=0x80a8038,
obj=0xbf476460) at Object.cc:106
#14 0xb7d8fecf in Dict::lookup (this=0x8fac810, key=0xb7e734ff "Length",
obj=0xbf476460) at Dict.cc:108
#15 0xb7d84a9a in Object::dictLookup (this=0xbf476650, key=0xb7e734ff "Length",
obj=0xbf476460) at Object.h:259
#16 0xb7df71df in Parser::makeStream (this=0x8fac7b0, dict=0xbf476650,
fileKey=0x0, encAlgorithm=808464432, keyLength=825701936, objNum=32,
    objGen=0) at Parser.cc:160
#17 0xb7df7848 in Parser::getObj (this=0x8fac7b0, obj=0xbf476650, fileKey=0x0,
encAlgorithm=808464432, keyLength=825701936, objNum=32,
    objGen=0) at Parser.cc:94

--- call N-2 ---
#18 0xb7e0a4f3 in XRef::fetch (this=0x80a8038, num=32, gen=0, obj=0xbf476650)
at XRef.cc:907
#19 0xb7df14e8 in Object::fetch (this=0x8fac4a4, xref=0x80a8038,
obj=0xbf476650) at Object.cc:106
#20 0xb7d8fecf in Dict::lookup (this=0x8fac478, key=0xb7e734ff "Length",
obj=0xbf476650) at Dict.cc:108
#21 0xb7d84a9a in Object::dictLookup (this=0xbf476840, key=0xb7e734ff "Length",
obj=0xbf476650) at Object.h:259
#22 0xb7df71df in Parser::makeStream (this=0x8fac418, dict=0xbf476840,
fileKey=0x0, encAlgorithm=808464432, keyLength=825701936, objNum=32,
    objGen=0) at Parser.cc:160
#23 0xb7df7848 in Parser::getObj (this=0x8fac418, obj=0xbf476840, fileKey=0x0,
encAlgorithm=808464432, keyLength=825701936, objNum=32,
    objGen=0) at Parser.cc:94

--- call N-3 ---
#24 0xb7e0a4f3 in XRef::fetch (this=0x80a8038, num=32, gen=0, obj=0xbf476840)
at XRef.cc:907
#25 0xb7df14e8 in Object::fetch (this=0x8fac10c, xref=0x80a8038,
obj=0xbf476840) at Object.cc:106
#26 0xb7d8fecf in Dict::lookup (this=0x8fac0e0, key=0xb7e734ff "Length",
obj=0xbf476840) at Dict.cc:108
#27 0xb7d84a9a in Object::dictLookup (this=0xbf476a30, key=0xb7e734ff "Length",
obj=0xbf476840) at Object.h:259
#28 0xb7df71df in Parser::makeStream (this=0x8fac080, dict=0xbf476a30,
fileKey=0x0, encAlgorithm=808464432, keyLength=825701936, objNum=32,
    objGen=0) at Parser.cc:160
#29 0xb7df7848 in Parser::getObj (this=0x8fac080, obj=0xbf476a30, fileKey=0x0,
encAlgorithm=808464432, keyLength=825701936, objNum=32,
    objGen=0) at Parser.cc:94

--- call N-4 ---
#30 0xb7e0a4f3 in XRef::fetch (this=0x80a8038, num=32, gen=0, obj=0xbf476a30)
at XRef.cc:907
#31 0xb7df14e8 in Object::fetch (this=0x8fabd74, xref=0x80a8038,
obj=0xbf476a30) at Object.cc:106
#32 0xb7d8fecf in Dict::lookup (this=0x8fabd48, key=0xb7e734ff "Length",
obj=0xbf476a30) at Dict.cc:108
#33 0xb7d84a9a in Object::dictLookup (this=0xbf476c20, key=0xb7e734ff "Length",
obj=0xbf476a30) at Object.h:259
#34 0xb7df71df in Parser::makeStream (this=0x8fabce8, dict=0xbf476c20,
fileKey=0x0, encAlgorithm=808464432, keyLength=825701936, objNum=32,
    objGen=0) at Parser.cc:160
#35 0xb7df7848 in Parser::getObj (this=0x8fabce8, obj=0xbf476c20, fileKey=0x0,
encAlgorithm=808464432, keyLength=825701936, objNum=32,
    objGen=0) at Parser.cc:94

--- call N-... ---
etc.
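
The backtrace above shows the same pattern at every level: Parser::getObj for object 32 calls makeStream, makeStream looks up /Length, and resolving /Length goes back through XRef::fetch for num=32, which parses object 32 again. The following is an added example, not poppler code and not part of the bug report: a small model of indirect-reference resolution in Python, fed a hand-constructed PDF fragment in which object 32's /Length is the indirect reference `32 0 R` (an assumption about the fuzzed file that is consistent with the backtrace, not something the report states). It contrasts the guard-less fetch, which recurses until Python raises RecursionError just as pdftotext exhausted its stack, with a fetch that carries the chain of objects currently being parsed and reports the cycle instead. The chain guard is the generic fix shape, not a description of how poppler actually resolved this bug.

```python
"""Model of PDF indirect-reference resolution with and without a cycle guard.

Added example (not poppler code).  The PDF bytes below are constructed by
hand: object 32 is a stream whose /Length is the reference 32 0 R, so
building the stream needs object 32, which needs its /Length, and so on.
Object 5 is a well-formed stream whose /Length is an ordinary indirect
reference to object 4, to show that the guarded fetch still follows those.
"""
import re

CONSTRUCTED_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /Contents 32 0 R >>
endobj
4 0 obj
12
endobj
5 0 obj
<< /Length 4 0 R >>
stream
0 0 m 1 1 l S
endstream
endobj
32 0 obj
<< /Length 32 0 R >>
stream
0 0 m 1 1 l S
endstream
endobj
"""

OBJ_RE = re.compile(rb"(\d+) (\d+) obj\s*(.*?)\s*endobj", re.S)
REF_RE = re.compile(rb"^(\d+) (\d+) R$")
LENGTH_RE = re.compile(rb"/Length\s+(\d+ \d+ R|\d+)")


class CycleError(Exception):
    """Raised when an indirect reference leads back to an object being parsed."""


def load_objects(pdf):
    """Index 'n g obj ... endobj' bodies by (num, gen).  No xref table is
    needed for the demo; a real parser would go through XRef::fetch."""
    return {(int(m.group(1)), int(m.group(2))): m.group(3)
            for m in OBJ_RE.finditer(pdf)}


def _ref(body):
    """Return (num, gen) if `body` is exactly an indirect reference, else None."""
    m = REF_RE.match(body.strip())
    return (int(m.group(1)), int(m.group(2))) if m else None


def naive_fetch(objects, key):
    """Guard-less fetch: the shape of the recursion in the backtrace.
    Parsing a stream object resolves /Length; an indirect /Length re-enters
    fetch, and a self-reference never terminates."""
    body = objects[key]
    ref = _ref(body)
    if ref is not None:
        return naive_fetch(objects, ref)
    if b"\nstream" in body:
        length = LENGTH_RE.search(body).group(1)
        ref = _ref(length)
        if ref is not None:                       # makeStream -> dictLookup -> fetch
            length = naive_fetch(objects, ref)
        return {"type": "stream", "length": int(length)}
    return body


def fetch(objects, key, chain=()):
    """Same resolution, but `chain` holds the objects currently being parsed.
    A reference back into the chain is a malformed file and is reported
    once, instead of consuming one stack frame per repetition."""
    if key in chain:
        raise CycleError("indirect reference cycle through object "
                         f"{key[0]} {key[1]} (chain: {list(chain)})")
    chain = chain + (key,)
    body = objects[key]
    ref = _ref(body)
    if ref is not None:
        return fetch(objects, ref, chain)
    if b"\nstream" in body:
        length = LENGTH_RE.search(body).group(1)
        ref = _ref(length)
        if ref is not None:
            length = fetch(objects, ref, chain)
        return {"type": "stream", "length": int(length)}
    return body


def demo(pdf=CONSTRUCTED_PDF):
    """Exercise both fetch variants on the constructed file and report what
    happened to the self-referencing stream."""
    objects = load_objects(pdf)
    result = {"good_stream": fetch(objects, (5, 0))}
    try:
        naive_fetch(objects, (32, 0))
        result["naive"] = "returned"
    except RecursionError:
        result["naive"] = "RecursionError"           # stack exhausted, like pdftotext
    try:
        fetch(objects, (32, 0))
        result["guarded"] = "returned"
    except CycleError as exc:
        result["guarded"] = str(exc)
    return result


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The guard is keyed on the (num, gen) pair rather than on recursion depth because depth alone only delays the crash: a chain of distinct objects that loops back is caught at its first repetition, while a legitimately deep but acyclic reference chain still resolves.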

