[Poppler-bugs] [Bug 16104] New: poppler crash in AnnotQuadrilaterals::AnnotQuadrilaterals
bugzilla-daemon at freedesktop.org
Mon May 26 04:20:12 PDT 2008
http://bugs.freedesktop.org/show_bug.cgi?id=16104
Summary: poppler crash in AnnotQuadrilaterals::AnnotQuadrilaterals
Product: poppler
Version: unspecified
Platform: All
URL: http://www.novell.com/rc/docrepository/public/37/basedocument.2008-03-24.1121868495/Whats_New_in_SLE_10_SP2_white_paper_en.pdf
OS/Version: Linux (All)
Status: NEW
Severity: normal
Priority: medium
Component: general
AssignedTo: poppler-bugs at lists.freedesktop.org
ReportedBy: thoger at redhat.com

The PDF at the URL causes a crash in poppler due to delete/free being
called for an uninitialized pointer. Verified on poppler 0.8.1 / 0.8.2;
versions 0.6.x do not seem to have the affected code.

The problem is in AnnotQuadrilaterals::AnnotQuadrilaterals in Annot.cc.
Whenever the code detects some problem with the correctness of the data read
from the PDF file, it attempts to free the previously allocated members of
quads[] and quads itself. However, the for-loop freeing the previously
allocated members of quads[] seems to be off-by-one, trying to free an
uninitialized pointer.

In the loop 'while (i < (quadsLength) && correct)', i is incremented regardless
of whether correct or incorrect data were read from the file. If correct is
gFalse after leaving the loop, i is the number of initialized quads members + 1
(not the number of initialized quads members, as the code assumes).

Possible solutions:
- use j < i - 1 in the for loop freeing quads[]
- break the while loop when an incorrect value is detected, skipping i++
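
A minimal model of the counting problem described in this report, added here as an illustration; it is not poppler's code, and Quad, Record, recordValid, walk and parseOwned are hypothetical names with an assumed validity rule. It goes slightly beyond the report by also showing an ownership-based variant that needs no manual cleanup loop.

```cpp
#include <cstddef>
#include <memory>
#include <vector>

// Simplified model of the pattern in the report; Quad, Record, recordValid and
// the function names are hypothetical and are not poppler's code.
struct Quad { double c[8]; };
using Record = std::vector<double>;

// Assumed validity rule for the model: exactly 8 coordinates, each in [0, 1].
static bool recordValid(const Record& r) {
    if (r.size() != 8) return false;
    for (double v : r) if (v < 0.0 || v > 1.0) return false;
    return true;
}

struct Trace {
    std::size_t initialized;   // slots that really hold an allocated Quad
    std::size_t cleanupBound;  // N in the error path's "for (j = 0; j < N; j++)"
};

// breakOnError == false: loop shape from the report, i++ runs on the bad record.
// breakOnError == true: second proposed fix, leave the loop before i++.
Trace walk(const std::vector<Record>& recs, bool breakOnError) {
    std::size_t i = 0, initialized = 0;
    bool correct = true;
    while (i < recs.size() && correct) {
        if (recordValid(recs[i])) ++initialized;
        else { correct = false; if (breakOnError) break; }
        i++;
    }
    return {initialized, correct ? 0 : i};  // bound > initialized is the bug
}

// Ownership variant: unique_ptr frees exactly what was allocated, no manual loop.
std::vector<std::unique_ptr<Quad>> parseOwned(const std::vector<Record>& recs) {
    std::vector<std::unique_ptr<Quad>> quads;
    for (const Record& r : recs) {
        if (!recordValid(r)) return {};  // quads' destructor releases prior entries
        auto q = std::make_unique<Quad>();
        for (std::size_t k = 0; k < 8; ++k) q->c[k] = r[k];
        quads.push_back(std::move(q));
    }
    return quads;
}
```

With two valid records followed by an invalid one, `walk(recs, false)` reports a cleanup bound one larger than the number of initialized slots, which is the slot the error path must not touch.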