[Poppler-bugs] [Bug 16104] New: poppler crash in AnnotQuadrilaterals::AnnotQuadrilaterals

Mon May 26 04:20:12 PDT 2008

http://bugs.freedesktop.org/show_bug.cgi?id=16104

           Summary: poppler crash in
                    AnnotQuadrilaterals::AnnotQuadrilaterals
           Product: poppler
           Version: unspecified
          Platform: All
               URL: http://www.novell.com/rc/docrepository/public/37/basedoc
                    ument.2008-03-
                    24.1121868495/Whats_New_in_SLE_10_SP2_white_paper_en.pdf
        OS/Version: Linux (All)
            Status: NEW
          Severity: normal
          Priority: medium
         Component: general
        AssignedTo: poppler-bugs at lists.freedesktop.org
        ReportedBy: thoger at redhat.com

Following pdf in the URL causes a crash in poppler due to the delete/free being
called for an uninitialized pointer.  Verified on poppler 0.8.1 / 0.8.2,
versions 0.6.x do not seem to have affected code.

Problem is in the AnnotQuadrilaterals::AnnotQuadrilaterals in Annot.cc. 
Whenever the code detects some problem with correctness of the data read from
the PDF file, it attempts to free previously allocated members of quads[] and
quads itself.  However, for-loop freeing previously allocated members of
quads[] seems to be off-by-one, trying to free an uninitialized pointer.

In the loop 'while (i < (quadsLength) && correct)' i is incremented regardless
of whether correct or incorrect data were read from the file.  If correct is
gFalse after leaving the loop, i is number of initialized quads members + 1
(not number of initialized quads members as code assumes).

Possible solutions:
- use j < i - 1 in the for loop freeing quads[]
- break while loop when incorrect value is detected, skipping i++

-- 
Configure bugmail: http://bugs.freedesktop.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.