[Poppler-bugs] [Bug 28406] New: poppler crashes under certain pdf file
bugzilla-daemon at freedesktop.org
Sun Jun 6 06:44:22 PDT 2010
https://bugs.freedesktop.org/show_bug.cgi?id=28406
Summary: poppler crashes under certain pdf file
Product: poppler
Version: unspecified
Platform: Other
OS/Version: Linux (All)
Status: NEW
Severity: major
Priority: medium
Component: general
AssignedTo: poppler-bugs at lists.freedesktop.org
ReportedBy: igorenbein at finjan.com
Created an attachment (id=36085)
--> (https://bugs.freedesktop.org/attachment.cgi?id=36085)
Malicious file causes crash
Poppler version 0.12.0 crashes on a certain PDF file (will be attached).
The crash happens on a file with a manually repaired root entry number (which
is a number of entries objects). The number was set to 70000000.

The crash starts at poppler/XRef.cc, constructXRef() function, line 788
greallocn(...).

When the system fails to allocate memory, poppler exits with exit(1).
Unfortunately, I must say that this is not a "conventional" way for the
library.

On the other hand, if the code is compiled with "#define USE_EXCEPTIONS 1",
the exception mechanism takes place instead of "exit". But I did not see any
"catch" expression in the code, so I am not sure about memory leaks in the case
we use this flag.

And the last point: goo/gmem.cc has a grealloc_checkoverflow function, which can
help in such situations. It returns NULL instead of "exception" or "exit", but
in this case the code will crash at poppler/XRef.cc, constructXRef() function,
line 790 ( entries[i] ). In this case we can tackle the problem locally, but
the big problem of "exit(1)" will still exist.

P.S. One of the ways to solve the problem is to dynamically parse the file
objects (obj), without pre-knowledge of "how many are there".

THE ATTACHED FILE IS MALICIOUS !!! BE CAREFUL !!!
The file is password protected (mal_file).

Please advise what to do.
Thanks a lot,
Ilya
--
Configure bugmail: https://bugs.freedesktop.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
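
Added example, not part of the report above and not poppler's code: a sketch of the approach in the P.S., where the entry table grows only as objects are actually found, and a failed or oversized allocation is returned to the caller as an error instead of ending in exit(1) or a NULL dereference. Entry, EntryTable, checked_reallocn, ensure_slot, record_object and the max_entries policy cap are all hypothetical names and assumptions.

```cpp
#include <cstdint>
#include <cstdlib>
#include <limits>

// Hypothetical stand-in for an xref entry; not poppler's own type.
struct Entry { uint32_t offset; uint16_t gen; bool used; };

struct EntryTable {
    Entry *entries = nullptr;
    size_t size = 0;   // slots allocated and initialised
};

// Overflow-checked realloc: reports failure with nullptr, never calls exit().
static void *checked_reallocn(void *p, size_t n, size_t elem) {
    if (elem != 0 && n > std::numeric_limits<size_t>::max() / elem)
        return nullptr;                       // n * elem would wrap around
    return std::realloc(p, n * elem);
}

// Make slot `num` usable. Grows geometrically up to max_entries (a cap the
// caller chooses; assumption). On failure the existing table is left intact.
bool ensure_slot(EntryTable &t, size_t num, size_t max_entries) {
    if (num >= max_entries) return false;     // e.g. a forged count of 70000000
    if (num < t.size) return true;
    size_t want = t.size ? t.size : 256;
    while (want <= num) {
        if (want > max_entries / 2) { want = max_entries; break; }
        want *= 2;
    }
    if (want > max_entries) want = max_entries;
    Entry *p = static_cast<Entry *>(
        checked_reallocn(t.entries, want, sizeof(Entry)));
    if (!p) return false;                     // caller handles it; nothing is dereferenced
    for (size_t i = t.size; i < want; ++i) p[i] = Entry{0, 0, false};
    t.entries = p;
    t.size = want;
    return true;
}

// Record an object seen while scanning the file. The table size follows the
// objects found, not a count declared inside the file.
bool record_object(EntryTable &t, size_t num, uint32_t offset, uint16_t gen,
                   size_t max_entries) {
    if (!ensure_slot(t, num, max_entries)) return false;
    t.entries[num] = Entry{offset, gen, true};
    return true;
}
```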