[Poppler-bugs] [Bug 28406] New: poppler crashes under certain pdf file

bugzilla-daemon at freedesktop.org
Sun Jun 6 06:44:22 PDT 2010


https://bugs.freedesktop.org/show_bug.cgi?id=28406

           Summary: poppler crashes under certain pdf file
           Product: poppler
           Version: unspecified
          Platform: Other
        OS/Version: Linux (All)
            Status: NEW
          Severity: major
          Priority: medium
         Component: general
        AssignedTo: poppler-bugs at lists.freedesktop.org
        ReportedBy: igorenbein at finjan.com


Created an attachment (id=36085)
 --> (https://bugs.freedesktop.org/attachment.cgi?id=36085)
Malicious file causes crash

Poppler version 0.12.0 crashes under a certain pdf file (will be attached).
The crash happens on a file with a manually repaired root entry number (which
is the number of entry objects). The number was set to 70000000.
The crash starts at poppler/XRef.cc, constructXRef() function, line 788,
greallocn(...).
When the system fails to allocate memory, poppler exits with exit(1).
Unfortunately, I must say that this is not a "conventional" way for the
library.
On the other hand, if the code is compiled with "#define USE_EXCEPTIONS 1",
the exception mechanism is used instead of "exit". But I did not see any
"catch" expression in the code, so I am not sure about memory leaks in the case
we use this flag.
And the last point: goo/gmem.cc has a grealloc_checkoverflow function, which can
help in such situations. It returns NULL instead of "exception" or "exit", but
in this case the code will crash at poppler/XRef.cc constructXRef() function
line 790 ( entries[i] ). In this case we can tackle the problem locally, but
the big problem of "exit(1)" will still exist.

P.S. One of the ways to solve the problem is to dynamically parse the file
objects (obj), without pre-knowledge of "how many are there".

ATTACHED FILE IS MALICIOUS !!! BE CAREFUL !!!

The file is password protected (mal_file). 

Please advise what to do.

Thanks a lot,
Ilya
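
The following is an added example, not part of the original report and not poppler's code. It sketches the two ideas the message raises: an allocation helper that reports failure to the caller instead of calling exit(1) or throwing, and a table that grows from the objects actually found rather than from a count stored in the file. All type and function names are hypothetical, and `max_entries` is an assumed cap supplied by the caller.

```cpp
// Added illustration: XRefEntry, XRefTable, xref_resize and xref_add are
// hypothetical names, not poppler's API. max_entries is an assumed caller cap.
#include <cstdint>
#include <cstdlib>
#include <limits>

struct XRefEntry { uint64_t offset; int gen; char type; };

struct XRefTable {
    XRefEntry *entries = nullptr;
    size_t size = 0;  // entries allocated and initialised
    XRefTable() = default;
    XRefTable(const XRefTable &) = delete;
    XRefTable &operator=(const XRefTable &) = delete;
    ~XRefTable() { free(entries); }
};

// Grow to at least `want` entries. Returns false (no exit, no exception) on
// overflow, cap violation or allocation failure; the old table stays valid.
bool xref_resize(XRefTable &t, size_t want, size_t max_entries) {
    if (want <= t.size) return true;
    if (want > max_entries) return false;
    if (want > std::numeric_limits<size_t>::max() / sizeof(XRefEntry)) return false;
    void *p = realloc(t.entries, want * sizeof(XRefEntry));
    if (!p) return false;
    t.entries = static_cast<XRefEntry *>(p);
    for (size_t i = t.size; i < want; ++i) t.entries[i] = XRefEntry{0, 0, 'f'};
    t.size = want;
    return true;
}

// Record an object actually found while scanning. The table doubles based on
// what was seen, never on a count declared inside the file.
bool xref_add(XRefTable &t, size_t num, uint64_t offset, int gen, size_t max_entries) {
    if (num >= t.size) {
        size_t want = t.size ? t.size : 64;
        while (want <= num && want <= max_entries / 2) want *= 2;
        if (want <= num || want > max_entries) want = max_entries;
        if (num >= want || !xref_resize(t, want, max_entries)) return false;
    }
    t.entries[num] = XRefEntry{offset, gen, 'n'};
    return true;
}

int main() {
    XRefTable t;
    bool ok = xref_add(t, 3, 120, 0, 1000);  // constructed sample object
    return (ok && !xref_add(t, 70000000, 0, 0, 1000)) ? 0 : 1;  // number as large as the reported count is rejected
}
```

Because every failure path returns false with the existing table intact, the caller can report a damaged file and release its resources instead of terminating the host process.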
