[Poppler-bugs] [Bug 38209] New: Problematic flow at poppler while 'startxref' is missing

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Sun Jun 12 05:51:55 PDT 2011


           Summary: Problematic flow at poppler while 'startxref' is
           Product: poppler
           Version: unspecified
          Platform: All
        OS/Version: Linux (All)
            Status: NEW
          Severity: major
          Priority: medium
         Component: general
        AssignedTo: poppler-bugs at lists.freedesktop.org
        ReportedBy: igorenbein at finjan.com

Created an attachment (id=47866)
 --> (https://bugs.freedesktop.org/attachment.cgi?id=47866)


Recently I suffered a crash in poppler version 0.16.0 library. The crash is
very hardly reproducible. 

At the sample file, startxref keyword is missing. The code at poppler/PDFDoc.cc
Guint PDFDoc::getStartXRef() function, tries to assign the value to
startXRefPos. But for this specific sample it finally will equal to 1111000110.
Which is wrong and leads to crash (in some cases). This huge value is assigned
to the startXRefPos  variable by the following code startXRefPos = 

I do not understand why the strToUnsigned function should be called. I think
that it will be correctly to stop at:

if (i < 0) {
        startXRefPos = 0;

so, startXRefPos will be equal to 0.

The sample file is attached. NOTE, IT IS MALICIOUS!!! The file is password
protected archive (pass is malicious).
I checked the latest 0.16.6 version, but this, specific part of the code was
not changed.


Configure bugmail: https://bugs.freedesktop.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the Poppler-bugs mailing list