[Poppler-bugs] [Bug 38209] New: Problematic flow at poppler while 'startxref' is missing
bugzilla-daemon at freedesktop.org
Sun Jun 12 05:51:55 PDT 2011
https://bugs.freedesktop.org/show_bug.cgi?id=38209
Summary: Problematic flow at poppler while 'startxref' is missing
Product: poppler
Version: unspecified
Platform: All
OS/Version: Linux (All)
Status: NEW
Severity: major
Priority: medium
Component: general
AssignedTo: poppler-bugs at lists.freedesktop.org
ReportedBy: igorenbein at finjan.com
Created an attachment (id=47866)
--> (https://bugs.freedesktop.org/attachment.cgi?id=47866)
NOTE MALICIOUS FILE!!!
Hello,
Recently I suffered a crash in the poppler version 0.16.0 library. The crash is
very hard to reproduce.
In the sample file, the startxref keyword is missing. The code in the
Guint PDFDoc::getStartXRef() function in poppler/PDFDoc.cc tries to assign a value to
startXRefPos, but for this specific sample it ends up equal to 1111000110,
which is wrong and leads to a crash (in some cases). This huge value is assigned
to the startXRefPos variable by the following code:
startXRefPos = strToUnsigned(p);
I do not understand why the strToUnsigned function should be called. I think
that it would be correct to stop at:
if (i < 0) {
  startXRefPos = 0;
}
so that startXRefPos will be equal to 0.
The sample file is attached. NOTE, IT IS MALICIOUS!!! The file is a
password-protected archive (the password is "malicious").
I checked the latest version, 0.16.6, but this specific part of the code has
not changed.
Regards
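As an added example, not poppler's code and not taken from the report's attachment: a stand-alone parser for the tail of a PDF that locates the last 'startxref' keyword, returns 0 when the keyword is missing (the outcome the reporter asks for), and additionally rejects an offset that cannot point inside the file. That last check is what would have caught a value like 1111000110 for any file smaller than about 1 GiB, regardless of how the number was reached. The helper names, the result convention (0 means "no usable offset") and the three sample tails are assumptions made for this illustration.

```cpp
// Added example, not poppler's code. Defensive parsing of the 'startxref'
// offset from the last bytes of a PDF. A PDF trailer ends with:
//     startxref
//     <byte offset of the xref section>
//     %%EOF
// and readers search backwards in the final few hundred bytes for the keyword.
#include <cctype>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <iostream>
#include <limits>
#include <string>

// Parse a decimal unsigned value starting at p (bounded by end), stopping at
// the first non-digit. Returns false when there are no digits or the value
// overflows uint64_t; on success *after points just past the digits.
static bool parseDecimal(const char *p, const char *end, std::uint64_t &out,
                         const char **after) {
  const std::uint64_t maxv = std::numeric_limits<std::uint64_t>::max();
  std::uint64_t v = 0;
  const char *q = p;
  while (q < end && *q >= '0' && *q <= '9') {
    unsigned d = static_cast<unsigned>(*q - '0');
    if (v > (maxv - d) / 10) return false; // would overflow
    v = v * 10 + d;
    ++q;
  }
  if (q == p) return false; // no digits at all
  out = v;
  *after = q;
  return true;
}

// Returns the offset of the last cross-reference section, or 0 when the tail
// carries no usable 'startxref' line. Byte 0 of a PDF is always the '%PDF-'
// header, so 0 is never a valid xref offset and can safely serve as the
// failure value (the convention assumed here, matching the report's proposal).
std::uint64_t parseStartXRef(const std::string &tail, std::uint64_t fileSize) {
  static const char kw[] = "startxref";
  const std::size_t kwLen = sizeof(kw) - 1;
  if (tail.size() < kwLen) return 0;

  // Search backwards so the *last* keyword wins: incremental updates append
  // new trailers, and the final one is authoritative.
  const char *base = tail.data();
  const char *end = base + tail.size();
  const char *found = nullptr;
  for (std::size_t i = tail.size() - kwLen + 1; i-- > 0;) {
    if (std::memcmp(base + i, kw, kwLen) == 0) { found = base + i; break; }
  }
  if (!found) return 0; // keyword missing: stop here, parse nothing

  const char *p = found + kwLen;
  while (p < end && std::isspace(static_cast<unsigned char>(*p))) ++p;

  std::uint64_t off = 0;
  const char *after = nullptr;
  if (!parseDecimal(p, end, off, &after)) return 0; // no number, or overflow
  if (after < end && !std::isspace(static_cast<unsigned char>(*after)))
    return 0;                                        // e.g. "1234abc"
  if (off == 0 || off >= fileSize) return 0;         // cannot point inside file
  return off;
}

// Constructed sample tails (not from any real or attached file).
const std::string kGoodTail =
    "trailer\n<< /Size 5 /Root 1 0 R >>\nstartxref\n1234\n%%EOF\n";
const std::string kNoKeyword =
    "trailer\n<< /Size 5 /Root 1 0 R >>\n1111000110\n%%EOF\n";
const std::string kHugeOffset =
    "trailer\n<< /Size 5 /Root 1 0 R >>\nstartxref\n1111000110\n%%EOF\n";

int main() {
  // Pretend each sample belongs to a 2000-byte file.
  std::cout << "good tail:    " << parseStartXRef(kGoodTail, 2000) << "\n";
  std::cout << "no keyword:   " << parseStartXRef(kNoKeyword, 2000) << "\n";
  std::cout << "huge offset:  " << parseStartXRef(kHugeOffset, 2000) << "\n";
  return 0;
}
```

The size check matters independently of the keyword search: a caller that only fixes the missing-keyword path still has to seek to whatever offset it parsed, so treating any offset at or beyond the end of the file as "no xref found" closes the same class of bad seeks with one comparison.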