[Poppler-bugs] [Bug 44660] New: Stack overflow in libpoppler in PDFDoc::markObject()

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Tue Jan 10 20:10:41 PST 2012 

https://bugs.freedesktop.org/show_bug.cgi?id=44660

             Bug #: 44660
           Summary: Stack overflow in libpoppler in PDFDoc::markObject()
    Classification: Unclassified
           Product: poppler
           Version: unspecified
          Platform: x86-64 (AMD64)
        OS/Version: Linux (All)
            Status: NEW
          Severity: normal
          Priority: medium
         Component: general
        AssignedTo: poppler-bugs at lists.freedesktop.org
        ReportedBy: asolokha at gmx.com


Created attachment 55404
  --> https://bugs.freedesktop.org/attachment.cgi?id=55404
gdb backtrace

pdfunite exposes a stack overflow in libpoppler w/ certain files (backtrace
attached). The crash is reproducible w/ either pdfunite 0.18.2 or built from
today's git (master).

Steps to reproduce:
% wget http://svnbook.red-bean.com/en/1.7/svn-book.pdf
% mv svn-book.pdf a.pdf
% cp a.pdf b.pdf
% pdfunite svn-book.pdf b.pdf c.pdf

% valgrind pdfunite a.pdf b.pdf c.pdf
==31239== Memcheck, a memory error detector
==31239== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==31239== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==31239== Command: pdfunite a.pdf b.pdf c.pdf
==31239== 
==31239== Stack overflow in thread 1: can't grow stack to 0x7fe801ff8
==31239== 
==31239== Process terminating with default action of signal 11 (SIGSEGV):
dumping core
==31239==  Access not within mapped region at address 0x7FE801FF8
==31239==    at 0x4F4E9FF: Lexer::getChar(bool) (in
/usr/lib64/libpoppler.so.19.0.0)
==31239==  If you believe this happened as a result of a stack
==31239==  overflow in your program's main thread (unlikely but
==31239==  possible), you can try to increase the size of the
==31239==  main thread stack using the --main-stacksize= flag.
==31239==  The main thread stack size used in this run was 8388608.
==31239== Stack overflow in thread 1: can't grow stack to 0x7fe801ff0
==31239== 
==31239== Process terminating with default action of signal 11 (SIGSEGV)
==31239==  Access not within mapped region at address 0x7FE801FF0
==31239==    at 0x4A25670: _vgnU_freeres (in
/usr/lib64/valgrind/vgpreload_core-amd64-linux.so)
==31239==  If you believe this happened as a result of a stack
==31239==  overflow in your program's main thread (unlikely but
==31239==  possible), you can try to increase the size of the
==31239==  main thread stack using the --main-stacksize= flag.
==31239==  The main thread stack size used in this run was 8388608.
==31239== 
==31239== HEAP SUMMARY:
==31239==     in use at exit: 94,978,141 bytes in 89,540 blocks
==31239==   total heap usage: 5,528,951 allocs, 5,439,411 frees, 207,618,968
bytes allocated
==31239== 
==31239== LEAK SUMMARY:
==31239==    definitely lost: 548 bytes in 32 blocks
==31239==    indirectly lost: 512 bytes in 4 blocks
==31239==      possibly lost: 0 bytes in 0 blocks
==31239==    still reachable: 94,977,081 bytes in 89,504 blocks
==31239==         suppressed: 0 bytes in 0 blocks
==31239== Rerun with --leak-check=full to see details of leaked memory
==31239== 
==31239== For counts of detected and suppressed errors, rerun with: -v
==31239== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 6 from 6)
% valgrind --main-stacksize=16777216 pdfunite a.pdf b.pdf c.pdf      
==880== Memcheck, a memory error detector                                       
==880== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==880== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==880== Command: pdfunite a.pdf b.pdf c.pdf
==880== 
==880== Stack overflow in thread 1: can't grow stack to 0x7fe001fc0
==880== 
==880== Process terminating with default action of signal 11 (SIGSEGV): dumping
core
==880==  Access not within mapped region at address 0x7FE001FC0
==880==    at 0x4C2B48B: malloc (in
/usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==880==  If you believe this happened as a result of a stack
==880==  overflow in your program's main thread (unlikely but
==880==  possible), you can try to increase the size of the
==880==  main thread stack using the --main-stacksize= flag.
==880==  The main thread stack size used in this run was 16777216.
==880== Stack overflow in thread 1: can't grow stack to 0x7fe001fb8
==880== 
==880== Process terminating with default action of signal 11 (SIGSEGV)
==880==  Access not within mapped region at address 0x7FE001FB8
==880==    at 0x4A25670: _vgnU_freeres (in
/usr/lib64/valgrind/vgpreload_core-amd64-linux.so)
==880==  If you believe this happened as a result of a stack
==880==  overflow in your program's main thread (unlikely but
==880==  possible), you can try to increase the size of the
==880==  main thread stack using the --main-stacksize= flag.
==880==  The main thread stack size used in this run was 16777216.
==880== 
==880== HEAP SUMMARY:
==880==     in use at exit: 189,550,428 bytes in 178,782 blocks
==880==   total heap usage: 11,050,679 allocs, 10,871,897 frees, 412,291,111
bytes allocated
==880== 
==880== LEAK SUMMARY:
==880==    definitely lost: 548 bytes in 32 blocks
==880==    indirectly lost: 512 bytes in 4 blocks
==880==      possibly lost: 0 bytes in 0 blocks
==880==    still reachable: 189,549,368 bytes in 178,746 blocks
==880==         suppressed: 0 bytes in 0 blocks
==880== Rerun with --leak-check=full to see details of leaked memory
==880== 
==880== For counts of detected and suppressed errors, rerun with: -v
==880== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 6 from 6)

-- 
Configure bugmail: https://bugs.freedesktop.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the Poppler-bugs mailing list