[Poppler-bugs] [Bug 65969] New: Segfault in GfxImageColorMap::getRGBLine on a corrupted (fuzzed) pdf file

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Thu Jun 20 06:34:36 PDT 2013


https://bugs.freedesktop.org/show_bug.cgi?id=65969

          Priority: medium
            Bug ID: 65969
          Assignee: poppler-bugs at lists.freedesktop.org
           Summary: Segfault in GfxImageColorMap::getRGBLine on a
                    corrupted (fuzzed) pdf file
          Severity: critical
    Classification: Unclassified
                OS: Linux (All)
          Reporter: jutaky at gmail.com
          Hardware: x86-64 (AMD64)
            Status: NEW
           Version: unspecified
         Component: cairo backend
           Product: poppler

Segfault in GfxImageColorMap::getRGBLine on a corrupted (fuzzed) pdf file.

Crash reproduced on evince (git) + poppler (git), evince (3.8.2) + poppler
(0.22.5) and epdfview (0.1.8) + poppler (0.22.5), on Arch Linux 64-bit.

Test case: http://jutaky.com/fuzzing/poppler_case_13499_7250.pdf

Backtrace on evince (git) + poppler (git):

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffe9a84700 (LWP 18406)]
0x00007fffe8a8fcfd in GfxImageColorMap::getRGBLine (this=0x7fffd01218f0,
in=0x0, out=0x7fffd00bf930, length=2) at GfxState.cc:5497
5497        *inp = byte_lookup[*inp * nComps + i];
(gdb) bt
#0  0x00007fffe8a8fcfd in GfxImageColorMap::getRGBLine (this=0x7fffd01218f0,
in=0x0, out=0x7fffd00bf930, length=2) at GfxState.cc:5497
#1  0x00007fffe8e5c3c9 in RescaleDrawImage::getRow (this=0x7fffe9a831f0,
row_num=0, row_data=0x7fffd00bf930) at CairoOutputDev.cc:2852
#2  0x00007fffe8e5c195 in RescaleDrawImage::getSourceImage
(this=0x7fffe9a831f0, str=0x7fffd0121740, widthA=2, height=1, scaledWidth=2,
scaledHeight=1, printing=false, 
    colorMapA=0x7fffd01218f0, maskColorsA=0x0) at CairoOutputDev.cc:2796
#3  0x00007fffe8e599f5 in CairoOutputDev::drawImage (this=0x7fffd004d000,
state=0x7fffd0120f50, ref=0x7fffe9a83540, str=0x7fffd0121740, widthA=2,
heightA=1, colorMap=0x7fffd01218f0, 
    interpolate=false, maskColors=0x0, inlineImg=false) at
CairoOutputDev.cc:2894
#4  0x00007fffe8a6af87 in Gfx::doImage (this=0x7fffd00551d0,
ref=0x7fffe9a83540, str=0x7fffd0121740, inlineImg=false) at Gfx.cc:4586
#5  0x00007fffe8a69200 in Gfx::opXObject (this=0x7fffd00551d0,
args=0x7fffe9a836b0, numArgs=1) at Gfx.cc:4127
#6  0x00007fffe8a56e68 in Gfx::execOp (this=0x7fffd00551d0, cmd=0x7fffe9a838c0,
args=0x7fffe9a836b0, numArgs=1) at Gfx.cc:852
#7  0x00007fffe8a56764 in Gfx::go (this=0x7fffd00551d0, topLevel=true) at
Gfx.cc:711
#8  0x00007fffe8a56585 in Gfx::display (this=0x7fffd00551d0,
obj=0x7fffe9a83a10, topLevel=true) at Gfx.cc:677
#9  0x00007fffe8ab727a in Page::displaySlice (this=0x7fffd0052d30,
out=0x7fffd004d000, hDPI=72, vDPI=72, rotate=0, useMediaBox=false, crop=true,
sliceX=-1, sliceY=-1, sliceW=-1, 
    sliceH=-1, printing=false, abortCheckCbk=0x0, abortCheckCbkData=0x0,
annotDisplayDecideCbk=0x0, annotDisplayDecideCbkData=0x0, copyXRef=false) at
Page.cc:580
#10 0x00007fffe8e42790 in _poppler_page_render (page=0x7fffd004cd80,
cairo=0xb05260, printing=false, print_flags=POPPLER_PRINT_DOCUMENT) at
poppler-page.cc:362
#11 0x00007fffe8e42876 in poppler_page_render (page=0x7fffd004cd80,
cairo=0xb05260) at poppler-page.cc:385
#12 0x00007fffe90796b8 in pdf_page_render (page=0x7fffd004cd80, width=569,
height=736, rc=0x7fffd0001750) at ev-poppler.cc:412
#13 0x00007fffe907981b in pdf_document_render (document=0x77ef60,
rc=0x7fffd0001750) at ev-poppler.cc:445
#14 0x00007ffff7454e32 in ev_document_render (document=0x77ef60,
rc=0x7fffd0001750) at ev-document.c:678
#15 0x00007ffff7201e50 in ev_job_render_run (job=0x7fffd000ce20) at
ev-jobs.c:634
#16 0x00007ffff7201334 in ev_job_run (job=0x7fffd000ce20) at ev-jobs.c:215
#17 0x00007ffff72051db in ev_job_thread (job=0x7fffd000ce20) at
ev-job-scheduler.c:184
#18 0x00007ffff720528e in ev_job_thread_proxy (data=0x0) at
ev-job-scheduler.c:217
#19 0x00007ffff3f81743 in g_thread_proxy (data=0x9dd140) at gthread.c:798
#20 0x00007ffff3cecdd2 in start_thread () from /usr/lib/libpthread.so.0
#21 0x00007ffff3509cdd in clone () from /usr/lib/libc.so.6

--
Juha Kylmänen
Research Assistant, OUSPG
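The backtrace above shows GfxImageColorMap::getRGBLine entered with in=0x0 and faulting on the first `*inp` read of `byte_lookup[*inp * nComps + i]`: the image stream handed the row decoder a NULL buffer for a 2x1 image and the lookup loop dereferenced it without checking. The following is an added illustration of that failure mode and of the guard a caller would want; it is constructed example code, not poppler's, and every name in it (ColorMap, RowStream, get_rgb_line_checked, render_row, the sample bytes) is hypothetical.

```c
/*
 * Constructed example (not poppler code): a minimal image-row colour-map
 * lookup in the style of the access pattern byte_lookup[*inp * nComps + i],
 * showing why a NULL input row from an exhausted or corrupted image stream
 * crashes at the lookup, and how a caller can reject it before dereferencing.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define N_COMPS 3   /* hypothetical: three components (RGB), one lookup byte each */

/* Hypothetical colour map: one byte_lookup entry per (sample value, component). */
typedef struct {
    int nComps;
    uint8_t byte_lookup[256 * N_COMPS];
} ColorMap;

static void colormap_init_identity(ColorMap *cm) {
    cm->nComps = N_COMPS;
    for (int idx = 0; idx < 256; idx++)
        for (int i = 0; i < cm->nComps; i++)
            cm->byte_lookup[idx * cm->nComps + i] = (uint8_t)idx;
}

/* Unchecked variant: same shape as the crashing loop. With in == NULL the
 * first *inp is a NULL dereference, which is the SIGSEGV in the report. */
static void get_rgb_line_unchecked(const ColorMap *cm, uint8_t *in, uint32_t *out, int length) {
    uint8_t *inp = in;
    for (int j = 0; j < length; j++) {
        uint32_t pix = 0;
        for (int i = 0; i < cm->nComps; i++, inp++) {
            *inp = cm->byte_lookup[*inp * cm->nComps + i];
            pix = (pix << 8) | *inp;
        }
        out[j] = pix;
    }
}

/* Hardened variant: refuse a NULL row (what a stream that ran dry on a fuzzed
 * file hands back) and a non-positive length. Returns 0 on success, -1 on error. */
static int get_rgb_line_checked(const ColorMap *cm, uint8_t *in, uint32_t *out, int length) {
    if (cm == NULL || in == NULL || out == NULL || length <= 0) return -1;
    get_rgb_line_unchecked(cm, in, out, length);
    return 0;
}

/* Hypothetical decoded image stream: a sample buffer plus a read cursor.
 * Returns NULL when asked for more rows than the data holds, which is how a
 * truncated or corrupted stream surfaces to the row decoder as in=0x0. */
typedef struct {
    const uint8_t *data;
    size_t len;
    size_t pos;
} RowStream;

static uint8_t *stream_get_row(RowStream *s, uint8_t *buf, int width, int nComps) {
    size_t need = (size_t)width * (size_t)nComps;
    if (s->pos + need > s->len) return NULL;   /* stream exhausted */
    memcpy(buf, s->data + s->pos, need);
    s->pos += need;
    return buf;
}

/* Caller in the role of the getRow frame: fetch one row and colour-map it.
 * Propagates -1 instead of passing a NULL row into the lookup loop. */
static int render_row(RowStream *s, const ColorMap *cm, int width, uint32_t *out) {
    uint8_t rowbuf[1024];
    if (width <= 0 || (size_t)width * (size_t)cm->nComps > sizeof rowbuf) return -1;
    uint8_t *row = stream_get_row(s, rowbuf, width, cm->nComps);
    return get_rgb_line_checked(cm, row, out, width);
}

/* Drive a 2x1 image as in the backtrace: once with enough data, once with an
 * empty stream. Returns 0 when both cases behave as expected. */
static int demo(void) {
    static const uint8_t good[6] = {0x10, 0x20, 0x30, 0x40, 0x50, 0x60};  /* constructed */
    ColorMap cm;
    colormap_init_identity(&cm);
    uint32_t out[2] = {0, 0};
    RowStream ok = {good, sizeof good, 0};
    RowStream empty = {good, 0, 0};
    int r1 = render_row(&ok, &cm, 2, out);
    int r2 = render_row(&empty, &cm, 2, out);
    return (r1 == 0 && out[0] == 0x102030u && out[1] == 0x405060u && r2 == -1) ? 0 : 1;
}

int main(void) {
    int rc = demo();
    printf("%s\n", rc == 0 ? "good row mapped, empty stream rejected" : "unexpected result");
    return rc;
}
```

The point of the checked variant is where the check lives: the row pointer is validated before the lookup loop runs, so an exhausted stream on a malformed file becomes a rendering error for that image rather than a segfault in the viewer's render thread.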
