[Poppler-bugs] [Bug 65221] New: Segfault in ImageStream::getLine on a corrupted (fuzzed) PDF file

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Fri May 31 15:06:52 PDT 2013


https://bugs.freedesktop.org/show_bug.cgi?id=65221

          Priority: medium
            Bug ID: 65221
          Assignee: poppler-bugs at lists.freedesktop.org
           Summary: Segfault in ImageStream::getLine on a corrupted
                    (fuzzed) PDF file
          Severity: critical
    Classification: Unclassified
                OS: Linux (All)
          Reporter: jutaky at gmail.com
          Hardware: x86-64 (AMD64)
            Status: NEW
           Version: unspecified
         Component: cairo backend
           Product: poppler

Segfault in ImageStream::getLine on a corrupted (fuzzed) PDF file.

Tested on evince git 20130531 with poppler git 20130531.

Also crashes with epdfview.

Test case: http://jutaky.com/fuzzing/poppler_case_10298_1453.pdf

Debugging information:

0x00007fffcbcae1a2 in ImageStream::getLine (this=0x7fffcc052f60) at
Stream.cc:548
548        buf = (buf << 8) | (*p++ & 0xff);
(gdb) bt
#0  0x00007fffcbcae1a2 in ImageStream::getLine (this=0x7fffcc052f60) at
Stream.cc:548
#1  0x00007fffd025be94 in CairoOutputDev::drawSoftMaskedImage
(this=0x7fffcc049160, state=0x7fffcc052270, ref=0x7fffe4c20560,
str=0x7fffcc1ac5b0, width=2700, height=2250, 
    colorMap=0x7fffcc053150, interpolate=true, maskStr=0x7fffcc1b4b40,
maskWidth=2700, maskHeight=2250, maskColorMap=0x7fffcc1bd0d0,
maskInterpolate=true) at CairoOutputDev.cc:2567
#2  0x00007fffcbc538de in Gfx::doImage (this=0x7fffcc059600,
ref=0x7fffe4c20560, str=0x7fffcc1ac5b0, inlineImg=false) at Gfx.cc:4585
#3  0x00007fffcbc51caa in Gfx::opXObject (this=0x7fffcc059600,
args=0x7fffe4c206d0, numArgs=1) at Gfx.cc:4133
#4  0x00007fffcbc3f95a in Gfx::execOp (this=0x7fffcc059600, cmd=0x7fffe4c208e0,
args=0x7fffe4c206d0, numArgs=1) at Gfx.cc:858
#5  0x00007fffcbc3f256 in Gfx::go (this=0x7fffcc059600, topLevel=true) at
Gfx.cc:717
#6  0x00007fffcbc3f077 in Gfx::display (this=0x7fffcc059600,
obj=0x7fffe4c20a30, topLevel=true) at Gfx.cc:683
#7  0x00007fffcbc9fd0e in Page::displaySlice (this=0x7fffcc04f8b0,
out=0x7fffcc049160, hDPI=72, vDPI=72, rotate=0, useMediaBox=false, crop=true,
sliceX=-1, sliceY=-1, sliceW=-1, 
    sliceH=-1, printing=false, abortCheckCbk=0x0, abortCheckCbkData=0x0,
annotDisplayDecideCbk=0x0, annotDisplayDecideCbkData=0x0, copyXRef=false) at
Page.cc:580
#8  0x00007fffd0245690 in _poppler_page_render (page=0x7fffcc049400,
cairo=0x7fffcc059060, printing=false, print_flags=POPPLER_PRINT_DOCUMENT) at
poppler-page.cc:362
#9  0x00007fffd0245776 in poppler_page_render (page=0x7fffcc049400,
cairo=0x7fffcc059060) at poppler-page.cc:385
#10 0x00007fffe40151bc in ?? () from
/usr/lib/evince/4/backends/libpdfdocument.so
#11 0x00007fffe40152d7 in ?? () from
/usr/lib/evince/4/backends/libpdfdocument.so
#12 0x00007ffff720f830 in ev_job_render_run (job=0x9c8260) at ev-jobs.c:634
#13 0x00007ffff720ed14 in ev_job_run (job=0x9c8260) at ev-jobs.c:215
#14 0x00007ffff7212b07 in ev_job_thread (job=0x9c8260) at
ev-job-scheduler.c:184
#15 0x00007ffff7212bba in ev_job_thread_proxy (data=0x0) at
ev-job-scheduler.c:217
#16 0x00007ffff48bc185 in ?? () from /usr/lib/libglib-2.0.so.0
#17 0x00007ffff4127dd2 in start_thread () from /usr/lib/libpthread.so.0
#18 0x00007ffff3e58ced in clone () from /usr/lib/libc.so.6

--
Juha Kylmänen
Research Assistant, OUSPG
