[Poppler-bugs] [Bug 65221] New: Segfault in ImageStream::getLine on a corrupted (fuzzed) PDF file
bugzilla-daemon at freedesktop.org
Fri May 31 15:06:52 PDT 2013
https://bugs.freedesktop.org/show_bug.cgi?id=65221
Priority: medium
Bug ID: 65221
Assignee: poppler-bugs at lists.freedesktop.org
Summary: Segfault in ImageStream::getLine on a corrupted (fuzzed) PDF file
Severity: critical
Classification: Unclassified
OS: Linux (All)
Reporter: jutaky at gmail.com
Hardware: x86-64 (AMD64)
Status: NEW
Version: unspecified
Component: cairo backend
Product: poppler
Segfault in ImageStream::getLine on a corrupted (fuzzed) PDF file.
Tested on evince git 20130531 with poppler git 20130531.
Also crashes with epdfview.
Test case: http://jutaky.com/fuzzing/poppler_case_10298_1453.pdf
Debugging information:
0x00007fffcbcae1a2 in ImageStream::getLine (this=0x7fffcc052f60) at Stream.cc:548
548 buf = (buf << 8) | (*p++ & 0xff);
(gdb) bt
#0 0x00007fffcbcae1a2 in ImageStream::getLine (this=0x7fffcc052f60) at Stream.cc:548
#1 0x00007fffd025be94 in CairoOutputDev::drawSoftMaskedImage (this=0x7fffcc049160, state=0x7fffcc052270, ref=0x7fffe4c20560, str=0x7fffcc1ac5b0, width=2700, height=2250, colorMap=0x7fffcc053150, interpolate=true, maskStr=0x7fffcc1b4b40, maskWidth=2700, maskHeight=2250, maskColorMap=0x7fffcc1bd0d0, maskInterpolate=true) at CairoOutputDev.cc:2567
#2 0x00007fffcbc538de in Gfx::doImage (this=0x7fffcc059600, ref=0x7fffe4c20560, str=0x7fffcc1ac5b0, inlineImg=false) at Gfx.cc:4585
#3 0x00007fffcbc51caa in Gfx::opXObject (this=0x7fffcc059600, args=0x7fffe4c206d0, numArgs=1) at Gfx.cc:4133
#4 0x00007fffcbc3f95a in Gfx::execOp (this=0x7fffcc059600, cmd=0x7fffe4c208e0, args=0x7fffe4c206d0, numArgs=1) at Gfx.cc:858
#5 0x00007fffcbc3f256 in Gfx::go (this=0x7fffcc059600, topLevel=true) at Gfx.cc:717
#6 0x00007fffcbc3f077 in Gfx::display (this=0x7fffcc059600, obj=0x7fffe4c20a30, topLevel=true) at Gfx.cc:683
#7 0x00007fffcbc9fd0e in Page::displaySlice (this=0x7fffcc04f8b0, out=0x7fffcc049160, hDPI=72, vDPI=72, rotate=0, useMediaBox=false, crop=true, sliceX=-1, sliceY=-1, sliceW=-1, sliceH=-1, printing=false, abortCheckCbk=0x0, abortCheckCbkData=0x0, annotDisplayDecideCbk=0x0, annotDisplayDecideCbkData=0x0, copyXRef=false) at Page.cc:580
#8 0x00007fffd0245690 in _poppler_page_render (page=0x7fffcc049400, cairo=0x7fffcc059060, printing=false, print_flags=POPPLER_PRINT_DOCUMENT) at poppler-page.cc:362
#9 0x00007fffd0245776 in poppler_page_render (page=0x7fffcc049400, cairo=0x7fffcc059060) at poppler-page.cc:385
#10 0x00007fffe40151bc in ?? () from /usr/lib/evince/4/backends/libpdfdocument.so
#11 0x00007fffe40152d7 in ?? () from /usr/lib/evince/4/backends/libpdfdocument.so
#12 0x00007ffff720f830 in ev_job_render_run (job=0x9c8260) at ev-jobs.c:634
#13 0x00007ffff720ed14 in ev_job_run (job=0x9c8260) at ev-jobs.c:215
#14 0x00007ffff7212b07 in ev_job_thread (job=0x9c8260) at ev-job-scheduler.c:184
#15 0x00007ffff7212bba in ev_job_thread_proxy (data=0x0) at ev-job-scheduler.c:217
#16 0x00007ffff48bc185 in ?? () from /usr/lib/libglib-2.0.so.0
#17 0x00007ffff4127dd2 in start_thread () from /usr/lib/libpthread.so.0
#18 0x00007ffff3e58ced in clone () from /usr/lib/libc.so.6
--
Juha Kylmänen
Research Assistant, OUSPG