[Poppler-bugs] [Bug 77763] New: heap-use-after-free on TextBlock::isBeforeByRule1

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Tue Apr 22 04:29:21 PDT 2014


https://bugs.freedesktop.org/show_bug.cgi?id=77763

          Priority: medium
            Bug ID: 77763
          Assignee: poppler-bugs at lists.freedesktop.org
           Summary: heap-use-after-free on TextBlock::isBeforeByRule1
          Severity: normal
    Classification: Unclassified
                OS: Linux (All)
          Reporter: a.husa at hushmail.com
          Hardware: x86-64 (AMD64)
            Status: NEW
           Version: unspecified
         Component: general
           Product: poppler

Created attachment 97740
  --> https://bugs.freedesktop.org/attachment.cgi?id=97740&action=edit
PDF that causes heap-use-after-free

ASAN reports a heap-use-after-free when the PDF file is closed.


This can be reproduced with Zathura, but not with Evince. Running Zathura
in gdb also prints "LLVM ERROR: IO failure on output stream".

Poppler version: 0.24.5 and Git Master
Zathura version: 0.2.7
Zathura-pdf-poppler version: 0.2.5


ASAN report:
==19740== ERROR: AddressSanitizer: heap-use-after-free on address
0x60220000fefc at pc 0x7feb63e4e8b0 bp 0x7feb60642480 sp 0x7feb60642478
READ of size 4 at 0x60220000fefc thread T4 (pool)


GDB backtrace:
gdb$ bt
#0  __asan_report_error (pc=0x7fffea3c4c25, bp=0x7fffe6bb84e0,
sp=0x7fffe6bb84d8, addr=0x60220000fefc, is_write=0x0, access_size=0x4) at
../../.././libsanitizer/asan/asan_report.cc:628
#1  0x00007ffff4e5f824 in __asan::__asan_report_load4 (addr=<optimized out>) at
../../.././libsanitizer/asan/asan_rtl.cc:228
#2  0x00007fffea3c4c25 in TextBlock::isBeforeByRule1 (this=0x601c000105e0,
blk1=0x601c000177a0) at
/var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/TextOutputDev.cc:1748
#3  0x00007fffea3c571b in TextBlock::visitDepthFirst (this=0x601c000105e0,
blkList=0x601c0001bcc0, pos1=0xd1, sorted=0x608400005200, sortPos=0x9c,
visited=0x60540000f080) at
/var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/TextOutputDev.cc:1856
#4  0x00007fffea3c57b8 in TextBlock::visitDepthFirst (this=0x601c00018680,
blkList=0x601c0001bcc0, pos1=0x3e, sorted=0x608400005200, sortPos=0x9b,
visited=0x60540000f080) at
/var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/TextOutputDev.cc:1874
#5  0x00007fffea3d599d in TextPage::coalesce (this=0x60220000fe80,
physLayout=0x1, fixedPitch=0, doHTML=0x0) at
/var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/TextOutputDev.cc:3427
#6  0x00007fffea9ac8fa in CairoOutputDev::endPage (this=0x603600000340) at
/var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/CairoOutputDev.cc:263
#7  0x00007fffea25ea7c in Gfx::~Gfx (this=0x60240008f4c0, __in_chrg=<optimized
out>) at
/var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/Gfx.cc:643
#8  0x00007fffea335ece in Page::displaySlice (this=0x6022000186a0,
out=0x603600000340, hDPI=72, vDPI=72, rotate=0x0, useMediaBox=0x0, crop=0x1,
sliceX=0xffffffff, sliceY=0xffffffff, sliceW=0xffffffff, sliceH=0xffffffff,
printing=0x0, abortCheckCbk=0x0, abortCheckCbkData=0x0,
annotDisplayDecideCbk=0x0, annotDisplayDecideCbkData=0x0, copyXRef=0x0) at
/var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/Page.cc:611
#9  0x00007fffea98f17c in _poppler_page_render (page=0x605200064c00,
cairo=0x604a0002f280, printing=0x0, print_flags=POPPLER_PRINT_DOCUMENT) at
/var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/glib/poppler-page.cc:362
#10 0x00007fffea98f2a3 in poppler_page_render (page=0x605200064c00,
cairo=0x604a0002f280) at
/var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/glib/poppler-page.cc:385
#11 0x00007fffeac06d8f in pdf_page_render_cairo (page=0x600800026450,
poppler_page=0x605200064c00, cairo=0x604a0002f280, printing=0x0) at render.c:19
#12 0x00000000004519a4 in zathura_page_render (page=0x600800026450,
cairo=0x604a0002f280, printing=0x0) at page.c:360
#13 0x0000000000426511 in render (job=0x6004000c1a70, request=0x6052000150d0,
renderer=0x6062000063b0) at render.c:691
#14 0x0000000000426aee in render_job (data=0x6004000c1a70,
user_data=0x6062000063b0) at render.c:750
#15 0x00007ffff36f1ea6 in ?? () from /usr/lib64/libglib-2.0.so.0
#16 0x00007ffff36f14e5 in ?? () from /usr/lib64/libglib-2.0.so.0
#17 0x00007ffff4e65c08 in __asan::AsanThread::ThreadStart (this=0x7fffe6bba000)
at ../../.././libsanitizer/asan/asan_thread.cc:99
#18 0x00007ffff3269f3a in start_thread (arg=0x7fffe6bb9700) at
pthread_create.c:308
#19 0x00007ffff2a89c3d in clone () at
../sysdeps/unix/sysv/linux/x86_64/clone.S:113


--
Antti Husa
Research Assistant, OUSPG
