[Poppler-bugs] [Bug 78182] New: heap-use-after-free on GooFile::read

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Fri May 2 02:54:14 PDT 2014


https://bugs.freedesktop.org/show_bug.cgi?id=78182

          Priority: medium
            Bug ID: 78182
          Assignee: poppler-bugs at lists.freedesktop.org
           Summary: heap-use-after-free on GooFile::read
          Severity: normal
    Classification: Unclassified
                OS: Linux (All)
          Reporter: a.husa at hushmail.com
          Hardware: x86-64 (AMD64)
            Status: NEW
           Version: unspecified
         Component: general
           Product: poppler

Created attachment 98332
  --> https://bugs.freedesktop.org/attachment.cgi?id=98332&action=edit
PDF that causes heap-use-after-free

ASAN reports a heap-use-after-free when the pdf viewer is closed as it starts to load
the pdf, i.e. before the pdf is fully loaded.

Poppler version: 0.24.5 and Git Master
Zathura version: 0.2.7
Zathura-pdf-poppler version: 0.2.5

Could not reproduce this with Evince.


At times, when the viewer is closed right as it starts to load the pdf, ASAN
reports another bug (SEGV) in addition to the previous one. Also, gdb gives two
different reports depending on whether there is a breakpoint at __asan_report_error
or not, since the program seems to hang without the breakpoint.

ASAN report:
==22456== ERROR: AddressSanitizer: heap-use-after-free on address
0x6004000c5310 at pc 0x7ff39b448b10 bp 0x7ff397e59710 sp 0x7ff397e59708
READ of size 4 at 0x6004000c5310 thread T4 (pool)
ASAN:SIGSEGV
==22456== AddressSanitizer: while reporting a bug found another one.Ignoring.


gdb backtrace with a breakpoint at __asan_report_error:
#0  __asan_report_error (pc=0x7fffea140b10, bp=0x7fffe6b51710,
sp=0x7fffe6b51708, addr=0x6004000c5310, is_write=0x0, access_size=0x4) at
../../.././libsanitizer/asan/asan_report.cc:628
#1  0x00007ffff4e5f824 in __asan::__asan_report_load4 (addr=<optimized out>) at
../../.././libsanitizer/asan/asan_rtl.cc:228
#2  0x00007fffea140b10 in GooFile::read (this=0x6004000c5310,
buf=0x602e0000eec9
"\004G\025\240\203\204\030B\"8\351W\255\a\r\250&)\240\302\f,DDzK\341\204\302P\316\070\":\f!:B#\370\232\256\342\"\"\">W>\222i
\376\237\024\020\177\206\223C\370\240\301u\r\017A\215\064\035\006%\252R\251\226\272|\202\024K_B\v)\216AA\345\060\344Wv\362ڄGF\021\206J\230_\226\300q.eA\227E at R8b\"<\034\231\347\342\206y\374\265\315Q$\301\003\b8\207\004\f\020\062\060M'j\277-QFA\003(\340.\025\027\r\027a\203\240\203\tݵ_\371i\202\"O'eb\b3@\201\020\256\020\062\"\245\004\030h&\333\374r\205\276\376d$r\323)#Ff0U"...,
n=0x100, offset=0x4095) at
/var/tmp/portage/app-text/poppler-9999/work/poppler-9999/goo/gfile.cc:648
#3  0x00007fffea31ae10 in FileStream::fillBuf (this=0x602e0000ee60) at
/var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/Stream.cc:821
#4  0x00007fffea32d605 in FileStream::getChar (this=0x602e0000ee60) at
/var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/Stream.h:458
#5  0x00007fffea3282ca in CCITTFaxStream::lookBits (this=0x60180006b800, n=0x7)
at
/var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/Stream.cc:2328
#6  0x00007fffea32761e in CCITTFaxStream::getTwoDimCode (this=0x60180006b800)
at
/var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/Stream.cc:2163
#7  0x00007fffea322b39 in CCITTFaxStream::lookChar (this=0x60180006b800) at
/var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/Stream.cc:1749
#8  0x00007fffea32eb76 in CCITTFaxStream::getChar (this=0x60180006b800) at
/var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/Stream.h:793
#9  0x00007fffea1d4f91 in Stream::doGetChars (this=0x60180006b800,
nChars=0x136, buffer=0x60280000fdc0 '\377' <repeats 117 times>,
"\003\376\037\340?\200\377\377\377\377\377\377\374?\376\f\037\370\a\377\377\300\177\340\177\377\003\377\377\377\377\377\377")
at
/var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/Stream.h:126
#10 0x00007fffea31724a in ImageStream::getLine (this=0x600c00071900) at
/var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/Stream.cc:517
#11 0x00007fffea9c6428 in RescaleDrawImage::getRow (this=0x7fffe6b51d10,
row_num=0x493, row_data=0x607400007900) at
/var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/CairoOutputDev.cc:2838
#12 0x00007fffea9c79ff in CairoRescaleBox::downScaleImage (this=0x7fffe6b51d10,
orig_width=0x9b0, orig_height=0xdb3, scaled_width=0x1a5, scaled_height=0x254,
start_column=0x0, start_row=0x0, width=0x1a5, height=0x254,
dest_surface=0x602c0001fa00) at
/var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/CairoRescaleBox.cc:346
#13 0x00007fffea9c6248 in RescaleDrawImage::getSourceImage
(this=0x7fffe6b51d10, str=0x60180006b800, widthA=0x9b0, height=0xdb3,
scaledWidth=0x1a5, scaledHeight=0x254, printing=0x0, colorMapA=0x60440002f880,
maskColorsA=0x0) at
/var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/CairoOutputDev.cc:2819
#14 0x00007fffea9c10c9 in CairoOutputDev::drawImage (this=0x603600000080,
state=0x603e0001f340, ref=0x7fffe6b52350, str=0x60180006b800, widthA=0x9b0,
heightA=0xdb3, colorMap=0x60440002f880, interpolate=0x0, maskColors=0x0,
inlineImg=0x0) at
/var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/CairoOutputDev.cc:2904
#15 0x00007fffea2428e5 in Gfx::doImage (this=0x60240008f4c0,
ref=0x7fffe6b52350, str=0x60180006b800, inlineImg=0x0) at
/var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/Gfx.cc:4653
#16 0x00007fffea23f997 in Gfx::opXObject (this=0x60240008f4c0,
args=0x7fffe6b52580, numArgs=0x1) at
/var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/Gfx.cc:4179
#17 0x00007fffea219541 in Gfx::execOp (this=0x60240008f4c0, cmd=0x7fffe6b524e0,
args=0x7fffe6b52580, numArgs=0x1) at
/var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/Gfx.cc:903
#18 0x00007fffea21872a in Gfx::go (this=0x60240008f4c0, topLevel=0x1) at
/var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/Gfx.cc:762
#19 0x00007fffea21837e in Gfx::display (this=0x60240008f4c0,
obj=0x7fffe6b529c0, topLevel=0x1) at
/var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/Gfx.cc:728
#20 0x00007fffea2fb95e in Page::displaySlice (this=0x602200017a40,
out=0x603600000080, hDPI=72, vDPI=72, rotate=0x0, useMediaBox=0x0, crop=0x1,
sliceX=0xffffffff, sliceY=0xffffffff, sliceW=0xffffffff, sliceH=0xffffffff,
printing=0x0, abortCheckCbk=0x0, abortCheckCbkData=0x0,
annotDisplayDecideCbk=0x0, annotDisplayDecideCbkData=0x0, copyXRef=0x0) at
/var/tmp/portage/app-text/poppler-9999/work/poppler-9999/poppler/Page.cc:585
#21 0x00007fffea982034 in _poppler_page_render (page=0x605200064f40,
cairo=0x604a0002f280, printing=0x0, print_flags=POPPLER_PRINT_DOCUMENT) at
/var/tmp/portage/app-text/poppler-9999/work/poppler-9999/glib/poppler-page.cc:362
#22 0x00007fffea98215b in poppler_page_render (page=0x605200064f40,
cairo=0x604a0002f280) at
/var/tmp/portage/app-text/poppler-9999/work/poppler-9999/glib/poppler-page.cc:385
#23 0x00007fffeac06d8f in pdf_page_render_cairo (page=0x600800024f10,
poppler_page=0x605200064f40, cairo=0x604a0002f280, printing=0x0) at render.c:19
#24 0x00000000004519a4 in zathura_page_render (page=0x600800024f10,
cairo=0x604a0002f280, printing=0x0) at page.c:360
#25 0x0000000000426511 in render (job=0x6004000c08d0, request=0x60520004c080,
renderer=0x6062000064f0) at render.c:691
#26 0x0000000000426aee in render_job (data=0x6004000c08d0,
user_data=0x6062000064f0) at render.c:750
#27 0x00007ffff36f1ea6 in ?? () from /usr/lib64/libglib-2.0.so.0
#28 0x00007ffff36f14e5 in ?? () from /usr/lib64/libglib-2.0.so.0
#29 0x00007ffff4e65c08 in __asan::AsanThread::ThreadStart (this=0x7fffe6b54000)
at ../../.././libsanitizer/asan/asan_thread.cc:99
#30 0x00007ffff3269f3a in start_thread (arg=0x7fffe6b53700) at
pthread_create.c:308
#31 0x00007ffff2a89c3d in clone () at
../sysdeps/unix/sysv/linux/x86_64/clone.S:113


gdb backtrace with no breakpoint at __asan_report_error:
#0  __lll_lock_wait () at
../nptl/sysdeps/unix/sysv/linux/x86_64/lowlevellock.S:135
#1  0x00007ffff326c1b7 in _L_lock_1055 () from /lib64/libpthread.so.0
#2  0x00007ffff326c049 in __GI___pthread_mutex_lock (mutex=0x7ffff7ffd930
<_rtld_global+2352>) at pthread_mutex_lock.c:85
#3  0x00007ffff7deeb65 in _dl_close_worker (map=map at entry=0x604600016b80) at
dl-close.c:518
#4  0x00007ffff7def36c in _dl_close (_map=0x604600016b80) at dl-close.c:775
#5  0x00007ffff7de9986 in _dl_catch_error (objname=0x7ffff75d79f0
<__interceptor_calloc::calloc_memory_for_dlsym+16>, errstring=0x7ffff75d79f8
<__interceptor_calloc::calloc_memory_for_dlsym+24>, mallocedp=0x7ffff75d79e8
<__interceptor_calloc::calloc_memory_for_dlsym+8>, operate=0x7ffff27992a0
<dlclose_doit>, args=0x604600016b80) at dl-error.c:177
#6  0x00007ffff279978c in _dlerror_run (operate=operate at entry=0x7ffff27992a0
<dlclose_doit>, args=0x604600016b80) at dlerror.c:163
#7  0x00007ffff27992cf in __dlclose (handle=<optimized out>) at dlclose.c:47
#8  0x00007ffff347f489 in ?? () from /usr/lib64/libgmodule-2.0.so.0
#9  0x00007ffff347f602 in g_module_close () from /usr/lib64/libgmodule-2.0.so.0
#10 0x0000000000434935 in zathura_plugin_free (plugin=0x60200000e440) at
plugin.c:345
#11 0x00007ffff36c9578 in g_list_foreach () from /usr/lib64/libglib-2.0.so.0
#12 0x00007ffff36c959b in g_list_free_full () from /usr/lib64/libglib-2.0.so.0
#13 0x00007ffff4c3cc2f in girara_list_clear () from
/usr/lib64/libgirara-gtk3.so.1
#14 0x00007ffff4c3cc5e in girara_list_free () from
/usr/lib64/libgirara-gtk3.so.1
#15 0x0000000000434385 in zathura_plugin_manager_free
(plugin_manager=0x6006000039d0) at plugin.c:251
#16 0x00000000004363e8 in zathura_free (zathura=0x60300000f040) at
zathura.c:300
#17 0x00000000004122e7 in main (argc=0x2, argv=0x7fffffffe0a8) at main.c:199


--
Antti Husa
Research Assistant, OUSPG
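
The interleaving the report describes (a pool thread still inside GooFile::read while the main thread tears the viewer down, then dlclose on the plugin), modelled as an added example that is not poppler's or zathura's code: a constructed reference-counted document where the render job holds its own reference, so closing the viewer no longer frees memory the pool thread is reading. The document_t, render_job and close_while_rendering names are assumptions, and the join in the code refers to the g_module_close frame in the second backtrace.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model (not poppler or zathura code) of the race in this report: a
 * pool thread still reads the file while the main thread tears the viewer down.
 * Fix shown: reference count the document; the render job holds its own ref. */
typedef struct { atomic_int refs; unsigned char *bytes; size_t len; } document_t;
static atomic_int documents_freed;   /* counts frees so a caller can check for exactly one */
static document_t *document_new(const unsigned char *data, size_t len) {
    document_t *d = calloc(1, sizeof *d);
    atomic_init(&d->refs, 1);        /* the owner's (viewer's) reference */
    d->bytes = malloc(len);          /* stands in for the file behind GooFile::read */
    memcpy(d->bytes, data, len);
    d->len = len;
    return d;
}
static document_t *document_ref(document_t *d) { atomic_fetch_add(&d->refs, 1); return d; }
static void document_unref(document_t *d) {
    if (atomic_fetch_sub(&d->refs, 1) == 1) {   /* we held the last reference */
        free(d->bytes);
        free(d);
        atomic_fetch_add(&documents_freed, 1);
    }
}
typedef struct { document_t *doc; size_t bytes_read; } render_job_t;

/* Pool thread: read byte by byte (cf. FileStream::getChar -> GooFile::read), then drop the ref. */
static void *render_job(void *arg) {
    render_job_t *job = arg;
    for (size_t i = 0; i < job->doc->len; i++)
        job->bytes_read += job->doc->bytes[i] != 0;
    document_unref(job->doc);
    return NULL;
}

/* "Close the viewer as it starts to load": start the job, then immediately drop
 * the owner's reference.  Returns the number of non-zero bytes the job read. */
size_t close_while_rendering(const unsigned char *data, size_t len) {
    document_t *doc = document_new(data, len);
    render_job_t job = { .doc = document_ref(doc), .bytes_read = 0 };
    pthread_t tid;
    int started = pthread_create(&tid, NULL, render_job, &job) == 0;
    if (!started) document_unref(job.doc);   /* no thread: return the job's reference */
    document_unref(doc);         /* teardown; would free the document if the job held no ref */
    if (started) pthread_join(tid, NULL);   /* also required before g_module_close-style unload */
    return job.bytes_read;
}
int documents_freed_count(void) { return atomic_load(&documents_freed); }
```

Without the job's reference the second document_unref would free the buffer while the pool thread is still iterating over it, which is exactly the READ-after-free ASAN flagged; unloading the plugin before the join is what the hung dlclose trace shows.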
