[Poppler-bugs] [Bug 91686] New: [patch] Fix pdftoppm core dump with free(): invalid next size (normal): 0x00000000009e2f80

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Wed Aug 19 01:29:58 PDT 2015 

https://bugs.freedesktop.org/show_bug.cgi?id=91686

            Bug ID: 91686
           Summary: [patch] Fix pdftoppm core dump with free(): invalid
                    next size (normal): 0x00000000009e2f80
           Product: poppler
           Version: unspecified
          Hardware: Other
                OS: All
            Status: NEW
          Severity: normal
          Priority: medium
         Component: splash backend
          Assignee: poppler-bugs at lists.freedesktop.org
          Reporter: williambader at hotmail.com

Created attachment 117779
  --> https://bugs.freedesktop.org/attachment.cgi?id=117779&action=edit
patch to fix the core dump

Pieter van der Eems produced a PDF where
 pdftoppm -cropbox -f 0 -l 0 -r 150 /tmp/memory_issue_pdf.pdf x
core dumps with a memory corruption error like
  *** Error in `/usr/bin/pdftoppm': double free or corruption (out):
0x00000000011145b0 ***
or
  *** Error in `./pdftoppm': free(): invalid next size (normal):
0x000000000107cf80 ***

valgrind reports
Invalid read of size 1
   at 0x47AF9C: Splash::pipeRun(SplashPipe*) (Splash.cc:504)
   by 0x488D97: Splash::drawPixel(SplashPipe*, int, int, bool) (Splash.cc:1414)
   by 0x47F96A: Splash::arbitraryTransformMask(bool (*)(void*, unsigned char*),
void*, int, int, double*, bool) (Splash.cc:3242)
   by 0x48331B: Splash::fillImageMask(bool (*)(void*, unsigned char*), void*,
int, int, double*, bool) (Splash.cc:2980)
   by 0x40EE72: SplashOutputDev::setSoftMaskFromImageMask(GfxState*, Object*,
Stream*, int, int, bool, bool, double*) (SplashOutputDev.cc:2845)
   by 0x42529A: Gfx::doPatternImageMask(Object*, Stream*, int, int, bool, bool)
(Gfx.cc:2091)
   by 0x42611A: Gfx::doImage(Object*, Stream*, bool) (Gfx.cc:4380)
   by 0x4268C9: Gfx::opBeginImage(Object*, int) (Gfx.cc:4987)
   by 0x421BC9: Gfx::go(bool) (Gfx.cc:763)
   by 0x422054: Gfx::display(Object*, bool) (Gfx.cc:729)
   by 0x4BF027: Page::displaySlice(OutputDev*, double, double, int, bool, bool,
int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*),
void*, ...
   by 0x40AAF3: savePageSlice(PDFDoc*, SplashOutputDev*, int, int, int, int,
int, double, double, char*) (pdftoppm.cc:225)
 Address 0x58d82af is 1 bytes before a block of size 2,112 alloc'd
   at 0x4A06BBD: malloc (vg_replace_malloc.c:296)
   by 0x469F6C: gmalloc(unsigned long, bool) (gmem.cc:110)
   by 0x489A8F: SplashBitmap::SplashBitmap(int, int, int, SplashColorMode,
bool, bool, GooList*) (SplashBitmap.cc:113)
   by 0x40EDC9: SplashOutputDev::setSoftMaskFromImageMask(GfxState*, Object*,
Stream*, int, int, bool, bool, double*) (SplashOutputDev.cc:2839)
   by 0x42529A: Gfx::doPatternImageMask(Object*, Stream*, int, int, bool, bool)
(Gfx.cc:2091)
   by 0x42611A: Gfx::doImage(Object*, Stream*, bool) (Gfx.cc:4380)
   by 0x4268C9: Gfx::opBeginImage(Object*, int) (Gfx.cc:4987)
   by 0x421BC9: Gfx::go(bool) (Gfx.cc:763)
   by 0x422054: Gfx::display(Object*, bool) (Gfx.cc:729)
   by 0x4BF027: Page::displaySlice(OutputDev*, double, double, int, bool, bool,
int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*),
void*, ...
   by 0x40AAF3: savePageSlice(PDFDoc*, SplashOutputDev*, int, int, int, int,
int, double, double, char*) (pdftoppm.cc:225)
   by 0x40A348: main (pdftoppm.cc:532)

Debug code shows that Splash::arbitraryTransformMask() was setting xa to -1 and
then running
  for (x = xa; x < xb; x++) {
    drawPixel(&pipe, x, y, clipRes2 == splashClipAllInside);
  }
With xa of -1, it was corrupting internal malloc data in front of the buffer.
valgrind warns "Address 0x58d82af is 1 bytes before a block of size 2,112
alloc'd"

A later write to the byte corrupts memory, and then pdftoppm will eventually
crash.

Invalid write of size 1
  at 0x47AAD1: Splash::pipeRun(SplashPipe*) (Splash.cc:827)
  by 0x488D97: Splash::drawPixel(SplashPipe*, int, int, bool) (Splash.cc:1414)
  by 0x47F96A: Splash::arbitraryTransformMask(bool (*)(void*, unsigned char*),
void*, int, int, double*, bool) (Splash.cc:3242)
  by 0x48331B: Splash::fillImageMask(bool (*)(void*, unsigned char*), void*,
int, int, double*, bool) (Splash.cc:2980)

The patch ensures that xa is >= 0.

There might be a deeper problem that splashFloor() can return a negative value.
splashFloor() is implemented in SplashMath.h.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freedesktop.org/archives/poppler-bugs/attachments/20150819/180a96d3/attachment.html>

More information about the Poppler-bugs mailing list