[Poppler-bugs] [Bug 91186] New: Malformed input will cause a stack overflow and crash
bugzilla-daemon at freedesktop.org
Thu Jul 2 01:42:04 PDT 2015
https://bugs.freedesktop.org/show_bug.cgi?id=91186
Bug ID: 91186
Summary: Malformed input will cause a stack overflow and crash
Product: poppler
Version: unspecified
Hardware: Other
OS: All
Status: NEW
Severity: normal
Priority: medium
Component: general
Assignee: poppler-bugs at lists.freedesktop.org
Reporter: hanno at hboeck.de
Created attachment 116869
--> https://bugs.freedesktop.org/attachment.cgi?id=116869&action=edit
sample input
The attached file will segfault poppler (can be tested with either evince or
any of the pdfto* command line tools). It seems to be an endless recursion
causing a stack overflow judging from the address sanitizer stack trace.
Found with american fuzzy lop.
Error message from asan:
==17945==ERROR: AddressSanitizer: stack-overflow on address 0x7ffd0e24df08 (pc 0x7fcca06dab7d bp 0x7ffd0e24e4e0 sp 0x7ffd0e24df10 T0)
#0 0x7fcca06dab7c in _IO_vfprintf /var/tmp/portage/sys-libs/glibc-2.20-r2/work/glibc-2.20/stdio-common/vfprintf.c:1304
#1 0x7fcca06e0240 in buffered_vfprintf /var/tmp/portage/sys-libs/glibc-2.20-r2/work/glibc-2.20/stdio-common/vfprintf.c:2348
#2 0x7fcca06daca4 in _IO_vfprintf /var/tmp/portage/sys-libs/glibc-2.20-r2/work/glibc-2.20/stdio-common/vfprintf.c:1296
#3 0x490882 in fprintf (/mnt/ram/poppler/pdftoppm+0x490882)
#4 0x5545f0 in error(ErrorCategory, long long, char const*, ...) /f/poppler-0.33.0/poppler/Error.cc:88:7
#5 0x66d487 in Parser::makeStream(Object*, unsigned char*, CryptAlgorithm, int, int, int, int, bool) /f/poppler-0.33.0/poppler/Parser.cc:217:5
#6 0x66bbea in Parser::getObj(Object*, bool, unsigned char*, CryptAlgorithm, int, int, int, int, bool) /f/poppler-0.33.0/poppler/Parser.cc:131:34
#7 0x6ce3a8 in XRef::fetch(int, int, Object*, int) /f/poppler-0.33.0/poppler/XRef.cc:1198:5
#8 0x65afd0 in Object::fetch(XRef*, Object*, int) /f/poppler-0.33.0/poppler/Object.cc:122:10
#9 0x68f4ee in Stream::makeFilter(char*, Stream*, Object*, int, Object*) /f/poppler-0.33.0/poppler/Stream.cc:348:9
#10 0x68d363 in Stream::addFilters(Object*, int) /f/poppler-0.33.0/poppler/Stream.cc:188:11
#11 0x66ded9 in Parser::makeStream(Object*, unsigned char*, CryptAlgorithm, int, int, int, int, bool) /f/poppler-0.33.0/poppler/Parser.cc:277:9
#12 0x66bbea in Parser::getObj(Object*, bool, unsigned char*, CryptAlgorithm, int, int, int, int, bool) /f/poppler-0.33.0/poppler/Parser.cc:131:34
(this goes on for several hundred lines)
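The frames in the trace form a loop: Parser::makeStream -> Stream::addFilters -> Stream::makeFilter -> Object::fetch -> XRef::fetch -> Parser::getObj -> Parser::makeStream. Building a stream resolves a filter-related object through the xref, and in the crashing file that object turns out to be another stream whose filters must be built in turn, so construction re-enters itself until the stack is gone. The code below is an added example, not poppler's code and not the content of the attached sample: a toy resolver with the same shape, guarded by an "in progress" stack that detects reference cycles and a depth ceiling that stops long non-cyclic chains. The object model, the choice of /DecodeParms as the re-entrant reference, the kMaxDepth value and the sample documents are assumptions for illustration; the page does not say how poppler fixed the bug.

```cpp
// Added example (not poppler's code): a toy model of the re-entrant stream
// construction visible in the ASAN trace. Building a stream resolves its filter
// parameters through the xref; if that resolution yields another stream, its
// filters get built too, and a malformed file can make the references loop.
// The guards (an "in progress" stack for cycles, a depth ceiling for long
// chains) are an assumed fix pattern, not what poppler implemented.
#include <algorithm>
#include <map>
#include <string>
#include <vector>

struct Obj {
    enum Kind { Dict, Stream } kind = Dict;
    std::string filter;     // Stream only: name of the decode filter
    int decodeParms = -1;   // Stream only: object number of /DecodeParms, -1 if none
};

// Stand-in for the xref table: object number -> object.
using Doc = std::map<int, Obj>;

enum class Status { Ok, Missing, Cycle, TooDeep };

constexpr int kMaxDepth = 32;   // assumed ceiling for nested filter resolution

// Mirrors makeStream -> addFilters -> makeFilter -> fetch -> makeStream.
// 'active' holds the object numbers of streams currently being built.
static Status buildStreamRec(const Doc& doc, int num, std::vector<int>& active,
                             std::vector<std::string>& chain) {
    if (static_cast<int>(active.size()) >= kMaxDepth) return Status::TooDeep;
    if (std::find(active.begin(), active.end(), num) != active.end()) return Status::Cycle;
    auto it = doc.find(num);
    if (it == doc.end() || it->second.kind != Obj::Stream) return Status::Missing;
    const Obj& s = it->second;
    active.push_back(num);
    chain.push_back(s.filter);
    Status st = Status::Ok;
    if (s.decodeParms >= 0) {
        auto p = doc.find(s.decodeParms);
        if (p == doc.end()) {
            st = Status::Missing;
        } else if (p->second.kind == Obj::Stream) {
            // The parameter object is itself a stream: the parser re-enters
            // stream construction here, which is the recursion in the trace.
            st = buildStreamRec(doc, s.decodeParms, active, chain);
        }
        // A plain Dict is the well-formed case: nothing more to resolve.
    }
    active.pop_back();
    return st;
}

// Builds stream 'num' and optionally reports the filter names it collected.
Status buildStream(const Doc& doc, int num, std::vector<std::string>* chainOut = nullptr) {
    std::vector<int> active;
    std::vector<std::string> chain;
    Status st = buildStreamRec(doc, num, active, chain);
    if (chainOut) *chainOut = chain;
    return st;
}

// Constructed inputs (not derived from the attachment in the report).
Doc wellFormedDoc() {
    return {{1, {Obj::Stream, "FlateDecode", 2}}, {2, {Obj::Dict, "", -1}}};
}
Doc cyclicDoc() {   // 1's parms -> 3, 3's parms -> 1
    return {{1, {Obj::Stream, "FlateDecode", 3}}, {3, {Obj::Stream, "LZWDecode", 1}}};
}
Doc deepChainDoc(int n) {   // n distinct streams, each pointing at the next
    Doc d;
    for (int i = 1; i <= n; ++i)
        d[i] = {Obj::Stream, "FlateDecode", i < n ? i + 1 : -1};
    return d;
}

int main() {
    Status a = buildStream(wellFormedDoc(), 1);
    Status b = buildStream(cyclicDoc(), 1);
    Status c = buildStream(deepChainDoc(kMaxDepth + 8), 1);
    return (a == Status::Ok && b == Status::Cycle && c == Status::TooDeep) ? 0 : 1;
}
```

The cycle check is what turns the crash into a reported error for the two-object loop; the depth ceiling is the cheaper backstop for a file that chains many distinct objects instead of looping, which a visited set alone would not stop.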