[Poppler-bugs] [Bug 91186] New: Malformed input will cause a stack overflow and crash

bugzilla-daemon at freedesktop.org
Thu Jul 2 01:42:04 PDT 2015


https://bugs.freedesktop.org/show_bug.cgi?id=91186

            Bug ID: 91186
           Summary: Malformed input will cause a stack overflow and crash
           Product: poppler
           Version: unspecified
          Hardware: Other
                OS: All
            Status: NEW
          Severity: normal
          Priority: medium
         Component: general
          Assignee: poppler-bugs at lists.freedesktop.org
          Reporter: hanno at hboeck.de

Created attachment 116869
  --> https://bugs.freedesktop.org/attachment.cgi?id=116869&action=edit
sample input

The attached file will segfault poppler (can be tested with either evince or
any of the pdfto* command line tools). It seems to be an endless recursion
causing a stack overflow judging from the address sanitizer stack trace.

Found with american fuzzy lop.

Error message from asan:
==17945==ERROR: AddressSanitizer: stack-overflow on address 0x7ffd0e24df08 (pc
0x7fcca06dab7d bp 0x7ffd0e24e4e0 sp 0x7ffd0e24df10 T0)
    #0 0x7fcca06dab7c in _IO_vfprintf
/var/tmp/portage/sys-libs/glibc-2.20-r2/work/glibc-2.20/stdio-common/vfprintf.c:1304
    #1 0x7fcca06e0240 in buffered_vfprintf
/var/tmp/portage/sys-libs/glibc-2.20-r2/work/glibc-2.20/stdio-common/vfprintf.c:2348
    #2 0x7fcca06daca4 in _IO_vfprintf
/var/tmp/portage/sys-libs/glibc-2.20-r2/work/glibc-2.20/stdio-common/vfprintf.c:1296
    #3 0x490882 in fprintf (/mnt/ram/poppler/pdftoppm+0x490882)
    #4 0x5545f0 in error(ErrorCategory, long long, char const*, ...)
/f/poppler-0.33.0/poppler/Error.cc:88:7
    #5 0x66d487 in Parser::makeStream(Object*, unsigned char*, CryptAlgorithm,
int, int, int, int, bool) /f/poppler-0.33.0/poppler/Parser.cc:217:5
    #6 0x66bbea in Parser::getObj(Object*, bool, unsigned char*,
CryptAlgorithm, int, int, int, int, bool)
/f/poppler-0.33.0/poppler/Parser.cc:131:34
    #7 0x6ce3a8 in XRef::fetch(int, int, Object*, int)
/f/poppler-0.33.0/poppler/XRef.cc:1198:5
    #8 0x65afd0 in Object::fetch(XRef*, Object*, int)
/f/poppler-0.33.0/poppler/Object.cc:122:10
    #9 0x68f4ee in Stream::makeFilter(char*, Stream*, Object*, int, Object*)
/f/poppler-0.33.0/poppler/Stream.cc:348:9
    #10 0x68d363 in Stream::addFilters(Object*, int)
/f/poppler-0.33.0/poppler/Stream.cc:188:11
    #11 0x66ded9 in Parser::makeStream(Object*, unsigned char*, CryptAlgorithm,
int, int, int, int, bool) /f/poppler-0.33.0/poppler/Parser.cc:277:9
    #12 0x66bbea in Parser::getObj(Object*, bool, unsigned char*,
CryptAlgorithm, int, int, int, int, bool)
/f/poppler-0.33.0/poppler/Parser.cc:131:34

(this goes on for several hundred lines)
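The frames above repeat in a fixed loop (makeStream, addFilters, makeFilter, Object::fetch, XRef::fetch, getObj, makeStream again), which is consistent with a stream dictionary entry that is an indirect reference resolving back to the stream being built. As an added example, not poppler's code, here is a minimal model of indirect-object resolution with a cycle guard of the kind that turns such recursion into an error; the Obj, Document and fetch names and the sample object numbers are constructed for illustration.

```cpp
// Added example (not poppler code): a simplified model of indirect-object
// resolution that refuses to follow a reference already on the call chain.
#include <map>
#include <set>
#include <string>

// Hypothetical object kinds: a direct value, or an indirect reference to
// another object number (think of a stream whose /Filter entry is a reference).
struct Obj {
    enum Kind { Value, Ref } kind;
    std::string value;  // used when kind == Value
    int ref;            // used when kind == Ref
};

using Document = std::map<int, Obj>;

// Resolve object `num`, following references. `inProgress` holds the object
// numbers currently being resolved on this call chain; meeting one of them
// again means the file contains a reference cycle, which without the guard
// would recurse until the stack overflows. Returns "" on a cycle or a
// missing object instead of recursing.
static std::string fetchGuarded(const Document& doc, int num,
                                std::set<int>& inProgress) {
    if (!inProgress.insert(num).second) return "";  // cycle detected
    std::string out;
    auto it = doc.find(num);
    if (it != doc.end()) {
        out = (it->second.kind == Obj::Value)
                  ? it->second.value
                  : fetchGuarded(doc, it->second.ref, inProgress);
    }
    inProgress.erase(num);  // leave the chain as the recursion unwinds
    return out;
}

std::string fetch(const Document& doc, int num) {
    std::set<int> inProgress;
    return fetchGuarded(doc, num, inProgress);
}

// Constructed sample documents (object numbers chosen arbitrarily).
Document wellFormedDoc() {
    return {{5, Obj{Obj::Ref, "", 7}}, {7, Obj{Obj::Value, "FlateDecode", 0}}};
}
Document cyclicDoc() {
    // 5 -> 7 -> 5: the referenced entry resolves back to the stream itself.
    return {{5, Obj{Obj::Ref, "", 7}}, {7, Obj{Obj::Ref, "", 5}}};
}

int main() {
    bool ok = fetch(wellFormedDoc(), 5) == "FlateDecode" && fetch(cyclicDoc(), 5).empty();
    return ok ? 0 : 1;
}
```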
