[Poppler-bugs] [Bug 89422] SIGABRT in getString at Object.h:202

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Wed Mar 4 02:45:38 PST 2015


https://bugs.freedesktop.org/show_bug.cgi?id=89422

Henri Salo <henri+freedesktop at nerv.fi> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |henri+freedesktop at nerv.fi

--- Comment #1 from Henri Salo <henri+freedesktop at nerv.fi> ---
The attached sample file crashes e.g. pdfinfo. The sample file was fuzzed with AFL:
http://lcamtuf.coredump.cx/afl/

(gdb) bt
#0  0x00007ffff60d0165 in *__GI_raise (sig=<optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x00007ffff60d33e0 in *__GI_abort () at abort.c:92
#2  0x00000000006c8d62 in getString (this=<optimized out>) at Object.h:202
#3  StandardSecurityHandler::StandardSecurityHandler (this=0xac33e0, docA=<optimized out>, encryptDictA=<optimized out>) at SecurityHandler.cc:292
#4  0x00000000006c9ee3 in SecurityHandler::make (docA=0xac2ea0, encryptDictA=0x7fffffffe160) at SecurityHandler.cc:56
#5  0x0000000000609afd in PDFDoc::checkEncryption (this=this@entry=0xac2ea0, ownerPassword=ownerPassword@entry=0x0, userPassword=userPassword@entry=0x0) at PDFDoc.cc:425
#6  0x0000000000617016 in PDFDoc::setup (this=this@entry=0xac2ea0, ownerPassword=ownerPassword@entry=0x0, userPassword=userPassword@entry=0x0) at PDFDoc.cc:276
#7  0x00000000006177c0 in PDFDoc::PDFDoc (this=0xac2ea0, fileNameA=<optimized out>, ownerPassword=0x0, userPassword=0x0, guiDataA=<optimized out>) at PDFDoc.cc:166
#8  0x00000000007e2a89 in LocalPDFDocBuilder::buildPDFDoc (this=<optimized out>, uri=..., ownerPassword=0x0, userPassword=0x0, guiDataA=0x0) at LocalPDFDocBuilder.cc:31
#9  0x0000000000409476 in main (argc=2, argv=0x7fffffffe588) at pdfinfo.cc:185
#10 0x00007ffff60bcead in __libc_start_main (main=<optimized out>, argc=<optimized out>, ubp_av=<optimized out>, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe578) at libc-start.c:244
#11 0x000000000040bcc5 in _start ()

(gdb) frame 2

(gdb) list
197
198       // Note: integers larger than 2^53 can not be exactly represented by a double.
199       // Where the exact value of integers up to 2^63 is required, use isInt64()/getInt64().
200       double getNum() { OBJECT_3TYPES_CHECK(objInt, objInt64, objReal);
201         return type == objInt ? (double)intg : type == objInt64 ? (double)int64g : real; }
202       GooString *getString() { OBJECT_TYPE_CHECK(objString); return string; }
203       // After takeString() the only method that should be called for the object is free()
204       // because the object it's not expected to have a NULL string.
205       GooString *takeString() {
206         OBJECT_TYPE_CHECK(objString); GooString *s = string; string = NULL; return s; }
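The crash in the backtrace is a type-check abort: the StandardSecurityHandler constructor calls getString() on an entry of the Encrypt dictionary, the fuzzed file supplies that entry with a non-string type, and OBJECT_TYPE_CHECK turns the mismatch into abort(). As an added illustration that is not poppler's code and not the fix applied to this bug, the hypothetical C++ miniature below models the aborting getter and contrasts it with checked lookups that reject a mistyped /O entry as a parse failure instead of crashing the process. The Obj, Dict, lookupString/lookupInt and validateStandardEncryptDict names, and the two sample dictionaries, are constructed for this example.

```cpp
#include <cstdio>
#include <cstdlib>
#include <map>
#include <string>
#include <utility>

// Hypothetical stand-in for poppler's Object: a tagged value whose typed
// getters abort on a type mismatch, mirroring OBJECT_TYPE_CHECK in Object.h.
enum ObjType { objNull, objInt, objString };

struct Obj {
  ObjType type = objNull;
  int intg = 0;
  std::string str;

  static Obj makeInt(int v) { Obj o; o.type = objInt; o.intg = v; return o; }
  static Obj makeString(std::string s) { Obj o; o.type = objString; o.str = std::move(s); return o; }

  bool isInt() const { return type == objInt; }
  bool isString() const { return type == objString; }

  // Unchecked getters: a wrong-type call is treated as a programming error
  // and aborts the process (the SIGABRT seen in the report).
  int getInt() const { typeCheck(objInt); return intg; }
  const std::string &getString() const { typeCheck(objString); return str; }

 private:
  void typeCheck(ObjType expected) const {
    if (type != expected) {
      std::fprintf(stderr, "Call to Object where the object was type %d, not the expected type %d\n",
                   static_cast<int>(type), static_cast<int>(expected));
      std::abort();
    }
  }
};

// A dictionary object, e.g. the trailer's /Encrypt dictionary.
struct Dict {
  std::map<std::string, Obj> entries;
};

// Checked lookups: a missing or mistyped entry is reported to the caller
// instead of aborting, so a malformed file surfaces as a parse error.
bool lookupString(const Dict &d, const std::string &key, std::string &out) {
  auto it = d.entries.find(key);
  if (it == d.entries.end() || !it->second.isString()) return false;
  out = it->second.getString();  // safe: type verified above
  return true;
}

bool lookupInt(const Dict &d, const std::string &key, int &out) {
  auto it = d.entries.find(key);
  if (it == d.entries.end() || !it->second.isInt()) return false;
  out = it->second.getInt();
  return true;
}

// Validate the entries a standard security handler reads (/O and /U are
// strings, /R and /P integers) before any unchecked getter touches them.
// Returns false, never aborts, on malformed input.
bool validateStandardEncryptDict(const Dict &encrypt) {
  std::string o, u;
  int r = 0, p = 0;
  return lookupString(encrypt, "O", o) && lookupString(encrypt, "U", u) &&
         lookupInt(encrypt, "R", r) && lookupInt(encrypt, "P", p);
}

// Constructed sample dictionaries: one well-formed, one where /O carries an
// integer instead of a string (the kind of mutation a fuzzer produces).
Dict wellFormedEncryptDict() {
  Dict d;
  d.entries["O"] = Obj::makeString(std::string(32, 'o'));
  d.entries["U"] = Obj::makeString(std::string(32, 'u'));
  d.entries["R"] = Obj::makeInt(3);
  d.entries["P"] = Obj::makeInt(-1);
  return d;
}

Dict mistypedEncryptDict() {
  Dict d = wellFormedEncryptDict();
  d.entries["O"] = Obj::makeInt(42);  // wrong type for /O
  return d;
}

int main() {
  std::printf("well-formed: %s\n", validateStandardEncryptDict(wellFormedEncryptDict()) ? "ok" : "rejected");
  std::printf("mistyped:    %s\n", validateStandardEncryptDict(mistypedEncryptDict()) ? "ok" : "rejected");
  // Calling the unchecked getter directly on the mistyped entry would abort,
  // which is the behaviour the backtrace shows:
  //   mistypedEncryptDict().entries["O"].getString();
  return 0;
}
```

The point of the contrast is where the type decision lives: the aborting getter is fine as an internal invariant check, but anything reading values parsed from an untrusted file must go through the checked path so that a fuzzed dictionary produces a rejected document rather than a process-wide SIGABRT.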
