[Poppler-bugs] [Bug 95563] New: poppler-0.43.0: Crash during drawPngImage

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Mon May 23 20:35:59 UTC 2016 

https://bugs.freedesktop.org/show_bug.cgi?id=95563

            Bug ID: 95563
           Summary: poppler-0.43.0: Crash during drawPngImage
           Product: poppler
           Version: unspecified
          Hardware: Other
                OS: All
            Status: NEW
          Severity: normal
          Priority: medium
         Component: pdftohtml
          Assignee: poppler-bugs at lists.freedesktop.org
          Reporter: legarrec.vincent at gmail.com

Hi, while fuzzing, pdftohtml may crash with invalid image (file enclosed) with
poppler-0.43.0 and poppler-0.44.0.

Internal Error: xref num 3 not found but needed, try to reconstruct<0a>
Syntax Error (71): Bad 'Length' attribute in stream
Bogus memory allocation size
Erreur de segmentation (core dumped)

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7a31626 in GfxImageColorMap::getRGB (this=0x68dc40, x=0x0, 
    rgb=0x7fffffffd130)
    at
/home/legarrec/info/portage/app-text/poppler-0.43.0/work/poppler-0.43.0/poppler/GfxState.cc:6070
6070          color.c[i] = lookup2[i][x[i]];
(gdb) bt
#0  0x00007ffff7a31626 in GfxImageColorMap::getRGB (this=0x68dc40, x=0x0, 
    rgb=0x7fffffffd130)
    at
/home/legarrec/info/portage/app-text/poppler-0.43.0/work/poppler-0.43.0/poppler/GfxState.cc:6070
#1  0x0000000000426592 in HtmlOutputDev::drawPngImage (this=0x679190, 
    state=0x68d3c0, str=0x699530, width=1, height=1, colorMap=0x68dc40, 
    isMask=false) at HtmlOutputDev.cc:1396
#2  0x00007ffff7a06264 in Gfx::doImage (this=0x67d120, ref=0x7fffffffd440, 
    str=0x699530, inlineImg=false)
    at
/home/legarrec/info/portage/app-text/poppler-0.43.0/work/poppler-0.43.0/poppler/Gfx.cc:4707
#3  0x00007ffff7a03eea in Gfx::opXObject (this=0x67d120, args=0x7fffffffd580, 
    numArgs=1)
    at
/home/legarrec/info/portage/app-text/poppler-0.43.0/work/poppler-0.43.0/poppler/Gfx.cc:4206
#4  0x00007ffff79f0e4c in Gfx::execOp (this=0x67d120, cmd=0x7fffffffd540, 
    args=0x7fffffffd580, numArgs=1)
    at
/home/legarrec/info/portage/app-text/poppler-0.43.0/work/poppler-0.43.0/poppler/Gfx.cc:904
#5  0x00007ffff79f06e0 in Gfx::go (this=0x67d120, topLevel=true)
    at
/home/legarrec/info/portage/app-text/poppler-0.43.0/work/poppler-0.43.0/poppler/Gfx.cc:763
#6  0x00007ffff79f04b1 in Gfx::display (this=0x67d120, obj=0x7fffffffd8d0, 
    topLevel=true)
    at
/home/legarrec/info/portage/app-text/poppler-0.43.0/work/poppler-0.43.0/poppler/Gfx.cc:729
#7  0x00007ffff7a5d0c3 in Page::displaySlice (this=0x67d050, out=0x679190, 
    hDPI=108, vDPI=108, rotate=0, useMediaBox=true, crop=false, sliceX=-1, 
    sliceY=-1, sliceW=-1, sliceH=-1, printing=false, abortCheckCbk=0x0, 
    abortCheckCbkData=0x0, annotDisplayDecideCbk=0x0, 
    annotDisplayDecideCbkData=0x0, copyXRef=false)
    at
/home/legarrec/info/portage/app-text/poppler-0.43.0/work/poppler-0.43.0/poppler/Page.cc:599
#8  0x00007ffff7a5cb00 in Page::display (this=0x67d050, out=0x679190, 
    hDPI=108, vDPI=108, rotate=0, useMediaBox=true, crop=false, 
    printing=false, abortCheckCbk=0x0, abortCheckCbkData=0x0, 
    annotDisplayDecideCbk=0x0, annotDisplayDecideCbkData=0x0, copyXRef=false)
    at
/home/legarrec/info/portage/app-text/poppler-0.43.0/work/poppler-0.43.0/poppler/Page.cc:521
#9  0x00007ffff7a60b8f in PDFDoc::displayPage (this=0x677f70, out=0x679190, 
    page=1, hDPI=108, vDPI=108, rotate=0, useMediaBox=true, crop=false, 
    printing=false, abortCheckCbk=0x0, abortCheckCbkData=0x0, 
    annotDisplayDecideCbk=0x0, annotDisplayDecideCbkData=0x0, copyXRef=false)
    at
/home/legarrec/info/portage/app-text/poppler-0.43.0/work/poppler-0.43.0/poppler/PDFDoc.cc:493
#10 0x00007ffff7a60c30 in PDFDoc::displayPages (this=0x677f70, out=0x679190, 
    firstPage=1, lastPage=1, hDPI=108, vDPI=108, rotate=0, useMediaBox=true, 
    crop=false, printing=false, abortCheckCbk=0x0, abortCheckCbkData=0x0, 
    annotDisplayDecideCbk=0x0, annotDisplayDecideCbkData=0x0)
    at
/home/legarrec/info/portage/app-text/poppler-0.43.0/work/poppler-0.43.0/poppler/PDFDoc.cc:509
#11 0x00000000004093dd in main (argc=2, argv=<optimized out>)
    at pdftohtml.cc:392

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/poppler-bugs/attachments/20160523/4134ca09/attachment.html>

More information about the Poppler-bugs mailing list