[Poppler-bugs] [Bug 95567] New: poppler-0.43.0: stack overflow while rendering with pdftohtml

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Mon May 23 21:30:04 UTC 2016


https://bugs.freedesktop.org/show_bug.cgi?id=95567

            Bug ID: 95567
           Summary: poppler-0.43.0: stack overflow while rendering with
                    pdftohtml
           Product: poppler
           Version: unspecified
          Hardware: Other
                OS: All
            Status: NEW
          Severity: normal
          Priority: medium
         Component: general
          Assignee: poppler-bugs at lists.freedesktop.org
          Reporter: legarrec.vincent at gmail.com

Hi, while fuzzing, pdftohtml crashes with an invalid PDF (file enclosed) with
poppler-0.43.0 and poppler-0.44.0.
Libpoppler runs into an infinite loop that causes a stack overflow.
Sorry, no trivial patch :(.

Output :
…
Syntax Error (525): Bad 'Length' attribute in stream
Syntax Error (457): Dictionary key must be a name object
Syntax Error (471): Dictionary key must be a name object
Syntax Error (488): Dictionary key must be a name object
Syntax Error (525): Bad 'Length' attribute in stream
Syntax Error (457): Dictionary key must be a name object
Syntax Error (471): Dictionary key must be a name object
Syntax Error (488): Dictionary key must be a name object
Syntax Error (525): Bad 'Length' attribute in stream
Syntax Error (457): Dictionary key must be a name object
Syntax Error (471): Dictionary key must be a name object
Syntax Error (488): Dictionary key must be a name object
Syntax Error (525): Bad 'Length' attribute in stream
…


gdb output :
…
#61018 0x00007ffff7a79df9 in XRef::fetch (this=0x662200, num=6, gen=0,
obj=0x7fffffffcd30, recursion=0) at XRef.cc:1210
#61019 0x00007ffff7a4815f in Object::fetch (this=0x6784e8, xref=0x662200,
obj=0x7fffffffcd30, recursion=0) at Object.cc:122
#61020 0x00007ffff79cf908 in Dict::lookup (this=0x669c60, key=0x7ffff7b2234e
"F", obj=0x7fffffffcd30, recursion=0) at Dict.cc:261
#61021 0x00007ffff7995361 in Object::dictLookup (this=0x7fffffffd0f0,
key=0x7ffff7b2234e "F", obj=0x7fffffffcd30, recursion=0) at Object.h:330
#61022 0x00007ffff7a5dca0 in Stream::addFilters (this=0x6785e0,
dict=0x7fffffffd0f0, recursion=1) at Stream.cc:181
#61023 0x00007ffff7a50446 in Parser::makeStream (this=0x678030,
dict=0x7fffffffd0f0, fileKey=0x0, encAlgorithm=(cryptAES256 | unknown:
774974788), 
    keyLength=-1020982732, objNum=6, objGen=0, recursion=1, strict=false) at
Parser.cc:277
#61024 0x00007ffff7a4fcf5 in Parser::getObj (this=0x678030, obj=0x7fffffffd0f0,
simpleOnly=false, fileKey=0x0, 
    encAlgorithm=(cryptAES256 | unknown: 774974788), keyLength=-1020982732,
objNum=6, objGen=0, recursion=0, strict=false) at Parser.cc:131
#61025 0x00007ffff7a79df9 in XRef::fetch (this=0x662200, num=6, gen=0,
obj=0x7fffffffd0f0, recursion=0) at XRef.cc:1210
#61026 0x00007ffff7a4815f in Object::fetch (this=0x677a58, xref=0x662200,
obj=0x7fffffffd0f0, recursion=0) at Object.cc:122
#61027 0x00007ffff79cf908 in Dict::lookup (this=0x667f50, key=0x7ffff7b2234e
"F", obj=0x7fffffffd0f0, recursion=0) at Dict.cc:261
#61028 0x00007ffff7995361 in Object::dictLookup (this=0x7fffffffd4b0,
key=0x7ffff7b2234e "F", obj=0x7fffffffd0f0, recursion=0) at Object.h:330
#61029 0x00007ffff7a5dca0 in Stream::addFilters (this=0x677b50,
dict=0x7fffffffd4b0, recursion=1) at Stream.cc:181
#61030 0x00007ffff7a50446 in Parser::makeStream (this=0x6775f0,
dict=0x7fffffffd4b0, fileKey=0x0, encAlgorithm=(cryptAES256 | unknown:
774974788), 
    keyLength=-1020982732, objNum=6, objGen=0, recursion=1, strict=false) at
Parser.cc:277
#61031 0x00007ffff7a4fcf5 in Parser::getObj (this=0x6775f0, obj=0x7fffffffd4b0,
simpleOnly=false, fileKey=0x0, 
    encAlgorithm=(cryptAES256 | unknown: 774974788), keyLength=-1020982732,
objNum=6, objGen=0, recursion=0, strict=false) at Parser.cc:131
#61032 0x00007ffff7a79df9 in XRef::fetch (this=0x662200, num=6, gen=0,
obj=0x7fffffffd4b0, recursion=0) at XRef.cc:1210
#61033 0x00007ffff7a4815f in Object::fetch (this=0x677018, xref=0x662200,
obj=0x7fffffffd4b0, recursion=0) at Object.cc:122
#61034 0x00007ffff79cf908 in Dict::lookup (this=0x668620, key=0x7ffff7b2234e
"F", obj=0x7fffffffd4b0, recursion=0) at Dict.cc:261
#61035 0x00007ffff7995361 in Object::dictLookup (this=0x7fffffffd8a0,
key=0x7ffff7b2234e "F", obj=0x7fffffffd4b0, recursion=0) at Object.h:330
#61036 0x00007ffff7a5dca0 in Stream::addFilters (this=0x677110,
dict=0x7fffffffd8a0, recursion=1) at Stream.cc:181
#61037 0x00007ffff7a50446 in Parser::makeStream (this=0x6646f0,
dict=0x7fffffffd8a0, fileKey=0x0, encAlgorithm=(cryptAES256 | unknown:
774974788), 
    keyLength=-1020982732, objNum=6, objGen=0, recursion=1, strict=false) at
Parser.cc:277
#61038 0x00007ffff7a4fcf5 in Parser::getObj (this=0x6646f0, obj=0x7fffffffd8a0,
simpleOnly=false, fileKey=0x0, 
    encAlgorithm=(cryptAES256 | unknown: 774974788), keyLength=-1020982732,
objNum=6, objGen=0, recursion=0, strict=false) at Parser.cc:131
#61039 0x00007ffff7a79df9 in XRef::fetch (this=0x662200, num=6, gen=0,
obj=0x7fffffffd8a0, recursion=0) at XRef.cc:1210
#61040 0x00007ffff7a4815f in Object::fetch (this=0x663d20, xref=0x662200,
obj=0x7fffffffd8a0, recursion=0) at Object.cc:122
#61041 0x00007ffff79b70c8 in Array::get (this=0x663cb0, i=2,
obj=0x7fffffffd8a0, recursion=0) at Array.cc:125
#61042 0x00007ffff7997b61 in Object::arrayGet (this=0x7fffffffd880, i=2,
obj=0x7fffffffd8a0, recursion=0) at Object.h:303
#61043 0x00007ffff79bd2a5 in Catalog::cachePageTree (this=0x662510, page=3) at
Catalog.cc:392
#61044 0x00007ffff79bc919 in Catalog::getPage (this=0x662510, i=3) at
Catalog.cc:240
#61045 0x00007ffff7a58f0b in PDFDoc::getPage (this=0x661f70, page=3) at
PDFDoc.cc:2024
#61046 0x00007ffff7a518e9 in PDFDoc::displayPage (this=0x661f70, out=0x664be0,
page=3, hDPI=108, vDPI=108, rotate=0, useMediaBox=true, crop=false, 
    printing=false, abortCheckCbk=0x0, abortCheckCbkData=0x0,
annotDisplayDecideCbk=0x0, annotDisplayDecideCbkData=0x0, copyXRef=false) at
PDFDoc.cc:489
#61047 0x00007ffff7a519f6 in PDFDoc::displayPages (this=0x661f70, out=0x664be0,
firstPage=1, lastPage=14, hDPI=108, vDPI=108, rotate=0, useMediaBox=true, 
    crop=false, printing=false, abortCheckCbk=0x0, abortCheckCbkData=0x0,
annotDisplayDecideCbk=0x0, annotDisplayDecideCbkData=0x0) at PDFDoc.cc:509
#61048 0x00000000004088af in main (argc=3, argv=0x7fffffffdcd8) at
pdftohtml.cc:392

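Reading the backtrace: every cycle of frames is the same object (objNum=6) being fetched again through the "F" key of its own stream dictionary. Parser::makeStream and Stream::addFilters are entered with recursion=1, but Dict::lookup, Object::fetch and XRef::fetch are entered with recursion=0, so the depth counter is restarted at each indirect fetch instead of accumulating along the chain, and a stream whose /F entry resolves back to itself recurses until the stack is exhausted. The following is an added example, not poppler code and not the attached PDF: a toy model of indirect-object resolution with the same call shape, run over a constructed self-referencing object 6, showing the reset-per-lookup pattern beside two guards (a depth counter threaded through every nested fetch, and an in-progress set that rejects re-entry into an object still being resolved). Object numbers, the /F key, the depth bound of 64 and the emergency frame cap are assumptions chosen for the demonstration.

```cpp
// Added example (not poppler code): toy indirect-object resolution modelled on the
// backtrace in bug 95567, with the recursion counter either reset per lookup or threaded.
#include <cstdio>
#include <map>
#include <set>
#include <string>

struct Obj {
  std::string kind;                 // "stream" or "name"
  std::map<std::string, int> refs;  // dict entries holding indirect refs (key -> object number)
};
using XRef = std::map<int, Obj>;

struct Result {
  bool ok = true;     // false once a guard fired
  int frames = 0;     // how many fetch() frames were entered
  std::string why;    // which guard fired, if any
};

constexpr int kMaxRecursion = 64;       // assumed depth bound (like poppler's `recursion` argument)
constexpr int kEmergencyFrames = 2048;  // hard stop so this demonstration cannot overflow the stack

// Resolve object `num`; `recursion` is the depth counter carried down the call chain.
// resetOnLookup=true restarts it at 0 on every dictionary lookup, the pattern visible in the
// trace (Dict::lookup -> Object::fetch -> XRef::fetch with recursion=0), so a self-referencing
// /F entry recurses without bound. resetOnLookup=false threads it through and stops at the bound.
static void fetch(const XRef& x, int num, int recursion, bool resetOnLookup, Result& r) {
  if (!r.ok) return;
  if (++r.frames > kEmergencyFrames) { r.ok = false; r.why = "emergency frame cap"; return; }
  if (recursion > kMaxRecursion)     { r.ok = false; r.why = "recursion limit";     return; }
  auto it = x.find(num);
  if (it == x.end()) return;           // missing object resolves to null
  const Obj& o = it->second;
  if (o.kind != "stream") return;      // a name or other direct object ends the chain
  // Stream construction looks up filter-related keys (here /F) and fetches any indirect
  // reference they hold: this is where the chain re-enters fetch().
  for (const auto& kv : o.refs)
    fetch(x, kv.second, resetOnLookup ? 0 : recursion + 1, resetOnLookup, r);
}

Result resolve(const XRef& x, int num, bool resetOnLookup) {
  Result r;
  fetch(x, num, 0, resetOnLookup, r);
  return r;
}

// Alternative guard: refuse to re-enter an object that is already being resolved.
// Exact cycle detection, independent of how deep a legitimate chain may be.
static void fetchChecked(const XRef& x, int num, std::set<int>& inProgress, Result& r) {
  if (!r.ok) return;
  ++r.frames;
  if (!inProgress.insert(num).second) {
    r.ok = false; r.why = "cycle at object " + std::to_string(num); return;
  }
  auto it = x.find(num);
  if (it != x.end() && it->second.kind == "stream")
    for (const auto& kv : it->second.refs) fetchChecked(x, kv.second, inProgress, r);
  inProgress.erase(num);
}

Result resolveChecked(const XRef& x, int num) {
  Result r; std::set<int> inProgress;
  fetchChecked(x, num, inProgress, r);
  return r;
}

// Constructed object graphs (assumptions, not the PDF attached to the bug).
// Object 6 is a stream whose /F entry is "6 0 R", i.e. it points back at itself.
XRef cyclicXRef()  { XRef x; x[6] = Obj{"stream", {{"F", 6}}}; return x; }
// Object 6 is a stream whose /F entry points at a harmless name object 7.
XRef acyclicXRef() { XRef x; x[6] = Obj{"stream", {{"F", 7}}}; x[7] = Obj{"name", {}}; return x; }

int main() {
  const XRef bad = cyclicXRef(), good = acyclicXRef();
  Result reset = resolve(bad, 6, true), bounded = resolve(bad, 6, false), checked = resolveChecked(bad, 6);
  std::printf("reset per lookup : ok=%d frames=%d why=%s\n", reset.ok, reset.frames, reset.why.c_str());
  std::printf("threaded counter : ok=%d frames=%d why=%s\n", bounded.ok, bounded.frames, bounded.why.c_str());
  std::printf("in-progress set  : ok=%d frames=%d why=%s\n", checked.ok, checked.frames, checked.why.c_str());
  std::printf("acyclic graph    : ok=%d frames=%d\n", resolve(good, 6, false).ok, resolve(good, 6, false).frames);
  return 0;
}
```

The reset variant only stops because of the artificial frame cap; without it the same graph recurses until the stack is gone, which is the crash reported above. Of the two guards, the threaded depth bound is the cheaper fix for a parser that already carries a recursion argument, while the in-progress set catches the self-reference on its second frame regardless of how the bound is tuned.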