[Poppler-bugs] [Bug 95567] poppler-0.44.0: stack overflow while rending with pdftohtml

bugzilla-daemon at freedesktop.org
Mon May 23 22:53:41 UTC 2016


https://bugs.freedesktop.org/show_bug.cgi?id=95567

--- Comment #3 from LE GARREC Vincent <legarrec.vincent at gmail.com> ---
Created attachment 124012
  --> https://bugs.freedesktop.org/attachment.cgi?id=124012&action=edit
stackoverflow-2.pdf

Thanks.
I just ran afl again with all the PDFs that make poppler crash.
It found another case where there's no crash but a huge stack (size around
3000). Suddenly the stack stops growing and poppler runs into an infinite loop.
Should I file a new bug or reopen this one?

And another thing: do you think that the line:
Stream.cc:5533
dict->dictLookup("DP", &params);
should be
dict->dictLookup("DP", &params, recursion);
like all the other calls?


Thanks for your work.

…
Syntax Error (482): Bad 'Length' attribute in stream
Syntax Error (482): Bad 'Filter' attribute in stream
Syntax Error (482): Bad 'Filter' attribute in stream
Syntax Error (482): Bad 'Filter' attribute in stream
Syntax Error (482): Bad 'Filter' attribute in stream
Syntax Error (482): Bad 'Filter' attribute in stream
Syntax Error (482): Bad 'Filter' attribute in stream
Syntax Error (482): Bad 'Filter' attribute in stream
Syntax Error (482): Bad 'Length' attribute in stream
Syntax Error (448): Dictionary key must be a name object
Syntax Error (448): Dictionary key must be a name object
Syntax Error (448): Dictionary key must be a name object
Syntax Error (448): Dictionary key must be a name object
Syntax Error (448): Dictionary key must be a name object
Syntax Error (448): Dictionary key must be a name object
Syntax Error (448): Dictionary key must be a name object
Syntax Error (482): Bad 'Length' attribute in stream
Syntax Error (482): Bad 'Filter' attribute in stream
Syntax Error (482): Bad 'Length' attribute in stream
Syntax Error (448): Dictionary key must be a name object
Syntax Error (482): Bad 'Length' attribute in stream
Syntax Error (482): Bad 'Filter' attribute in stream
Syntax Error (482): Bad 'Filter' attribute in stream
Syntax Error (482): Bad 'Length' attribute in stream
Syntax Error (448): Dictionary key must be a name object
Syntax Error (448): Dictionary key must be a name object
Syntax Error (482): Bad 'Length' attribute in stream
Syntax Error (482): Bad 'Filter' attribute in stream
Syntax Error (482): Bad 'Length' attribute in stream
Syntax Error (448): Dictionary key must be a name object
Syntax Error (482): Bad 'Length' attribute in stream
Syntax Error (482): Bad 'Filter' attribute in stream
Syntax Error (482): Bad 'Filter' attribute in stream
Syntax Error (482): Bad 'Filter' attribute in stream
Syntax Error (482): Bad 'Length' attribute in stream
Syntax Error (448): Dictionary key must be a name object
Syntax Error (448): Dictionary key must be a name object
Syntax Error (448): Dictionary key must be a name object
Syntax Error (482): Bad 'Length' attribute in stream
Syntax Error (482): Bad 'Filter' attribute in stream
Syntax Error (482): Bad 'Length' attribute in stream
Syntax Error (448): Dictionary key must be a name object
Syntax Error (482): Bad 'Length' attribute in stream
Syntax Error (482): Bad 'Filter' attribute in stream
Syntax Error (482): Bad 'Filter' attribute in stream
Syntax Error (482): Bad 'Length' attribute in stream
Syntax Error (448): Dictionary key must be a name object
…

gdb (I used CTRL+Z)
#0  0x00007ffff6a01dc3 in __pread_nocancel () at
../sysdeps/unix/syscall-template.S:84
#1  0x00007ffff7a0dcd6 in pread64 (__offset=<optimized out>,
__nbytes=<optimized out>, __buf=__buf at entry=0x74f269, __fd=<optimized out>)
    at /usr/include/bits/unistd.h:117
#2  GooFile::read (this=<optimized out>, 
    buf=buf at entry=0x74f269 "6 0
obj\n<</Type/XObject/Subtype/Image/WidthB1/Height 1/BitsPerComponent 8/Length 6
0 R\n/F 6 0 R\n>>\nstream\nx\234c``", 
    n=<optimized out>, offset=<optimized out>) at gfile.cc:648
#3  0x00007ffff78cdb13 in FileStream::fillBuf (this=0x74f200) at Stream.cc:827
#4  0x00007ffff78efe05 in FileStream::getChar (this=0x74f200) at Stream.h:458
#5  0x00007ffff786f8c2 in Object::streamGetChar (this=<optimized out>,
this=<optimized out>) at Object.h:363
#6  Lexer::getChar (this=0x74ee30, comesFromLook=false) at Lexer.cc:127
#7  0x00007ffff786fc72 in Lexer::getObj (this=0x74ee30, obj=obj at entry=0x74ef08,
objNum=objNum at entry=-1) at Lexer.cc:171
#8  0x00007ffff789cbec in Parser::Parser (this=0x74eef0, xrefA=<optimized out>,
lexerA=<optimized out>, allowStreamsA=<optimized out>) at Parser.cc:53
#9  0x00007ffff79360c2 in XRef::fetch (this=0x678140, num=6, gen=0,
obj=0x7ffffffbc880, obj at entry=0x0, recursion=recursion at entry=500) at
XRef.cc:1172
#10 0x00007ffff7887344 in Object::fetch (this=<optimized out>, xref=<optimized
out>, obj=obj at entry=0x0, recursion=recursion at entry=500) at Object.cc:122
#11 0x00007ffff76f0ccd in Dict::lookup (this=<optimized out>,
key=key at entry=0x7ffff7b2ff67 "F", obj=0x0, obj at entry=0x7ffffffbc880, 
    recursion=recursion at entry=500) at Dict.cc:261
#12 0x00007ffff78ea34d in Object::dictLookup (this=0x7ffffffbcb40,
this=0x7ffffffbcb40, recursion=500, obj=0x7ffffffbc880, key=0x7ffff7b2ff67 "F")
    at Object.h:330
#13 Stream::addFilters (this=this at entry=0x74f060,
dict=dict at entry=0x7ffffffbcb40, recursion=recursion at entry=500) at Stream.cc:181
#14 0x00007ffff789dbbe in Parser::makeStream (this=this at entry=0x74e880,
dict=dict at entry=0x7ffffffbcb40, fileKey=fileKey at entry=0x0, 
    encAlgorithm=encAlgorithm at entry=(cryptAES256 | unknown: 774974788),
keyLength=keyLength at entry=-1020982732, objNum=objNum at entry=6, objGen=0, 
    recursion=500, strict=false) at Parser.cc:277
#15 0x00007ffff789e8cc in Parser::getObj (this=this at entry=0x74e880,
obj=obj at entry=0x7ffffffbcb40, simpleOnly=simpleOnly at entry=false, fileKey=0x0, 
    encAlgorithm=(cryptAES256 | unknown: 774974788),
keyLength=keyLength at entry=-1020982732, objNum=6, objGen=0, recursion=499,
strict=false) at Parser.cc:131
#16 0x00007ffff7936bb1 in XRef::fetch (this=0x678140, num=<optimized out>,
gen=<optimized out>, obj=0x7ffffffbcb40, obj at entry=0x6, 
    recursion=recursion at entry=499) at XRef.cc:1210
#17 0x00007ffff7887344 in Object::fetch (this=<optimized out>, xref=<optimized
out>, obj=obj at entry=0x6, recursion=recursion at entry=499) at Object.cc:122
#18 0x00007ffff76f0ccd in Dict::lookup (this=<optimized out>,
key=key at entry=0x7ffff7b2ff67 "F", obj=0x6, obj at entry=0x7ffffffbcb40, 
    recursion=recursion at entry=499) at Dict.cc:261
#19 0x00007ffff78ea34d in Object::dictLookup (this=0x7ffffffbce00,
this=0x7ffffffbce00, recursion=499, obj=0x7ffffffbcb40, key=0x7ffff7b2ff67 "F")
    at Object.h:330
#20 Stream::addFilters (this=this at entry=0x74ec90,
dict=dict at entry=0x7ffffffbce00, recursion=recursion at entry=499) at Stream.cc:181
#21 0x00007ffff789dbbe in Parser::makeStream (this=this at entry=0x74e2e0,
dict=dict at entry=0x7ffffffbce00, fileKey=fileKey at entry=0x0, 
    encAlgorithm=encAlgorithm at entry=(cryptAES256 | unknown: 774974788),
keyLength=keyLength at entry=-1020982732, objNum=objNum at entry=6, objGen=0, 
    recursion=499, strict=false) at Parser.cc:277
#22 0x00007ffff789e8cc in Parser::getObj (this=this at entry=0x74e2e0,
obj=obj at entry=0x7ffffffbce00, simpleOnly=simpleOnly at entry=false, fileKey=0x0, 
    encAlgorithm=(cryptAES256 | unknown: 774974788),
keyLength=keyLength at entry=-1020982732, objNum=6, objGen=0, recursion=498,
strict=false) at Parser.cc:131
#23 0x00007ffff7936bb1 in XRef::fetch (this=0x678140, num=<optimized out>,
gen=<optimized out>, obj=0x7ffffffbce00, obj at entry=0x6, 
    recursion=recursion at entry=498) at XRef.cc:1210
#24 0x00007ffff7887344 in Object::fetch (this=<optimized out>, xref=<optimized
out>, obj=obj at entry=0x6, recursion=recursion at entry=498) at Object.cc:122
#25 0x00007ffff76f0ccd in Dict::lookup (this=<optimized out>,
key=key at entry=0x7ffff7b2ff67 "F", obj=0x6, obj at entry=0x7ffffffbce00, 
    recursion=recursion at entry=498) at Dict.cc:261
#26 0x00007ffff78ea34d in Object::dictLookup (this=0x7ffffffbd0c0,
this=0x7ffffffbd0c0, recursion=498, obj=0x7ffffffbce00, key=0x7ffff7b2ff67 "F")
    at Object.h:330
#27 Stream::addFilters (this=this at entry=0x74de50,
dict=dict at entry=0x7ffffffbd0c0, recursion=recursion at entry=498) at Stream.cc:181
#28 0x00007ffff789dbbe in Parser::makeStream (this=this at entry=0x74db30,
dict=dict at entry=0x7ffffffbd0c0, fileKey=fileKey at entry=0x0, 
    encAlgorithm=encAlgorithm at entry=(cryptAES256 | unknown: 774974788),
keyLength=keyLength at entry=-1020982732, objNum=objNum at entry=6, objGen=0, 
    recursion=498, strict=false) at Parser.cc:277
#29 0x00007ffff789e8cc in Parser::getObj (this=this at entry=0x74db30,
obj=obj at entry=0x7ffffffbd0c0, simpleOnly=simpleOnly at entry=false, fileKey=0x0, 
    encAlgorithm=(cryptAES256 | unknown: 774974788),
keyLength=keyLength at entry=-1020982732, objNum=6, objGen=0, recursion=497,
strict=false) at Parser.cc:131
#30 0x00007ffff7936bb1 in XRef::fetch (this=0x678140, num=<optimized out>,
gen=<optimized out>, obj=0x7ffffffbd0c0, obj at entry=0x6, 
    recursion=recursion at entry=497) at XRef.cc:1210
#31 0x00007ffff7887344 in Object::fetch (this=<optimized out>, xref=<optimized
out>, obj=obj at entry=0x6, recursion=recursion at entry=497) at Object.cc:122
#32 0x00007ffff76f0ccd in Dict::lookup (this=<optimized out>,
key=key at entry=0x7ffff7b2ff67 "F", obj=0x6, obj at entry=0x7ffffffbd0c0, 
    recursion=recursion at entry=497) at Dict.cc:261
#33 0x00007ffff78ea34d in Object::dictLookup (this=0x7ffffffbd390,
this=0x7ffffffbd390, recursion=497, obj=0x7ffffffbd0c0, key=0x7ffff7b2ff67 "F")
    at Object.h:330
…
#3008 0x00007ffff789d427 in Object::dictLookup (key=0x7ffff7b15f2d "Length",
this=0x7fffffffd550, this=0x7fffffffd550, recursion=3, obj=0x7fffffffd340)
    at Object.h:330
#3009 Parser::makeStream (this=this at entry=0x67c7d0,
dict=dict at entry=0x7fffffffd550, fileKey=fileKey at entry=0x0, 
    encAlgorithm=encAlgorithm at entry=(cryptAES256 | unknown: 774974788),
keyLength=keyLength at entry=-1020982732, objNum=objNum at entry=6, objGen=0,
recursion=3, 
    strict=false) at Parser.cc:209
#3010 0x00007ffff789e8cc in Parser::getObj (this=this at entry=0x67c7d0,
obj=obj at entry=0x7fffffffd550, simpleOnly=simpleOnly at entry=false, fileKey=0x0, 
    encAlgorithm=(cryptAES256 | unknown: 774974788),
keyLength=keyLength at entry=-1020982732, objNum=6, objGen=0, recursion=2,
strict=false) at Parser.cc:131
#3011 0x00007ffff7936bb1 in XRef::fetch (this=0x678140, num=<optimized out>,
gen=<optimized out>, obj=0x7fffffffd550, obj at entry=0x6, 
    recursion=recursion at entry=2) at XRef.cc:1210
#3012 0x00007ffff7887344 in Object::fetch (this=<optimized out>,
xref=<optimized out>, obj=obj at entry=0x6, recursion=recursion at entry=2) at
Object.cc:122
#3013 0x00007ffff76f0ccd in Dict::lookup (this=<optimized out>,
key=key at entry=0x7ffff7b15f2d "Length", obj=0x6, obj at entry=0x7fffffffd550, 
    recursion=recursion at entry=2) at Dict.cc:261
#3014 0x00007ffff789d427 in Object::dictLookup (key=0x7ffff7b15f2d "Length",
this=0x7fffffffd760, this=0x7fffffffd760, recursion=2, obj=0x7fffffffd550)
    at Object.h:330
#3015 Parser::makeStream (this=this at entry=0x67c1e0,
dict=dict at entry=0x7fffffffd760, fileKey=fileKey at entry=0x0, 
    encAlgorithm=encAlgorithm at entry=(cryptAES256 | unknown: 774974788),
keyLength=keyLength at entry=-1020982732, objNum=objNum at entry=6, objGen=0,
recursion=2, 
    strict=false) at Parser.cc:209
#3016 0x00007ffff789e8cc in Parser::getObj (this=this at entry=0x67c1e0,
obj=obj at entry=0x7fffffffd760, simpleOnly=simpleOnly at entry=false, fileKey=0x0, 
    encAlgorithm=(cryptAES256 | unknown: 774974788),
keyLength=keyLength at entry=-1020982732, objNum=6, objGen=0, recursion=1,
strict=false) at Parser.cc:131
#3017 0x00007ffff7936bb1 in XRef::fetch (this=0x678140, num=<optimized out>,
gen=<optimized out>, obj=0x7fffffffd760, obj at entry=0x6, 
    recursion=recursion at entry=1) at XRef.cc:1210
#3018 0x00007ffff7887344 in Object::fetch (this=<optimized out>,
xref=<optimized out>, obj=obj at entry=0x6, recursion=recursion at entry=1) at
Object.cc:122
#3019 0x00007ffff76f0ccd in Dict::lookup (this=<optimized out>,
key=key at entry=0x7ffff7b15f2d "Length", obj=0x6, obj at entry=0x7fffffffd760, 
    recursion=recursion at entry=1) at Dict.cc:261
#3020 0x00007ffff789d427 in Object::dictLookup (key=0x7ffff7b15f2d "Length",
this=0x7fffffffd9a0, this=0x7fffffffd9a0, recursion=1, obj=0x7fffffffd760)
    at Object.h:330
#3021 Parser::makeStream (this=this at entry=0x67b5d0,
dict=dict at entry=0x7fffffffd9a0, fileKey=fileKey at entry=0x0, 
    encAlgorithm=encAlgorithm at entry=(cryptAES256 | unknown: 774974788),
keyLength=keyLength at entry=-1020982732, objNum=objNum at entry=6, objGen=0,
recursion=1, 
    strict=false) at Parser.cc:209
#3022 0x00007ffff789e8cc in Parser::getObj (this=this at entry=0x67b5d0,
obj=obj at entry=0x7fffffffd9a0, simpleOnly=simpleOnly at entry=false, fileKey=0x0, 
    encAlgorithm=(cryptAES256 | unknown: 774974788),
keyLength=keyLength at entry=-1020982732, objNum=6, objGen=0, recursion=0,
strict=false) at Parser.cc:131

#3023 0x00007ffff7936bb1 in XRef::fetch (this=0x678140, num=<optimized out>,
gen=<optimized out>, obj=0x7fffffffd9a0, recursion=0) at XRef.cc:1210
#3024 0x00007ffff7887344 in Object::fetch (this=<optimized out>,
xref=<optimized out>, obj=<optimized out>, recursion=<optimized out>) at
Object.cc:122
#3025 0x00007ffff76a6661 in Array::get (this=<optimized out>, i=i at entry=0,
obj=obj at entry=0x7fffffffd9a0, recursion=recursion at entry=0) at Array.cc:125
#3026 0x00007ffff76b9342 in Object::arrayGet (recursion=0, this=0x7fffffffd980,
this=0x7fffffffd980, obj=0x7fffffffd9a0, i=0) at Object.h:303
#3027 Catalog::cachePageTree (this=this at entry=0x678450, page=page at entry=1) at
Catalog.cc:392
#3028 0x00007ffff76bb23a in Catalog::getPage (this=0x678450, i=i at entry=1) at
Catalog.cc:240
#3029 0x00007ffff78b1c3d in PDFDoc::getPage (this=this at entry=0x677eb0,
page=page at entry=1) at PDFDoc.cc:2024

#3030 0x00007ffff78b1fd2 in PDFDoc::displayPage (this=this at entry=0x677eb0,
out=out at entry=0x678ec0, page=page at entry=1, hDPI=hDPI at entry=108, 
    vDPI=vDPI at entry=108, rotate=rotate at entry=0,
useMediaBox=useMediaBox at entry=true, crop=crop at entry=false, printing=false,
abortCheckCbk=0x0, 
    abortCheckCbkData=0x0, annotDisplayDecideCbk=0x0,
annotDisplayDecideCbkData=0x0, copyXRef=false) at PDFDoc.cc:489
#3031 0x00007ffff78b2287 in PDFDoc::displayPages (this=this at entry=0x677eb0,
out=out at entry=0x678ec0, firstPage=1, lastPage=17, hDPI=108, vDPI=108, 
    rotate=rotate at entry=0, useMediaBox=useMediaBox at entry=true, crop=false,
printing=false, abortCheckCbk=0x0, abortCheckCbkData=0x0, 
    annotDisplayDecideCbk=0x0, annotDisplayDecideCbkData=0x0) at PDFDoc.cc:509

-- 
You are receiving this mail because:
You are the assignee for the bug.
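The backtrace above shows the pattern the reporter is asking about: every hop of fetch -> makeStream -> dictLookup("Length"/"F") -> fetch forwards a `recursion` counter that starts at 500 and is decremented once per indirect-object resolution, so a stream whose /Length or /F points back at its own object ("6 0 R") bottoms out instead of recursing forever. The added example below is not poppler code; it is a toy model written for this page that reproduces that guard in a few dozen lines and shows what happens when one call on the cycle drops the counter (as a `dictLookup(key, &obj)` call with no `recursion` argument would, restarting at the default). The object model, the names `XRef`, `fetch`, `dictLookup`, `makeStream`, and the starting budget of 500 are assumptions modelled on the frames in the trace; the `fuse` counter exists only so the broken variant stops safely in a test instead of exhausting the stack.

```cpp
// Added example (not poppler's code): a toy model of a recursion budget for
// resolving indirect PDF objects. Object 6 is a stream whose /Length is
// "6 0 R", a reference to itself (constructed sample, modelled on the
// "/Length 6 0 R" visible in the gdb frame above).
#include <cstdio>
#include <map>
#include <stdexcept>
#include <string>

namespace toy {

enum class Kind { Null, Int, Ref, Stream };

struct Object {
    Kind kind = Kind::Null;
    long intValue = 0;                   // used when kind == Int
    int refNum = 0;                      // used when kind == Ref: target object number
    std::map<std::string, Object> dict;  // used when kind == Stream: its dictionary
};

// Starting budget; 500 is the value at the top of the backtrace on this page.
constexpr int kDefaultRecursion = 500;

struct Stats {
    int fetches = 0;   // how many fetch() calls ran
    int fuse = 2000;   // demo-only hard stop so the broken variant cannot blow the stack
};

class XRef {
public:
    std::map<int, Object> table;  // object number -> object
    // true  models dictLookup(key, &obj, recursion)  (counter forwarded)
    // false models dictLookup(key, &obj)             (counter silently reset to default)
    bool forwardBudget = true;
    Stats stats;

    Object fetch(int num, int recursion) {
        if (--stats.fuse < 0) throw std::runtime_error("fuse blown: unbounded recursion");
        ++stats.fetches;
        if (recursion <= 0) return Object{};  // budget exhausted: give up with Null
        auto it = table.find(num);
        if (it == table.end()) return Object{};
        Object obj = it->second;
        if (obj.kind == Kind::Stream) return makeStream(obj, recursion);
        return obj;
    }

    // Resolves a dictionary entry, following an indirect reference if present.
    Object dictLookup(const Object &dict, const std::string &key, int recursion) {
        auto it = dict.dict.find(key);
        if (it == dict.dict.end()) return Object{};
        if (it->second.kind == Kind::Ref) return fetch(it->second.refNum, recursion - 1);
        return it->second;
    }

private:
    Object makeStream(Object stream, int recursion) {
        // The whole point: forwarding the budget vs. restarting it.
        int budget = forwardBudget ? recursion : kDefaultRecursion;
        Object len = dictLookup(stream, "Length", budget);
        // A non-integer Length is a "Bad 'Length' attribute": store Null, keep going.
        stream.dict["Length"] = (len.kind == Kind::Int) ? len : Object{};
        return stream;
    }
};

XRef buildSelfReferencingDoc(bool forwardBudget) {
    XRef x;
    x.forwardBudget = forwardBudget;
    Object self;   self.kind = Kind::Ref;      self.refNum = 6;
    Object stream; stream.kind = Kind::Stream; stream.dict["Length"] = self;
    x.table[6] = stream;
    return x;
}

// Number of fetch() calls before the resolution gives up, or -1 if only the
// safety fuse stopped it (i.e. the guard was defeated).
int resolveCount(bool forwardBudget) {
    XRef x = buildSelfReferencingDoc(forwardBudget);
    try {
        x.fetch(6, kDefaultRecursion);
        return x.stats.fetches;
    } catch (const std::runtime_error &) {
        return -1;
    }
}

}  // namespace toy

int main() {
    std::printf("counter forwarded: %d fetches\n", toy::resolveCount(true));   // 501
    std::printf("counter dropped:   %d (fuse)\n", toy::resolveCount(false));   // -1
    return 0;
}
```

With the counter forwarded, the self-reference costs exactly 501 fetches (500 decrements plus the final one that returns Null) and the stream is returned with a Null Length, which is the "Bad 'Length' attribute" path. With the counter dropped at one hop, each pass restarts at 500 and nothing ever reaches zero; only the demo fuse ends it. That is the failure mode the missing `recursion` argument at Stream.cc:5533 would reintroduce on a cycle that passes through that call.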