[Poppler-bugs] [Bug 101366] New: [PATCH] Fix leak in SplashOutputDev::type3D1()

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Fri Jun 9 23:06:06 UTC 2017


https://bugs.freedesktop.org/show_bug.cgi?id=101366

            Bug ID: 101366
           Summary: [PATCH] Fix leak in SplashOutputDev::type3D1()
           Product: poppler
           Version: unspecified
          Hardware: Other
                OS: All
            Status: NEW
          Severity: normal
          Priority: medium
         Component: splash backend
          Assignee: poppler-bugs at lists.freedesktop.org
          Reporter: dudul04 at yahoo.fr

Created attachment 131834
  --> https://bugs.freedesktop.org/attachment.cgi?id=131834&action=edit
Crasher PDF file

Rendering of the attached PDF file crashes with:

{{{
$ LD_LIBRARY_PATH=poppler/.libs/ valgrind --leak-check=full --num-callers=40 utils/.libs/pdftoppm /home/even/oss-fuzz/build/out/gdal/./crash-cb4ddf1ecdfa9bac053d787a512499147f6a62bf > out.ppm
==10141== Memcheck, a memory error detector
==10141== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==10141== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==10141== Command: utils/.libs/pdftoppm /home/even/oss-fuzz/build/out/gdal/./crash-cb4ddf1ecdfa9bac053d787a512499147f6a62bf
==10141== 
Syntax Error (88311): Dictionary key must be a name object
Syntax Error (88317): Dictionary key must be a name object
Syntax Error (88319): Dictionary key must be a name object
Syntax Error (88331): Dictionary key must be a name object
Syntax Error (88337): Dictionary key must be a name object
Syntax Error (88339): Dictionary key must be a name object
Syntax Error (88351): Dictionary key must be a name object
Syntax Error (88353): Dictionary key must be a name object
Syntax Error (88355): Dictionary key must be a name object
Syntax Error (88358): Dictionary key must be a name object
Syntax Error (3938): Unknown operator 'm5'
Syntax Error (4027): Unknown operator 'm2'
Syntax Error (4076): No current point in lineto
Syntax Error (4131): No current point in lineto
Syntax Error (4131): No current point in lineto
Syntax Error (4168): Unknown operator 'T'
Syntax Error (4168): Unknown operator 'm2'
Syntax Error (4197): Illegal character ')'
Syntax Error (4212): Unknown operator 'D2'
Syntax Error (4212): Unknown operator 'D2'
Syntax Error (4212): Unknown operator 'D2'
Syntax Error (4225): Unknown operator 'D2'
Syntax Error (4240): Unknown operator 'TQ23m'
Syntax Error (4333): Unknown operator 'C'
Syntax Error (4340): Illegal character ')'
Syntax Error (4342): Unknown operator 'D2'
Syntax Error (4345): Unknown operator 'D2'
Syntax Error (4353): Unknown operator 'D2'
Syntax Error (4356): Unknown operator 'D2'
Syntax Error (4361): Unknown operator 'D2'
Syntax Error (4363): Unknown operator 'D'
Syntax Error (4364): Unknown operator 'D2'
Syntax Error (4367): Unknown operator 'D'
Syntax Error (4369): Unknown operator 'D2'
Syntax Error (4385): Unknown operator 'i.D2'
Syntax Error (4391): Unknown operator 'i.D2'
Syntax Error (4393): Unknown operator 'TQ23m'
==10141== Invalid read of size 1
==10141==    at 0x4EFB9C3: SplashOutputDev::type3D1(GfxState*, double, double, double, double, double, double) (SplashOutputDev.cc:2728)
==10141==    by 0x4F4CCF8: Gfx::go(bool) (Gfx.cc:767)
==10141==    by 0x4F4D1FF: Gfx::display(Object*, bool) (Gfx.cc:729)
==10141==    by 0x4F967D4: Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) (Page.cc:601)
==10141==    by 0x401B25: savePageSlice (pdftoppm.cc:225)
==10141==    by 0x401B25: main (pdftoppm.cc:532)
==10141==  Address 0x2 is not stack'd, malloc'd or (recently) free'd
==10141== 
==10141== 
==10141== Process terminating with default action of signal 11 (SIGSEGV)
==10141==  Access not within mapped region at address 0x2
==10141==    at 0x4EFB9C3: SplashOutputDev::type3D1(GfxState*, double, double, double, double, double, double) (SplashOutputDev.cc:2728)
==10141==    by 0x4F4CCF8: Gfx::go(bool) (Gfx.cc:767)
==10141==    by 0x4F4D1FF: Gfx::display(Object*, bool) (Gfx.cc:729)
==10141==    by 0x4F967D4: Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) (Page.cc:601)
==10141==    by 0x401B25: savePageSlice (pdftoppm.cc:225)
==10141==    by 0x401B25: main (pdftoppm.cc:532)

}}}

Credit to OSS Fuzz
