[Poppler-bugs] [Bug 103116] New: Valgrind: Invalid Read (24 bytes after block in arena)
bugzilla-daemon at freedesktop.org
Thu Oct 5 20:37:05 UTC 2017
https://bugs.freedesktop.org/show_bug.cgi?id=103116
Bug ID: 103116
Summary: Valgrind: Invalid Read (24 bytes after block in arena)
Product: poppler
Version: unspecified
Hardware: Other
OS: All
Status: NEW
Severity: critical
Priority: medium
Component: general
Assignee: poppler-bugs at lists.freedesktop.org
Reporter: jason at inspiresomeone.us
Created attachment 134690
--> https://bugs.freedesktop.org/attachment.cgi?id=134690&action=edit
0JBYrSy8_CRASHED.pdf - leads to invalid read and segfault
Forwarding from https://bugzilla.gnome.org/show_bug.cgi?id=786444
------------------------------
While fuzzing I found a PDF document that leads to the following valgrind
messages:
==9190== Invalid read of size 8
==9190== at 0x174C89B0: TextPool::addWord(TextWord*) (in
/usr/lib/libpoppler.so.68.0.0)
==9190== by 0x174CBB62: TextPage::endWord() (in
/usr/lib/libpoppler.so.68.0.0)
==9190== by 0x174CBFA8: TextPage::addChar(GfxState*, double, double, double,
double, unsigned int, int, unsigned int*, int) (in
/usr/lib/libpoppler.so.68.0.0)
==9190== by 0x16DAB386: CairoOutputDev::drawChar(GfxState*, double, double,
double, double, double, double, unsigned int, int, unsigned int*, int) (in
/usr/lib/libpoppler-glib.so.8.9.0)
==9190== by 0x1744B86F: Gfx::doShowText(GooString*) (in
/usr/lib/libpoppler.so.68.0.0)
==9190== by 0x1744CB5D: Gfx::opShowSpaceText(Object*, int) (in
/usr/lib/libpoppler.so.68.0.0)
==9190== by 0x17443B57: Gfx::go(bool) (in /usr/lib/libpoppler.so.68.0.0)
==9190== by 0x1744404A: Gfx::display(Object*, bool) (in
/usr/lib/libpoppler.so.68.0.0)
==9190== by 0x1748EE69: Page::displaySlice(OutputDev*, double, double, int,
bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*,
void*), void*, bool) (in /usr/lib/libpoppler.so.68.0.0)
==9190== by 0x16D98D8F: ??? (in /usr/lib/libpoppler-glib.so.8.9.0)
==9190== by 0x16B4C938: ??? (in
/usr/lib/evince/4/backends/libpdfdocument.so)
==9190== by 0x16B4CB94: ??? (in
/usr/lib/evince/4/backends/libpdfdocument.so)
==9190== Address 0x10cf4818 is 24 bytes after a block of size 96 in arena
"client"
And then it crashes with:
==9190== Process terminating with default action of signal 11 (SIGSEGV):
dumping core
==9190== Access not within mapped region at address 0xA8
==9190== at 0x174C8A29: TextPool::addWord(TextWord*) (in
/usr/lib/libpoppler.so.68.0.0)
==9190== by 0x174CBB62: TextPage::endWord() (in
/usr/lib/libpoppler.so.68.0.0)
==9190== by 0x174CBFA8: TextPage::addChar(GfxState*, double, double, double,
double, unsigned int, int, unsigned int*, int) (in
/usr/lib/libpoppler.so.68.0.0)
==9190== by 0x16DAB386: CairoOutputDev::drawChar(GfxState*, double, double,
double, double, double, double, unsigned int, int, unsigned int*, int) (in
/usr/lib/libpoppler-glib.so.8.9.0)
==9190== by 0x1744B86F: Gfx::doShowText(GooString*) (in
/usr/lib/libpoppler.so.68.0.0)
==9190== by 0x1744CB5D: Gfx::opShowSpaceText(Object*, int) (in
/usr/lib/libpoppler.so.68.0.0)
==9190== by 0x17443B57: Gfx::go(bool) (in /usr/lib/libpoppler.so.68.0.0)
==9190== by 0x1744404A: Gfx::display(Object*, bool) (in
/usr/lib/libpoppler.so.68.0.0)
==9190== by 0x1748EE69: Page::displaySlice(OutputDev*, double, double, int,
bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*,
void*), void*, bool) (in /usr/lib/libpoppler.so.68.0.0)
==9190== by 0x16D98D8F: ??? (in /usr/lib/libpoppler-glib.so.8.9.0)
==9190== by 0x16B4C938: ??? (in
/usr/lib/evince/4/backends/libpdfdocument.so)
==9190== by 0x16B4CB94: ??? (in
/usr/lib/evince/4/backends/libpdfdocument.so)
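The two valgrind blocks above carry the information a triager needs: the innermost frame (the same `TextPool::addWord` in both), the heap relationship of the first bad read (24 bytes past a 96-byte block, i.e. a read beyond the end of a heap allocation) and the fault address of the eventual SIGSEGV (0xA8, a small offset that looks like a NULL pointer plus a field offset). The following parser is an added example for triaging such reports, not code from the report, from poppler or from valgrind. The embedded sample is the report's own output with the wrapped frame lines rejoined and trimmed to three frames; the classification heuristics (the `after`/`before`/`inside` wording and the 0x1000 near-NULL threshold) are this example's own assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Valgrind line shapes this triage parser understands (assumed from common output).
LINE_RE = re.compile(r"^==(\d+)==\s?(.*)$")
INVALID_RE = re.compile(r"^Invalid (read|write) of size (\d+)$")
SIGNAL_RE = re.compile(r"^Process terminating with default action of signal (\d+) \((\w+)\)")
FRAME_RE = re.compile(r"^(?:at|by) 0x([0-9A-Fa-f]+): (.+?) \(in (.+)\)$")
HEAP_RE = re.compile(r"^Address 0x([0-9A-Fa-f]+) is (\d+) bytes (after|before|inside) a block of size (\d+)")
UNMAPPED_RE = re.compile(r"^Access not within mapped region at address 0x([0-9A-Fa-f]+)")

# Constructed sample: the report's two blocks, wrapped lines rejoined, trimmed to 3 frames.
SAMPLE_LOG = """\
==9190== Invalid read of size 8
==9190==    at 0x174C89B0: TextPool::addWord(TextWord*) (in /usr/lib/libpoppler.so.68.0.0)
==9190==    by 0x174CBB62: TextPage::endWord() (in /usr/lib/libpoppler.so.68.0.0)
==9190==    by 0x174CBFA8: TextPage::addChar(GfxState*, double, double, double, double, unsigned int, int, unsigned int*, int) (in /usr/lib/libpoppler.so.68.0.0)
==9190==  Address 0x10cf4818 is 24 bytes after a block of size 96 in arena "client"
==9190==
==9190== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==9190==  Access not within mapped region at address 0xA8
==9190==    at 0x174C8A29: TextPool::addWord(TextWord*) (in /usr/lib/libpoppler.so.68.0.0)
==9190==    by 0x174CBB62: TextPage::endWord() (in /usr/lib/libpoppler.so.68.0.0)
"""


@dataclass
class VgError:
    kind: str                                   # "Invalid read", "Invalid write" or a signal name
    access_size: Optional[int] = None
    frames: List[Tuple[int, str, str]] = field(default_factory=list)  # (pc, symbol, object)
    heap_offset: Optional[int] = None           # distance from the heap block, in bytes
    heap_relation: Optional[str] = None         # "after", "before" or "inside"
    block_size: Optional[int] = None
    fault_address: Optional[int] = None         # address of an unmapped-region fault

    def top_frame(self) -> Optional[str]:
        return self.frames[0][1] if self.frames else None

    def classify(self) -> str:
        """Heuristic bucket for the error (assumed thresholds, not valgrind's own)."""
        if self.heap_relation == "after":
            return f"heap-buffer-overflow: {self.kind.lower()} {self.heap_offset} bytes past a {self.block_size}-byte block"
        if self.heap_relation == "before":
            return f"heap-buffer-underflow: {self.kind.lower()} {self.heap_offset} bytes before a {self.block_size}-byte block"
        if self.heap_relation == "inside":
            return f"access inside a {self.block_size}-byte block: check whether valgrind says it was free'd"
        if self.fault_address is not None:
            if self.fault_address < 0x1000:
                return f"near-NULL dereference: fault address {self.fault_address:#x} (NULL pointer plus field offset)"
            return f"wild pointer access: fault address {self.fault_address:#x} is not mapped"
        return "unclassified"


def parse_valgrind(text: str) -> List[VgError]:
    """Split valgrind output into error records; a blank ==pid== line closes a record."""
    errors: List[VgError] = []
    current: Optional[VgError] = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                            # program output or other non-valgrind text
        payload = m.group(2).strip()
        if not payload:
            current = None
            continue
        inv, sig = INVALID_RE.match(payload), SIGNAL_RE.match(payload)
        if inv:
            current = VgError(kind=f"Invalid {inv.group(1)}", access_size=int(inv.group(2)))
            errors.append(current)
            continue
        if sig:
            current = VgError(kind=sig.group(2))
            errors.append(current)
            continue
        if current is None:
            continue
        fr = FRAME_RE.match(payload)
        if fr:
            current.frames.append((int(fr.group(1), 16), fr.group(2), fr.group(3)))
            continue
        hp = HEAP_RE.match(payload)
        if hp:
            current.heap_offset, current.heap_relation = int(hp.group(2)), hp.group(3)
            current.block_size = int(hp.group(4))
            continue
        um = UNMAPPED_RE.match(payload)
        if um:
            current.fault_address = int(um.group(1), 16)
    return errors


def same_function_faults(errors: List[VgError]) -> bool:
    """True when every error shares one innermost frame: evidence of a single root cause."""
    return len({e.top_frame() for e in errors}) == 1


if __name__ == "__main__":
    for err in parse_valgrind(SAMPLE_LOG):
        print(f"{err.kind:13} in {err.top_frame()}: {err.classify()}")
```

Run on the sample, the first record is bucketed as a read past the end of a 96-byte heap block and the second as a near-NULL fault, both with `TextPool::addWord` as the innermost frame, which is the signal that the out-of-bounds read and the later crash are one bug rather than two, and that a fuzzing corpus can be deduplicated on the top frame before filing.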