[Poppler-bugs] [Bug 102718] New: Gfx::display infinite loop and stack memory exhaustion in pdftops, poppler 0.59

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Thu Sep 14 02:20:00 UTC 2017 

https://bugs.freedesktop.org/show_bug.cgi?id=102718

            Bug ID: 102718
           Summary: Gfx::display infinite loop and stack memory exhaustion
                    in pdftops, poppler 0.59
           Product: poppler
           Version: unspecified
          Hardware: Other
                OS: All
            Status: NEW
          Severity: normal
          Priority: medium
         Component: utils
          Assignee: poppler-bugs at lists.freedesktop.org
          Reporter: luanjunchao at 163.com

Created attachment 134209
  --> https://bugs.freedesktop.org/attachment.cgi?id=134209&action=edit
pdftops crash

When I run pdftops with a specific pdf, it crashes with stack memory
exhaustion.

root at c116349c2d78:/work/down/poppler-0.59.0# ./utils/pdftops crash_pdftops.pdf
1                                                                               
ASAN:SIGSEGV                                                       
=================================================================  
==12400==ERROR: AddressSanitizer: stack-overflow on address 0x7ffe7a61eff8 (pc
0x7f86dfc0480b bp 0x7ffe7a61f900 sp 0x7ffe7a61eff0 T0)  
    #0 0x7f86dfc0480a  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x2280a)         
    #1 0x7f86dfc7a5d2 in malloc
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x985d2)                                
    #2 0x4af2f3 in gmalloc /work/down/poppler-0.59.0/goo/gmem.cc:110            
    #3 0x4af389 in gmalloc /work/down/poppler-0.59.0/goo/gmem.cc:120            
    #4 0x4af864 in copyString /work/down/poppler-0.59.0/goo/gmem.cc:316
    #5 0x45f9c6 in Object::Object(ObjType, char const*)
/work/down/poppler-0.59.0/poppler/Object.h:157
    #6 0x610a77 in Lexer::getObj(int)
/work/down/poppler-0.59.0/poppler/Lexer.cc:573
    #7 0x62866f in Parser::shift(int)
/work/down/poppler-0.59.0/poppler/Parser.cc:291
    #8 0x6276e2 in Parser::getObj(bool, unsigned char*, CryptAlgorithm, int,
int, int, int, bool) /work/down/poppler-0.59.0/poppler/Parser.cc:149
    #9 0x627490 in Parser::getObj(bool, unsigned char*, CryptAlgorithm, int,
int, int, int, bool) /work/down/poppler-0.59.0/poppler/Parser.cc:120
    #10 0x45a345 in XRef::fetch(int, int, int)
/work/down/poppler-0.59.0/poppler/XRef.cc:1166
    #11 0x415b32 in Object::fetch(XRef*, int) const
/work/down/poppler-0.59.0/poppler/Object.cc:125
    #12 0x540925 in Dict::lookup(char const*, int)
/work/down/poppler-0.59.0/poppler/Dict.cc:259
    #13 0x429892 in Object::dictLookup(char const*, int)
/work/down/poppler-0.59.0/poppler/Object.h:362
    #14 0x598572 in Gfx8BitFont::getCharProc(int)
/work/down/poppler-0.59.0/poppler/GfxFont.cc:1756
    #15 0x57c8a2 in Gfx::doShowText(GooString*)
/work/down/poppler-0.59.0/poppler/Gfx.cc:3956
    #16 0x579a07 in Gfx::opShowText(Object*, int)
/work/down/poppler-0.59.0/poppler/Gfx.cc:3756
    #17 0x558f53 in Gfx::execOp(Object*, Object*, int)
/work/down/poppler-0.59.0/poppler/Gfx.cc:880
    #18 0x55804e in Gfx::go(bool) /work/down/poppler-0.59.0/poppler/Gfx.cc:744
    #19 0x557b11 in Gfx::display(Object*, bool)
/work/down/poppler-0.59.0/poppler/Gfx.cc:706
    #20 0x57c911 in Gfx::doShowText(GooString*)
/work/down/poppler-0.59.0/poppler/Gfx.cc:3961
    #21 0x579a07 in Gfx::opShowText(Object*, int)
/work/down/poppler-0.59.0/poppler/Gfx.cc:3756
    #22 0x558f53 in Gfx::execOp(Object*, Object*, int)
/work/down/poppler-0.59.0/poppler/Gfx.cc:880
    #23 0x55804e in Gfx::go(bool) /work/down/poppler-0.59.0/poppler/Gfx.cc:744
    #24 0x557b11 in Gfx::display(Object*, bool)
/work/down/poppler-0.59.0/poppler/Gfx.cc:706
    #25 0x57c911 in Gfx::doShowText(GooString*)
/work/down/poppler-0.59.0/poppler/Gfx.cc:3961
    #26 0x579a07 in Gfx::opShowText(Object*, int)
/work/down/poppler-0.59.0/poppler/Gfx.cc:3756
    #27 0x558f53 in Gfx::execOp(Object*, Object*, int)
/work/down/poppler-0.59.0/poppler/Gfx.cc:880
    #28 0x55804e in Gfx::go(bool) /work/down/poppler-0.59.0/poppler/Gfx.cc:744
    #29 0x557b11 in Gfx::display(Object*, bool)
/work/down/poppler-0.59.0/poppler/Gfx.cc:706
   .....
  #245 0x57c911 in Gfx::doShowText(GooString*)
/work/down/poppler-0.59.0/poppler/Gfx.cc:3961
    #246 0x579a07 in Gfx::opShowText(Object*, int)
/work/down/poppler-0.59.0/poppler/Gfx.cc:3756
    #247 0x558f53 in Gfx::execOp(Object*, Object*, int)
/work/down/poppler-0.59.0/poppler/Gfx.cc:880
    #248 0x55804e in Gfx::go(bool) /work/down/poppler-0.59.0/poppler/Gfx.cc:744
    #249 0x557b11 in Gfx::display(Object*, bool)
/work/down/poppler-0.59.0/poppler/Gfx.cc:706
    #250 0x57c911 in Gfx::doShowText(GooString*)
/work/down/poppler-0.59.0/poppler/Gfx.cc:3961
    #251 0x579a07 in Gfx::opShowText(Object*, int)
/work/down/poppler-0.59.0/poppler/Gfx.cc:3756
    ......

It just goes into an infinite loop. The result of gdb:


gdb -q ./utils/pdftops
Reading symbols from ./utils/pdftops...done.
(gdb) run crash_pdftops.pdf 1
Starting program: /work/down/poppler-0.59.0/utils/pdftops crash_pdftops.pdf 1
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff6f0d334 in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.2
(gdb) bt
#0  0x00007ffff6f0d334 in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.2
#1  0x00007ffff6f02627 in malloc () from /usr/lib/x86_64-linux-gnu/libasan.so.2
#2  0x00000000004af2f4 in gmalloc (size=2, checkoverflow=false) at gmem.cc:110
#3  0x00000000004af38a in gmalloc (size=2) at gmem.cc:120
#4  0x00000000004af865 in copyString (s=0x610000595669 "]") at gmem.cc:316
#5  0x000000000045f9c7 in Object::Object (this=0x7fffff7ffa50, typeA=objCmd,
stringA=0x610000595669 "]") at Object.h:157
#6  0x00000000006100a4 in Lexer::getObj (this=0x610000595640, objNum=-1) at
Lexer.cc:467
#7  0x0000000000628670 in Parser::shift (this=0x60600015e1e0, objNum=-1) at
Parser.cc:291
#8  0x0000000000627abb in Parser::getObj (this=0x60600015e1e0,
simpleOnly=false, fileKey=0x0, encAlgorithm=cryptNone, keyLength=-1094795586,
objNum=13, objGen=0, recursion=2, strict=false) at Parser.cc:180
#9  0x000000000062717a in Parser::getObj (this=0x60600015e1e0,
simpleOnly=false, fileKey=0x0, encAlgorithm=cryptNone, keyLength=-1094795586,
objNum=13, objGen=0, recursion=1, strict=false) at Parser.cc:93
#10 0x0000000000627491 in Parser::getObj (this=0x60600015e1e0,
simpleOnly=false, fileKey=0x0, encAlgorithm=cryptNone, keyLength=-1094795586,
objNum=13, objGen=0, recursion=0, strict=false) at Parser.cc:120
#11 0x000000000045a346 in XRef::fetch (this=0x611000009f00, num=13, gen=0,
recursion=0) at XRef.cc:1166
#12 0x0000000000415b33 in Object::fetch (this=0x60c00000b2d0,
xref=0x611000009f00, recursion=0) at Object.cc:125
#13 0x0000000000512b3d in Array::get (this=0x60700000d290, i=1, recursion=0) at
Array.cc:125
#14 0x00000000005a6437 in GfxCalGrayColorSpace::parse (arr=0x60700000d290,
state=0x6170004d4a00) at GfxState.cc:815
#15 0x00000000005a474b in GfxColorSpace::parse (res=0x60c000009340,
csObj=0x7fffff8004a0, out=0x60d00000cc30, state=0x6170004d4a00, recursion=0) at
GfxState.cc:389
#16 0x000000000055faae in Gfx::opSetFillColorSpace (this=0x611000009b40,
args=0x7fffff8006f0, numArgs=1) at Gfx.cc:1516
#17 0x0000000000558f54 in Gfx::execOp (this=0x611000009b40, cmd=0x7fffff8006b0,
args=0x7fffff8006f0, numArgs=1) at Gfx.cc:880
#18 0x000000000055804f in Gfx::go (this=0x611000009b40, topLevel=false) at
Gfx.cc:744
#19 0x0000000000557b12 in Gfx::display (this=0x611000009b40,
obj=0x7fffff800ff0, topLevel=false) at Gfx.cc:706
#20 0x000000000057c912 in Gfx::doShowText (this=0x611000009b40,
s=0x6030000b5ed0) at Gfx.cc:3961
#21 0x0000000000579a08 in Gfx::opShowText (this=0x611000009b40,
args=0x7fffff801280, numArgs=1) at Gfx.cc:3756
#22 0x0000000000558f54 in Gfx::execOp (this=0x611000009b40, cmd=0x7fffff801240,
args=0x7fffff801280, numArgs=1) at Gfx.cc:880
#23 0x000000000055804f in Gfx::go (this=0x611000009b40, topLevel=false) at
Gfx.cc:744
#24 0x0000000000557b12 in Gfx::display (this=0x611000009b40,
obj=0x7fffff801b80, topLevel=false) at Gfx.cc:706
#25 0x000000000057c912 in Gfx::doShowText (this=0x611000009b40,
s=0x6030000b5fc0) at Gfx.cc:3961
#26 0x0000000000579a08 in Gfx::opShowText (this=0x611000009b40,
args=0x7fffff801e10, numArgs=1) at Gfx.cc:3756
#27 0x0000000000558f54 in Gfx::execOp (this=0x611000009b40, cmd=0x7fffff801dd0,
args=0x7fffff801e10, numArgs=1) at Gfx.cc:880
#28 0x000000000055804f in Gfx::go (this=0x611000009b40, topLevel=false) at
Gfx.cc:744
......
#14163 0x000000000055804f in Gfx::go (this=0x611000009b40, topLevel=false) at
Gfx.cc:744                                        
#14164 0x0000000000557b12 in Gfx::display (this=0x611000009b40,
obj=0x7fffffffd640, topLevel=false) at Gfx.cc:706               
#14165 0x000000000057c912 in Gfx::doShowText (this=0x611000009b40,
s=0x60300001c330) at Gfx.cc:3961                             
#14166 0x0000000000579a08 in Gfx::opShowText (this=0x611000009b40,
args=0x7fffffffd8d0, numArgs=1) at Gfx.cc:3756               
#14167 0x0000000000558f54 in Gfx::execOp (this=0x611000009b40,
cmd=0x7fffffffd890, args=0x7fffffffd8d0, numArgs=1) at Gfx.cc:880
#14168 0x000000000055804f in Gfx::go (this=0x611000009b40, topLevel=true) at
Gfx.cc:744                                         
#14169 0x0000000000557b12 in Gfx::display (this=0x611000009b40,
obj=0x7fffffffdd10, topLevel=true) at Gfx.cc:706                
#14170 0x0000000000624568 in Page::displaySlice (this=0x611000009dc0,
out=0x60d00000cc30, hDPI=72, vDPI=72, rotate=0, useMediaBox=false, crop=true,
sliceX=-1, sliceY=-1, sliceW=-1, sliceH=-1, printing=true, abortCheckCbk=0x0,
abortCheckCbkData=0x0,
    annotDisplayDecideCbk=0x0, annotDisplayDecideCbkData=0x0, copyXRef=false)
at Page.cc:560                                    
#14171 0x0000000000475255 in PSOutputDev::checkPageSlice (this=0x61800000fc80,
page=0x611000009dc0, rotateA=0, useMediaBox=false, crop=true, sliceX=-1,
sliceY=-1, sliceW=-1, sliceH=-1, printing=true, abortCheckCbk=0x0,
abortCheckCbkData=0x0, annotDisplayDecideCbk=0x0,
    annotDisplayDecideCbkData=0x0) at PSOutputDev.cc:3255                       
#14172 0x00000000006243a6 in Page::displaySlice (this=0x611000009dc0,
out=0x61800000fc80, hDPI=72, vDPI=72, rotate=0, useMediaBox=false, crop=true,
sliceX=-1, sliceY=-1, sliceW=-1, sliceH=-1, printing=true, abortCheckCbk=0x0,
abortCheckCbkData=0x0,
    annotDisplayDecideCbk=0x0, annotDisplayDecideCbkData=0x0, copyXRef=false)
at Page.cc:539                                    
#14173 0x0000000000623a3c in Page::display (this=0x611000009dc0,
out=0x61800000fc80, hDPI=72, vDPI=72, rotate=0, useMediaBox=false, crop=true,
printing=true, abortCheckCbk=0x0, abortCheckCbkData=0x0,
annotDisplayDecideCbk=0x0, annotDisplayDecideCbkData=0x0,
    copyXRef=false) at Page.cc:483                                              
#14174 0x00000000004195af in PDFDoc::displayPage (this=0x60f00000ef50,
out=0x61800000fc80, page=1, hDPI=72, vDPI=72, rotate=0, useMediaBox=false,
crop=true, printing=true, abortCheckCbk=0x0, abortCheckCbkData=0x0,
annotDisplayDecideCbk=0x0,
    annotDisplayDecideCbkData=0x0, copyXRef=false) at PDFDoc.cc:488             
#14175 0x0000000000408084 in main (argc=3, argv=0x7fffffffe658) at
pdftops.cc:423  

So I think there is lack of verification in some function.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/poppler-bugs/attachments/20170914/42758c91/attachment-0001.html>

More information about the Poppler-bugs mailing list