[Poppler-bugs] [Bug 106408] New: NULL pointer dereference in AnnotPath::getCoordsLength of poppler 0.24.5

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Sat May 5 09:51:40 UTC 2018 

https://bugs.freedesktop.org/show_bug.cgi?id=106408

            Bug ID: 106408
           Summary: NULL pointer dereference in AnnotPath::getCoordsLength
                    of poppler 0.24.5
           Product: poppler
           Version: unspecified
          Hardware: x86 (IA32)
                OS: All
            Status: NEW
          Severity: normal
          Priority: medium
         Component: pdftohtml
          Assignee: poppler-bugs at lists.freedesktop.org
          Reporter: bugzilla.freedesktop at qiushi.ac.cn

Created attachment 139367
  --> https://bugs.freedesktop.org/attachment.cgi?id=139367&action=edit
poc

There is a null pointer dereference in libpoppler 0.24.5 on ubuntu 14.04.5. 

How to reproduce?

On Ubuntu 14.04.5 32bit:
$ apt-get source libpoppler44:i386
$ apt-get install autoconf
$ cd poppler-0.24.5
$ ./configure --disable-shared CFLAGS="-fsanitize=address -ggdb"
CXXFLAGS="-fsanitize=address -ggdb"
$ make
$ gdb utils/pdftohtml
(gdb) set args ./POC_poppler.pdf

Starting program: poppler-0.24.5/utils/pdftohtml POC_poppler.pdf
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
Syntax Error: End of file inside array
Syntax Error: End of file inside dictionary
Syntax Error: Bad Annot Path
Syntax Error: Bad Annot Path

Program received signal SIGSEGV, Segmentation fault.
0x080c76c2 in AnnotPath::getCoordsLength (this=0x0) at Annot.h:109
109       int getCoordsLength() const { return coordsLength; }
(gdb) bt
#0  0x080c76c2 in AnnotPath::getCoordsLength (this=0x0) at Annot.h:109
#1  0x080c02f3 in AnnotInk::draw (this=0xb611a3e0, gfx=0xb3503e40, 
    printing=false) at Annot.cc:6059
#2  0x0819c3a1 in Page::displaySlice (this=0xb2f03370, out=0xb3b03060, 
    hDPI=108, vDPI=108, rotate=0, useMediaBox=true, crop=false, sliceX=-1, 
    sliceY=-1, sliceW=-1, sliceH=-1, printing=false, abortCheckCbk=0x0, 
    abortCheckCbkData=0x0, annotDisplayDecideCbk=0x0, 
    annotDisplayDecideCbkData=0x0, copyXRef=false) at Page.cc:605
#3  0x0819b7ea in Page::display (this=0xb2f03370, out=0xb3b03060, hDPI=108, 
    vDPI=108, rotate=0, useMediaBox=true, crop=false, printing=false, 
    abortCheckCbk=0x0, abortCheckCbkData=0x0, annotDisplayDecideCbk=0x0, 
    annotDisplayDecideCbkData=0x0, copyXRef=false) at Page.cc:506
#4  0x081a2a85 in PDFDoc::displayPage (this=0xb3f01fa0, out=0xb3b03060, 
    page=1, hDPI=108, vDPI=108, rotate=0, useMediaBox=true, crop=false, 
    printing=false, abortCheckCbk=0x0, abortCheckCbkData=0x0, 
    annotDisplayDecideCbk=0x0, annotDisplayDecideCbkData=0x0, copyXRef=false)
    at PDFDoc.cc:464
#5  0x081a2b3d in PDFDoc::displayPages (this=0xb3f01fa0, out=0xb3b03060, 
    firstPage=1, lastPage=1, hDPI=108, vDPI=108, rotate=0, useMediaBox=true, 
    crop=false, printing=false, abortCheckCbk=0x0, abortCheckCbkData=0x0, 
    annotDisplayDecideCbk=0x0, annotDisplayDecideCbkData=0x0) at PDFDoc.cc:480
#6  0x0804cce7 in main (argc=2, argv=0xbffff0d4) at pdftohtml.cc:387

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/poppler-bugs/attachments/20180505/f4121950/attachment.html>

More information about the Poppler-bugs mailing list