<html>
    <head>
      <base href="https://bugs.freedesktop.org/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - poppler-0.43.0: Crash during drawPngImage"
   href="https://bugs.freedesktop.org/show_bug.cgi?id=95563">95563</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>poppler-0.43.0: Crash during drawPngImage
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>poppler
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>unspecified
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>Other
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>medium
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>pdftohtml
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>poppler-bugs@lists.freedesktop.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>legarrec.vincent@gmail.com
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Hi, while fuzzing, pdftohtml may crash with an invalid image (file enclosed) with
poppler-0.43.0 and poppler-0.44.0.

Internal Error: xref num 3 not found but needed, try to reconstruct
Syntax Error (71): Bad 'Length' attribute in stream
Bogus memory allocation size
Erreur de segmentation (core dumped)

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7a31626 in GfxImageColorMap::getRGB (this=0x68dc40, x=0x0, 
    rgb=0x7fffffffd130)
    at
/home/legarrec/info/portage/app-text/poppler-0.43.0/work/poppler-0.43.0/poppler/GfxState.cc:6070
6070          color.c[i] = lookup2[i][x[i]];
(gdb) bt
#0  0x00007ffff7a31626 in GfxImageColorMap::getRGB (this=0x68dc40, x=0x0, 
    rgb=0x7fffffffd130)
    at
/home/legarrec/info/portage/app-text/poppler-0.43.0/work/poppler-0.43.0/poppler/GfxState.cc:6070
#1  0x0000000000426592 in HtmlOutputDev::drawPngImage (this=0x679190, 
    state=0x68d3c0, str=0x699530, width=1, height=1, colorMap=0x68dc40, 
    isMask=false) at HtmlOutputDev.cc:1396
#2  0x00007ffff7a06264 in Gfx::doImage (this=0x67d120, ref=0x7fffffffd440, 
    str=0x699530, inlineImg=false)
    at
/home/legarrec/info/portage/app-text/poppler-0.43.0/work/poppler-0.43.0/poppler/Gfx.cc:4707
#3  0x00007ffff7a03eea in Gfx::opXObject (this=0x67d120, args=0x7fffffffd580, 
    numArgs=1)
    at
/home/legarrec/info/portage/app-text/poppler-0.43.0/work/poppler-0.43.0/poppler/Gfx.cc:4206
#4  0x00007ffff79f0e4c in Gfx::execOp (this=0x67d120, cmd=0x7fffffffd540, 
    args=0x7fffffffd580, numArgs=1)
    at
/home/legarrec/info/portage/app-text/poppler-0.43.0/work/poppler-0.43.0/poppler/Gfx.cc:904
#5  0x00007ffff79f06e0 in Gfx::go (this=0x67d120, topLevel=true)
    at
/home/legarrec/info/portage/app-text/poppler-0.43.0/work/poppler-0.43.0/poppler/Gfx.cc:763
#6  0x00007ffff79f04b1 in Gfx::display (this=0x67d120, obj=0x7fffffffd8d0, 
    topLevel=true)
    at
/home/legarrec/info/portage/app-text/poppler-0.43.0/work/poppler-0.43.0/poppler/Gfx.cc:729
#7  0x00007ffff7a5d0c3 in Page::displaySlice (this=0x67d050, out=0x679190, 
    hDPI=108, vDPI=108, rotate=0, useMediaBox=true, crop=false, sliceX=-1, 
    sliceY=-1, sliceW=-1, sliceH=-1, printing=false, abortCheckCbk=0x0, 
    abortCheckCbkData=0x0, annotDisplayDecideCbk=0x0, 
    annotDisplayDecideCbkData=0x0, copyXRef=false)
    at
/home/legarrec/info/portage/app-text/poppler-0.43.0/work/poppler-0.43.0/poppler/Page.cc:599
#8  0x00007ffff7a5cb00 in Page::display (this=0x67d050, out=0x679190, 
    hDPI=108, vDPI=108, rotate=0, useMediaBox=true, crop=false, 
    printing=false, abortCheckCbk=0x0, abortCheckCbkData=0x0, 
    annotDisplayDecideCbk=0x0, annotDisplayDecideCbkData=0x0, copyXRef=false)
    at
/home/legarrec/info/portage/app-text/poppler-0.43.0/work/poppler-0.43.0/poppler/Page.cc:521
#9  0x00007ffff7a60b8f in PDFDoc::displayPage (this=0x677f70, out=0x679190, 
    page=1, hDPI=108, vDPI=108, rotate=0, useMediaBox=true, crop=false, 
    printing=false, abortCheckCbk=0x0, abortCheckCbkData=0x0, 
    annotDisplayDecideCbk=0x0, annotDisplayDecideCbkData=0x0, copyXRef=false)
    at
/home/legarrec/info/portage/app-text/poppler-0.43.0/work/poppler-0.43.0/poppler/PDFDoc.cc:493
#10 0x00007ffff7a60c30 in PDFDoc::displayPages (this=0x677f70, out=0x679190, 
    firstPage=1, lastPage=1, hDPI=108, vDPI=108, rotate=0, useMediaBox=true, 
    crop=false, printing=false, abortCheckCbk=0x0, abortCheckCbkData=0x0, 
    annotDisplayDecideCbk=0x0, annotDisplayDecideCbkData=0x0)
    at
/home/legarrec/info/portage/app-text/poppler-0.43.0/work/poppler-0.43.0/poppler/PDFDoc.cc:509
#11 0x00000000004093dd in main (argc=2, argv=<optimized out>)
    at pdftohtml.cc:392</pre>
        </div>
      </p>


    </body>
</html>