<html>
<head>
<base href="https://bugs.freedesktop.org/">
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - poppler 0.54.0: memory leak in Object::initArray"
href="https://bugs.freedesktop.org/show_bug.cgi?id=100776">100776</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>poppler 0.54.0: memory leak in Object::initArray
</td>
</tr>
<tr>
<th>Product</th>
<td>poppler
</td>
</tr>
<tr>
<th>Version</th>
<td>unspecified
</td>
</tr>
<tr>
<th>Hardware</th>
<td>All
</td>
</tr>
<tr>
<th>OS</th>
<td>Linux (All)
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>critical
</td>
</tr>
<tr>
<th>Priority</th>
<td>medium
</td>
</tr>
<tr>
<th>Component</th>
<td>utils
</td>
</tr>
<tr>
<th>Assignee</th>
<td>poppler-bugs@lists.freedesktop.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>haojunhou@gmail.com
</td>
</tr></table>
<p>
<div>
<pre>Created <span class=""><a href="attachment.cgi?id=131003" name="attach_131003" title="testcase">attachment 131003</a> <a href="attachment.cgi?id=131003&action=edit" title="testcase">[details]</a></span>
testcase
on poppler 0.54.0
The Object::initArray function in Object.cc:67 allows attackers to cause
a denial of service (memory leak) via a crafted file.
#pdfinfo $FILE
==113897==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 72 byte(s) in 1 object(s) allocated from:
#0 0x7f90d5a81a20 in operator new(unsigned long)
../../../../libsanitizer/asan/asan_new_delete.cc:60
#1 0x52040d in Object::initArray(XRef*)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/Object.cc:67
#2 0x52bb32 in Parser::getObj(Object*, bool, unsigned char*,
CryptAlgorithm, int, int, int, int, bool)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/Parser.cc:93
#3 0x58295a in XRef::fetch(int, int, Object*, int)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/XRef.cc:1221
#4 0x581e91 in XRef::getCatalog(Object*)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/XRef.cc:1147
#5 0x44e595 in Catalog::Catalog(PDFDoc*)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/Catalog.cc:110
#6 0x52e4a1 in PDFDoc::setup(GooString*, GooString*)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/PDFDoc.cc:285
#7 0x52db6c in PDFDoc::PDFDoc(GooString*, GooString*, GooString*, void*)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/PDFDoc.cc:169
#8 0x65191e in LocalPDFDocBuilder::buildPDFDoc(GooString const&,
GooString*, GooString*, void*)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/LocalPDFDocBuilder.cc:31
#9 0x53fd5e in PDFDocFactory::createPDFDoc(GooString const&, GooString*,
GooString*, void*)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/PDFDocFactory.cc:58
#10 0x4079c9 in main
/home/haojun/Downloads/testopensourcecode/poppler/utils/pdfinfo.cc:538
#11 0x7f90d3d7cb34 in __libc_start_main (/lib64/libc.so.6+0x21b34)
Indirect leak of 2304 byte(s) in 1 object(s) allocated from:
#0 0x7f90d5a80ec0 in __interceptor_realloc
../../../../libsanitizer/asan/asan_malloc_linux.cc:75
#1 0x59cb29 in grealloc
/home/haojun/Downloads/testopensourcecode/poppler/goo/gmem.cc:159
#2 0x59cbd7 in grealloc
/home/haojun/Downloads/testopensourcecode/poppler/goo/gmem.cc:173
#3 0x59b22e in GooString::resize(int)
/home/haojun/Downloads/testopensourcecode/poppler/goo/GooString.cc:158
#4 0x596dc1 in GooString::append(char const*, int)
/home/haojun/Downloads/testopensourcecode/poppler/goo/GooString.cc:291
#5 0x515be6 in Lexer::getObj(Object*, int)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/Lexer.cc:378
#6 0x52cf1d in Parser::shift(int)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/Parser.cc:300
#7 0x52c07d in Parser::getObj(Object*, bool, unsigned char*,
CryptAlgorithm, int, int, int, int, bool)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/Parser.cc:146
#8 0x52bbc3 in Parser::getObj(Object*, bool, unsigned char*,
CryptAlgorithm, int, int, int, int, bool)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/Parser.cc:95
#9 0x58295a in XRef::fetch(int, int, Object*, int)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/XRef.cc:1221
#10 0x581e91 in XRef::getCatalog(Object*)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/XRef.cc:1147
#11 0x44e595 in Catalog::Catalog(PDFDoc*)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/Catalog.cc:110
#12 0x52e4a1 in PDFDoc::setup(GooString*, GooString*)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/PDFDoc.cc:285
#13 0x52db6c in PDFDoc::PDFDoc(GooString*, GooString*, GooString*, void*)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/PDFDoc.cc:169
#14 0x65191e in LocalPDFDocBuilder::buildPDFDoc(GooString const&,
GooString*, GooString*, void*)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/LocalPDFDocBuilder.cc:31
#15 0x53fd5e in PDFDocFactory::createPDFDoc(GooString const&, GooString*,
GooString*, void*)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/PDFDocFactory.cc:58
#16 0x4079c9 in main
/home/haojun/Downloads/testopensourcecode/poppler/utils/pdfinfo.cc:538
#17 0x7f90d3d7cb34 in __libc_start_main (/lib64/libc.so.6+0x21b34)
Indirect leak of 1024 byte(s) in 1 object(s) allocated from:
#0 0x7f90d5a80ec0 in __interceptor_realloc
../../../../libsanitizer/asan/asan_malloc_linux.cc:75
#1 0x59cb29 in grealloc
/home/haojun/Downloads/testopensourcecode/poppler/goo/gmem.cc:159
#2 0x59cef2 in greallocn
/home/haojun/Downloads/testopensourcecode/poppler/goo/gmem.cc:240
#3 0x59cf1d in greallocn
/home/haojun/Downloads/testopensourcecode/poppler/goo/gmem.cc:244
#4 0x44d668 in Array::add(Object*)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/Array.cc:98
#5 0x44ae3e in Object::arrayAdd(Object*)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/Object.h:299
#6 0x52bbdc in Parser::getObj(Object*, bool, unsigned char*,
CryptAlgorithm, int, int, int, int, bool)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/Parser.cc:96
#7 0x58295a in XRef::fetch(int, int, Object*, int)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/XRef.cc:1221
#8 0x581e91 in XRef::getCatalog(Object*)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/XRef.cc:1147
#9 0x44e595 in Catalog::Catalog(PDFDoc*)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/Catalog.cc:110
#10 0x52e4a1 in PDFDoc::setup(GooString*, GooString*)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/PDFDoc.cc:285
#11 0x52db6c in PDFDoc::PDFDoc(GooString*, GooString*, GooString*, void*)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/PDFDoc.cc:169
#12 0x65191e in LocalPDFDocBuilder::buildPDFDoc(GooString const&,
GooString*, GooString*, void*)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/LocalPDFDocBuilder.cc:31
#13 0x53fd5e in PDFDocFactory::createPDFDoc(GooString const&, GooString*,
GooString*, void*)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/PDFDocFactory.cc:58
#14 0x4079c9 in main
/home/haojun/Downloads/testopensourcecode/poppler/utils/pdfinfo.cc:538
#15 0x7f90d3d7cb34 in __libc_start_main (/lib64/libc.so.6+0x21b34)
Indirect leak of 32 byte(s) in 1 object(s) allocated from:
#0 0x7f90d5a81a20 in operator new(unsigned long)
../../../../libsanitizer/asan/asan_new_delete.cc:60
#1 0x515ba9 in Lexer::getObj(Object*, int)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/Lexer.cc:376
#2 0x52cf1d in Parser::shift(int)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/Parser.cc:300
#3 0x52c07d in Parser::getObj(Object*, bool, unsigned char*,
CryptAlgorithm, int, int, int, int, bool)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/Parser.cc:146
#4 0x52bbc3 in Parser::getObj(Object*, bool, unsigned char*,
CryptAlgorithm, int, int, int, int, bool)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/Parser.cc:95
#5 0x58295a in XRef::fetch(int, int, Object*, int)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/XRef.cc:1221
#6 0x581e91 in XRef::getCatalog(Object*)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/XRef.cc:1147
#7 0x44e595 in Catalog::Catalog(PDFDoc*)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/Catalog.cc:110
#8 0x52e4a1 in PDFDoc::setup(GooString*, GooString*)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/PDFDoc.cc:285
#9 0x52db6c in PDFDoc::PDFDoc(GooString*, GooString*, GooString*, void*)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/PDFDoc.cc:169
#10 0x65191e in LocalPDFDocBuilder::buildPDFDoc(GooString const&,
GooString*, GooString*, void*)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/LocalPDFDocBuilder.cc:31
#11 0x53fd5e in PDFDocFactory::createPDFDoc(GooString const&, GooString*,
GooString*, void*)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/PDFDocFactory.cc:58
#12 0x4079c9 in main
/home/haojun/Downloads/testopensourcecode/poppler/utils/pdfinfo.cc:538
#13 0x7f90d3d7cb34 in __libc_start_main (/lib64/libc.so.6+0x21b34)
Indirect leak of 4 byte(s) in 1 object(s) allocated from:
#0 0x7f90d5a80b58 in __interceptor_malloc
../../../../libsanitizer/asan/asan_malloc_linux.cc:62
#1 0x59ca1f in gmalloc
/home/haojun/Downloads/testopensourcecode/poppler/goo/gmem.cc:110
#2 0x59cab5 in gmalloc
/home/haojun/Downloads/testopensourcecode/poppler/goo/gmem.cc:120
#3 0x59cf90 in copyString
/home/haojun/Downloads/testopensourcecode/poppler/goo/gmem.cc:316
#4 0x516ef8 in Object::initCmd(char*)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/Object.h:152
#5 0x5169ee in Lexer::getObj(Object*, int)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/Lexer.cc:576
#6 0x52cf1d in Parser::shift(int)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/Parser.cc:300
#7 0x52c07d in Parser::getObj(Object*, bool, unsigned char*,
CryptAlgorithm, int, int, int, int, bool)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/Parser.cc:146
#8 0x52bbc3 in Parser::getObj(Object*, bool, unsigned char*,
CryptAlgorithm, int, int, int, int, bool)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/Parser.cc:95
#9 0x58295a in XRef::fetch(int, int, Object*, int)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/XRef.cc:1221
#10 0x581e91 in XRef::getCatalog(Object*)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/XRef.cc:1147
#11 0x44e595 in Catalog::Catalog(PDFDoc*)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/Catalog.cc:110
#12 0x52e4a1 in PDFDoc::setup(GooString*, GooString*)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/PDFDoc.cc:285
#13 0x52db6c in PDFDoc::PDFDoc(GooString*, GooString*, GooString*, void*)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/PDFDoc.cc:169
#14 0x65191e in LocalPDFDocBuilder::buildPDFDoc(GooString const&,
GooString*, GooString*, void*)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/LocalPDFDocBuilder.cc:31
#15 0x53fd5e in PDFDocFactory::createPDFDoc(GooString const&, GooString*,
GooString*, void*)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/PDFDocFactory.cc:58
#16 0x4079c9 in main
/home/haojun/Downloads/testopensourcecode/poppler/utils/pdfinfo.cc:538
#17 0x7f90d3d7cb34 in __libc_start_main (/lib64/libc.so.6+0x21b34)
SUMMARY: AddressSanitizer: 3436 byte(s) leaked in 5 allocation(s).
The $FILE proof-of-concept is in the attachment.
Credit: The bug was discovered by Haojun Hou in ADLab of Venustech.</pre>
</div>
</p>
<hr>
</body>
</html>