<html>
    <head>
      <base href="https://bugs.freedesktop.org/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - poppler 0.54.0: memory leak in gmalloc"
   href="https://bugs.freedesktop.org/show_bug.cgi?id=100775">100775</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>poppler 0.54.0: memory leak in gmalloc
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>poppler
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>unspecified
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Linux (All)
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>critical
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>medium
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>utils
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>poppler-bugs@lists.freedesktop.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>haojunhou@gmail.com
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Created <span class=""><a href="attachment.cgi?id=131002" name="attach_131002" title="testcase">attachment 131002</a></span>
testcase

on poppler 0.54.0

The gmalloc function in gmem.cc:110 allows attackers to cause a denial
of service (memory leak) via a crafted file.

#pdfinfo $FILE
=================================================================
==39456==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 9 byte(s) in 1 object(s) allocated from:
    #0 0x7f41c4bd3b58 in __interceptor_malloc
../../../../libsanitizer/asan/asan_malloc_linux.cc:62
    #1 0x59ca1f in gmalloc
/home/haojun/Downloads/testopensourcecode/poppler/goo/gmem.cc:110
    #2 0x59cab5 in gmalloc
/home/haojun/Downloads/testopensourcecode/poppler/goo/gmem.cc:120
    #3 0x59cf90 in copyString
/home/haojun/Downloads/testopensourcecode/poppler/goo/gmem.cc:316
    #4 0x516ef8 in Object::initCmd(char*)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/Object.h:152
    #5 0x5169ee in Lexer::getObj(Object*, int)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/Lexer.cc:576
    #6 0x52b76f in Parser::Parser(XRef*, Lexer*, bool)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/Parser.cc:53
    #7 0x5861c7 in XRef::parseEntry(long long, XRefEntry*)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/XRef.cc:1606
    #8 0x586eef in XRef::getEntry(int, bool)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/XRef.cc:1681
    #9 0x5821de in XRef::fetch(int, int, Object*, int)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/XRef.cc:1167
    #10 0x581e91 in XRef::getCatalog(Object*)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/XRef.cc:1147
    #11 0x44e595 in Catalog::Catalog(PDFDoc*)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/Catalog.cc:110
    #12 0x52e4a1 in PDFDoc::setup(GooString*, GooString*)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/PDFDoc.cc:285
    #13 0x52db6c in PDFDoc::PDFDoc(GooString*, GooString*, GooString*, void*)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/PDFDoc.cc:169
    #14 0x65191e in LocalPDFDocBuilder::buildPDFDoc(GooString const&,
GooString*, GooString*, void*)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/LocalPDFDocBuilder.cc:31
    #15 0x53fd5e in PDFDocFactory::createPDFDoc(GooString const&, GooString*,
GooString*, void*)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/PDFDocFactory.cc:58
    #16 0x4079c9 in main
/home/haojun/Downloads/testopensourcecode/poppler/utils/pdfinfo.cc:538
    #17 0x7f41c2ecfb34 in __libc_start_main (/lib64/libc.so.6+0x21b34)

Direct leak of 9 byte(s) in 1 object(s) allocated from:
    #0 0x7f41c4bd3b58 in __interceptor_malloc
../../../../libsanitizer/asan/asan_malloc_linux.cc:62
    #1 0x59ca1f in gmalloc
/home/haojun/Downloads/testopensourcecode/poppler/goo/gmem.cc:110
    #2 0x59cab5 in gmalloc
/home/haojun/Downloads/testopensourcecode/poppler/goo/gmem.cc:120
    #3 0x59cf90 in copyString
/home/haojun/Downloads/testopensourcecode/poppler/goo/gmem.cc:316
    #4 0x516ef8 in Object::initCmd(char*)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/Object.h:152
    #5 0x5169ee in Lexer::getObj(Object*, int)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/Lexer.cc:576
    #6 0x52b76f in Parser::Parser(XRef*, Lexer*, bool)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/Parser.cc:53
    #7 0x5861c7 in XRef::parseEntry(long long, XRefEntry*)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/XRef.cc:1606
    #8 0x586eef in XRef::getEntry(int, bool)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/XRef.cc:1681
    #9 0x5821de in XRef::fetch(int, int, Object*, int)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/XRef.cc:1167
    #10 0x582f44 in XRef::fetch(int, int, Object*, int)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/XRef.cc:1278
    #11 0x581e91 in XRef::getCatalog(Object*)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/XRef.cc:1147
    #12 0x44e595 in Catalog::Catalog(PDFDoc*)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/Catalog.cc:110
    #13 0x52e4a1 in PDFDoc::setup(GooString*, GooString*)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/PDFDoc.cc:285
    #14 0x52db6c in PDFDoc::PDFDoc(GooString*, GooString*, GooString*, void*)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/PDFDoc.cc:169
    #15 0x65191e in LocalPDFDocBuilder::buildPDFDoc(GooString const&,
GooString*, GooString*, void*)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/LocalPDFDocBuilder.cc:31
    #16 0x53fd5e in PDFDocFactory::createPDFDoc(GooString const&, GooString*,
GooString*, void*)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/PDFDocFactory.cc:58
    #17 0x4079c9 in main
/home/haojun/Downloads/testopensourcecode/poppler/utils/pdfinfo.cc:538
    #18 0x7f41c2ecfb34 in __libc_start_main (/lib64/libc.so.6+0x21b34)

SUMMARY: AddressSanitizer: 18 byte(s) leaked in 2 allocation(s).

The $FILE PoC is in the attachment.
Credit: The bug was discovered by Haojun Hou in ADLab of Venustech.</pre>
        </div>
      </p>


    </body>
</html>