<html>
<head>
<base href="https://bugs.freedesktop.org/">
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - Perf_test utility will crash (segmentation fault) when parsing an illegal PDF file due to the program accessing a null pointer."
href="https://bugs.freedesktop.org/show_bug.cgi?id=101084">101084</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>Perf_test utility will crash (segmentation fault) when parsing an illegal PDF file due to the program accessing a null pointer.
</td>
</tr>
<tr>
<th>Product</th>
<td>poppler
</td>
</tr>
<tr>
<th>Version</th>
<td>unspecified
</td>
</tr>
<tr>
<th>Hardware</th>
<td>x86-64 (AMD64)
</td>
</tr>
<tr>
<th>OS</th>
<td>Linux (All)
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>major
</td>
</tr>
<tr>
<th>Priority</th>
<td>medium
</td>
</tr>
<tr>
<th>Component</th>
<td>utils
</td>
</tr>
<tr>
<th>Assignee</th>
<td>poppler-bugs@lists.freedesktop.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>yangx92@hotmail.com
</td>
</tr></table>
<p>
<div>
<pre>Created <span class=""><a href="attachment.cgi?id=131399" name="attach_131399" title="details of the bug">attachment 131399</a> <a href="attachment.cgi?id=131399&action=edit" title="details of the bug">[details]</a></span>
details of the bug
Summary of the issue:
Perf_test utility will crash (segmentation fault) when parsing an illegal PDF
file due to the program accessing a null pointer.
Example output:
./ perf-test ~/poc/heap-buffer-overflow-619405/poc.pdf
started: /home/root/poc/heap-buffer-overflow-619405/poc.pdf
load splash: 0.00 ms
page count: 1
ASAN:DEADLYSIGNAL
=================================================================
==96731==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000028 (pc
0x7f2da9eccb81 bp 0x0c2600001b86 sp 0x7ffcd31999b0 T0)
#0 0x7f2da9eccb80
(/home/root/poppler/build_clang/libpoppler.so.67+0x5d2b80)
#1 0x7f2da9ec46a1
(/home/root/poppler/build_clang/libpoppler.so.67+0x5ca6a1)
#2 0x7f2da9ec3a67
(/home/root/poppler/build_clang/libpoppler.so.67+0x5c9a67)
#3 0x7f2da9e44b78
(/home/root/poppler/build_clang/libpoppler.so.67+0x54ab78)
#4 0x7f2da9c448c1
(/home/root/poppler/build_clang/libpoppler.so.67+0x34a8c1)
#5 0x7f2da9c090d5
(/home/root/poppler/build_clang/libpoppler.so.67+0x30f0d5)
#6 0x7f2da9c27164
(/home/root/poppler/build_clang/libpoppler.so.67+0x32d164)
#7 0x7f2da9c261d1
(/home/root/poppler/build_clang/libpoppler.so.67+0x32c1d1)
#8 0x7f2da9d293f8
(/home/root/poppler/build_clang/libpoppler.so.67+0x42f3f8)
#9 0x7f2da9d290fa
(/home/root/poppler/build_clang/libpoppler.so.67+0x42f0fa)
#10 0x7f2da9d32ece
(/home/root/poppler/build_clang/libpoppler.so.67+0x438ece)
#11 0x4f08a3 (/home/root/poppler/build_clang/test/perf-test+0x4f08a3)
#12 0x7f2da868782f (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#13 0x419fb8 (/home/root/poppler/build_clang/test/perf-test+0x419fb8)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV
(/home/root/poppler/build_clang/libpoppler.so.67+0x5d2b80)
==96731==ABORTING
Debug info:
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff797fb81 in JPXStream::readUByte (x=0x28, this=<optimized out>) at
/home/root/poppler/poppler/JPXStream.cc:3351
3351 *x = (Guint)c0;
(gdb) bt
#0 0x00007ffff797fb81 in JPXStream::readUByte (x=0x28, this=<optimized out>)
at /home/root/poppler/poppler/JPXStream.cc:3351
#1 JPXStream::readCodestream (this=<optimized out>, len=<optimized out>) at
/home/root/poppler/poppler/JPXStream.cc:1205
#2 0x00007ffff79776a2 in JPXStream::readBoxes (this=<optimized out>) at
/home/root/poppler/poppler/JPXStream.cc:780
#3 0x00007ffff7976a68 in JPXStream::reset (this=0x61300000db00) at
/home/root/poppler/poppler/JPXStream.cc:275
#4 0x00007ffff78f7b79 in SplashOutputDev::drawImage (this=0x61300000dcc0,
state=<optimized out>, ref=<optimized out>, str=0x61300000db00, width=999,
height=999, colorMap=<optimized out>,
interpolate=<optimized out>, maskColors=0x40, inlineImg=240) at
/home/root/poppler/poppler/SplashOutputDev.cc:3556
#5 0x00007ffff76f78c2 in Gfx::doImage (this=<optimized out>,
ref=0x7fffffffd320, str=<optimized out>,
inlineImg=<error reading variable: access outside bounds of object
referenced via synthetic pointer>) at /home/root/poppler/poppler/Gfx.cc:4711
#6 0x00007ffff76bc0d6 in Gfx::opXObject (this=0x611000009a00, args=<optimized
out>, numArgs=<optimized out>) at /home/root/poppler/poppler/Gfx.cc:4213
#7 0x00007ffff76da165 in Gfx::go (this=<optimized out>, topLevel=<error
reading variable: access outside bounds of object referenced via synthetic
pointer>) at /home/root/poppler/poppler/Gfx.cc:767
#8 0x00007ffff76d91d2 in Gfx::display (this=<optimized out>, obj=<optimized
out>, topLevel=<error reading variable: access outside bounds of object
referenced via synthetic pointer>)
at /home/root/poppler/poppler/Gfx.cc:729
#9 0x00007ffff77dc3f9 in Page::displaySlice (this=0x611000009b40,
out=<optimized out>, hDPI=72, vDPI=5.2727351433383131e-310, rotate=0,
useMediaBox=<optimized out>, crop=<optimized out>, sliceX=-1,
sliceY=<optimized out>, sliceW=<optimized out>, sliceH=<optimized out>,
printing=<optimized out>, abortCheckCbk=<optimized out>,
abortCheckCbkData=<optimized out>,
annotDisplayDecideCbk=<optimized out>, annotDisplayDecideCbkData=<optimized
out>, copyXRef=<optimized out>) at /home/root/poppler/poppler/Page.cc:601
#10 0x00007ffff77dc0fb in Page::display (this=0x60200002def4, out=0x40,
hDPI=-1.8325506472120096e-06, vDPI=9.3872472709836843e-322, rotate=2,
useMediaBox=<optimized out>, crop=<optimized out>,
printing=<optimized out>, abortCheckCbk=0x0, abortCheckCbkData=0x0,
annotDisplayDecideCbk=0x0, annotDisplayDecideCbkData=0x0, copyXRef=<optimized
out>) at /home/root/poppler/poppler/Page.cc:521
#11 0x00007ffff77e5ecf in PDFDoc::displayPage (this=0x60f00000ef50,
out=0x61300000dcc0, page=1, hDPI=<optimized out>, vDPI=<optimized out>,
rotate=0, useMediaBox=false, crop=true,
printing=<optimized out>, abortCheckCbk=<optimized out>,
abortCheckCbkData=<optimized out>, annotDisplayDecideCbk=<optimized out>,
annotDisplayDecideCbkData=<optimized out>, copyXRef=<optimized out>)
at /home/root/poppler/poppler/PDFDoc.cc:491
#12 0x00000000004f08a4 in PdfEnginePoppler::renderBitmap (pageNo=<optimized
out>, zoomReal=100, rotation=0, this=<optimized out>) at
/home/root/poppler/test/perf-test.cc:452
#13 RenderPdf (fileName=<optimized out>) at
/home/root/poppler/test/perf-test.cc:941
#14 RenderFile (fileName=<optimized out>) at
/home/root/poppler/test/perf-test.cc:970
#15 RenderCmdLineArg (cmdLineArg=<optimized out>) at
/home/root/poppler/test/perf-test.cc:1224
#16 main (argc=<optimized out>, argv=<optimized out>) at
/home/root/poppler/test/perf-test.cc:1269</pre>
</div>
</p>
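<p>The gdb frame above shows <code>JPXStream::readUByte (x=0x28, ...)</code> faulting on <code>*x = (Guint)c0;</code>: an out-pointer with the value 0x28 is what you get when the caller takes the address of a member at offset 0x28 inside an object whose base pointer is null. The following is an added, self-contained model of that pattern and of the guard that prevents it; it is not poppler's code, and <code>TileHdr</code>, <code>ByteStream</code>, <code>readTileLen</code> and the sample bytes are hypothetical stand-ins.</p>

```cpp
// Added example (not poppler's code). Models the null-base-plus-offset crash
// pattern visible in the bug's backtrace and the check that stops it.
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Hypothetical decoder state: ten 4-byte words put 'len' at offset 0x28,
// so &hdr->len with hdr == nullptr would be the pointer value 0x28
// reported by gdb (x=0x28) and ASan (SEGV on unknown address 0x...28).
struct TileHdr {
  uint32_t pad[10];
  uint32_t len;  // offsetof(TileHdr, len) == 0x28
};

static size_t lenFieldOffset() { return offsetof(TileHdr, len); }

// Minimal byte reader modelled on the readUByte signature in the trace:
// returns false at end of stream, otherwise stores one byte through x.
struct ByteStream {
  const uint8_t *data;
  size_t size, pos;
  bool readUByte(uint32_t *x) {
    if (pos >= size) return false;
    *x = data[pos++];  // this is the store that faults when x == 0x28
    return true;
  }
};

// Hardened caller: validate the object before handing out a pointer into it,
// and propagate end-of-stream instead of ignoring it.
static bool readTileLen(ByteStream &s, TileHdr *hdr) {
  if (hdr == nullptr) return false;  // the check the crash shows is missing
  return s.readUByte(&hdr->len);
}

int main() {
  const uint8_t sample[] = {0x4a, 0x50};  // constructed input, not a PDF
  ByteStream s{sample, sizeof sample, 0};
  TileHdr hdr{};
  std::printf("len field offset: 0x%zx\n", lenFieldOffset());
  std::printf("null hdr rejected: %d\n", !readTileLen(s, nullptr));
  std::printf("read ok: %d len=0x%x\n", readTileLen(s, &hdr), hdr.len);
  return 0;
}
```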
</body>
</html>