<html>
    <head>
      <base href="https://bugs.freedesktop.org/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - Gfx::display infinite loop and stack memory exhaustion in pdftops, poppler 0.59"
   href="https://bugs.freedesktop.org/show_bug.cgi?id=102718">102718</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>Gfx::display infinite loop and stack memory exhaustion in pdftops, poppler 0.59
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>poppler
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>unspecified
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>Other
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>medium
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>utils
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>poppler-bugs@lists.freedesktop.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>luanjunchao@163.com
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Created <span class=""><a href="attachment.cgi?id=134209" name="attach_134209" title="pdftops crash">attachment 134209</a> <a href="attachment.cgi?id=134209&amp;action=edit" title="pdftops crash">[details]</a></span>
pdftops crash

When I run pdftops with a specific PDF, it crashes with stack memory
exhaustion (AddressSanitizer reports a stack-overflow).

root@c116349c2d78:/work/down/poppler-0.59.0# ./utils/pdftops crash_pdftops.pdf
1                                                                               
ASAN:SIGSEGV                                                       
=================================================================  
==12400==ERROR: AddressSanitizer: stack-overflow on address 0x7ffe7a61eff8 (pc
0x7f86dfc0480b bp 0x7ffe7a61f900 sp 0x7ffe7a61eff0 T0)  
    #0 0x7f86dfc0480a  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x2280a)         
    #1 0x7f86dfc7a5d2 in malloc
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x985d2)                                
    #2 0x4af2f3 in gmalloc /work/down/poppler-0.59.0/goo/gmem.cc:110            
    #3 0x4af389 in gmalloc /work/down/poppler-0.59.0/goo/gmem.cc:120            
    #4 0x4af864 in copyString /work/down/poppler-0.59.0/goo/gmem.cc:316
    #5 0x45f9c6 in Object::Object(ObjType, char const*)
/work/down/poppler-0.59.0/poppler/Object.h:157
    #6 0x610a77 in Lexer::getObj(int)
/work/down/poppler-0.59.0/poppler/Lexer.cc:573
    #7 0x62866f in Parser::shift(int)
/work/down/poppler-0.59.0/poppler/Parser.cc:291
    #8 0x6276e2 in Parser::getObj(bool, unsigned char*, CryptAlgorithm, int,
int, int, int, bool) /work/down/poppler-0.59.0/poppler/Parser.cc:149
    #9 0x627490 in Parser::getObj(bool, unsigned char*, CryptAlgorithm, int,
int, int, int, bool) /work/down/poppler-0.59.0/poppler/Parser.cc:120
    #10 0x45a345 in XRef::fetch(int, int, int)
/work/down/poppler-0.59.0/poppler/XRef.cc:1166
    #11 0x415b32 in Object::fetch(XRef*, int) const
/work/down/poppler-0.59.0/poppler/Object.cc:125
    #12 0x540925 in Dict::lookup(char const*, int)
/work/down/poppler-0.59.0/poppler/Dict.cc:259
    #13 0x429892 in Object::dictLookup(char const*, int)
/work/down/poppler-0.59.0/poppler/Object.h:362
    #14 0x598572 in Gfx8BitFont::getCharProc(int)
/work/down/poppler-0.59.0/poppler/GfxFont.cc:1756
    #15 0x57c8a2 in Gfx::doShowText(GooString*)
/work/down/poppler-0.59.0/poppler/Gfx.cc:3956
    #16 0x579a07 in Gfx::opShowText(Object*, int)
/work/down/poppler-0.59.0/poppler/Gfx.cc:3756
    #17 0x558f53 in Gfx::execOp(Object*, Object*, int)
/work/down/poppler-0.59.0/poppler/Gfx.cc:880
    #18 0x55804e in Gfx::go(bool) /work/down/poppler-0.59.0/poppler/Gfx.cc:744
    #19 0x557b11 in Gfx::display(Object*, bool)
/work/down/poppler-0.59.0/poppler/Gfx.cc:706
    #20 0x57c911 in Gfx::doShowText(GooString*)
/work/down/poppler-0.59.0/poppler/Gfx.cc:3961
    #21 0x579a07 in Gfx::opShowText(Object*, int)
/work/down/poppler-0.59.0/poppler/Gfx.cc:3756
    #22 0x558f53 in Gfx::execOp(Object*, Object*, int)
/work/down/poppler-0.59.0/poppler/Gfx.cc:880
    #23 0x55804e in Gfx::go(bool) /work/down/poppler-0.59.0/poppler/Gfx.cc:744
    #24 0x557b11 in Gfx::display(Object*, bool)
/work/down/poppler-0.59.0/poppler/Gfx.cc:706
    #25 0x57c911 in Gfx::doShowText(GooString*)
/work/down/poppler-0.59.0/poppler/Gfx.cc:3961
    #26 0x579a07 in Gfx::opShowText(Object*, int)
/work/down/poppler-0.59.0/poppler/Gfx.cc:3756
    #27 0x558f53 in Gfx::execOp(Object*, Object*, int)
/work/down/poppler-0.59.0/poppler/Gfx.cc:880
    #28 0x55804e in Gfx::go(bool) /work/down/poppler-0.59.0/poppler/Gfx.cc:744
    #29 0x557b11 in Gfx::display(Object*, bool)
/work/down/poppler-0.59.0/poppler/Gfx.cc:706
   .....
  #245 0x57c911 in Gfx::doShowText(GooString*)
/work/down/poppler-0.59.0/poppler/Gfx.cc:3961
    #246 0x579a07 in Gfx::opShowText(Object*, int)
/work/down/poppler-0.59.0/poppler/Gfx.cc:3756
    #247 0x558f53 in Gfx::execOp(Object*, Object*, int)
/work/down/poppler-0.59.0/poppler/Gfx.cc:880
    #248 0x55804e in Gfx::go(bool) /work/down/poppler-0.59.0/poppler/Gfx.cc:744
    #249 0x557b11 in Gfx::display(Object*, bool)
/work/down/poppler-0.59.0/poppler/Gfx.cc:706
    #250 0x57c911 in Gfx::doShowText(GooString*)
/work/down/poppler-0.59.0/poppler/Gfx.cc:3961
    #251 0x579a07 in Gfx::opShowText(Object*, int)
/work/down/poppler-0.59.0/poppler/Gfx.cc:3756
    ......

It just goes into an infinite loop: the same Gfx::doShowText -> Gfx::display -> Gfx::go -> Gfx::execOp -> Gfx::opShowText frames repeat until the stack is exhausted. The result of gdb:


gdb -q ./utils/pdftops
Reading symbols from ./utils/pdftops...done.
(gdb) run crash_pdftops.pdf 1
Starting program: /work/down/poppler-0.59.0/utils/pdftops crash_pdftops.pdf 1
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff6f0d334 in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.2
(gdb) bt
#0  0x00007ffff6f0d334 in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.2
#1  0x00007ffff6f02627 in malloc () from /usr/lib/x86_64-linux-gnu/libasan.so.2
#2  0x00000000004af2f4 in gmalloc (size=2, checkoverflow=false) at gmem.cc:110
#3  0x00000000004af38a in gmalloc (size=2) at gmem.cc:120
#4  0x00000000004af865 in copyString (s=0x610000595669 "]") at gmem.cc:316
#5  0x000000000045f9c7 in Object::Object (this=0x7fffff7ffa50, typeA=objCmd,
stringA=0x610000595669 "]") at Object.h:157
#6  0x00000000006100a4 in Lexer::getObj (this=0x610000595640, objNum=-1) at
Lexer.cc:467
#7  0x0000000000628670 in Parser::shift (this=0x60600015e1e0, objNum=-1) at
Parser.cc:291
#8  0x0000000000627abb in Parser::getObj (this=0x60600015e1e0,
simpleOnly=false, fileKey=0x0, encAlgorithm=cryptNone, keyLength=-1094795586,
objNum=13, objGen=0, recursion=2, strict=false) at Parser.cc:180
#9  0x000000000062717a in Parser::getObj (this=0x60600015e1e0,
simpleOnly=false, fileKey=0x0, encAlgorithm=cryptNone, keyLength=-1094795586,
objNum=13, objGen=0, recursion=1, strict=false) at Parser.cc:93
#10 0x0000000000627491 in Parser::getObj (this=0x60600015e1e0,
simpleOnly=false, fileKey=0x0, encAlgorithm=cryptNone, keyLength=-1094795586,
objNum=13, objGen=0, recursion=0, strict=false) at Parser.cc:120
#11 0x000000000045a346 in XRef::fetch (this=0x611000009f00, num=13, gen=0,
recursion=0) at XRef.cc:1166
#12 0x0000000000415b33 in Object::fetch (this=0x60c00000b2d0,
xref=0x611000009f00, recursion=0) at Object.cc:125
#13 0x0000000000512b3d in Array::get (this=0x60700000d290, i=1, recursion=0) at
Array.cc:125
#14 0x00000000005a6437 in GfxCalGrayColorSpace::parse (arr=0x60700000d290,
state=0x6170004d4a00) at GfxState.cc:815
#15 0x00000000005a474b in GfxColorSpace::parse (res=0x60c000009340,
csObj=0x7fffff8004a0, out=0x60d00000cc30, state=0x6170004d4a00, recursion=0) at
GfxState.cc:389
#16 0x000000000055faae in Gfx::opSetFillColorSpace (this=0x611000009b40,
args=0x7fffff8006f0, numArgs=1) at Gfx.cc:1516
#17 0x0000000000558f54 in Gfx::execOp (this=0x611000009b40, cmd=0x7fffff8006b0,
args=0x7fffff8006f0, numArgs=1) at Gfx.cc:880
#18 0x000000000055804f in Gfx::go (this=0x611000009b40, topLevel=false) at
Gfx.cc:744
#19 0x0000000000557b12 in Gfx::display (this=0x611000009b40,
obj=0x7fffff800ff0, topLevel=false) at Gfx.cc:706
#20 0x000000000057c912 in Gfx::doShowText (this=0x611000009b40,
s=0x6030000b5ed0) at Gfx.cc:3961
#21 0x0000000000579a08 in Gfx::opShowText (this=0x611000009b40,
args=0x7fffff801280, numArgs=1) at Gfx.cc:3756
#22 0x0000000000558f54 in Gfx::execOp (this=0x611000009b40, cmd=0x7fffff801240,
args=0x7fffff801280, numArgs=1) at Gfx.cc:880
#23 0x000000000055804f in Gfx::go (this=0x611000009b40, topLevel=false) at
Gfx.cc:744
#24 0x0000000000557b12 in Gfx::display (this=0x611000009b40,
obj=0x7fffff801b80, topLevel=false) at Gfx.cc:706
#25 0x000000000057c912 in Gfx::doShowText (this=0x611000009b40,
s=0x6030000b5fc0) at Gfx.cc:3961
#26 0x0000000000579a08 in Gfx::opShowText (this=0x611000009b40,
args=0x7fffff801e10, numArgs=1) at Gfx.cc:3756
#27 0x0000000000558f54 in Gfx::execOp (this=0x611000009b40, cmd=0x7fffff801dd0,
args=0x7fffff801e10, numArgs=1) at Gfx.cc:880
#28 0x000000000055804f in Gfx::go (this=0x611000009b40, topLevel=false) at
Gfx.cc:744
......
#14163 0x000000000055804f in Gfx::go (this=0x611000009b40, topLevel=false) at
Gfx.cc:744                                        
#14164 0x0000000000557b12 in Gfx::display (this=0x611000009b40,
obj=0x7fffffffd640, topLevel=false) at Gfx.cc:706               
#14165 0x000000000057c912 in Gfx::doShowText (this=0x611000009b40,
s=0x60300001c330) at Gfx.cc:3961                             
#14166 0x0000000000579a08 in Gfx::opShowText (this=0x611000009b40,
args=0x7fffffffd8d0, numArgs=1) at Gfx.cc:3756               
#14167 0x0000000000558f54 in Gfx::execOp (this=0x611000009b40,
cmd=0x7fffffffd890, args=0x7fffffffd8d0, numArgs=1) at Gfx.cc:880
#14168 0x000000000055804f in Gfx::go (this=0x611000009b40, topLevel=true) at
Gfx.cc:744                                         
#14169 0x0000000000557b12 in Gfx::display (this=0x611000009b40,
obj=0x7fffffffdd10, topLevel=true) at Gfx.cc:706                
#14170 0x0000000000624568 in Page::displaySlice (this=0x611000009dc0,
out=0x60d00000cc30, hDPI=72, vDPI=72, rotate=0, useMediaBox=false, crop=true,
sliceX=-1, sliceY=-1, sliceW=-1, sliceH=-1, printing=true, abortCheckCbk=0x0,
abortCheckCbkData=0x0,
    annotDisplayDecideCbk=0x0, annotDisplayDecideCbkData=0x0, copyXRef=false)
at Page.cc:560                                    
#14171 0x0000000000475255 in PSOutputDev::checkPageSlice (this=0x61800000fc80,
page=0x611000009dc0, rotateA=0, useMediaBox=false, crop=true, sliceX=-1,
sliceY=-1, sliceW=-1, sliceH=-1, printing=true, abortCheckCbk=0x0,
abortCheckCbkData=0x0, annotDisplayDecideCbk=0x0,
    annotDisplayDecideCbkData=0x0) at PSOutputDev.cc:3255                       
#14172 0x00000000006243a6 in Page::displaySlice (this=0x611000009dc0,
out=0x61800000fc80, hDPI=72, vDPI=72, rotate=0, useMediaBox=false, crop=true,
sliceX=-1, sliceY=-1, sliceW=-1, sliceH=-1, printing=true, abortCheckCbk=0x0,
abortCheckCbkData=0x0,
    annotDisplayDecideCbk=0x0, annotDisplayDecideCbkData=0x0, copyXRef=false)
at Page.cc:539                                    
#14173 0x0000000000623a3c in Page::display (this=0x611000009dc0,
out=0x61800000fc80, hDPI=72, vDPI=72, rotate=0, useMediaBox=false, crop=true,
printing=true, abortCheckCbk=0x0, abortCheckCbkData=0x0,
annotDisplayDecideCbk=0x0, annotDisplayDecideCbkData=0x0,
    copyXRef=false) at Page.cc:483                                              
#14174 0x00000000004195af in PDFDoc::displayPage (this=0x60f00000ef50,
out=0x61800000fc80, page=1, hDPI=72, vDPI=72, rotate=0, useMediaBox=false,
crop=true, printing=true, abortCheckCbk=0x0, abortCheckCbkData=0x0,
annotDisplayDecideCbk=0x0,
    annotDisplayDecideCbkData=0x0, copyXRef=false) at PDFDoc.cc:488             
#14175 0x0000000000408084 in main (argc=3, argv=0x7fffffffe658) at
pdftops.cc:423  

So I think there is a lack of verification in some function: the trace shows Gfx::doShowText (after Gfx8BitFont::getCharProc) calling Gfx::display, which ends up back in Gfx::doShowText, apparently with nothing bounding the recursion depth.</pre>
        </div>
      </p>


    </body>
</html>