<html>
    <head>
      <base href="https://bugs.freedesktop.org/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link bz_status_NEW" title="NEW - Valgrind: Invalid Read (24 bytes after block in arena)" href="https://bugs.freedesktop.org/show_bug.cgi?id=103116">103116</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>Valgrind: Invalid Read (24 bytes after block in arena)
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>poppler
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>unspecified
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>Other
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>critical
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>medium
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>general
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>poppler-bugs@lists.freedesktop.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>jason@inspiresomeone.us
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Created <span class=""><a href="attachment.cgi?id=134690" name="attach_134690" title="0JBYrSy8_CRASHED.pdf - leads to invalid read and segfault">attachment 134690</a> <a href="attachment.cgi?id=134690&action=edit" title="0JBYrSy8_CRASHED.pdf - leads to invalid read and segfault">[details]</a></span>
0JBYrSy8_CRASHED.pdf - leads to invalid read and segfault

Forwarding from <a href="https://bugzilla.gnome.org/show_bug.cgi?id=786444">https://bugzilla.gnome.org/show_bug.cgi?id=786444</a>

------------------------------

While fuzzing, I found a PDF document that leads to the following Valgrind
messages:

==9190== Invalid read of size 8                                                 
==9190==    at 0x174C89B0: TextPool::addWord(TextWord*) (in
/usr/lib/libpoppler.so.68.0.0)                                                  
==9190==    by 0x174CBB62: TextPage::endWord() (in
/usr/lib/libpoppler.so.68.0.0)                                                  
==9190==    by 0x174CBFA8: TextPage::addChar(GfxState*, double, double, double,
double, unsigned int, int, unsigned int*, int) (in
/usr/lib/libpoppler.so.68.0.0)                                                  
==9190==    by 0x16DAB386: CairoOutputDev::drawChar(GfxState*, double, double,
double, double, double, double, unsigned int, int, unsigned int*, int) (in
/usr/lib/libpoppler-glib.so.8.9.0)                        
==9190==    by 0x1744B86F: Gfx::doShowText(GooString*) (in
/usr/lib/libpoppler.so.68.0.0)                                                  
==9190==    by 0x1744CB5D: Gfx::opShowSpaceText(Object*, int) (in
/usr/lib/libpoppler.so.68.0.0)                                                  
==9190==    by 0x17443B57: Gfx::go(bool) (in /usr/lib/libpoppler.so.68.0.0)     
==9190==    by 0x1744404A: Gfx::display(Object*, bool) (in
/usr/lib/libpoppler.so.68.0.0)                                                  
==9190==    by 0x1748EE69: Page::displaySlice(OutputDev*, double, double, int,
bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*,
void*), void*, bool) (in /usr/lib/libpoppler.so.68.0.0
)                                                                               
==9190==    by 0x16D98D8F: ??? (in /usr/lib/libpoppler-glib.so.8.9.0)           
==9190==    by 0x16B4C938: ??? (in
/usr/lib/evince/4/backends/libpdfdocument.so)                                   
==9190==    by 0x16B4CB94: ??? (in
/usr/lib/evince/4/backends/libpdfdocument.so)                          
==9190==  Address 0x10cf4818 is 24 bytes after a block of size 96 in arena
"client"  


And it then crashes with:

==9190== Process terminating with default action of signal 11 (SIGSEGV):
dumping core                     
==9190==  Access not within mapped region at address 0xA8                       
==9190==    at 0x174C8A29: TextPool::addWord(TextWord*) (in
/usr/lib/libpoppler.so.68.0.0)                
==9190==    by 0x174CBB62: TextPage::endWord() (in
/usr/lib/libpoppler.so.68.0.0)                         
==9190==    by 0x174CBFA8: TextPage::addChar(GfxState*, double, double, double,
double, unsigned int, int, unsigned int*, int) (in
/usr/lib/libpoppler.so.68.0.0)                                                  
==9190==    by 0x16DAB386: CairoOutputDev::drawChar(GfxState*, double, double,
double, double, double, double, unsigned int, int, unsigned int*, int) (in
/usr/lib/libpoppler-glib.so.8.9.0)                        
==9190==    by 0x1744B86F: Gfx::doShowText(GooString*) (in
/usr/lib/libpoppler.so.68.0.0)                 
==9190==    by 0x1744CB5D: Gfx::opShowSpaceText(Object*, int) (in
/usr/lib/libpoppler.so.68.0.0)          
==9190==    by 0x17443B57: Gfx::go(bool) (in /usr/lib/libpoppler.so.68.0.0)     
==9190==    by 0x1744404A: Gfx::display(Object*, bool) (in
/usr/lib/libpoppler.so.68.0.0)                 
==9190==    by 0x1748EE69: Page::displaySlice(OutputDev*, double, double, int,
bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*,
void*), void*, bool) (in /usr/lib/libpoppler.so.68.0.0)                         
==9190==    by 0x16D98D8F: ??? (in /usr/lib/libpoppler-glib.so.8.9.0)           
==9190==    by 0x16B4C938: ??? (in
/usr/lib/evince/4/backends/libpdfdocument.so)                          
==9190==    by 0x16B4CB94: ??? (in
/usr/lib/evince/4/backends/libpdfdocument.so)</pre>
        </div>
      </p>
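<p>As an added triage aid (not part of this report or of poppler), the script below parses a Valgrind "Invalid read" block like the one above, re-joining the lines the mailer wrapped, and extracts the frames and the "N bytes after a block of size M" description into a triage bucket plus the byte range touched relative to the heap block. It also handles the "before", "inside" and "free'd" variants of that description, which go beyond this report's case; the sample input is a trimmed copy of the first error block above.</p>

```python
import re
# Constructed sample: the first Valgrind error block from this report, trimmed, mail-wrapped.
SAMPLE = """\
==9190== Invalid read of size 8
==9190==    at 0x174C89B0: TextPool::addWord(TextWord*) (in
/usr/lib/libpoppler.so.68.0.0)
==9190==    by 0x174CBB62: TextPage::endWord() (in
/usr/lib/libpoppler.so.68.0.0)
==9190==  Address 0x10cf4818 is 24 bytes after a block of size 96 in arena
"client"
"""
HEADER = re.compile(r"^==\d+== Invalid (read|write) of size (\d+)")
FRAME = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (.+?) \(in (\S+)\)")
ADDR = re.compile(r"^==\d+==\s+Address 0x\w+ is (\d+) bytes (after|before|inside) a block of size (\d+)(.*)")

def unwrap(text):
    """Re-join mail-wrapped lines: a line not starting with '==' continues the previous one."""
    out = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("==") or not out:
            out.append(line)
        else:
            out[-1] += " " + line.lstrip()
    return out

def parse_first_error(text):
    """Return the first 'Invalid read/write' block as a dict, or None if there is none."""
    err = None
    for line in unwrap(text):
        if m := HEADER.match(line):
            if err:  # a second error block begins; keep only the first
                break
            err = {"access": m.group(1), "size": int(m.group(2)), "frames": []}
        elif err and (m := FRAME.match(line)):
            err["frames"].append((m.group(1), m.group(2)))  # (function, module), innermost first
        elif err and (m := ADDR.match(line)):
            err.update(offset=int(m.group(1)), direction=m.group(2),
                       block_size=int(m.group(3)), freed="free'd" in m.group(4))
    return err

def triage(err):
    """Triage bucket plus the byte range touched, relative to the start of the heap block."""
    d = err.get("direction")
    if d is None:  # Valgrind printed no block description (e.g. a wild pointer)
        return "heap %s (no block info)" % err["access"], None
    start = {"after": err["block_size"] + err["offset"], "before": -err["offset"],
             "inside": err["offset"]}[d]
    kind = "use-after-free" if err["freed"] else ("inside-block" if d == "inside" else "out-of-bounds")
    return "heap %s %s" % (kind, err["access"]), (start, start + err["size"])
```

For this report the result is an 8-byte read at bytes 120..128 past the start of a 96-byte block, i.e. entirely outside it, which is why the second trace ends in a SIGSEGV once the out-of-range pointer is dereferenced.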


    </body>
</html>