<html>
<head>
<base href="https://bugs.freedesktop.org/">
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - NULL pointer dereference in AnnotPath::getCoordsLength of poppler 0.24.5"
href="https://bugs.freedesktop.org/show_bug.cgi?id=106408">106408</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>NULL pointer dereference in AnnotPath::getCoordsLength of poppler 0.24.5
</td>
</tr>
<tr>
<th>Product</th>
<td>poppler
</td>
</tr>
<tr>
<th>Version</th>
<td>unspecified
</td>
</tr>
<tr>
<th>Hardware</th>
<td>x86 (IA32)
</td>
</tr>
<tr>
<th>OS</th>
<td>All
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>medium
</td>
</tr>
<tr>
<th>Component</th>
<td>pdftohtml
</td>
</tr>
<tr>
<th>Assignee</th>
<td>poppler-bugs@lists.freedesktop.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>bugzilla.freedesktop@qiushi.ac.cn
</td>
</tr></table>
<p>
<div>
<pre>Created <span class=""><a href="attachment.cgi?id=139367" name="attach_139367" title="poc">attachment 139367</a> <a href="attachment.cgi?id=139367&action=edit" title="poc">[details]</a></span>
poc
There is a null pointer dereference in libpoppler 0.24.5 on Ubuntu 14.04.5.
How to reproduce?
On Ubuntu 14.04.5 32bit:
$ apt-get source libpoppler44:i386
$ apt-get install autoconf
$ cd poppler-0.24.5
$ ./configure --disable-shared CFLAGS="-fsanitize=address -ggdb" CXXFLAGS="-fsanitize=address -ggdb"
$ make
$ gdb utils/pdftohtml
(gdb) set args ./POC_poppler.pdf
Starting program: poppler-0.24.5/utils/pdftohtml POC_poppler.pdf
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
Syntax Error: End of file inside array
Syntax Error: End of file inside dictionary
Syntax Error: Bad Annot Path
Syntax Error: Bad Annot Path
Program received signal SIGSEGV, Segmentation fault.
0x080c76c2 in AnnotPath::getCoordsLength (this=0x0) at Annot.h:109
109 int getCoordsLength() const { return coordsLength; }
(gdb) bt
#0 0x080c76c2 in AnnotPath::getCoordsLength (this=0x0) at Annot.h:109
#1 0x080c02f3 in AnnotInk::draw (this=0xb611a3e0, gfx=0xb3503e40,
printing=false) at Annot.cc:6059
#2 0x0819c3a1 in Page::displaySlice (this=0xb2f03370, out=0xb3b03060,
hDPI=108, vDPI=108, rotate=0, useMediaBox=true, crop=false, sliceX=-1,
sliceY=-1, sliceW=-1, sliceH=-1, printing=false, abortCheckCbk=0x0,
abortCheckCbkData=0x0, annotDisplayDecideCbk=0x0,
annotDisplayDecideCbkData=0x0, copyXRef=false) at Page.cc:605
#3 0x0819b7ea in Page::display (this=0xb2f03370, out=0xb3b03060, hDPI=108,
vDPI=108, rotate=0, useMediaBox=true, crop=false, printing=false,
abortCheckCbk=0x0, abortCheckCbkData=0x0, annotDisplayDecideCbk=0x0,
annotDisplayDecideCbkData=0x0, copyXRef=false) at Page.cc:506
#4 0x081a2a85 in PDFDoc::displayPage (this=0xb3f01fa0, out=0xb3b03060,
page=1, hDPI=108, vDPI=108, rotate=0, useMediaBox=true, crop=false,
printing=false, abortCheckCbk=0x0, abortCheckCbkData=0x0,
annotDisplayDecideCbk=0x0, annotDisplayDecideCbkData=0x0, copyXRef=false)
at PDFDoc.cc:464
#5 0x081a2b3d in PDFDoc::displayPages (this=0xb3f01fa0, out=0xb3b03060,
firstPage=1, lastPage=1, hDPI=108, vDPI=108, rotate=0, useMediaBox=true,
crop=false, printing=false, abortCheckCbk=0x0, abortCheckCbkData=0x0,
annotDisplayDecideCbk=0x0, annotDisplayDecideCbkData=0x0) at PDFDoc.cc:480
#6 0x0804cce7 in main (argc=2, argv=0xbffff0d4) at pdftohtml.cc:387</pre>
</div>
</p>
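<p>The backtrace above shows AnnotInk::draw calling getCoordsLength() on a null AnnotPath (this=0x0) right after two "Bad Annot Path" syntax errors. The C++ model below is an added example, not poppler's code: it assumes a malformed sub-path is stored as a null entry in the ink list, and contrasts that with rejecting it at parse time so the draw loop never sees a null. AnnotPath, parseInkList and drawInk are simplified stand-ins for the types and functions named in the trace.</p>

```cpp
#include <memory>
#include <sstream>
#include <string>
#include <utility>
#include <vector>

struct AnnotPath {  // stand-in for poppler's AnnotPath (constructed model)
    std::vector<double> coords;  // x0 y0 x1 y1 ...
    int getCoordsLength() const { return static_cast<int>(coords.size()) / 2; }
};

// Parse one "[x y x y ...]" sub-array body; an odd coordinate count or a
// non-numeric token yields nullptr (the "Bad Annot Path" case).
static std::unique_ptr<AnnotPath> parsePath(const std::string& body) {
    std::istringstream in(body);
    std::vector<double> coords;
    for (double v; in >> v;) coords.push_back(v);
    // Stopping before end-of-input means a non-numeric token was hit.
    if (!in.eof() || coords.empty() || coords.size() % 2 != 0) return nullptr;
    auto p = std::make_unique<AnnotPath>();
    p->coords = std::move(coords);
    return p;
}

// Build the ink list from "[[...] [...]]". dropMalformed=false keeps a bad
// sub-path as nullptr (the shape that crashes later); true rejects it here.
static std::vector<std::unique_ptr<AnnotPath>>
parseInkList(const std::string& src, bool dropMalformed) {
    std::vector<std::unique_ptr<AnnotPath>> ink;
    for (size_t pos = src.find('[', 1); pos != std::string::npos; pos = src.find('[', pos)) {
        size_t close = src.find(']', pos);
        if (close == std::string::npos) break;
        auto p = parsePath(src.substr(pos + 1, close - pos - 1));
        if (p || !dropMalformed) ink.push_back(std::move(p));
        pos = close;
    }
    return ink;
}

// Models the loop in AnnotInk::draw: total point count, or -1 where the real
// loop would call getCoordsLength() on a null path (this=0x0 in the backtrace).
static int drawInk(const std::vector<std::unique_ptr<AnnotPath>>& ink) {
    int total = 0;
    for (const auto& path : ink) {
        if (!path) return -1;
        total += path->getCoordsLength();
    }
    return total;
}
```

The same malformed input (constructed, not the attached PoC) produces -1 from the unchecked list and a valid count from the checked one, which is the difference an ASan-instrumented build turns into the SIGSEGV shown.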
</body>
</html>