[poppler] SIGABRT by unwanted object type (Re: A few vulnerabilitiess in libpoppler)

mpsuzuki at hiroshima-u.ac.jp mpsuzuki at hiroshima-u.ac.jp
Fri Oct 22 22:59:15 PDT 2010 

On Fri, 22 Oct 2010 19:50:52 +0200
<robert at swiecki.net> wrote:
>http://alt.swiecki.net/j/poppler_2010.10.22.tbz

Now I'm checking PDFs in this tarball. SIGABRT for

  SIGABRT.PC.0x7ffff70a9a75.CODE.-6.ADDR.0x1102000000156.INSTR.cmp_rax,_0xfffff000.pdf

is designed behaviour. In poppler/Object.h, there is
a macro to check the object type and unwanted type
makes the program aborted, aslike:

     41 #define OBJECT_TYPE_CHECK(wanted_type) \
     42     if (unlikely(type != wanted_type)) { \
     43         error(0, (char *) "Call to Object where the object was type %d, " \
     44                  "not the expected type %d", type, wanted_type); \
     45         abort(); \
     46     }
     47 
     48 #define OBJECT_2TYPES_CHECK(wanted_type1, wanted_type2) \
     49     if (unlikely(type != wanted_type1) && unlikely(type != wanted_type2)) { \
     50         error(0, (char *) "Call to Object where the object was type %d, " \
     51                  "not the expected type %d or %d", type, wanted_type1, wanted_type2); \
     52         abort(); \
     53     }

This is consistent with the stracktrace attached in the
end of this message. I'm not sure if abort() is the best
way, but this is designed behaviour, not bug.

Regards,
mpsuzuki

Error (0): Call to Object where the object was type 10, not the expected type 1 or 2
[New Thread 0xb73106d0 (LWP 13026)]

Program received signal SIGABRT, Aborted.
[Switching to Thread 0xb73106d0 (LWP 13026)]
0xffffe424 in __kernel_vsyscall ()
(gdb) where
#0  0xffffe424 in __kernel_vsyscall ()
#1  0xb7362751 in *__GI_raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#2  0xb7365b82 in *__GI_abort () at abort.c:92
#3  0x0804cbb4 in Object::getNum (this=0xbfb43b9c) at Object.h:192
#4  0x0811bdd7 in Gfx::doSoftMask (this=0x81d1690, str=0xbfb43cf8, alpha=false, blendingColorSpace=0x81e4110, isolated=false, knockout=false, transferFunc=0x0, backdropColor=0xbfb43c08)
    at Gfx.cc:1264
#5  0x0811b6ad in Gfx::opSetExtGState (this=0x81d1690, args=0xbfb43dbc, numArgs=1) at Gfx.cc:1143
#6  0x0811a522 in Gfx::execOp (this=0x81d1690, cmd=0xbfb43f5c, args=0xbfb43dbc, numArgs=1) at Gfx.cc:851
#7  0x08119ef4 in Gfx::go (this=0x81d1690, topLevel=true) at Gfx.cc:711
#8  0x08119d50 in Gfx::display (this=0x81d1690, obj=0xbfb44064, topLevel=true) at Gfx.cc:678
#9  0x080a0ccd in Page::displaySlice (this=0x81bdab0, out=0x81c5e18, hDPI=150, vDPI=150, rotate=0, useMediaBox=true, crop=false, sliceX=0, sliceY=0, sliceW=1241, sliceH=1754, printing=false,
    catalog=0x81b12b0, abortCheckCbk=0, abortCheckCbkData=0x0, annotDisplayDecideCbk=0, annotDisplayDecideCbkData=0x0) at Page.cc:482
#10 0x080a2bca in PDFDoc::displayPageSlice (this=0x81ade30, out=0x81c5e18, page=6, hDPI=150, vDPI=150, rotate=0, useMediaBox=true, crop=false, printing=false, sliceX=0, sliceY=0, sliceW=1241,
    sliceH=1754, abortCheckCbk=0, abortCheckCbkData=0x0, annotDisplayDecideCbk=0, annotDisplayDecideCbkData=0x0) at PDFDoc.cc:424
#11 0x0804b771 in savePageSlice (doc=0x81ade30, splashOut=0x81c5e18, pg=6, x=0, y=0, w=1241, h=1754, pg_w=1240.1583333333335, pg_h=1753.9375, ppmFile=0xbfb44208 "/dev/null-06.ppm")
    at pdftoppm.cc:173
#12 0x0804c409 in main (argc=3, argv=0xbfb44514) at pdftoppm.cc:354

More information about the poppler mailing list