[poppler] SIGABRT by unwanted object type (Re: A few vulnerabilities in libpoppler)
Albert Astals Cid
aacid at kde.org
Sat Oct 23 13:45:00 PDT 2010
On Saturday, 23 October 2010, mpsuzuki at hiroshima-u.ac.jp wrote:
> On Fri, 22 Oct 2010 19:50:52 +0200
>
> <robert at swiecki.net> wrote:
> >http://alt.swiecki.net/j/poppler_2010.10.22.tbz
>
> Now I'm checking PDFs in this tarball. SIGABRT for
>
>
> SIGABRT.PC.0x7ffff70a9a75.CODE.-6.ADDR.0x1102000000156.INSTR.cmp_rax,_0xfffff000.pdf
>
> is designed behaviour. In poppler/Object.h, there is
> a macro to check the object type, and an unwanted type
> makes the program abort, like:
>
> #define OBJECT_TYPE_CHECK(wanted_type) \
>     if (unlikely(type != wanted_type)) { \
>         error(0, (char *) "Call to Object where the object was type %d, " \
>                  "not the expected type %d", type, wanted_type); \
>         abort(); \
>     }
>
> #define OBJECT_2TYPES_CHECK(wanted_type1, wanted_type2) \
>     if (unlikely(type != wanted_type1) && unlikely(type != wanted_type2)) { \
>         error(0, (char *) "Call to Object where the object was type %d, " \
>                  "not the expected type %d or %d", type, wanted_type1, wanted_type2); \
>         abort(); \
>     }
>
> This is consistent with the stack trace attached at the
> end of this message. I'm not sure if abort() is the best
> way, but this is designed behaviour, not a bug.
Yes this is a bug, it should check for isNum before calling getNum.
Albert
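
The caller-side check named in the reply above, as an added example that is not part of the original message and is not poppler's code. MiniObject, parseWidth and the sample values are hypothetical stand-ins; only the abort-on-wrong-type accessor style and the isNum/getNum names are taken from the thread.

```cpp
// Added example: simplified stand-in for an Object-like tagged value.
// MiniObject, parseWidth and the sample values are hypothetical, not poppler code.
#include <cstdio>
#include <cstdlib>

enum ObjType { objInt, objReal, objString, objNull };

class MiniObject {
public:
    static MiniObject fromInt(int v)     { MiniObject o; o.type = objInt;  o.intg = v; return o; }
    static MiniObject fromReal(double v) { MiniObject o; o.type = objReal; o.real = v; return o; }
    static MiniObject fromString()       { MiniObject o; o.type = objString; return o; }

    bool isNum() const { return type == objInt || type == objReal; }

    // Accessor in the style of the quoted macro: a wrong type means abort().
    double getNum() const {
        if (type != objInt && type != objReal) {
            std::fprintf(stderr, "Call to Object where the object was type %d, "
                                 "not the expected type %d or %d\n", type, objInt, objReal);
            std::abort();
        }
        return type == objInt ? (double)intg : real;
    }

private:
    ObjType type = objNull;
    int intg = 0;
    double real = 0.0;
};

// Caller-side fix: test isNum() first, so document-controlled data of the
// wrong type is rejected as a parse error instead of reaching abort().
bool parseWidth(const MiniObject &obj, double *out) {
    if (!obj.isNum()) {
        return false;   // malformed input: report it and keep the process alive
    }
    *out = obj.getNum();
    return true;
}

int main() {
    double w = 0.0;
    std::printf("int 612 -> ok=%d\n", parseWidth(MiniObject::fromInt(612), &w));
    std::printf("string  -> ok=%d\n", parseWidth(MiniObject::fromString(), &w));
    return 0;
}
```

With the check in place, the accessor's abort() remains as a backstop for programming errors only, and a crafted file that supplies the wrong object type is handled on the error path.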