[poppler] pdfsig: Segfault in ~SignatureHandler / double-free

Michael Joost sonet at michael-joost.de
Sun Jul 24 06:09:36 UTC 2016


For me, any use of pdfsig results in just a segfault. I am using
poppler-0.45 with nss-3.25.
As far as I can tell, the signature verification itself runs OK (valid
signature result), but there is some kind of double-delete error caused
by the SignatureHandler destructor.

The destructor first calls NSS_CMSSignerInfo_Destroy(CMSSignerInfo),
which destroys CMSSignerInfo->cert and hence fills it with the dada pattern.

in NSS_CMSSignerInfo_Destroy():
--------------------------------
print si->cert
$74 = (CERTCertificate *) 0x6e8010

Subsequently, the SignatureHandler destructor calls
NSS_CMSSignedData_Destroy(CMSSignedData), which attempts to destroy
CMSSignedData->tempCerts[*]

But one of those tempCerts (in this case the one-and-only, but not
necessarily the first) is the one previously destroyed with
NSS_CMSSignerInfo_Destroy(), so it already carries the dada pattern, which
causes the segfault.

in SignatureHandler::~SignatureHandler():
-----------------------------------------
print (CMSSignedData->tempCerts[0])
$76 = (CERTCertificate *) 0x6e8010


There seems to be no obvious change in the destroy code in recent
versions. Not sure why I'm the only one running into this problem.


br,

Michael Joost
sonet at michael-joost dot de
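The ownership problem described in this report, modelled as a small added C example (not poppler or NSS code): one certificate object is reachable both from the signer info and from the signed data's tempCerts list, and the two destroy routines each release it. The Cert, SignerInfo and SignedData types, the cert_ref/cert_release helpers and the "alive" flag that stands in for real heap memory are this example's own constructions. The unsafe wiring stores the shared pointer without taking a reference, so the second release hits an already-released object; the safe wiring gives each owner its own reference and the two releases balance.

```c
#include <stdio.h>
#include <string.h>

/* Toy model of the double-release in the report. Names and structures are
 * invented for this illustration; they are not NSS or poppler internals. */

#define MAX_TEMP_CERTS 4

typedef struct {
    int refcount;        /* references held by owners */
    int alive;           /* 1 while "allocated", 0 once released */
    char subject[32];
} Cert;

typedef struct {
    Cert *cert;          /* the signer's certificate */
} SignerInfo;

typedef struct {
    SignerInfo signer;
    Cert *tempCerts[MAX_TEMP_CERTS];  /* certs collected during verification */
    int ntemp;
} SignedData;

/* Number of releases that hit an already-released cert: the double-free signal. */
static int double_releases;

static void cert_init(Cert *c, const char *subject) {
    c->refcount = 1;
    c->alive = 1;
    strncpy(c->subject, subject, sizeof c->subject - 1);
    c->subject[sizeof c->subject - 1] = '\0';
}

/* Take an additional reference for a new owner. */
static Cert *cert_ref(Cert *c) { c->refcount++; return c; }

/* Drop one reference. Returns 1 if this release freed the cert, 0 if other
 * owners remain, and -1 (counted in double_releases) if it was already freed. */
static int cert_release(Cert *c) {
    if (!c->alive) { double_releases++; return -1; }
    if (--c->refcount == 0) { c->alive = 0; return 1; }
    return 0;
}

/* Mirrors the order in the report: the signer info is destroyed first, then
 * the signed data walks its tempCerts and releases each entry. */
static void signer_info_destroy(SignerInfo *si) { cert_release(si->cert); }

static void signed_data_destroy(SignedData *sd) {
    for (int i = 0; i < sd->ntemp; i++) cert_release(sd->tempCerts[i]);
}

static void handler_destroy(SignedData *sd) {
    signer_info_destroy(&sd->signer);
    signed_data_destroy(sd);
}

/* Unsafe wiring: the same pointer is stored in tempCerts without taking a
 * reference, so two owners share a single refcount of 1. */
static void wire_without_ref(SignedData *sd, Cert *c) {
    memset(sd, 0, sizeof *sd);
    sd->signer.cert = c;
    sd->tempCerts[sd->ntemp++] = c;
}

/* Safe wiring: each owner holds its own reference. */
static void wire_with_ref(SignedData *sd, Cert *c) {
    memset(sd, 0, sizeof *sd);
    sd->signer.cert = c;
    sd->tempCerts[sd->ntemp++] = cert_ref(c);
}

/* Build one constructed cert, tear it down, and return how many double
 * releases the teardown produced (0 is the correct outcome). */
int run_teardown(int take_ref) {
    Cert c;
    SignedData sd;
    double_releases = 0;
    cert_init(&c, "CN=constructed signer");  /* constructed sample value */
    if (take_ref) wire_with_ref(&sd, &c); else wire_without_ref(&sd, &c);
    handler_destroy(&sd);
    return double_releases;
}

int main(void) {
    printf("shared pointer, no extra ref: %d double release(s)\n", run_teardown(0));
    printf("shared pointer, with ref:     %d double release(s)\n", run_teardown(1));
    return 0;
}
```

The "alive" flag replaces a real free() so the faulty path stays well-defined and observable; in a real build the same second release is what AddressSanitizer or a poisoning allocator reports as a double-free or use-after-free.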