[poppler] pdfsig: Segfault in ~SignatureHandler / double-free
Albert Astals Cid
aacid at kde.org
Sun Jul 24 21:46:49 UTC 2016
On Sunday, 24 July 2016, at 8:09:36 CEST, Michael Joost wrote:
> For me, any use of pdfsig results in just a segfault. I am using
> poppler-0.45 with nss-3.25.
Cannot reproduce, can you please open a bug in bugs.freedesktop.org and
attach one of the files you're using to have this crash?
Cheers,
Albert
> As far as I can tell, the signature verification itself runs ok (valid
> signature result), but there is some kind of double-delete error caused
> from the SignatureHandler destructor.
>
> The destructor first calls NSS_CMSSignerInfo_Destroy(CMSSignerInfo),
> which destroys CMSSignerInfo->cert, hence, fills it with dada pattern.
>
> in NSS_CMSSignerInfo_Destroy():
> --------------------------------
> print si->cert
> $74 = (CERTCertificate *) 0x6e8010
>
> Subsequently, the SignatureHandler destructor calls
> NSS_CMSSignedData_Destroy(CMSSignedData), which attempts to destroy
> CMSSignedData->tempCerts[*]
>
> But one of those tempCerts (in this case the one-and-only, but not
> necessarily the first) is the one previously destroyed with
> NSS_CMSSignerInfo_Destroy(), thus having the dada pattern cause the
> segfault.
>
> in SignatureHandler::~SignatureHandler():
> -----------------------------------------
> print (CMSSignedData->tempCerts[0])
> $76 = (CERTCertificate *) 0x6e8010
>
>
> There seems to be no obvious change in the destroy code in recent
> versions. Not sure why I'm the only one running into this problem.
>
>
> br,
>
> Michael Joost
> sonet at michael-joost dot de
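
An added illustration, not code from poppler, NSS or either poster: a minimal C model of the teardown order described in the report, where the signer info and the tempCerts array both release the same certificate pointer. The `Cert`, `SignerInfo` and `SignedData` types, every function name and the 0xDA fill byte are hypothetical stand-ins chosen for this sketch.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model, not NSS code: a cert with a reference count whose
 * storage is poisoned (assumed fill byte 0xDA) on final release. */
typedef struct { int refs; int freed; unsigned char body[8]; } Cert;
typedef struct { Cert *cert; } SignerInfo;                 /* models si->cert */
typedef struct { Cert *tempCerts[2]; SignerInfo *signer; } SignedData;

static int double_frees;   /* releases that hit an already-freed cert */

static Cert *cert_ref(Cert *c) { c->refs++; return c; }

static void cert_release(Cert *c) {
    if (c == NULL) return;
    if (c->freed) { double_frees++; return; }   /* real code would crash here */
    if (--c->refs == 0) {
        memset(c->body, 0xDA, sizeof c->body);  /* poison fill */
        c->freed = 1;
    }
}

static void signer_destroy(SignerInfo *si) { cert_release(si->cert); si->cert = NULL; }

static void signed_data_destroy(SignedData *sd) {
    for (size_t i = 0; i < 2; i++) { cert_release(sd->tempCerts[i]); sd->tempCerts[i] = NULL; }
}

/* Tear down in the order the report describes. With own_refs == 0 the signer
 * only borrows the pointer held in tempCerts; with own_refs == 1 every holder
 * took its own reference. Returns the number of double frees observed. */
int teardown(int own_refs) {
    Cert c = { .refs = 1 };                     /* reference owned by tempCerts[0] */
    SignerInfo si = { own_refs ? cert_ref(&c) : &c };
    SignedData sd = { { &c, NULL }, &si };
    double_frees = 0;
    signer_destroy(&si);
    signed_data_destroy(&sd);
    return double_frees;
}

int main(void) {
    printf("borrowed pointer: %d double free(s)\n", teardown(0));
    printf("own reference:    %d double free(s)\n", teardown(1));
    return 0;
}
```

In the model the second release is counted instead of dereferencing poisoned memory, so the imbalance between references taken and references released is visible without a crash.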