GNOME Bugzilla – Bug 786444
Valgrind: Invalid Read (24 bytes after block in arena)
Last modified: 2017-10-05 20:42:55 UTC
Created attachment 357839 [details]
The PDF leading to invalid read and later segfault

Hey, while fuzzing I found a pdf document that leads to the following valgrind messages:

==9190== Invalid read of size 8
==9190==    at 0x174C89B0: TextPool::addWord(TextWord*) (in /usr/lib/libpoppler.so.68.0.0)
==9190==    by 0x174CBB62: TextPage::endWord() (in /usr/lib/libpoppler.so.68.0.0)
==9190==    by 0x174CBFA8: TextPage::addChar(GfxState*, double, double, double, double, unsigned int, int, unsigned int*, int) (in /usr/lib/libpoppler.so.68.0.0)
==9190==    by 0x16DAB386: CairoOutputDev::drawChar(GfxState*, double, double, double, double, double, double, unsigned int, int, unsigned int*, int) (in /usr/lib/libpoppler-glib.so.8.9.0)
==9190==    by 0x1744B86F: Gfx::doShowText(GooString*) (in /usr/lib/libpoppler.so.68.0.0)
==9190==    by 0x1744CB5D: Gfx::opShowSpaceText(Object*, int) (in /usr/lib/libpoppler.so.68.0.0)
==9190==    by 0x17443B57: Gfx::go(bool) (in /usr/lib/libpoppler.so.68.0.0)
==9190==    by 0x1744404A: Gfx::display(Object*, bool) (in /usr/lib/libpoppler.so.68.0.0)
==9190==    by 0x1748EE69: Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) (in /usr/lib/libpoppler.so.68.0.0)
==9190==    by 0x16D98D8F: ??? (in /usr/lib/libpoppler-glib.so.8.9.0)
==9190==    by 0x16B4C938: ??? (in /usr/lib/evince/4/backends/libpdfdocument.so)
==9190==    by 0x16B4CB94: ??? (in /usr/lib/evince/4/backends/libpdfdocument.so)
==9190==  Address 0x10cf4818 is 24 bytes after a block of size 96 in arena "client"

And then crashes by:

==9190== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==9190==  Access not within mapped region at address 0xA8
==9190==    at 0x174C8A29: TextPool::addWord(TextWord*) (in /usr/lib/libpoppler.so.68.0.0)
==9190==    by 0x174CBB62: TextPage::endWord() (in /usr/lib/libpoppler.so.68.0.0)
==9190==    by 0x174CBFA8: TextPage::addChar(GfxState*, double, double, double, double, unsigned int, int, unsigned int*, int) (in /usr/lib/libpoppler.so.68.0.0)
==9190==    by 0x16DAB386: CairoOutputDev::drawChar(GfxState*, double, double, double, double, double, double, unsigned int, int, unsigned int*, int) (in /usr/lib/libpoppler-glib.so.8.9.0)
==9190==    by 0x1744B86F: Gfx::doShowText(GooString*) (in /usr/lib/libpoppler.so.68.0.0)
==9190==    by 0x1744CB5D: Gfx::opShowSpaceText(Object*, int) (in /usr/lib/libpoppler.so.68.0.0)
==9190==    by 0x17443B57: Gfx::go(bool) (in /usr/lib/libpoppler.so.68.0.0)
==9190==    by 0x1744404A: Gfx::display(Object*, bool) (in /usr/lib/libpoppler.so.68.0.0)
==9190==    by 0x1748EE69: Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) (in /usr/lib/libpoppler.so.68.0.0)
==9190==    by 0x16D98D8F: ??? (in /usr/lib/libpoppler-glib.so.8.9.0)
==9190==    by 0x16B4C938: ??? (in /usr/lib/evince/4/backends/libpdfdocument.so)
==9190==    by 0x16B4CB94: ??? (in /usr/lib/evince/4/backends/libpdfdocument.so)

I will attach the PDF document. Cheers
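An added triage helper, not part of the report or of poppler: it parses the two valgrind records above (heap over-read 24 bytes past a 96-byte block, then the SIGSEGV at 0xA8) into structured records and classifies them, so a fuzzing pipeline can tag this class of report automatically. The sample log is a constructed excerpt of the output quoted in the report, and the classification rules are heuristics assumed for this example.

```python
import re

# Constructed excerpt of the valgrind output quoted in the report above.
VALGRIND_LOG = """\
==9190== Invalid read of size 8
==9190==    at 0x174C89B0: TextPool::addWord(TextWord*) (in /usr/lib/libpoppler.so.68.0.0)
==9190==    by 0x174CBB62: TextPage::endWord() (in /usr/lib/libpoppler.so.68.0.0)
==9190==  Address 0x10cf4818 is 24 bytes after a block of size 96 in arena "client"
==9190== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==9190==  Access not within mapped region at address 0xA8
==9190==    at 0x174C8A29: TextPool::addWord(TextWord*) (in /usr/lib/libpoppler.so.68.0.0)
"""

PID = re.compile(r"^==\d+==\s?")  # strip the "==PID== " prefix valgrind puts on every line
FRAME = re.compile(r"^\s*(?:at|by)\s+0x[0-9A-Fa-f]+:\s+(.*?)\s+\(in\s")  # "at 0x..: func (in lib)"
INVALID = re.compile(r"^Invalid (read|write) of size (\d+)")
AFTER = re.compile(r"^\s*Address 0x[0-9a-fA-F]+ is (\d+) bytes after a block of size (\d+)")
SIGNAL = re.compile(r"signal \d+ \((\w+)\)")
FAULT = re.compile(r"Access not within mapped region at address 0x([0-9A-Fa-f]+)")


def parse_valgrind(text):
    """Split valgrind output into error records, each with its stack frames and address info."""
    records = []
    for raw in text.splitlines():
        line = PID.sub("", raw)
        if m := INVALID.match(line):
            records.append({"kind": f"Invalid {m[1]}", "size": int(m[2]), "frames": []})
        elif m := SIGNAL.search(line):
            records.append({"kind": m[1], "frames": []})
        elif not records:
            continue  # lines before the first error record carry nothing we need
        elif m := FRAME.match(line):
            records[-1]["frames"].append(m[1])
        elif m := AFTER.match(line):
            records[-1].update(offset_after_block=int(m[1]), block_size=int(m[2]))
        elif m := FAULT.search(line):
            records[-1]["fault_address"] = int(m[1], 16)
    return records


def triage(rec):
    """Heuristic one-line classification for bug triage (assumed rules, not a proof of root cause)."""
    top = rec["frames"][0] if rec["frames"] else "<unknown>"
    if rec["kind"].startswith("Invalid") and "block_size" in rec:
        end = rec["block_size"] + rec["offset_after_block"]  # byte offset relative to block start
        return (f"{rec['kind']} of {rec['size']} bytes at offset {end} of a {rec['block_size']}-byte "
                f"heap block in {top}: heap out-of-bounds read")
    if rec["kind"] == "SIGSEGV" and rec.get("fault_address", 1 << 20) < 4096:
        return f"SIGSEGV at {rec['fault_address']:#x} in {top}: small address, likely NULL pointer plus field offset"
    return f"{rec['kind']} in {top}"


if __name__ == "__main__":
    for rec in parse_valgrind(VALGRIND_LOG):
        print(triage(rec))
```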
I get this same crash when using 'pdftotext', so this looks like a bug in poppler, the library evince uses for PDFs. Please forward this to poppler (https://bugs.freedesktop.org/enter_bug.cgi?product=poppler) using the instructions at http://live.gnome.org/Evince/PopplerBugs#poppler.
Forwarded to poppler here: https://bugs.freedesktop.org/show_bug.cgi?id=103116