Reachable abort in gmem.h:116, pdfimages
Hi there.
There is a reachable abort in gmem.h:116 in the newest commit 29c3fc62.
To reproduce, run
pdfimages -f 1 -l 1 -opw testing -upw testing -j -p -q POC /dev/null
This is the backtrace reported by GDB:
#0 0x00007ffff5b26438 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#1 0x00007ffff5b2803a in __GI_abort () at abort.c:89
#2 0x0000000000405f33 in gmallocn (checkoverflow=false, size=<optimized out>, count=-12608) at poppler/goo/gmem.h:116
#3 ImageOutputDev::writeImageFile (this=this@entry=0x60e00000df60, writer=writer@entry=0x6030000045a0, format=<optimized out>, ext=<optimized out>, str=str@entry=0x61300000b480,
width=width@entry=555555555, height=5, colorMap=0x7fffffffd500) at poppler/utils/ImageOutputDev.cc:389
#4 0x000000000040752b in ImageOutputDev::writeImage (this=0x60e00000df60, state=<optimized out>, ref=<optimized out>, str=0x61300000b480, width=555555555, height=5,
colorMap=0x7fffffffd500, inlineImg=false) at poppler/utils/ImageOutputDev.cc:652
#5 0x00007ffff67f8e3b in Gfx::doImage (this=this@entry=0x61200000ba40, ref=ref@entry=0x7fffffffdb80, str=0x61300000b480, inlineImg=inlineImg@entry=false)
at poppler/poppler/Gfx.cc:4553
#6 0x00007ffff67fe0fd in Gfx::opXObject (this=0x61200000ba40, args=<optimized out>, numArgs=<optimized out>) at poppler/poppler/Gfx.cc:4095
#7 0x00007ffff67e97ba in Gfx::go (this=this@entry=0x61200000ba40, topLevel=topLevel@entry=true) at poppler/poppler/Gfx.cc:681
#8 0x00007ffff67ea400 in Gfx::display (this=this@entry=0x61200000ba40, obj=obj@entry=0x7fffffffe160, topLevel=topLevel@entry=true) at poppler/poppler/Gfx.cc:642
#9 0x00007ffff68b36ba in Page::displaySlice (this=<optimized out>, out=0x60e00000df60, out@entry=0x0, hDPI=hDPI@entry=6.9533479696278002e-310, vDPI=vDPI@entry=-nan(0xfffffffffffff),
rotate=rotate@entry=-1, useMediaBox=useMediaBox@entry=255, crop=crop@entry=255, sliceX=sliceX@entry=-1, sliceY=-1, sliceW=-1, sliceH=-1, printing=false, abortCheckCbk=0x0,
abortCheckCbkData=0x0, annotDisplayDecideCbk=0x0, annotDisplayDecideCbkData=0x0, copyXRef=false) at poppler/poppler/Page.cc:576
#10 0x00007ffff68b3cd8 in Page::display (this=<optimized out>, out=out@entry=0x0, hDPI=hDPI@entry=6.9533479696278002e-310, vDPI=vDPI@entry=-nan(0xfffffffffffff), rotate=rotate@entry=-1,
useMediaBox=useMediaBox@entry=255, crop=crop@entry=255, printing=printing@entry=false, abortCheckCbk=0x0, abortCheckCbkData=0x0, annotDisplayDecideCbk=0x0,
annotDisplayDecideCbkData=0x0, copyXRef=false) at poppler/poppler/Page.cc:521
#11 0x00007ffff68c0b46 in PDFDoc::displayPage (this=this@entry=0x610000007f40, out=0x0, out@entry=0x60e00000df60, page=page@entry=1, hDPI=6.9533479696278002e-310, hDPI@entry=72,
vDPI=-nan(0xfffffffffffff), vDPI@entry=72, rotate=-1, rotate@entry=0, useMediaBox=useMediaBox@entry=true, crop=crop@entry=false, printing=false, abortCheckCbk=0x0,
abortCheckCbkData=0x0, annotDisplayDecideCbk=0x0, annotDisplayDecideCbkData=0x0, copyXRef=false) at poppler/poppler/PDFDoc.cc:643
#12 0x00007ffff68c0c49 in PDFDoc::displayPages (this=0x610000007f40, out=out@entry=0x60e00000df60, firstPage=<optimized out>, lastPage=1, hDPI=hDPI@entry=72, vDPI=vDPI@entry=72,
rotate=rotate@entry=0, useMediaBox=useMediaBox@entry=true, crop=false, printing=false, abortCheckCbk=0x0, abortCheckCbkData=0x0, annotDisplayDecideCbk=0x0,
annotDisplayDecideCbkData=0x0) at /aflgo/scripts/fuzz/poppler/poppler/PDFDoc.cc:652
#13 0x0000000000402d4f in main (argc=3, argv=<optimized out>) at poppler/utils/pdfimages.cc:199
Here is the file to reproduce the bug: abort_gmem_h_116
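The backtrace above shows an image with width 555555555 and height 5 reaching gmallocn with a wrapped, negative count (-12608), which the allocator turns into an abort. The usual way to keep that class of input from reaching the allocator at all is to compute the buffer size with explicit overflow checks and reject the image first. The following is an added example written for this page, not poppler's code: the component count, bits per component, and the MAX_IMAGE_BYTES cap are assumptions chosen for illustration.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Multiply two sizes without wrapping; returns 0 if the product would overflow. */
static int mul_nowrap(uint64_t a, uint64_t b, uint64_t *out) {
    if (a != 0 && b > UINT64_MAX / a) return 0;
    *out = a * b;
    return 1;
}

/* Hypothetical upper bound on one image buffer (an assumption for this example,
 * not a value taken from poppler). Keeping it at INT_MAX guarantees the result
 * also fits any int-typed allocation count downstream. */
#define MAX_IMAGE_BYTES ((uint64_t)INT_MAX)

/* Bytes for one decoded row: ceil(width * nComps * bpc / 8).
 * Returns 1 and stores the size, or 0 if an input is non-positive or the
 * product does not fit under MAX_IMAGE_BYTES. */
int checked_row_bytes(long width, int nComps, int bpc, uint64_t *out) {
    uint64_t bits;
    if (width <= 0 || nComps <= 0 || bpc <= 0) return 0;
    if (!mul_nowrap((uint64_t)width, (uint64_t)nComps, &bits)) return 0;
    if (!mul_nowrap(bits, (uint64_t)bpc, &bits)) return 0;
    if (bits > UINT64_MAX - 7) return 0;
    *out = (bits + 7) / 8;
    return *out <= MAX_IMAGE_BYTES;
}

/* Bytes for the whole image; rejects oversized or wrapped products before
 * anything is handed to the allocator. */
int checked_image_bytes(long width, long height, int nComps, int bpc, uint64_t *out) {
    uint64_t row;
    if (height <= 0) return 0;
    if (!checked_row_bytes(width, nComps, bpc, &row)) return 0;
    if (!mul_nowrap(row, (uint64_t)height, out)) return 0;
    return *out <= MAX_IMAGE_BYTES;
}

/* Convenience wrappers: the validated size, or 0 when the image is rejected. */
uint64_t row_bytes_or_zero(long width, int nComps, int bpc) {
    uint64_t n;
    return checked_row_bytes(width, nComps, bpc, &n) ? n : 0;
}

uint64_t image_bytes_or_zero(long width, long height, int nComps, int bpc) {
    uint64_t n;
    return checked_image_bytes(width, height, nComps, bpc, &n) ? n : 0;
}

/* Allocate only after validation; NULL means the dimensions were refused. */
unsigned char *alloc_image(long width, long height, int nComps, int bpc) {
    uint64_t bytes;
    if (!checked_image_bytes(width, height, nComps, bpc, &bytes)) return NULL;
    return (unsigned char *)calloc((size_t)bytes, 1);
}

int main(void) {
    /* Dimensions from the backtrace above; 3 components at 8 bits is a constructed assumption. */
    unsigned char *p = alloc_image(555555555, 5, 3, 8);
    printf("555555555x5 image: %s\n", p ? "allocated" : "rejected before allocation");
    free(p);
    p = alloc_image(800, 600, 3, 8);
    printf("800x600 image: %llu bytes\n", (unsigned long long)image_bytes_or_zero(800, 600, 3, 8));
    free(p);
    return 0;
}
```

A single row of 555555555 RGB samples (1666666665 bytes) still fits under the cap, so the check that actually stops this input is the row-times-height multiplication; rejecting at that point returns NULL to the caller instead of letting a wrapped count reach an allocator that aborts.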