SIGABRT at poppler/gmem.h:170
Hi, we found a bug in gmem.h:170. When the bug is triggered, the program would crash with the following backtrace.
To reproduce, run pdfseparate poc 1.pdf
(gdb) bt
#0  0x00007ffff78ff7bb in raise () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x00007ffff78ea535 in abort () from /lib/x86_64-linux-gnu/libc.so.6
#2  0x00007ffff7e377de in greallocn (count=1114602025, size=40, free_p=true,
    checkoverflow=false, p=<optimized out>) at /home/users/chluo/pop/goo/gmem.h:170
#3  greallocn (free_p=true, checkoverflow=false, size=40, count=1114602025,
    p=<optimized out>) at /home/users/chluo/pop/goo/gmem.h:150
#4  XRef::add (this=0x555555636b60, num=1114602024, gen=0, offs=0, used=<optimized out>)
    at /home/users/chluo/pop/poppler/XRef.cc:1388
#5  0x00007ffff7e081b7 in PDFDoc::markObject (this=this@entry=0x5555555af870,
    obj=obj@entry=0x7fffffffae20, xRef=xRef@entry=0x555555636b60,
    countRef=countRef@entry=0x555555636cf0, numOffset=numOffset@entry=0,
    oldRefNum=oldRefNum@entry=24, newRefNum=259, alreadyMarkedDicts=0x55555572b120)
    at /home/users/chluo/pop/poppler/PDFDoc.cc:1699
#6  0x00007ffff7e07f48 in PDFDoc::markDictionnary (this=this@entry=0x5555555af870,
    dict=<optimized out>, xRef=xRef@entry=0x555555636b60,
    countRef=countRef@entry=0x555555636cf0, numOffset=numOffset@entry=0,
    oldRefNum=oldRefNum@entry=24, newRefNum=259, alreadyMarkedDicts=<optimized out>)
    at /home/users/chluo/pop/poppler/PDFDoc.cc:1661
#7  0x00007ffff7e0839e in PDFDoc::markObject (this=0x5555555af870, obj=0x7fffffffaf00,
    xRef=0x555555636b60, countRef=0x555555636cf0, numOffset=0, oldRefNum=24,
    newRefNum=259, alreadyMarkedDicts=0x55555572b120)
    at /home/users/chluo/pop/poppler/PDFDoc.cc:1688
#8  0x00007ffff7e08310 in PDFDoc::markObject (this=this@entry=0x5555555af870,
    obj=obj@entry=0x7fffffffaf80, xRef=xRef@entry=0x555555636b60,
    countRef=countRef@entry=0x555555636cf0, numOffset=numOffset@entry=0,
    oldRefNum=oldRefNum@entry=24, newRefNum=259, alreadyMarkedDicts=0x55555572b120)
    at /home/users/chluo/pop/poppler/PDFDoc.cc:1684
#9  0x00007ffff7e07f48 in PDFDoc::markDictionnary (this=this@entry=0x5555555af870,
    dict=<optimized out>, xRef=xRef@entry=0x555555636b60,
    countRef=countRef@entry=0x555555636cf0, numOffset=numOffset@entry=0,
    oldRefNum=oldRefNum@entry=24, newRefNum=259, alreadyMarkedDicts=<optimized out>)
    at /home/users/chluo/pop/poppler/PDFDoc.cc:1661
Root cause:
The program invokes std::abort() in gmem.h:170, yet this line is reachable given some crafted inputs.
Edited by crt
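The backtrace shows greallocn reached with count=1114602025, size=40 and checkoverflow=false, and 1114602025 * 40 does not fit in an int, so the abort is consistent with an allocation-size overflow guard firing on an object number taken from the file's xref. The following is an added illustration, not poppler's gmem.h code and not the project's fix: a hypothetical checked_array_size / safe_reallocn pair that rejects a count*size product that would overflow and reports failure to the caller instead of aborting, which is the behaviour a parser needs when the size comes from untrusted input. The function names, the 40-byte xref_entry struct and the MAX_OBJECTS limit are all assumptions made for the example.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical 40-byte entry, mirroring the size=40 seen in the backtrace. */
struct xref_entry {
    long long offset;
    int gen;
    int type;
    char pad[24];
};

/* Upper bound on object numbers a parser is willing to allocate for.
 * Constructed for the example; a real parser would derive it from the
 * trailer's /Size or a documented limit. */
#define MAX_OBJECTS 10000000

/* Computes count*size into *out only when it cannot overflow an int.
 * Returns 1 on success, 0 when the pair is negative, zero-sized or too large. */
int checked_array_size(int count, int size, size_t *out)
{
    if (count < 0 || size <= 0)
        return 0;
    if (count > INT_MAX / size)          /* count*size would exceed INT_MAX */
        return 0;
    *out = (size_t)count * (size_t)size;
    return 1;
}

/* Overflow-checked reallocation of an array of `count` elements of `size` bytes.
 * On refusal or allocation failure returns 0 and leaves *p untouched, so the
 * caller still owns a valid buffer and can report the error; never aborts. */
int safe_reallocn(void **p, int count, int size)
{
    size_t n;
    if (!checked_array_size(count, size, &n)) {
        fprintf(stderr, "refused allocation: count=%d size=%d\n", count, size);
        return 0;
    }
    void *q = realloc(*p, n ? n : 1);    /* avoid implementation-defined realloc(p, 0) */
    if (q == NULL)
        return 0;
    *p = q;
    return 1;
}

/* Grows an xref table so that entry `num` exists. Rejects object numbers
 * beyond MAX_OBJECTS before touching the allocator, then relies on
 * safe_reallocn for the arithmetic. Returns 1 on success, 0 on refusal. */
int xref_grow(struct xref_entry **entries, int *capacity, int num)
{
    if (num < 0 || num >= MAX_OBJECTS)
        return 0;
    if (num < *capacity)
        return 1;
    int new_cap = num + 1;
    void *p = *entries;
    if (!safe_reallocn(&p, new_cap, (int)sizeof(struct xref_entry)))
        return 0;
    *entries = p;
    *capacity = new_cap;
    return 1;
}

int main(void)
{
    struct xref_entry *table = NULL;
    int capacity = 0;

    /* Values from the reported backtrace: refused, no abort. */
    if (!xref_grow(&table, &capacity, 1114602024))
        puts("object number 1114602024 rejected");

    /* A realistic object number succeeds. */
    if (xref_grow(&table, &capacity, 258))
        printf("table grown to %d entries\n", capacity);

    free(table);
    return 0;
}
```

The check `count > INT_MAX / size` is the standard way to test a product for overflow without computing it; the division is exact because size is known to be positive. Keeping the bound check in xref_grow separate from the arithmetic check in safe_reallocn means a crafted object number is rejected on policy grounds first, and the allocator guard remains as a second line of defence for any other caller.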