pdfsig: Segfault in ~SignatureHandler / double-free
Submitted by Michael Joost
Assigned to poppler-bugs
pdfsig (from poppler-0.45) results in a segfault on any signed PDF document (e.g. the BUDGET-2015-BUD.pdf from gpo.gov). Reason is a double-destroy of a certificate in the destructor of SignatureHandler.
The segfault only comes to effect if nspr(-4.12) is compiled for DEBUG, which, sadly, is its default setting. The debug version of nspr causes freed memory to be filled with a 0xDA pattern, and the second destroy's acccess to this in nss(-3.25) fails. The release version, without the pattern, is somehow able to recover from the double-destroy.
Switching between release/debug configs of a component, or any of its dependencies, should only impact non-functional aspects (such as performance), but never the functional behavior.