Skip to content

GitLab

Closed
Created by Dhiraj@Dhiraj

Nullpointer dereference

Summary

While re-fuzzing evince, a null-pointer dereference was observed. Initially this report was submitted to evince where the evince (https://gitlab.gnome.org/GNOME/evince/issues/1024) team says:

The issue is in Poppler, the library used by Evince to render PDF, and it seems it has already been addressed.See https://gitlab.freedesktop.org/poppler/poppler/merge_requests/93
Nevertheless, if the issue is still present, please file a bug in https://gitlab.freedesktop.org/poppler/poppler/

Steps to reproduce

  1. Open NullPointerDeference.h_134 with evince.
  2. Segmentation fault (core dumped)

Debug

(gdb) run NullPointerDeference.h_134
Starting program: /usr/bin/evince NullPointerDeference.h_134
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7f9a71f06700 (LWP 12825)]
[New Thread 0x7f9a71705700 (LWP 12826)]
[New Thread 0x7f9a6bdf6700 (LWP 12827)]
[New Thread 0x7f9a6b186700 (LWP 12832)]
[New Thread 0x7f9a6a741700 (LWP 12834)]
[New Thread 0x7f9a68acd700 (LWP 12835)]

Thread 7 "EvJobScheduler" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f9a68acd700 (LWP 12835)]
0x00007f9a5622429a in _poppler_attachment_new(FileSpec*) () from /usr/lib/x86_64-linux-gnu/libpoppler-glib.so.8
(gdb) bt
#0  0x00007f9a5622429a in _poppler_attachment_new(FileSpec*) () at /usr/lib/x86_64-linux-gnu/libpoppler-glib.so.8
#1  0x00007f9a5622814a in poppler_annot_file_attachment_get_attachment () at /usr/lib/x86_64-linux-gnu/libpoppler-glib.so.8
#2  0x00007f9a680c573d in  () at /usr/lib/x86_64-linux-gnu/evince/4/backends/libpdfdocument.so
#3  0x00007f9a7ddfabfa in  () at /usr/lib/x86_64-linux-gnu/libevview3.so.3
#4  0x00007f9a7ddfcc02 in  () at /usr/lib/x86_64-linux-gnu/libevview3.so.3
#5  0x00007f9a7b6f5e85 in  () at /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
#6  0x00007f9a7b0cc6db in start_thread (arg=0x7f9a68acd700) at pthread_create.c:463
#7  0x00007f9a7adf588f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
(gdb)

Tested on

uname -a - Linux zero 4.15.0-38-generic #41 (closed)-Ubuntu SMP Wed Oct 10 10:59:38 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux Evince version: 3.28.4

Additional stacktrace

Trace_2 Trace_1

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information