poppler issue #748 (Closed)
Created Apr 01, 2019 by pwd@YourButterfly

null-pointer-dereference in function SplashClip::clipAALine

poppler-0.74

version

poppler-0.74 0.74

description

None

download link

None

SplashClip::clipAALine@SplashClip.cc:382-18___out-of-bounds-read

description

An issue was discovered in poppler-0.74 0.74. There is a null-pointer dereference in function SplashClip::clipAALine at SplashClip.cc:382-18

commandline

pdftoppm -cropbox -jpeg -freetype yes @@ tmp

source

None

debug

In file: /src/poppler-0.74.0/splash/SplashXPathScanner.cc
   453     xx = *x0 * splashAASize;
   454     if (yy >= yyMin && yy <= yyMax) {
   455       const auto& line = allIntersections[splashAASize * y + yy - yMin];
   456       interIdx = 0;
   457       interCount = 0;
 ► 458       while (interIdx < line.size() && xx < (*x1 + 1) * splashAASize) {
   459 	xx0 = line[interIdx].x0;
   460 	xx1 = line[interIdx].x1;
   461 	interCount += line[interIdx].count;
   462 	++interIdx;
   463 	while (interIdx < line.size() &&

pwndbg> p line
$9 = <error reading variable: Cannot access memory at address 0x8>

bug report

AddressSanitizer:DEADLYSIGNAL
=================================================================
==5850==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x7fef9780428e bp 0x00000075f720 sp 0x7fffa84784c0 T0)
==5850==The signal is caused by a READ memory access.
==5850==Hint: address points to the zero page.
    #0 0x7fef9780428d in SplashXPathScanner::clipAALine(SplashBitmap*, int*, int*, int) /usr/lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/c++/5.4.0/bits/stl_vector.h
    #1 0x7fef977cdc54 in SplashClip::clipAALine(SplashBitmap*, int*, int*, int, bool) /src/poppler-0.74/splash/SplashClip.cc:382:18
    #2 0x7fef977b6c73 in Splash::shadedFill(SplashPath*, bool, SplashPattern*) /src/poppler-0.74/splash/Splash.cc:6439:24
    #3 0x7fef9774fb50 in SplashOutputDev::univariateShadedFill(GfxState*, SplashUnivariatePattern*, double, double) /src/poppler-0.74/poppler/SplashOutputDev.cc:4820:21
    #4 0x7fef9775119a in SplashOutputDev::axialShadedFill(GfxState*, GfxAxialShading*, double, double) /src/poppler-0.74/poppler/SplashOutputDev.cc:4894:17
    #5 0x7fef97235292 in Gfx::doAxialShFill(GfxAxialShading*) /src/poppler-0.74/poppler/Gfx.cc:2648:12
    #6 0x7fef972329f6 in Gfx::doShadingPatternFill(GfxShadingPattern*, bool, bool, bool) /src/poppler-0.74/poppler/Gfx.cc:2364:5
    #7 0x7fef9722daeb in Gfx::doPatternFill(bool) /src/poppler-0.74/poppler/Gfx.cc:1943:5
    #8 0x7fef971e6906 in Gfx::opFill(Object*, int) /src/poppler-0.74/poppler/Gfx.cc:1809:2
    #9 0x7fef9722666f in Gfx::execOp(Object*, Object*, int) /src/poppler-0.74/poppler/Gfx.cc:876:3
    #10 0x7fef97222707 in Gfx::go(bool) /src/poppler-0.74/poppler/Gfx.cc:752:7
    #11 0x7fef972215b3 in Gfx::display(Object*, bool) /src/poppler-0.74/poppler/Gfx.cc:714:3
    #12 0x7fef9722c2f5 in Gfx::drawForm(Object*, Dict*, double const*, double const*, bool, bool, GfxColorSpace*, bool, bool, bool, Function*, GfxColor*) /src/poppler-0.74/poppler/Gfx.cc:4841:3
    #13 0x7fef9725d3ad in Gfx::doForm(Object*) /src/poppler-0.74/poppler/Gfx.cc:4764:3
    #14 0x7fef971e40fd in Gfx::opXObject(Object*, int) /src/poppler-0.74/poppler/Gfx.cc:4181:2
    #15 0x7fef9722666f in Gfx::execOp(Object*, Object*, int) /src/poppler-0.74/poppler/Gfx.cc:876:3
    #16 0x7fef97222707 in Gfx::go(bool) /src/poppler-0.74/poppler/Gfx.cc:752:7
    #17 0x7fef972215b3 in Gfx::display(Object*, bool) /src/poppler-0.74/poppler/Gfx.cc:714:3
    #18 0x7fef9745c14c in Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /src/poppler-0.74/poppler/Page.cc:548:10
    #19 0x7fef974798b1 in PDFDoc::displayPageSlice(OutputDev*, int, double, double, int, bool, bool, bool, int, int, int, int, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /src/poppler-0.74/poppler/PDFDoc.cc:665:20
    #20 0x521264 in savePageSlice(PDFDoc*, SplashOutputDev*, int, int, int, int, int, double, double, char*) /src/poppler-0.74/utils/pdftoppm.cc:287:8
    #21 0x521264 in main /src/poppler-0.74/utils/pdftoppm.cc:600
    #22 0x7fef95adf82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #23 0x41b838 in _start (/src/aflbuild/installed/bin/pdftoppm+0x41b838)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /usr/lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/c++/5.4.0/bits/stl_vector.h in SplashXPathScanner::clipAALine(SplashBitmap*, int*, int*, int)
==5850==ABORTING

others

from fuzz project pwd-poppler-pdftoppm-03
crash name pwd-poppler-pdftoppm-03-00000000-20190331.pdf
Auto-generated by pyspider at 2019-03-31 04:07:31

poc.tar.gz
