null pointer dereference in XRef::getEntry
pdfdetach crashes when it is fed a specific PDF file.
The command I run is: pdfdetach -save 1 test.pdf
The backtrace is here:
Program received signal SIGSEGV, Segmentation fault.
0x082994de in XRefEntry::setFlag (this=0xe0, flag=XRefEntry::Parsing, value=false) at /work/poppler/poppler/XRef.h:85
85 flags &= ~mask;
(gdb) bt
#0 0x082994de in XRefEntry::setFlag (this=0xe0, flag=XRefEntry::Parsing, value=false) at /work/poppler/poppler/XRef.h:85
#1 0x08295fd1 in Parser::makeStream(Object&&, unsigned char*, CryptAlgorithm, int, int, int, int, bool) (this=0x8651ff8,
dict=<unknown type in /work/poppler/build/utils/pdfdetach, CU 0x225680, DIE 0x23466c>, fileKey=0x0, encAlgorithm=cryptNone, keyLength=1211043104, objNum=7, objGen=0, recursion=3,
strict=false) at /work/poppler/poppler/Parser.cc:303
#2 0x08296cd8 in Parser::getObj (this=0x8651ff8, simpleOnly=false, fileKey=0x0, encAlgorithm=cryptNone, keyLength=1211043104, objNum=7, objGen=0, recursion=2, strict=false)
at /work/poppler/poppler/Parser.cc:134
#3 0x08296ab8 in Parser::getObj (this=0x8651ff8, simpleOnly=false, fileKey=0x0, encAlgorithm=cryptNone, keyLength=1211043104, objNum=7, objGen=0, recursion=1, strict=false)
at /work/poppler/poppler/Parser.cc:93
#4 0x08296fa6 in Parser::getObj (this=0x8651ff8, simpleOnly=false, fileKey=0x0, encAlgorithm=cryptNone, keyLength=1211043104, objNum=7, objGen=0, recursion=0, strict=false)
at /work/poppler/poppler/Parser.cc:120
#5 0x083895fe in XRef::fetch (this=0x8652328, num=7, gen=0, recursion=0) at /work/poppler/poppler/XRef.cc:1132
#6 0x0838b199 in XRef::getCatalog (this=0x8652328) at /work/poppler/poppler/XRef.cc:1064
#7 0x08121c54 in Catalog::Catalog (this=0x8652820, docA=0x8652148) at /work/poppler/poppler/Catalog.cc:94
#8 0x082b6280 in PDFDoc::setup (this=0x8652148, ownerPassword=0x0, userPassword=0x0) at /work/poppler/poppler/PDFDoc.cc:292
#9 0x082b663a in PDFDoc::PDFDoc (this=0x8652148, fileNameA=0x8652038, ownerPassword=0x0, userPassword=0x0, guiDataA=0x0) at /work/poppler/poppler/PDFDoc.cc:170
#10 0x084f9eda in LocalPDFDocBuilder::buildPDFDoc (this=0x86520b0, uri=..., ownerPassword=0x0, userPassword=0x0, guiDataA=0x0) at /work/poppler/poppler/LocalPDFDocBuilder.cc:31
#11 0x08113a6a in main (argc=4, argv=0xffffd7a4) at /work/poppler/utils/pdfdetach.cc:150
I analysed the code and found that in some situations, entry is null:
#0 XRef::getEntry (this=0x8652328, i=7, complainIfMissing=false) at /work/poppler/poppler/XRef.cc:1552
#1 0x08295f8b in Parser::makeStream(Object&&, unsigned char*, CryptAlgorithm, int, int, int, int, bool) (this=0x8651ff8,
dict=<unknown type in /work/poppler/build/utils/pdfdetach, CU 0x225680, DIE 0x23466c>, fileKey=0x0, encAlgorithm=cryptNone, keyLength=1211043104, objNum=7, objGen=0, recursion=3,
strict=false) at /work/poppler/poppler/Parser.cc:301
#2 0x08296cd8 in Parser::getObj (this=0x8651ff8, simpleOnly=false, fileKey=0x0, encAlgorithm=cryptNone, keyLength=1211043104, objNum=7, objGen=0, recursion=2, strict=false)
at /work/poppler/poppler/Parser.cc:134
#3 0x08296ab8 in Parser::getObj (this=0x8651ff8, simpleOnly=false, fileKey=0x0, encAlgorithm=cryptNone, keyLength=1211043104, objNum=7, objGen=0, recursion=1, strict=false)
at /work/poppler/poppler/Parser.cc:93
#4 0x08296fa6 in Parser::getObj (this=0x8651ff8, simpleOnly=false, fileKey=0x0, encAlgorithm=cryptNone, keyLength=1211043104, objNum=7, objGen=0, recursion=0, strict=false)
at /work/poppler/poppler/Parser.cc:120
#5 0x083895fe in XRef::fetch (this=0x8652328, num=7, gen=0, recursion=0) at /work/poppler/poppler/XRef.cc:1132
#6 0x0838b199 in XRef::getCatalog (this=0x8652328) at /work/poppler/poppler/XRef.cc:1064
#7 0x08121c54 in Catalog::Catalog (this=0x8652820, docA=0x8652148) at /work/poppler/poppler/Catalog.cc:94
#8 0x082b6280 in PDFDoc::setup (this=0x8652148, ownerPassword=0x0, userPassword=0x0) at /work/poppler/poppler/PDFDoc.cc:292
#9 0x082b663a in PDFDoc::PDFDoc (this=0x8652148, fileNameA=0x8652038, ownerPassword=0x0, userPassword=0x0, guiDataA=0x0) at /work/poppler/poppler/PDFDoc.cc:170
#10 0x084f9eda in LocalPDFDocBuilder::buildPDFDoc (this=0x86520b0, uri=..., ownerPassword=0x0, userPassword=0x0, guiDataA=0x0) at /work/poppler/poppler/LocalPDFDocBuilder.cc:31
#11 0x08113a6a in main (argc=4, argv=0xffffd7a4) at /work/poppler/utils/pdfdetach.cc:150
(gdb) p entries
$19 = (XRefEntry *) 0x0
The problem is in XRef::getEntry:
XRefEntry *XRef::getEntry(int i, bool complainIfMissing)
{
  if (i >= size || entries[i].type == xrefEntryNone) {
    if ((!xRefStream) && mainXRefEntriesOffset) {
      if (!parseEntry(mainXRefEntriesOffset + 20*i, &entries[i])) {
        error(errSyntaxError, -1, "Failed to parse XRef entry [{0:d}].", i);
      }
There is a lack of a check for the case where size is 0 and entries is null.
Attachment: nullpointerdereference.pdf
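The missing check described in the report, as an added example that is not poppler's code or its fix: a simplified table model in which an empty table has `size == 0` and a null `entries`, showing the near-null address an unguarded `&entries[i]` yields and a lookup that validates before indexing. The `Entry` and `Table` types, the `dummy` sentinel and `uncheckedAddress` are hypothetical names, and the linearized-file `parseEntry` path from the excerpt is not modelled.

```cpp
#include <cstdint>
#include <cstdio>

// Simplified stand-in for an xref entry (hypothetical layout, not poppler's class).
enum EntryType { entryFree, entryUncompressed, entryNone };
struct Entry {
    long long offset = 0;
    int gen = 0;
    EntryType type = entryNone;
    int flags = 0;
    void setFlag(int bit, bool value) {
        const int mask = 1 << bit;
        if (value) flags |= mask; else flags &= ~mask;
    }
};

// Hypothetical table model: an empty table has size == 0 and entries == nullptr.
struct Table {
    Entry *entries = nullptr;
    int size = 0;
    Entry dummy; // sentinel returned instead of an address derived from null

    // Address that "&entries[i]" would yield, computed as an integer so that
    // no invalid pointer is ever formed or dereferenced.
    std::uintptr_t uncheckedAddress(int i) const {
        return reinterpret_cast<std::uintptr_t>(entries) +
               static_cast<std::uintptr_t>(i) * sizeof(Entry);
    }

    // Guarded lookup: validate the table and the index before indexing.
    Entry *getEntry(int i) {
        if (entries == nullptr || i < 0 || i >= size) {
            dummy = Entry{}; // reset so callers never see stale state
            return &dummy;
        }
        return &entries[i];
    }
};

int main() {
    Table empty; // constructed input: same shape as the report (size 0, null entries)
    std::printf("unchecked address for i=7: %#lx\n",
                (unsigned long)empty.uncheckedAddress(7));
    Entry *e = empty.getEntry(7);
    e->setFlag(0, false); // safe: the write lands in the sentinel
    std::printf("guarded lookup returned sentinel: %d\n", e == &empty.dummy);
    return 0;
}
```

Callers that need to distinguish a missing entry can compare the returned pointer against the sentinel or check for `entryNone`.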