Your message dated Thu, 22 Oct 2020 14:48:17 +0200
with message-id <[email protected]>
and subject line Re: Bug#942391: poppler-utils: pdfinfo Jessie crash (double free)
has caused the Debian Bug report #942391,
regarding poppler-utils: pdfinfo Jessie crash (double free)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
942391: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942391
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: poppler-utils
Version: 0.26.5-2+deb8u11

Dear Maintainer,

pdfinfo on Debian Jessie crashes when analyzing the following file (crash.pdf). 
pdfinfo is not crashing on latest pdfinfo (0.81.0) or on Debian Stretch Package 
(0.48.0-2+deb9u2).

Package info:
ace@debian:~$ dpkg --list poppler-utils
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version           Architecture  Description
+++-==============-=================-=============-==================================
ii  poppler-utils  0.26.5-2+deb8u11  amd64         PDF utilities (based on Poppler)

File info:
$ md5sum crash.pdf
e575e9fc4149cbdabd9818e1b8f08a5c  crash.pdf
$ sha1sum crash.pdf
2299b30e46c7b14e0be4e94eba0c4b154dc4c79e  crash.pdf
$ sha256sum crash.pdf
22f9ecc60d557099a2316c3aea3001a692ebe0e2a5652b06801f1acb02d4794b  crash.pdf
$ file crash.pdf
crash.pdf: PDF document, version 1.4

Crash:
$  pdfinfo crash.pdf
Syntax Error: Top-level pages object is wrong type (name)
Segmentation fault

Trace from crash (gdb with peda plugin):

[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x7ffff763d620 --> 0x1
RCX: 0x5555006a626f ('obj')
RDX: 0x7ffff763d628 --> 0x5555006a626f ('obj')
RSI: 0x7ffff763d620 --> 0x1
RDI: 0x7ffff763d620 --> 0x1
RBP: 0x20 (' ')
RSP: 0x7fffffffe010 --> 0x55555578da70 --> 0x7fff0000005b
RIP: 0x7ffff7311d8f (<_int_malloc+95>:    mov    rdi,QWORD PTR [rcx+0x10])
R8 : 0x0
R9 : 0xc3250a34
R10: 0x5555557983a8 --> 0x280d ('\r(')
R11: 0x7ffff73f6e40 --> 0xfff38110fff38100
R12: 0xa ('\n')
R13: 0x55555578daa3 --> 0x4b50000555500
R14: 0xb ('\x0b')
R15: 0x7ffff7b32a80 --> 0x1
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff7311d86 <_int_malloc+86>:    lea    rdx,[rsi+0x8]
   0x7ffff7311d8a <_int_malloc+90>:    test   rcx,rcx
   0x7ffff7311d8d <_int_malloc+93>:    je     0x7ffff7311de1 <_int_malloc+177>
=> 0x7ffff7311d8f <_int_malloc+95>:    mov    rdi,QWORD PTR [rcx+0x10]
   0x7ffff7311d93 <_int_malloc+99>:    mov    rax,rcx
   0x7ffff7311d96 <_int_malloc+102>:    cmp    DWORD PTR fs:0x18,0x0
   0x7ffff7311d9f <_int_malloc+111>:    je     0x7ffff7311da2 <_int_malloc+114>
   0x7ffff7311da1 <_int_malloc+113>:    lock cmpxchg QWORD PTR [rsi+0x8],rdi
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffe010 --> 0x55555578da70 --> 0x7fff0000005b
0008| 0x7fffffffe018 --> 0x55555578da99 ("OpenAction")
0016| 0x7fffffffe020 --> 0x55555578d248 --> 0x4
0024| 0x7fffffffe028 --> 0x7ffff7ae9c4e (<gmalloc+14>:    test   rax,rax)
0032| 0x7fffffffe030 --> 0x4
0040| 0x7fffffffe038 --> 0x7ffff7aea28d (<copyString+29>:    pop    rbx)
0048| 0x7fffffffe040 --> 0x55555578da70 --> 0x7fff0000005b
0056| 0x7fffffffe048 --> 0x7ffff7a98427 (<_ZN5Lexer6getObjEP6Objecti+2439>:    mov    QWORD PTR [rbp+0x8],rax)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
_int_malloc (av=0x7ffff763d620 <main_arena>, bytes=0xb) at malloc.c:3351
3351    malloc.c: No such file or directory.

Trace from crash (Debian package with patches compiled with Address Sanitizer on another computer):

=================================================================
==9336==ERROR: AddressSanitizer: attempting double-free on 0x60200001e630 in thread T0:
    #0 0x7f873170a7b8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7b8)
    #1 0x7f87310e84d0 in Object::free() /media/cvs/GSM/fuzz/poppler/poppler-0.26.5/poppler/Object.cc:149
    #2 0x7f8730f5a664 in Dict::~Dict() /media/cvs/GSM/fuzz/poppler/poppler-0.26.5/poppler/Dict.cc:126
    #3 0x7f87310e862b in Object::free() /media/cvs/GSM/fuzz/poppler/poppler-0.26.5/poppler/Object.cc:140
    #4 0x7f8730f25719 in Catalog::Catalog(PDFDoc*) /media/cvs/GSM/fuzz/poppler/poppler-0.26.5/poppler/Catalog.cc:140
    #5 0x7f873110ee47 in PDFDoc::setup(GooString*, GooString*) /media/cvs/GSM/fuzz/poppler/poppler-0.26.5/poppler/PDFDoc.cc:281
    #6 0x7f873110f20b in PDFDoc::PDFDoc(GooString*, GooString*, GooString*, void*) /media/cvs/GSM/fuzz/poppler/poppler-0.26.5/poppler/PDFDoc.cc:165
    #7 0x7f87310e2824 in LocalPDFDocBuilder::buildPDFDoc(GooString const&, GooString*, GooString*, void*) /media/cvs/GSM/fuzz/poppler/poppler-0.26.5/poppler/LocalPDFDocBuilder.cc:31
    #8 0x559aba61d931 in main /media/cvs/GSM/fuzz/poppler/poppler-0.26.5/utils/pdfinfo.cc:185
    #9 0x7f87309f4b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #10 0x559aba61f729 in _start (/media/cvs/GSM/fuzz/poppler/poppler-0.26.5-asan/utils/.libs/pdfinfo+0x5729)

0x60200001e630 is located 0 bytes inside of 8-byte region [0x60200001e630,0x60200001e638)
freed by thread T0 here:
    #0 0x7f873170a7b8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7b8)
    #1 0x7f87310e84d0 in Object::free() /media/cvs/GSM/fuzz/poppler/poppler-0.26.5/poppler/Object.cc:149

previously allocated by thread T0 here:
    #0 0x7f873170ab50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
    #1 0x7f8731277634 in gmalloc /media/cvs/GSM/fuzz/poppler/poppler-0.26.5/goo/gmem.cc:110
    #2 0x7f8731277634 in gmalloc /media/cvs/GSM/fuzz/poppler/poppler-0.26.5/goo/gmem.cc:120

SUMMARY: AddressSanitizer: double-free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7b8) in __interceptor_free
==9336==ABORTING

As a double free is considered a security issue, this crash may be patched for the LTS of Debian Jessie.


Kind regards,
Antoine

Attachment: crash.pdf
Description: crash.pdf


--- End Message ---
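The ASan report in the message above shows an 8-byte region freed once from Object::free() and then freed a second time when Dict::~Dict() tears down its entries. The C program below is an added example and is not poppler's code; it does not claim to be the cause of bug #942391, only to model one common way such a trace arises: a value looked up from a dict is handed to the caller as a shallow copy, the caller frees its copy, and the dict's own teardown frees the same buffer again. All names (tracked_malloc, tracked_free, object, dict, scenario) are hypothetical. A small free()-tracking shim stands in for ASan's interceptor so the double free is counted rather than handed to the real allocator, which keeps the program alive long enough to compare the shallow-copy and deep-copy variants.

```c
/* Added example, not poppler code. Models the ownership pattern behind a
 * "double-free ... in Dict::~Dict() from Object::free()" style ASan report.
 * Hypothetical names throughout. Build: cc -Wall -o dblfree dblfree.c */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_LIVE 64

/* Minimal allocation tracker: a stand-in for ASan's free() interceptor.
 * It remembers every pointer handed out and refuses to free one twice,
 * counting the attempt instead of corrupting the heap. */
static void *live[MAX_LIVE];
static int double_free_count;

static void *tracked_malloc(size_t n) {
    void *p = malloc(n);
    if (!p) abort();
    for (int i = 0; i < MAX_LIVE; i++) {
        if (!live[i]) { live[i] = p; return p; }
    }
    abort();                     /* table full: not expected in this example */
}

/* Returns 1 on a legitimate free, 0 on a double free (which is only counted). */
static int tracked_free(void *p) {
    for (int i = 0; i < MAX_LIVE; i++) {
        if (live[i] == p) { live[i] = NULL; free(p); return 1; }
    }
    double_free_count++;
    return 0;
}

/* Number of allocations not yet freed; lets the caller check for leaks too. */
static int live_count(void) {
    int n = 0;
    for (int i = 0; i < MAX_LIVE; i++) n += (live[i] != NULL);
    return n;
}

/* Toy PDF object model (hypothetical): an object is nothing, a string, or a
 * dict that owns its entry values. Only string values are stored in dicts. */
enum obj_type { objNone, objString, objDict };
struct object;
struct dict { int n; struct object *vals; };
struct object { enum obj_type type; union { char *str; struct dict *dict; } u; };

static void object_free(struct object *o) {
    switch (o->type) {
    case objString:
        tracked_free(o->u.str);
        break;
    case objDict:                /* dict destructor frees every owned value */
        for (int i = 0; i < o->u.dict->n; i++) object_free(&o->u.dict->vals[i]);
        tracked_free(o->u.dict->vals);
        tracked_free(o->u.dict);
        break;
    default:
        break;
    }
    o->type = objNone;           /* protects this struct, but not aliased copies */
    o->u.str = NULL;
}

/* A shallow copy shares the string with the dict entry: two owners, one buffer. */
static struct object object_copy_shallow(const struct object *src) {
    return *src;
}

/* A deep copy gives the caller its own buffer, so both copies may be freed. */
static struct object object_copy_deep(const struct object *src) {
    struct object dst = *src;
    if (src->type == objString) {
        size_t len = strlen(src->u.str) + 1;
        dst.u.str = tracked_malloc(len);
        memcpy(dst.u.str, src->u.str, len);
    }
    return dst;
}

static void build_catalog(struct object *catalog, const char *val) {
    struct dict *d = tracked_malloc(sizeof *d);
    d->n = 1;
    d->vals = tracked_malloc(sizeof *d->vals);
    d->vals[0].type = objString;
    d->vals[0].u.str = tracked_malloc(strlen(val) + 1);
    strcpy(d->vals[0].u.str, val);
    catalog->type = objDict;
    catalog->u.dict = d;
}

/* Scenario: code looks up an entry, frees its copy when done, then tears
 * down the whole catalog. Returns the number of double frees detected. */
static int scenario(int deep_copy) {
    struct object catalog, entry;
    double_free_count = 0;
    build_catalog(&catalog, "Pages");   /* constructed sample value */
    entry = deep_copy ? object_copy_deep(&catalog.u.dict->vals[0])
                      : object_copy_shallow(&catalog.u.dict->vals[0]);
    object_free(&entry);         /* first free of the string buffer */
    object_free(&catalog);       /* dict teardown frees it again if shared */
    return double_free_count;
}

int main(void) {
    int dbl = scenario(0);
    printf("shallow copy: %d double free(s), %d still live\n", dbl, live_count());
    dbl = scenario(1);
    printf("deep copy:    %d double free(s), %d still live\n", dbl, live_count());
    return 0;
}
```

The shallow variant reports one double free and the deep variant none, with no allocation left live in either case, so the fix does not trade the double free for a leak. Resetting the freed struct to objNone is worth keeping, but it only makes a repeated free of the same struct harmless; it cannot help when two structs alias one buffer, which is why ownership on copy is the property to check when triaging a trace like the one above. Swapping tracked_free for the real free() and building with -fsanitize=address turns the shallow scenario into the same "attempting double-free" report.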
--- Begin Message ---
Hello,

On Tue, 15 Oct 2019, Antoine Cervoise wrote:
> pdfinfo on Debian Jessie crashes when analyzing the following file 
> (crash.pdf). pdfinfo is not crashing on latest pdfinfo (0.81.0) or on Debian 
> Stretch Package (0.48.0-2+deb9u2).

Debian is no longer supporting Debian 8 Jessie and given that you can't
reproduce the issue with stretch or newer, there's no point to keep
this bug report open. I'm thus closing it with this mail.

Cheers,
-- 
  ⢀⣴⠾⠻⢶⣦⠀   Raphaël Hertzog <[email protected]>
  ⣾⠁⢠⠒⠀⣿⡁
  ⢿⡄⠘⠷⠚⠋    The Debian Handbook: https://debian-handbook.info/get/
  ⠈⠳⣄⠀⠀⠀⠀   Debian Long Term Support: https://deb.li/LTS

--- End Message ---
