Package: poppler-utils
Version: 0.26.5-2+deb8u11

Dear Maintainer,

pdfinfo on Debian Jessie crashes when analyzing the following file (crash.pdf).
pdfinfo does not crash with the latest pdfinfo (0.81.0) or with the Debian Stretch package (0.48.0-2+deb9u2).
Package info:
ace@debian:~$ dpkg --list poppler-utils
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version           Architecture  Description
+++-==============-=================-=============-================================
ii  poppler-utils  0.26.5-2+deb8u11  amd64         PDF utilities (based on Poppler)
File info:
$ md5sum crash.pdf
e575e9fc4149cbdabd9818e1b8f08a5c crash.pdf
$ sha1sum crash.pdf
2299b30e46c7b14e0be4e94eba0c4b154dc4c79e crash.pdf
$ sha256sum crash.pdf
22f9ecc60d557099a2316c3aea3001a692ebe0e2a5652b06801f1acb02d4794b crash.pdf
$ file crash.pdf
crash.pdf: PDF document, version 1.4
Crash:
$ pdfinfo crash.pdf
Syntax Error: Top-level pages object is wrong type (name)
Segmentation fault
Trace from crash (gdb with peda plugin):
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x7ffff763d620 --> 0x1
RCX: 0x5555006a626f ('obj')
RDX: 0x7ffff763d628 --> 0x5555006a626f ('obj')
RSI: 0x7ffff763d620 --> 0x1
RDI: 0x7ffff763d620 --> 0x1
RBP: 0x20 (' ')
RSP: 0x7fffffffe010 --> 0x55555578da70 --> 0x7fff0000005b
RIP: 0x7ffff7311d8f (<_int_malloc+95>: mov rdi,QWORD PTR [rcx+0x10])
R8 : 0x0
R9 : 0xc3250a34
R10: 0x5555557983a8 --> 0x280d ('\r(')
R11: 0x7ffff73f6e40 --> 0xfff38110fff38100
R12: 0xa ('\n')
R13: 0x55555578daa3 --> 0x4b50000555500
R14: 0xb ('\x0b')
R15: 0x7ffff7b32a80 --> 0x1
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x7ffff7311d86 <_int_malloc+86>: lea rdx,[rsi+0x8]
0x7ffff7311d8a <_int_malloc+90>: test rcx,rcx
0x7ffff7311d8d <_int_malloc+93>: je 0x7ffff7311de1 <_int_malloc+177>
=> 0x7ffff7311d8f <_int_malloc+95>: mov rdi,QWORD PTR [rcx+0x10]
0x7ffff7311d93 <_int_malloc+99>: mov rax,rcx
0x7ffff7311d96 <_int_malloc+102>: cmp DWORD PTR fs:0x18,0x0
0x7ffff7311d9f <_int_malloc+111>: je 0x7ffff7311da2 <_int_malloc+114>
0x7ffff7311da1 <_int_malloc+113>: lock cmpxchg QWORD PTR [rsi+0x8],rdi
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffe010 --> 0x55555578da70 --> 0x7fff0000005b
0008| 0x7fffffffe018 --> 0x55555578da99 ("OpenAction")
0016| 0x7fffffffe020 --> 0x55555578d248 --> 0x4
0024| 0x7fffffffe028 --> 0x7ffff7ae9c4e (<gmalloc+14>: test rax,rax)
0032| 0x7fffffffe030 --> 0x4
0040| 0x7fffffffe038 --> 0x7ffff7aea28d (<copyString+29>: pop rbx)
0048| 0x7fffffffe040 --> 0x55555578da70 --> 0x7fff0000005b
0056| 0x7fffffffe048 --> 0x7ffff7a98427 (<_ZN5Lexer6getObjEP6Objecti+2439>: mov QWORD PTR [rbp+0x8],rax)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
_int_malloc (av=0x7ffff763d620 <main_arena>, bytes=0xb) at malloc.c:3351
3351 malloc.c: No such file or directory.
Trace from crash (Debian package with patches, compiled with AddressSanitizer on another computer):
=================================================================
==9336==ERROR: AddressSanitizer: attempting double-free on 0x60200001e630 in thread T0:
    #0 0x7f873170a7b8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7b8)
    #1 0x7f87310e84d0 in Object::free() /media/cvs/GSM/fuzz/poppler/poppler-0.26.5/poppler/Object.cc:149
    #2 0x7f8730f5a664 in Dict::~Dict() /media/cvs/GSM/fuzz/poppler/poppler-0.26.5/poppler/Dict.cc:126
    #3 0x7f87310e862b in Object::free() /media/cvs/GSM/fuzz/poppler/poppler-0.26.5/poppler/Object.cc:140
    #4 0x7f8730f25719 in Catalog::Catalog(PDFDoc*) /media/cvs/GSM/fuzz/poppler/poppler-0.26.5/poppler/Catalog.cc:140
    #5 0x7f873110ee47 in PDFDoc::setup(GooString*, GooString*) /media/cvs/GSM/fuzz/poppler/poppler-0.26.5/poppler/PDFDoc.cc:281
    #6 0x7f873110f20b in PDFDoc::PDFDoc(GooString*, GooString*, GooString*, void*) /media/cvs/GSM/fuzz/poppler/poppler-0.26.5/poppler/PDFDoc.cc:165
    #7 0x7f87310e2824 in LocalPDFDocBuilder::buildPDFDoc(GooString const&, GooString*, GooString*, void*) /media/cvs/GSM/fuzz/poppler/poppler-0.26.5/poppler/LocalPDFDocBuilder.cc:31
    #8 0x559aba61d931 in main /media/cvs/GSM/fuzz/poppler/poppler-0.26.5/utils/pdfinfo.cc:185
    #9 0x7f87309f4b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #10 0x559aba61f729 in _start (/media/cvs/GSM/fuzz/poppler/poppler-0.26.5-asan/utils/.libs/pdfinfo+0x5729)

0x60200001e630 is located 0 bytes inside of 8-byte region [0x60200001e630,0x60200001e638)
freed by thread T0 here:
    #0 0x7f873170a7b8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7b8)
    #1 0x7f87310e84d0 in Object::free() /media/cvs/GSM/fuzz/poppler/poppler-0.26.5/poppler/Object.cc:149

previously allocated by thread T0 here:
    #0 0x7f873170ab50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
    #1 0x7f8731277634 in gmalloc /media/cvs/GSM/fuzz/poppler/poppler-0.26.5/goo/gmem.cc:110
    #2 0x7f8731277634 in gmalloc /media/cvs/GSM/fuzz/poppler/poppler-0.26.5/goo/gmem.cc:120

SUMMARY: AddressSanitizer: double-free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7b8) in __interceptor_free
==9336==ABORTING
As a double free is considered a security issue, this crash may be patched for the LTS of Debian Jessie.
Kind regards,
Antoine
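Triage helpers for the report above, added here as an example; this is not the reporter's code, not poppler's, and the generated file is not the crash.pdf attached to the report. The report gives two concrete facts: the parser message "Top-level pages object is wrong type (name)", i.e. the catalog's /Pages entry is a PDF name rather than a dictionary, and the md5/sha1/sha256 of the attachment. The script below builds a minimal, structurally well-formed PDF whose /Pages is a name (with an /OpenAction as well, only because that string appears on the gdb stack in the report; whether it matters is an assumption), so a parser gets as far as the catalog instead of rejecting the xref first, and it computes the same three digests so a received attachment can be checked against the quoted values. Whether the constructed file reaches the same double free on 0.26.5 is not something the report establishes; it is a starting point for reproduction, nothing more.

```python
#!/usr/bin/env python3
"""Triage helpers for the pdfinfo double-free report (added example,
not the reporter's or poppler's code)."""
import hashlib
import subprocess
import sys

# Digests of crash.pdf exactly as quoted in the report.
REPORTED_HASHES = {
    "md5": "e575e9fc4149cbdabd9818e1b8f08a5c",
    "sha1": "2299b30e46c7b14e0be4e94eba0c4b154dc4c79e",
    "sha256": "22f9ecc60d557099a2316c3aea3001a692ebe0e2a5652b06801f1acb02d4794b",
}


def build_pdf(objects, root_num=1):
    """Serialise (number, body) pairs with a correct xref table and trailer,
    so a strict parser accepts the file structure and reaches the catalog."""
    out = bytearray(b"%PDF-1.4\n")
    offsets = {}
    for num, body in objects:
        offsets[num] = len(out)
        out += f"{num} 0 obj\n".encode() + body + b"\nendobj\n"
    count = max(offsets) + 1
    xref_pos = len(out)
    out += f"xref\n0 {count}\n".encode()
    out += b"0000000000 65535 f \n"            # entry 0 is always free
    for num in range(1, count):
        out += f"{offsets[num]:010d} 00000 n \n".encode()
    out += (f"trailer\n<< /Size {count} /Root {root_num} 0 R >>\n"
            f"startxref\n{xref_pos}\n%%EOF\n").encode()
    return bytes(out)


def build_pages_as_name_pdf():
    """Constructed input (assumption): a catalog whose /Pages is the *name*
    /NotADict instead of a reference to a /Pages dictionary. This is the
    condition the parser reports as "Top-level pages object is wrong type
    (name)". The /OpenAction is included only because "OpenAction" is
    visible on the gdb stack in the report."""
    objects = [
        (1, b"<< /Type /Catalog /Pages /NotADict "
            b"/OpenAction << /S /GoTo /D [ 2 0 R /Fit ] >> >>"),
        (2, b"<< /Type /Page /MediaBox [0 0 200 200] >>"),
    ]
    return build_pdf(objects)


def digests(data):
    """md5/sha1/sha256 hex digests of a byte string, keyed like the report."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256")}


def file_digests(path):
    """Same triple for a file on disk, hashed in 64 KiB chunks."""
    hashes = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            for h in hashes.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashes.items()}


def matches_report(d):
    """True only if all three digests equal the ones quoted in the report."""
    return d == REPORTED_HASHES


def run_pdfinfo(path):
    """Run pdfinfo on a file; a negative return code is the signal that killed
    it (-11 = SIGSEGV). Returns None when pdfinfo is not on PATH."""
    try:
        proc = subprocess.run(["pdfinfo", path], capture_output=True, timeout=30)
    except FileNotFoundError:
        return None
    return proc.returncode


if __name__ == "__main__":
    # With an argument: hash (and run pdfinfo on) that file, e.g. the real
    # crash.pdf. Without one: write the constructed sample and use that.
    target = sys.argv[1] if len(sys.argv) > 1 else "pages-as-name.pdf"
    if len(sys.argv) < 2:
        with open(target, "wb") as f:
            f.write(build_pages_as_name_pdf())
    d = file_digests(target)
    for name, value in d.items():
        print(f"{name}: {value}")
    print("matches report's crash.pdf:", matches_report(d))
    rc = run_pdfinfo(target)
    if rc is None:
        print("pdfinfo not found on PATH")
    elif rc < 0:
        print(f"pdfinfo died with signal {-rc}")
    else:
        print(f"pdfinfo exited with status {rc}")
```

Run it as `python3 triage.py crash.pdf` to confirm an attachment's digests before spending time on it, or with no argument to generate the constructed sample; on a vulnerable build, a `pdfinfo died with signal 11` line is the equivalent of the "Segmentation fault" in the report, and running the ASan build instead gives the double-free trace.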