-- GitLab Migration Automatic Message --

This bug has been migrated to freedesktop.org's GitLab instance and has
been closed from further activity.

You can subscribe and participate further through the new bug through
this link to our GitLab instance:
https://gitlab.freedesktop.org/poppler/poppler/issues/86.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to poppler in Ubuntu.
https://bugs.launchpad.net/bugs/1505858

Title:
  Segmentation fault in JPXStream::readTilePartData(JPXStream.cc:2142)

Status in Poppler:
  Unknown
Status in poppler package in Ubuntu:
  Confirmed

Bug description:
  Hello,

  I've found some vulnerabilities in PDF viewers using the famous library
  named poppler, such as evince, xpdf, okular and so on.

  This is my short report, and I used the latest version of poppler (poppler-0.37.0).
  Plus I've attached a finding as a comment below.

  To be honest, I already posted this bug on poppler's bug tracker and the developer answered
  the question (https://bugs.freedesktop.org/show_bug.cgi?id=92450#c1).
  As far as I can tell, all of the software I tested, such as evince,
  xpdf and okular on an Ubuntu system, has the same problem.
  So I'd like to post this issue here.

  In detail:

  alex@vm64 $ uname -a
  Linux vm64 4.2.0-16-generic #19-Ubuntu SMP Thu Oct 8 15:35:06 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

  alex@vm64 $ cat /etc/lsb-release
  DISTRIB_ID=Ubuntu
  DISTRIB_RELEASE=15.10
  DISTRIB_CODENAME=wily
  DISTRIB_DESCRIPTION="Ubuntu Wily Werewolf (development branch)"

  okular:
    Installed: 4:15.08.1-0ubuntu1
    Candidate: 4:15.08.1-0ubuntu1
    Version table:
   *** 4:15.08.1-0ubuntu1 0
          500 http://kr.archive.ubuntu.com/ubuntu/ wily/universe amd64 Packages
          100 /var/lib/dpkg/status

  xpdf:
    Installed: 3.03-17ubuntu2
    Candidate: 3.03-17ubuntu2
    Version table:
   *** 3.03-17ubuntu2 0
          500 http://kr.archive.ubuntu.com/ubuntu/ wily/universe amd64 Packages
          100 /var/lib/dpkg/status

  evince:
    Installed: 3.16.1-0ubuntu1
    Candidate: 3.16.1-0ubuntu1
    Version table:
   *** 3.16.1-0ubuntu1 0
          500 http://kr.archive.ubuntu.com/ubuntu/ wily/main amd64 Packages
          100 /var/lib/dpkg/status

  libpoppler-dev:
    Installed: 0.33.0-0ubuntu3
    Candidate: 0.33.0-0ubuntu3
    Version table:
   *** 0.33.0-0ubuntu3 0
          500 http://kr.archive.ubuntu.com/ubuntu/ wily/main amd64 Packages
          100 /var/lib/dpkg/status

  + I used the latest version of poppler too.

  Application: Okular (okular), signal: Segmentation fault
  Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
  pthread_cond_wait@@GLIBC_2.3.2 () at ../sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185
  [Current thread is 1 (Thread 0x7f640ae42840 (LWP 6180))]

  Thread 4 (Thread 0x7f63f36f1700 (LWP 6184)):
  #0  0x00007f6407db6743 in select () at ../sysdeps/unix/syscall-template.S:81
  #1  0x00007f64087ed51f in ?? () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
  #2  0x00007f6408702d1c in ?? () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
  #3  0x00007f640537c6aa in start_thread (arg=0x7f63f36f1700) at pthread_create.c:333
  #4  0x00007f6407dbfeed in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109

  Thread 3 (Thread 0x7f63f253c700 (LWP 6200)):
  [KCrash Handler]
  #6  0x00007f63f25f5619 in JPXStream::readTilePartData(unsigned int, unsigned int, bool) () from /usr/lib/x86_64-linux-gnu/libpoppler.so.52
  #7  0x00007f63f25f6b73 in JPXStream::readTilePart() () from /usr/lib/x86_64-linux-gnu/libpoppler.so.52
  #8  0x00007f63f25f7a77 in JPXStream::readCodestream(unsigned int) () from /usr/lib/x86_64-linux-gnu/libpoppler.so.52
  #9  0x00007f63f25f9c95 in JPXStream::readBoxes() () from /usr/lib/x86_64-linux-gnu/libpoppler.so.52
  #10 0x00007f63f25fa0d6 in JPXStream::reset() () from /usr/lib/x86_64-linux-gnu/libpoppler.so.52
  #11 0x00007f63f25edbf9 in SplashOutputDev::drawImage(GfxState*, Object*, Stream*, int, int, GfxImageColorMap*, bool, int*, bool) () from /usr/lib/x86_64-linux-gnu/libpoppler.so.52
  #12 0x00007f63f26419ca in Gfx::doImage(Object*, Stream*, bool) () from /usr/lib/x86_64-linux-gnu/libpoppler.so.52
  #13 0x00007f63f2642ce8 in Gfx::opXObject(Object*, int) () from /usr/lib/x86_64-linux-gnu/libpoppler.so.52
  #14 0x00007f63f263cffe in Gfx::go(bool) () from /usr/lib/x86_64-linux-gnu/libpoppler.so.52
  #15 0x00007f63f263d4a0 in Gfx::display(Object*, bool) () from /usr/lib/x86_64-linux-gnu/libpoppler.so.52
  #16 0x00007f63f2683255 in Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) () from /usr/lib/x86_64-linux-gnu/libpoppler.so.52
  #17 0x00007f63f29dadc6 in Poppler::Page::renderToImage(double, double, int, int, int, int, Poppler::Page::Rotation) const () from /usr/lib/x86_64-linux-gnu/libpoppler-qt4.so.4
  #18 0x00007f63f2c2be74 in ?? () from /usr/lib/kde4/okularGenerator_poppler.so
  #19 0x00007f63f738c613 in ?? () from /usr/lib/libokularcore.so.6
  #20 0x00007f6408702d1c in ?? () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
  #21 0x00007f640537c6aa in start_thread (arg=0x7f63f253c700) at pthread_create.c:333
  #22 0x00007f6407dbfeed in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109

  Thread 2 (Thread 0x7f63f1d3b700 (LWP 6201)):
  #0  syscall () at ../sysdeps/unix/sysv/linux/x86_64/syscall.S:38
  #1  0x00007f6408701622 in ?? () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
  #2  0x00007f64086fd8e5 in QMutex::lockInternal() () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
  #3  0x00007f63f2c2acf4 in ?? () from /usr/lib/kde4/okularGenerator_poppler.so
  #4  0x00007f63f738bf12 in ?? () from /usr/lib/libokularcore.so.6
  #5  0x00007f6408702d1c in ?? () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
  #6  0x00007f640537c6aa in start_thread (arg=0x7f63f1d3b700) at pthread_create.c:333
  #7  0x00007f6407dbfeed in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109

  Thread 1 (Thread 0x7f640ae42840 (LWP 6180)):
  #0  pthread_cond_wait@@GLIBC_2.3.2 () at ../sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185
  #1  0x00007f6408703286 in QWaitCondition::wait(QMutex*, unsigned long) () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
  #2  0x00007f64087028ae in QThread::wait(unsigned long) () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
  #3  0x00007f64087ed0ad in ?? () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
  #4  0x00007f6407cf2d32 in __run_exit_handlers (status=1, listp=0x7f640807d698 <__exit_funcs>, run_list_atexit=run_list_atexit@entry=true) at exit.c:82
  #5  0x00007f6407cf2d85 in __GI_exit (status=<optimized out>) at exit.c:104
  #6  0x00007f640928e6a8 in ?? () from /usr/lib/x86_64-linux-gnu/libQtGui.so.4
  #7  0x00007f6409f83370 in KApplication::xioErrhandler(_XDisplay*) () from /usr/lib/libkdeui.so.5
  #8  0x00007f64071cbcee in _XIOError () from /usr/lib/x86_64-linux-gnu/libX11.so.6
  #9  0x00007f64071c957d in _XEventsQueued () from /usr/lib/x86_64-linux-gnu/libX11.so.6
  #10 0x00007f64071a5832 in XCheckIfEvent () from /usr/lib/x86_64-linux-gnu/libX11.so.6
  #11 0x00007f64092923e9 in ?? () from /usr/lib/x86_64-linux-gnu/libQtGui.so.4
  #12 0x00007f64092a26eb in QApplication::x11ProcessEvent(_XEvent*) () from /usr/lib/x86_64-linux-gnu/libQtGui.so.4
  #13 0x00007f64092ccb52 in ?? () from /usr/lib/x86_64-linux-gnu/libQtGui.so.4
  #14 0x00007f6404e96ff7 in g_main_context_dispatch () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
  #15 0x00007f6404e97250 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
  #16 0x00007f6404e972fc in g_main_context_iteration () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
  #17 0x00007f64088431ee in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
  #18 0x00007f64092ccc26 in ?? () from /usr/lib/x86_64-linux-gnu/libQtGui.so.4
  #19 0x00007f64088110d1 in QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
  #20 0x00007f6408811445 in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
  #21 0x00007f6408817429 in QCoreApplication::exec() () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
  #22 0x0000000000409878 in ?? ()
  #23 0x00007f6407cd9a40 in __libc_start_main (main=0x409430, argc=2, argv=0x7ffd3a61ac18, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffd3a61ac08) at libc-start.c:289
  #24 0x000000000040b4a9 in _start ()

  evince 3.16.1 / xpdf version 3.03

  ********************************************************************************
  Segmentation fault
  ********************************************************************************

  crashed file: fuzz_id_27683_OliviaOil_24.pdf.tc_bf1_pos_3460_size_1

  Register dump:

   RAX: 0000000000000000   RBX: 0000000000000001   RCX: 0000000000000000
   RDX: 0000000000000006   RSI: 0000000000000002   RDI: 0000000000000000
   RBP: 0000000000000000   R8 : 0000000000000000   R9 : 0000000000000006
   R10: 0000000000000070   R11: 0000000000000000   R12: 00000000014af420
   R13: 00000000000018d2   R14: 00000000014af420   R15: 00000000014d7600
   RSP: 00007ffdede2b6b0

   RIP: 00007f28d94be0df   EFLAGS: 00010246

   CS: 0033   FS: 0000   GS: 0000

   Trap: 0000000e   Error: 00000004   OldMask: 00000000   CR2: 00000010

  stack trace:
  0x00007ffdede2b6b0: 10 fa 4a 01 00 00 00 00 00 00 00 00 00 00 00 00  ..J.............
  0x00007ffdede2b6c0: 20 f4 4a 01 00 00 00 00 50 dc 4b 01 00 00 00 00  .J.....P.K.....
  0x00007ffdede2b6d0: 14 b7 e2 ed fd 7f 00 00 03 00 00 00 01 00 00 00  ................
  0x00007ffdede2b6e0: 90 d2 4b 01 00 00 00 00 00 00 00 00 01 00 00 00  ..K.............
  0x00007ffdede2b6f0: 01 00 00 00 00 00 00 00 20 f4 4a 01 00 00 00 00  ........ .J.....
  0x00007ffdede2b700: a0 41 54 01 00 00 00 00 01 00 00 00 00 00 00 00  .AT.............
  0x00007ffdede2b710: d0 52 54 01 01 00 00 00 00 48 38 da c1 7a d9 ac  .RT......H8..z..
  0x00007ffdede2b720: 90 96 54 01 00 00 00 00 10 fa 4a 01 00 00 00 00  ..T.......J.....

  Backtrace:
  0x00007f28e4d22cc0: [catch_segfault():4000]
  0x00007f28e3512d10: [__restore_rt():0]
  0x00007f28d94be0df: [_ZN9JPXStream16readTilePartDataEjjb():287]
  0x00007f28d94bf688: [_ZN9JPXStream12readTilePartEv():2920]
  0x00007f28d94c1278: [_ZN9JPXStream14readCodestreamEj():248]
  0x00007f28d94c3ff1: [_ZN9JPXStream9readBoxesEv():1809]
  0x00007f28d94c4766: [_ZN9JPXStream5resetEv():22]
  0x00007f28d9c8d753: [_ZN14CairoOutputDev9drawImageEP8GfxStateP6ObjectP6StreamiiP16GfxImageColorMapbPib():323]
  0x00007f28d950ce45: [_ZN3Gfx7doImageEP6ObjectP6Streamb():3013]
  0x00007f28d950e143: [_ZN3Gfx9opXObjectEP6Objecti():627]
  0x00007f28d9508058: [_ZN3Gfx2goEb():344]
  0x00007f28d9508558: [_ZN3Gfx7displayEP6Objectb():280]
  0x00007f28d9550dc5: [_ZN4Page12displaySliceEP9OutputDevddibbiiiibPFbPvES2_PFbP5AnnotS2_ES2_b():357]
  0x00007f28d9c76522: [poppler_page_get_type():482]
  0x00007f28d9eb5ad3: [_init():13019]
  0x00007f28d9eb616e: [_init():14710]
  0x0000000000401a90: [_init():2368]
  0x000000000040172d: [_init():1501]
  0x00007f28e3158a40: [__libc_start_main():240]
  0x00000000004018a9: [_init():1881]

  Disassemble:
  0x00007f28d94be0df: add      rax, qword ptr [rdi + 0x10]
  0x00007f28d94be0e3: mov      r11d, dword ptr [rax + 0x14]
  0x00007f28d94be0e7: test     r11d, r11d
  0x00007f28d94be0ea: je       0x7f28d94be25d
  0x00007f28d94be0f0: mov      r8d, dword ptr [rax + 0x10]
  0x00007f28d94be0f4: mov      r13, qword ptr [rsp]
  0x00007f28d94be0f8: mov      r15, r14

  HASHTAG: 8DBAE794E10FF8F8CBF9AA94744D5759

  Thanks
  -Alex
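As an added triage aid, not part of the reporter's submission or of poppler itself, the script below parses the register dump, the trap/error fields and the faulting instruction quoted in the report and checks whether the fault is a plain NULL-pointer read (zero base register, operand address equal to CR2, first page). The excerpt is constructed from the values on this page; the function names are my own.

```python
import re

# Constructed excerpt copied from the register dump, trap fields and
# faulting instruction in the report above (layout trimmed).
CRASH_EXCERPT = """\
 RAX: 0000000000000000   RBX: 0000000000000001   RCX: 0000000000000000
 RDX: 0000000000000006   RSI: 0000000000000002   RDI: 0000000000000000
 RIP: 00007f28d94be0df   EFLAGS: 00010246
 Trap: 0000000e   Error: 00000004   OldMask: 00000000   CR2: 00000010
Disassemble:
 0x00007f28d94be0df: add      rax, qword ptr [rdi + 0x10]
"""

def parse_registers(text):
    """Collect NAME: hexvalue pairs (registers, Trap, Error, CR2) as ints."""
    pairs = re.findall(r'\b(R[A-Z0-9]+|CR2|Trap|Error)\s*:\s*([0-9a-fA-F]+)', text)
    return {name: int(val, 16) for name, val in pairs}

def fault_operand(disasm_line, regs):
    """Evaluate the [base +/- disp] memory operand of the faulting instruction."""
    m = re.search(r'\[(\w+)\s*([+-])\s*0x([0-9a-fA-F]+)\]', disasm_line)
    base, disp = m.group(1).upper(), int(m.group(3), 16)
    addr = regs[base] + disp if m.group(2) == '+' else regs[base] - disp
    return base, addr

def classify_fault(text):
    """Decode the x86 page-fault error code and check the operand against CR2."""
    regs = parse_registers(text)
    rip_line = re.search(r'0x%016x:\s*(.+)' % regs['RIP'], text).group(1)
    base, addr = fault_operand(rip_line, regs)
    err = regs['Error']          # error code bits: 0=present, 1=write, 2=user
    verdict = {
        'page_fault': regs['Trap'] == 0x0e,
        'access': 'write' if err & 0x2 else 'read',
        'user_mode': bool(err & 0x4),
        'page_present': bool(err & 0x1),
        'operand_matches_cr2': addr == regs['CR2'],
        'base_register': base,
        'offset': addr - regs[base],
    }
    # A read through a zero base register into the first page is a plain
    # NULL-pointer dereference: a crash (DoS), not a controlled memory write.
    verdict['null_deref'] = (verdict['page_fault'] and regs[base] == 0
                             and verdict['operand_matches_cr2'] and addr < 0x1000)
    return verdict

if __name__ == '__main__':
    for key, value in classify_fault(CRASH_EXCERPT).items():
        print(f'{key}: {value}')
```

For this report the verdict is a user-mode read through a NULL RDI at offset 0x10, consistent with the `CR2: 00000010` value the reporter captured.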
