desktop-packages team mailing list archive
Message #146167
[Bug 1505858] Re: Segmentation fault in JPXStream::readTilePartData(JPXStream.cc:2142)
** Bug watch added: freedesktop.org Bugzilla #92450
https://bugs.freedesktop.org/show_bug.cgi?id=92450
** Also affects: poppler via
https://bugs.freedesktop.org/show_bug.cgi?id=92450
Importance: Unknown
Status: Unknown
** Information type changed from Private Security to Public Security
** Changed in: poppler (Ubuntu)
Status: New => Confirmed
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to poppler in Ubuntu.
https://bugs.launchpad.net/bugs/1505858
Title:
Segmentation fault in JPXStream::readTilePartData(JPXStream.cc:2142)
Status in Poppler:
Unknown
Status in poppler package in Ubuntu:
Confirmed
Bug description:
Hello,
I've found some vulnerabilities in PDF viewers using the famous library
named poppler, such as evince, xpdf, okular and so on.
This is my short report, and I used the latest version of poppler (poppler-0.37.0).
Plus I've attached a finding as a comment below.
To be honest, I already posted this bug on poppler's Bugzilla and the developer answered the question (https://bugs.freedesktop.org/show_bug.cgi?id=92450#c1).
As far as I can tell, all of the software I tested, such as evince, xpdf and okular on an Ubuntu system, has the same problem.
So I'd like to post this issue here.
In detail:
alex@vm64 $ uname -a
Linux vm64 4.2.0-16-generic #19-Ubuntu SMP Thu Oct 8 15:35:06 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
alex@vm64 $ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=15.10
DISTRIB_CODENAME=wily
DISTRIB_DESCRIPTION="Ubuntu Wily Werewolf (development branch)"
okular:
Installed: 4:15.08.1-0ubuntu1
Candidate: 4:15.08.1-0ubuntu1
Version table:
*** 4:15.08.1-0ubuntu1 0
500 http://kr.archive.ubuntu.com/ubuntu/ wily/universe amd64 Packages
100 /var/lib/dpkg/status
xpdf:
Installed: 3.03-17ubuntu2
Candidate: 3.03-17ubuntu2
Version table:
*** 3.03-17ubuntu2 0
500 http://kr.archive.ubuntu.com/ubuntu/ wily/universe amd64 Packages
100 /var/lib/dpkg/status
evince:
Installed: 3.16.1-0ubuntu1
Candidate: 3.16.1-0ubuntu1
Version table:
*** 3.16.1-0ubuntu1 0
500 http://kr.archive.ubuntu.com/ubuntu/ wily/main amd64 Packages
100 /var/lib/dpkg/status
libpoppler-dev:
Installed: 0.33.0-0ubuntu3
Candidate: 0.33.0-0ubuntu3
Version table:
*** 0.33.0-0ubuntu3 0
500 http://kr.archive.ubuntu.com/ubuntu/ wily/main amd64 Packages
100 /var/lib/dpkg/status
+ I used the latest version of poppler too.
Application: Okular (okular), signal: Segmentation fault
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
pthread_cond_wait@@GLIBC_2.3.2 () at ../sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185
[Current thread is 1 (Thread 0x7f640ae42840 (LWP 6180))]
Thread 4 (Thread 0x7f63f36f1700 (LWP 6184)):
#0 0x00007f6407db6743 in select () at ../sysdeps/unix/syscall-template.S:81
#1 0x00007f64087ed51f in ?? () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
#2 0x00007f6408702d1c in ?? () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
#3 0x00007f640537c6aa in start_thread (arg=0x7f63f36f1700) at pthread_create.c:333
#4 0x00007f6407dbfeed in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109
Thread 3 (Thread 0x7f63f253c700 (LWP 6200)):
[KCrash Handler]
#6 0x00007f63f25f5619 in JPXStream::readTilePartData(unsigned int, unsigned int, bool) () from /usr/lib/x86_64-linux-gnu/libpoppler.so.52
#7 0x00007f63f25f6b73 in JPXStream::readTilePart() () from /usr/lib/x86_64-linux-gnu/libpoppler.so.52
#8 0x00007f63f25f7a77 in JPXStream::readCodestream(unsigned int) () from /usr/lib/x86_64-linux-gnu/libpoppler.so.52
#9 0x00007f63f25f9c95 in JPXStream::readBoxes() () from /usr/lib/x86_64-linux-gnu/libpoppler.so.52
#10 0x00007f63f25fa0d6 in JPXStream::reset() () from /usr/lib/x86_64-linux-gnu/libpoppler.so.52
#11 0x00007f63f25edbf9 in SplashOutputDev::drawImage(GfxState*, Object*, Stream*, int, int, GfxImageColorMap*, bool, int*, bool) () from /usr/lib/x86_64-linux-gnu/libpoppler.so.52
#12 0x00007f63f26419ca in Gfx::doImage(Object*, Stream*, bool) () from /usr/lib/x86_64-linux-gnu/libpoppler.so.52
#13 0x00007f63f2642ce8 in Gfx::opXObject(Object*, int) () from /usr/lib/x86_64-linux-gnu/libpoppler.so.52
#14 0x00007f63f263cffe in Gfx::go(bool) () from /usr/lib/x86_64-linux-gnu/libpoppler.so.52
#15 0x00007f63f263d4a0 in Gfx::display(Object*, bool) () from /usr/lib/x86_64-linux-gnu/libpoppler.so.52
#16 0x00007f63f2683255 in Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) () from /usr/lib/x86_64-linux-gnu/libpoppler.so.52
#17 0x00007f63f29dadc6 in Poppler::Page::renderToImage(double, double, int, int, int, int, Poppler::Page::Rotation) const () from /usr/lib/x86_64-linux-gnu/libpoppler-qt4.so.4
#18 0x00007f63f2c2be74 in ?? () from /usr/lib/kde4/okularGenerator_poppler.so
#19 0x00007f63f738c613 in ?? () from /usr/lib/libokularcore.so.6
#20 0x00007f6408702d1c in ?? () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
#21 0x00007f640537c6aa in start_thread (arg=0x7f63f253c700) at pthread_create.c:333
#22 0x00007f6407dbfeed in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109
Thread 2 (Thread 0x7f63f1d3b700 (LWP 6201)):
#0 syscall () at ../sysdeps/unix/sysv/linux/x86_64/syscall.S:38
#1 0x00007f6408701622 in ?? () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
#2 0x00007f64086fd8e5 in QMutex::lockInternal() () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
#3 0x00007f63f2c2acf4 in ?? () from /usr/lib/kde4/okularGenerator_poppler.so
#4 0x00007f63f738bf12 in ?? () from /usr/lib/libokularcore.so.6
#5 0x00007f6408702d1c in ?? () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
#6 0x00007f640537c6aa in start_thread (arg=0x7f63f1d3b700) at pthread_create.c:333
#7 0x00007f6407dbfeed in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109
Thread 1 (Thread 0x7f640ae42840 (LWP 6180)):
#0 pthread_cond_wait@@GLIBC_2.3.2 () at ../sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185
#1 0x00007f6408703286 in QWaitCondition::wait(QMutex*, unsigned long) () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
#2 0x00007f64087028ae in QThread::wait(unsigned long) () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
#3 0x00007f64087ed0ad in ?? () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
#4 0x00007f6407cf2d32 in __run_exit_handlers (status=1, listp=0x7f640807d698 <__exit_funcs>, run_list_atexit=run_list_atexit@entry=true) at exit.c:82
#5 0x00007f6407cf2d85 in __GI_exit (status=<optimized out>) at exit.c:104
#6 0x00007f640928e6a8 in ?? () from /usr/lib/x86_64-linux-gnu/libQtGui.so.4
#7 0x00007f6409f83370 in KApplication::xioErrhandler(_XDisplay*) () from /usr/lib/libkdeui.so.5
#8 0x00007f64071cbcee in _XIOError () from /usr/lib/x86_64-linux-gnu/libX11.so.6
#9 0x00007f64071c957d in _XEventsQueued () from /usr/lib/x86_64-linux-gnu/libX11.so.6
#10 0x00007f64071a5832 in XCheckIfEvent () from /usr/lib/x86_64-linux-gnu/libX11.so.6
#11 0x00007f64092923e9 in ?? () from /usr/lib/x86_64-linux-gnu/libQtGui.so.4
#12 0x00007f64092a26eb in QApplication::x11ProcessEvent(_XEvent*) () from /usr/lib/x86_64-linux-gnu/libQtGui.so.4
#13 0x00007f64092ccb52 in ?? () from /usr/lib/x86_64-linux-gnu/libQtGui.so.4
#14 0x00007f6404e96ff7 in g_main_context_dispatch () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#15 0x00007f6404e97250 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#16 0x00007f6404e972fc in g_main_context_iteration () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#17 0x00007f64088431ee in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
#18 0x00007f64092ccc26 in ?? () from /usr/lib/x86_64-linux-gnu/libQtGui.so.4
#19 0x00007f64088110d1 in QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
#20 0x00007f6408811445 in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
#21 0x00007f6408817429 in QCoreApplication::exec() () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
#22 0x0000000000409878 in ?? ()
#23 0x00007f6407cd9a40 in __libc_start_main (main=0x409430, argc=2, argv=0x7ffd3a61ac18, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffd3a61ac08) at libc-start.c:289
#24 0x000000000040b4a9 in _start ()
evince 3.16.1 / xpdf version 3.03
********************************************************************************
Segmentation fault
********************************************************************************
crashed file: fuzz_id_27683_OliviaOil_24.pdf.tc_bf1_pos_3460_size_1
Register dump:
RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000
RDX: 0000000000000006 RSI: 0000000000000002 RDI: 0000000000000000
RBP: 0000000000000000 R8 : 0000000000000000 R9 : 0000000000000006
R10: 0000000000000070 R11: 0000000000000000 R12: 00000000014af420
R13: 00000000000018d2 R14: 00000000014af420 R15: 00000000014d7600
RSP: 00007ffdede2b6b0
RIP: 00007f28d94be0df EFLAGS: 00010246
CS: 0033 FS: 0000 GS: 0000
Trap: 0000000e Error: 00000004 OldMask: 00000000 CR2: 00000010
Backtrace:
0x00007f28e4d22cc0: [catch_segfault():4000]
0x00007f28e3512d10: [__restore_rt():0]
0x00007f28d94be0df: [_ZN9JPXStream16readTilePartDataEjjb():287]
0x00007f28d94bf688: [_ZN9JPXStream12readTilePartEv():2920]
0x00007f28d94c1278: [_ZN9JPXStream14readCodestreamEj():248]
0x00007f28d94c3ff1: [_ZN9JPXStream9readBoxesEv():1809]
0x00007f28d94c4766: [_ZN9JPXStream5resetEv():22]
0x00007f28d9c8d753: [_ZN14CairoOutputDev9drawImageEP8GfxStateP6ObjectP6StreamiiP16GfxImageColorMapbPib():323]
0x00007f28d950ce45: [_ZN3Gfx7doImageEP6ObjectP6Streamb():3013]
0x00007f28d950e143: [_ZN3Gfx9opXObjectEP6Objecti():627]
0x00007f28d9508058: [_ZN3Gfx2goEb():344]
0x00007f28d9508558: [_ZN3Gfx7displayEP6Objectb():280]
0x00007f28d9550dc5: [_ZN4Page12displaySliceEP9OutputDevddibbiiiibPFbPvES2_PFbP5AnnotS2_ES2_b():357]
0x00007f28d9c76522: [poppler_page_get_type():482]
0x00007f28d9eb5ad3: [_init():13019]
0x00007f28d9eb616e: [_init():14710]
0x0000000000401a90: [_init():2368]
0x000000000040172d: [_init():1501]
0x00007f28e3158a40: [__libc_start_main():240]
0x00000000004018a9: [_init():1881]
Disassemble:
0x00007f28d94be0df: add rax, qword ptr [rdi + 0x10]
0x00007f28d94be0e3: mov r11d, dword ptr [rax + 0x14]
0x00007f28d94be0e7: test r11d, r11d
0x00007f28d94be0ea: je 0x7f28d94be25d
0x00007f28d94be0f0: mov r8d, dword ptr [rax + 0x10]
0x00007f28d94be0f4: mov r13, qword ptr [rsp]
0x00007f28d94be0f8: mov r15, r14
HASHTAG: 8DBAE794E10FF8F8CBF9AA94744D5759
Thanks
-Alex
To manage notifications about this bug go to:
https://bugs.launchpad.net/poppler/+bug/1505858/+subscriptions