desktop-packages team mailing list archive

Thread
Date
[Bug 1505858] Re: Segmentation fault in JPXStream::readTilePartData(JPXStream.cc:2142)

To: desktop-packages@xxxxxxxxxxxxxxxxxxx
From: Marc Deslauriers <marc.deslauriers@xxxxxxxxxxxxx>
Date: Thu, 29 Oct 2015 18:26:24 -0000
Reply-to: Bug 1505858 <1505858@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx
** Bug watch added: freedesktop.org Bugzilla #92450
   https://bugs.freedesktop.org/show_bug.cgi?id=92450

** Also affects: poppler via
   https://bugs.freedesktop.org/show_bug.cgi?id=92450
   Importance: Unknown
       Status: Unknown

** Information type changed from Private Security to Public Security

** Changed in: poppler (Ubuntu)
       Status: New => Confirmed

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to poppler in Ubuntu.
https://bugs.launchpad.net/bugs/1505858

Title:
  Segmentation fault in JPXStream::readTilePartData(JPXStream.cc:2142)

Status in Poppler:
  Unknown
Status in poppler package in Ubuntu:
  Confirmed

Bug description:
  Hello,

  I've found some vulnerabilities in pdf viewers using famous library
  named poppler such as evince, xpdf, okular and so on.

  This is my short report and I used latest version of poppler (poppler-0.37.0).
  Plus I've attached a finding as comment below

  To be honest, I already posted this bug on popplers' and developer answered the question (https://bugs.freedesktop.org/show_bug.cgi?id=92450#c1).
  As far as I can tell, all of these software what I tested such as evince, xpdf okular on Ubuntu system have same problem.
  So I'd like to post this issue in here.

  in details:

  alex@vm64 $ uname -a
  Linux vm64 4.2.0-16-generic #19-Ubuntu SMP Thu Oct 8 15:35:06 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

  alex@vm64 $ cat /etc/lsb-release
  DISTRIB_ID=Ubuntu
  DISTRIB_RELEASE=15.10
  DISTRIB_CODENAME=wily
  DISTRIB_DESCRIPTION="Ubuntu Wily Werewolf (development branch)"

  okular:
    Installed: 4:15.08.1-0ubuntu1
    Candidate: 4:15.08.1-0ubuntu1
    Version table:
   *** 4:15.08.1-0ubuntu1 0
          500 http://kr.archive.ubuntu.com/ubuntu/ wily/universe amd64 Packages
          100 /var/lib/dpkg/status

  xpdf:
    Installed: 3.03-17ubuntu2
    Candidate: 3.03-17ubuntu2
    Version table:
   *** 3.03-17ubuntu2 0
          500 http://kr.archive.ubuntu.com/ubuntu/ wily/universe amd64 Packages
          100 /var/lib/dpkg/status

  evince:
    Installed: 3.16.1-0ubuntu1
    Candidate: 3.16.1-0ubuntu1
    Version table:
   *** 3.16.1-0ubuntu1 0
          500 http://kr.archive.ubuntu.com/ubuntu/ wily/main amd64 Packages
          100 /var/lib/dpkg/status

  libpoppler-dev:
    Installed: 0.33.0-0ubuntu3
    Candidate: 0.33.0-0ubuntu3
    Version table:
   *** 0.33.0-0ubuntu3 0
          500 http://kr.archive.ubuntu.com/ubuntu/ wily/main amd64 Packages
          100 /var/lib/dpkg/status

  + I used latest version of poppler too.

  Application: Okular (okular), signal: Segmentation fault
  Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
  pthread_cond_wait@@GLIBC_2.3.2 () at ../sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185
  [Current thread is 1 (Thread 0x7f640ae42840 (LWP 6180))]

  Thread 4 (Thread 0x7f63f36f1700 (LWP 6184)):
  #0  0x00007f6407db6743 in select () at ../sysdeps/unix/syscall-template.S:81
  #1  0x00007f64087ed51f in ?? () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
  #2  0x00007f6408702d1c in ?? () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
  #3  0x00007f640537c6aa in start_thread (arg=0x7f63f36f1700) at pthread_create.c:333
  #4  0x00007f6407dbfeed in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109

  Thread 3 (Thread 0x7f63f253c700 (LWP 6200)):
  [KCrash Handler]
  #6  0x00007f63f25f5619 in JPXStream::readTilePartData(unsigned int, unsigned int, bool) () from /usr/lib/x86_64-linux-gnu/libpoppler.so.52
  #7  0x00007f63f25f6b73 in JPXStream::readTilePart() () from /usr/lib/x86_64-linux-gnu/libpoppler.so.52
  #8  0x00007f63f25f7a77 in JPXStream::readCodestream(unsigned int) () from /usr/lib/x86_64-linux-gnu/libpoppler.so.52
  #9  0x00007f63f25f9c95 in JPXStream::readBoxes() () from /usr/lib/x86_64-linux-gnu/libpoppler.so.52
  #10 0x00007f63f25fa0d6 in JPXStream::reset() () from /usr/lib/x86_64-linux-gnu/libpoppler.so.52
  #11 0x00007f63f25edbf9 in SplashOutputDev::drawImage(GfxState*, Object*, Stream*, int, int, GfxImageColorMap*, bool, int*, bool) () from /usr/lib/x86_64-linux-gnu/libpoppler.so.52
  #12 0x00007f63f26419ca in Gfx::doImage(Object*, Stream*, bool) () from /usr/lib/x86_64-linux-gnu/libpoppler.so.52
  #13 0x00007f63f2642ce8 in Gfx::opXObject(Object*, int) () from /usr/lib/x86_64-linux-gnu/libpoppler.so.52
  #14 0x00007f63f263cffe in Gfx::go(bool) () from /usr/lib/x86_64-linux-gnu/libpoppler.so.52
  #15 0x00007f63f263d4a0 in Gfx::display(Object*, bool) () from /usr/lib/x86_64-linux-gnu/libpoppler.so.52
  #16 0x00007f63f2683255 in Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) () from /usr/lib/x86_64-linux-gnu/libpoppler.so.52
  #17 0x00007f63f29dadc6 in Poppler::Page::renderToImage(double, double, int, int, int, int, Poppler::Page::Rotation) const () from /usr/lib/x86_64-linux-gnu/libpoppler-qt4.so.4
  #18 0x00007f63f2c2be74 in ?? () from /usr/lib/kde4/okularGenerator_poppler.so
  #19 0x00007f63f738c613 in ?? () from /usr/lib/libokularcore.so.6
  #20 0x00007f6408702d1c in ?? () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
  #21 0x00007f640537c6aa in start_thread (arg=0x7f63f253c700) at pthread_create.c:333
  #22 0x00007f6407dbfeed in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109

  Thread 2 (Thread 0x7f63f1d3b700 (LWP 6201)):
  #0  syscall () at ../sysdeps/unix/sysv/linux/x86_64/syscall.S:38
  #1  0x00007f6408701622 in ?? () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
  #2  0x00007f64086fd8e5 in QMutex::lockInternal() () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
  #3  0x00007f63f2c2acf4 in ?? () from /usr/lib/kde4/okularGenerator_poppler.so
  #4  0x00007f63f738bf12 in ?? () from /usr/lib/libokularcore.so.6
  #5  0x00007f6408702d1c in ?? () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
  #6  0x00007f640537c6aa in start_thread (arg=0x7f63f1d3b700) at pthread_create.c:333
  #7  0x00007f6407dbfeed in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109

  Thread 1 (Thread 0x7f640ae42840 (LWP 6180)):
  #0  pthread_cond_wait@@GLIBC_2.3.2 () at ../sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185
  #1  0x00007f6408703286 in QWaitCondition::wait(QMutex*, unsigned long) () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
  #2  0x00007f64087028ae in QThread::wait(unsigned long) () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
  #3  0x00007f64087ed0ad in ?? () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
  #4  0x00007f6407cf2d32 in __run_exit_handlers (status=1, listp=0x7f640807d698 <__exit_funcs>, run_list_atexit=run_list_atexit@entry=true) at exit.c:82
  #5  0x00007f6407cf2d85 in __GI_exit (status=<optimized out>) at exit.c:104
  #6  0x00007f640928e6a8 in ?? () from /usr/lib/x86_64-linux-gnu/libQtGui.so.4
  #7  0x00007f6409f83370 in KApplication::xioErrhandler(_XDisplay*) () from /usr/lib/libkdeui.so.5
  #8  0x00007f64071cbcee in _XIOError () from /usr/lib/x86_64-linux-gnu/libX11.so.6
  #9  0x00007f64071c957d in _XEventsQueued () from /usr/lib/x86_64-linux-gnu/libX11.so.6
  #10 0x00007f64071a5832 in XCheckIfEvent () from /usr/lib/x86_64-linux-gnu/libX11.so.6
  #11 0x00007f64092923e9 in ?? () from /usr/lib/x86_64-linux-gnu/libQtGui.so.4
  #12 0x00007f64092a26eb in QApplication::x11ProcessEvent(_XEvent*) () from /usr/lib/x86_64-linux-gnu/libQtGui.so.4
  #13 0x00007f64092ccb52 in ?? () from /usr/lib/x86_64-linux-gnu/libQtGui.so.4
  #14 0x00007f6404e96ff7 in g_main_context_dispatch () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
  #15 0x00007f6404e97250 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
  #16 0x00007f6404e972fc in g_main_context_iteration () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
  #17 0x00007f64088431ee in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
  #18 0x00007f64092ccc26 in ?? () from /usr/lib/x86_64-linux-gnu/libQtGui.so.4
  #19 0x00007f64088110d1 in QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
  #20 0x00007f6408811445 in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
  #21 0x00007f6408817429 in QCoreApplication::exec() () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
  #22 0x0000000000409878 in ?? ()
  #23 0x00007f6407cd9a40 in __libc_start_main (main=0x409430, argc=2, argv=0x7ffd3a61ac18, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffd3a61ac08) at libc-start.c:289
  #24 0x000000000040b4a9 in _start ()

  evince 3.16.1 / xpdf version 3.03

  ********************************************************************************
  Segmentation fault
  ********************************************************************************

  crashed file: fuzz_id_27683_OliviaOil_24.pdf.tc_bf1_pos_3460_size_1

  Register dump:

   RAX: 0000000000000000   RBX: 0000000000000001   RCX: 0000000000000000
   RDX: 0000000000000006   RSI: 0000000000000002   RDI: 0000000000000000
   RBP: 0000000000000000   R8 : 0000000000000000   R9 : 0000000000000006
   R10: 0000000000000070   R11: 0000000000000000   R12: 00000000014af420
   R13: 00000000000018d2   R14: 00000000014af420   R15: 00000000014d7600
   RSP: 00007ffdede2b6b0

   RIP: 00007f28d94be0df   EFLAGS: 00010246

   CS: 0033   FS: 0000   GS: 0000

   Trap: 0000000e   Error: 00000004   OldMask: 00000000   CR2: 00000010

  stack trace:
  0x00007ffdede2b6b0: 10 fa 4a 01 00 00 00 00 00 00 00 00 00 00 00 00 ..J.............
  0x00007ffdede2b6c0: 20 f4 4a 01 00 00 00 00 50 dc 4b 01 00 00 00 00  .J.....P.K.....
  0x00007ffdede2b6d0: 14 b7 e2 ed fd 7f 00 00 03 00 00 00 01 00 00 00 ................
  0x00007ffdede2b6e0: 90 d2 4b 01 00 00 00 00 00 00 00 00 01 00 00 00 ..K.............
  0x00007ffdede2b6f0: 01 00 00 00 00 00 00 00 20 f4 4a 01 00 00 00 00 ........ .J.....
  0x00007ffdede2b700: a0 41 54 01 00 00 00 00 01 00 00 00 00 00 00 00 .AT.............
  0x00007ffdede2b710: d0 52 54 01 01 00 00 00 00 48 38 da c1 7a d9 ac .RT......H8..z..
  0x00007ffdede2b720: 90 96 54 01 00 00 00 00 10 fa 4a 01 00 00 00 00 ..T.......J.....

  Backtrace:
  0x00007f28e4d22cc0: [catch_segfault():4000]
  0x00007f28e3512d10: [__restore_rt():0]
  0x00007f28d94be0df: [_ZN9JPXStream16readTilePartDataEjjb():287]
  0x00007f28d94bf688: [_ZN9JPXStream12readTilePartEv():2920]
  0x00007f28d94c1278: [_ZN9JPXStream14readCodestreamEj():248]
  0x00007f28d94c3ff1: [_ZN9JPXStream9readBoxesEv():1809]
  0x00007f28d94c4766: [_ZN9JPXStream5resetEv():22]
  0x00007f28d9c8d753: [_ZN14CairoOutputDev9drawImageEP8GfxStateP6ObjectP6StreamiiP16GfxImageColorMapbPib():323]
  0x00007f28d950ce45: [_ZN3Gfx7doImageEP6ObjectP6Streamb():3013]
  0x00007f28d950e143: [_ZN3Gfx9opXObjectEP6Objecti():627]
  0x00007f28d9508058: [_ZN3Gfx2goEb():344]
  0x00007f28d9508558: [_ZN3Gfx7displayEP6Objectb():280]
  0x00007f28d9550dc5: [_ZN4Page12displaySliceEP9OutputDevddibbiiiibPFbPvES2_PFbP5AnnotS2_ES2_b():357]
  0x00007f28d9c76522: [poppler_page_get_type():482]
  0x00007f28d9eb5ad3: [_init():13019]
  0x00007f28d9eb616e: [_init():14710]
  0x0000000000401a90: [_init():2368]
  0x000000000040172d: [_init():1501]
  0x00007f28e3158a40: [__libc_start_main():240]
  0x00000000004018a9: [_init():1881]

  Disassemble:
  0x00007f28d94be0df: add      rax, qword ptr [rdi + 0x10]
  0x00007f28d94be0e3: mov      r11d, dword ptr [rax + 0x14]
  0x00007f28d94be0e7: test     r11d, r11d
  0x00007f28d94be0ea: je       0x7f28d94be25d
  0x00007f28d94be0f0: mov      r8d, dword ptr [rax + 0x10]
  0x00007f28d94be0f4: mov      r13, qword ptr [rsp]
  0x00007f28d94be0f8: mov      r15, r14

  HASHTAG: 8DBAE794E10FF8F8CBF9AA94744D5759

  Thanks
  -Alex

To manage notifications about this bug go to:
https://bugs.launchpad.net/poppler/+bug/1505858/+subscriptions