Segmentation fault in JPXStream::readTilePartData(JPXStream.cc:2142)

Bug #1505858 reported by alex.park
Affects           Status      Importance  Assigned to  Milestone
Poppler           Unknown     High
poppler (Ubuntu)  Confirmed   Undecided   Unassigned

Bug Description

Hello,

I've found some vulnerabilities in PDF viewers that use the well-known library named poppler, such as evince, xpdf, okular and so on.

This is my short report, and I used the latest version of poppler (poppler-0.37.0).
Plus, I've attached a finding as a comment below.

To be honest, I already posted this bug on poppler's bug tracker and a developer answered the question (https://bugs.freedesktop.org/show_bug.cgi?id=92450#c1).
As far as I can tell, all of the software I tested, such as evince, xpdf and okular on an Ubuntu system, has the same problem.
So I'd like to post this issue here.

In detail:

alex@vm64 $ uname -a
Linux vm64 4.2.0-16-generic #19-Ubuntu SMP Thu Oct 8 15:35:06 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

alex@vm64 $ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=15.10
DISTRIB_CODENAME=wily
DISTRIB_DESCRIPTION="Ubuntu Wily Werewolf (development branch)"

okular:
  Installed: 4:15.08.1-0ubuntu1
  Candidate: 4:15.08.1-0ubuntu1
  Version table:
 *** 4:15.08.1-0ubuntu1 0
        500 http://kr.archive.ubuntu.com/ubuntu/ wily/universe amd64 Packages
        100 /var/lib/dpkg/status

xpdf:
  Installed: 3.03-17ubuntu2
  Candidate: 3.03-17ubuntu2
  Version table:
 *** 3.03-17ubuntu2 0
        500 http://kr.archive.ubuntu.com/ubuntu/ wily/universe amd64 Packages
        100 /var/lib/dpkg/status

evince:
  Installed: 3.16.1-0ubuntu1
  Candidate: 3.16.1-0ubuntu1
  Version table:
 *** 3.16.1-0ubuntu1 0
        500 http://kr.archive.ubuntu.com/ubuntu/ wily/main amd64 Packages
        100 /var/lib/dpkg/status

libpoppler-dev:
  Installed: 0.33.0-0ubuntu3
  Candidate: 0.33.0-0ubuntu3
  Version table:
 *** 0.33.0-0ubuntu3 0
        500 http://kr.archive.ubuntu.com/ubuntu/ wily/main amd64 Packages
        100 /var/lib/dpkg/status

+ I used the latest version of poppler too.

Application: Okular (okular), signal: Segmentation fault
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
pthread_cond_wait@@GLIBC_2.3.2 () at ../sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185
[Current thread is 1 (Thread 0x7f640ae42840 (LWP 6180))]

Thread 4 (Thread 0x7f63f36f1700 (LWP 6184)):
#0 0x00007f6407db6743 in select () at ../sysdeps/unix/syscall-template.S:81
#1 0x00007f64087ed51f in ?? () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
#2 0x00007f6408702d1c in ?? () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
#3 0x00007f640537c6aa in start_thread (arg=0x7f63f36f1700) at pthread_create.c:333
#4 0x00007f6407dbfeed in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109

Thread 3 (Thread 0x7f63f253c700 (LWP 6200)):
[KCrash Handler]
#6 0x00007f63f25f5619 in JPXStream::readTilePartData(unsigned int, unsigned int, bool) () from /usr/lib/x86_64-linux-gnu/libpoppler.so.52
#7 0x00007f63f25f6b73 in JPXStream::readTilePart() () from /usr/lib/x86_64-linux-gnu/libpoppler.so.52
#8 0x00007f63f25f7a77 in JPXStream::readCodestream(unsigned int) () from /usr/lib/x86_64-linux-gnu/libpoppler.so.52
#9 0x00007f63f25f9c95 in JPXStream::readBoxes() () from /usr/lib/x86_64-linux-gnu/libpoppler.so.52
#10 0x00007f63f25fa0d6 in JPXStream::reset() () from /usr/lib/x86_64-linux-gnu/libpoppler.so.52
#11 0x00007f63f25edbf9 in SplashOutputDev::drawImage(GfxState*, Object*, Stream*, int, int, GfxImageColorMap*, bool, int*, bool) () from /usr/lib/x86_64-linux-gnu/libpoppler.so.52
#12 0x00007f63f26419ca in Gfx::doImage(Object*, Stream*, bool) () from /usr/lib/x86_64-linux-gnu/libpoppler.so.52
#13 0x00007f63f2642ce8 in Gfx::opXObject(Object*, int) () from /usr/lib/x86_64-linux-gnu/libpoppler.so.52
#14 0x00007f63f263cffe in Gfx::go(bool) () from /usr/lib/x86_64-linux-gnu/libpoppler.so.52
#15 0x00007f63f263d4a0 in Gfx::display(Object*, bool) () from /usr/lib/x86_64-linux-gnu/libpoppler.so.52
#16 0x00007f63f2683255 in Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) () from /usr/lib/x86_64-linux-gnu/libpoppler.so.52
#17 0x00007f63f29dadc6 in Poppler::Page::renderToImage(double, double, int, int, int, int, Poppler::Page::Rotation) const () from /usr/lib/x86_64-linux-gnu/libpoppler-qt4.so.4
#18 0x00007f63f2c2be74 in ?? () from /usr/lib/kde4/okularGenerator_poppler.so
#19 0x00007f63f738c613 in ?? () from /usr/lib/libokularcore.so.6
#20 0x00007f6408702d1c in ?? () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
#21 0x00007f640537c6aa in start_thread (arg=0x7f63f253c700) at pthread_create.c:333
#22 0x00007f6407dbfeed in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109

Thread 2 (Thread 0x7f63f1d3b700 (LWP 6201)):
#0 syscall () at ../sysdeps/unix/sysv/linux/x86_64/syscall.S:38
#1 0x00007f6408701622 in ?? () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
#2 0x00007f64086fd8e5 in QMutex::lockInternal() () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
#3 0x00007f63f2c2acf4 in ?? () from /usr/lib/kde4/okularGenerator_poppler.so
#4 0x00007f63f738bf12 in ?? () from /usr/lib/libokularcore.so.6
#5 0x00007f6408702d1c in ?? () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
#6 0x00007f640537c6aa in start_thread (arg=0x7f63f1d3b700) at pthread_create.c:333
#7 0x00007f6407dbfeed in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109

Thread 1 (Thread 0x7f640ae42840 (LWP 6180)):
#0 pthread_cond_wait@@GLIBC_2.3.2 () at ../sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185
#1 0x00007f6408703286 in QWaitCondition::wait(QMutex*, unsigned long) () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
#2 0x00007f64087028ae in QThread::wait(unsigned long) () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
#3 0x00007f64087ed0ad in ?? () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
#4 0x00007f6407cf2d32 in __run_exit_handlers (status=1, listp=0x7f640807d698 <__exit_funcs>, run_list_atexit=run_list_atexit@entry=true) at exit.c:82
#5 0x00007f6407cf2d85 in __GI_exit (status=<optimized out>) at exit.c:104
#6 0x00007f640928e6a8 in ?? () from /usr/lib/x86_64-linux-gnu/libQtGui.so.4
#7 0x00007f6409f83370 in KApplication::xioErrhandler(_XDisplay*) () from /usr/lib/libkdeui.so.5
#8 0x00007f64071cbcee in _XIOError () from /usr/lib/x86_64-linux-gnu/libX11.so.6
#9 0x00007f64071c957d in _XEventsQueued () from /usr/lib/x86_64-linux-gnu/libX11.so.6
#10 0x00007f64071a5832 in XCheckIfEvent () from /usr/lib/x86_64-linux-gnu/libX11.so.6
#11 0x00007f64092923e9 in ?? () from /usr/lib/x86_64-linux-gnu/libQtGui.so.4
#12 0x00007f64092a26eb in QApplication::x11ProcessEvent(_XEvent*) () from /usr/lib/x86_64-linux-gnu/libQtGui.so.4
#13 0x00007f64092ccb52 in ?? () from /usr/lib/x86_64-linux-gnu/libQtGui.so.4
#14 0x00007f6404e96ff7 in g_main_context_dispatch () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#15 0x00007f6404e97250 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#16 0x00007f6404e972fc in g_main_context_iteration () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#17 0x00007f64088431ee in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
#18 0x00007f64092ccc26 in ?? () from /usr/lib/x86_64-linux-gnu/libQtGui.so.4
#19 0x00007f64088110d1 in QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
#20 0x00007f6408811445 in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
#21 0x00007f6408817429 in QCoreApplication::exec() () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
#22 0x0000000000409878 in ?? ()
#23 0x00007f6407cd9a40 in __libc_start_main (main=0x409430, argc=2, argv=0x7ffd3a61ac18, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffd3a61ac08) at libc-start.c:289
#24 0x000000000040b4a9 in _start ()

evince 3.16.1 / xpdf version 3.03

********************************************************************************
Segmentation fault
********************************************************************************

crashed file: fuzz_id_27683_OliviaOil_24.pdf.tc_bf1_pos_3460_size_1

Register dump:

 RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000
 RDX: 0000000000000006 RSI: 0000000000000002 RDI: 0000000000000000
 RBP: 0000000000000000 R8 : 0000000000000000 R9 : 0000000000000006
 R10: 0000000000000070 R11: 0000000000000000 R12: 00000000014af420
 R13: 00000000000018d2 R14: 00000000014af420 R15: 00000000014d7600
 RSP: 00007ffdede2b6b0

 RIP: 00007f28d94be0df EFLAGS: 00010246

 CS: 0033 FS: 0000 GS: 0000

 Trap: 0000000e Error: 00000004 OldMask: 00000000 CR2: 00000010

stack trace:
0x00007ffdede2b6b0: 10 fa 4a 01 00 00 00 00 00 00 00 00 00 00 00 00 ..J.............
0x00007ffdede2b6c0: 20 f4 4a 01 00 00 00 00 50 dc 4b 01 00 00 00 00 .J.....P.K.....
0x00007ffdede2b6d0: 14 b7 e2 ed fd 7f 00 00 03 00 00 00 01 00 00 00 ................
0x00007ffdede2b6e0: 90 d2 4b 01 00 00 00 00 00 00 00 00 01 00 00 00 ..K.............
0x00007ffdede2b6f0: 01 00 00 00 00 00 00 00 20 f4 4a 01 00 00 00 00 ........ .J.....
0x00007ffdede2b700: a0 41 54 01 00 00 00 00 01 00 00 00 00 00 00 00 .AT.............
0x00007ffdede2b710: d0 52 54 01 01 00 00 00 00 48 38 da c1 7a d9 ac .RT......H8..z..
0x00007ffdede2b720: 90 96 54 01 00 00 00 00 10 fa 4a 01 00 00 00 00 ..T.......J.....

Backtrace:
0x00007f28e4d22cc0: [catch_segfault():4000]
0x00007f28e3512d10: [__restore_rt():0]
0x00007f28d94be0df: [_ZN9JPXStream16readTilePartDataEjjb():287]
0x00007f28d94bf688: [_ZN9JPXStream12readTilePartEv():2920]
0x00007f28d94c1278: [_ZN9JPXStream14readCodestreamEj():248]
0x00007f28d94c3ff1: [_ZN9JPXStream9readBoxesEv():1809]
0x00007f28d94c4766: [_ZN9JPXStream5resetEv():22]
0x00007f28d9c8d753: [_ZN14CairoOutputDev9drawImageEP8GfxStateP6ObjectP6StreamiiP16GfxImageColorMapbPib():323]
0x00007f28d950ce45: [_ZN3Gfx7doImageEP6ObjectP6Streamb():3013]
0x00007f28d950e143: [_ZN3Gfx9opXObjectEP6Objecti():627]
0x00007f28d9508058: [_ZN3Gfx2goEb():344]
0x00007f28d9508558: [_ZN3Gfx7displayEP6Objectb():280]
0x00007f28d9550dc5: [_ZN4Page12displaySliceEP9OutputDevddibbiiiibPFbPvES2_PFbP5AnnotS2_ES2_b():357]
0x00007f28d9c76522: [poppler_page_get_type():482]
0x00007f28d9eb5ad3: [_init():13019]
0x00007f28d9eb616e: [_init():14710]
0x0000000000401a90: [_init():2368]
0x000000000040172d: [_init():1501]
0x00007f28e3158a40: [__libc_start_main():240]
0x00000000004018a9: [_init():1881]

Disassemble:
0x00007f28d94be0df: add rax, qword ptr [rdi + 0x10]
0x00007f28d94be0e3: mov r11d, dword ptr [rax + 0x14]
0x00007f28d94be0e7: test r11d, r11d
0x00007f28d94be0ea: je 0x7f28d94be25d
0x00007f28d94be0f0: mov r8d, dword ptr [rax + 0x10]
0x00007f28d94be0f4: mov r13, qword ptr [rsp]
0x00007f28d94be0f8: mov r15, r14

HASHTAG: 8DBAE794E10FF8F8CBF9AA94744D5759

Thanks
-Alex
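As an added triage example (not part of alex.park's report and not poppler code): the fuzzer harness output above gives a register dump, the page-fault error code and the disassembly at RIP. The Python helper below parses those pieces, decodes the x86 #PF error code, recomputes the effective address of the faulting memory operand and checks it against CR2. On the sample embedded here (the values copied from the report, labelled as constructed input), RDI is 0 and the faulting instruction reads `[rdi + 0x10]`, which matches CR2 = 0x10 and error code 4 (user-mode read of an unmapped page): a NULL-pointer read rather than a write, which matters when deciding whether a crash is a denial of service or a memory-corruption candidate. The 0x1000 "first page is never mapped" threshold is an assumption.

```python
import re

# Constructed sample input: the register dump and disassembly lines copied from
# the harness output in the report above. A real run would read the harness
# log from a file instead of a string.
SAMPLE_REPORT = """\
Register dump:

 RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000
 RDX: 0000000000000006 RSI: 0000000000000002 RDI: 0000000000000000
 RBP: 0000000000000000 R8 : 0000000000000000 R9 : 0000000000000006
 R10: 0000000000000070 R11: 0000000000000000 R12: 00000000014af420
 R13: 00000000000018d2 R14: 00000000014af420 R15: 00000000014d7600
 RSP: 00007ffdede2b6b0

 RIP: 00007f28d94be0df EFLAGS: 00010246

 Trap: 0000000e Error: 00000004 OldMask: 00000000 CR2: 00000010

Disassemble:
0x00007f28d94be0df: add rax, qword ptr [rdi + 0x10]
0x00007f28d94be0e3: mov r11d, dword ptr [rax + 0x14]
0x00007f28d94be0e7: test r11d, r11d
"""

# Only these names are taken from the dump; everything else on a "name: hex" line is ignored.
REGISTER_NAMES = {"RAX", "RBX", "RCX", "RDX", "RSI", "RDI", "RBP", "RSP", "RIP",
                  "R8", "R9", "R10", "R11", "R12", "R13", "R14", "R15",
                  "CR2", "Error", "Trap"}

PAGE_FAULT_TRAP = 0x0E  # x86 exception vector 14 (#PF)


def parse_registers(report):
    """Return {name: int} for the register values in a 'Register dump:' block."""
    regs = {}
    for name, value in re.findall(r"\b([A-Za-z][A-Za-z0-9]*)\s*:\s*([0-9a-fA-F]{1,16})\b", report):
        if name in REGISTER_NAMES:
            regs[name] = int(value, 16)
    return regs


def decode_page_fault_error(code):
    """Decode the low bits of the x86 page-fault error code (P, W/R, U/S)."""
    return {
        "present": bool(code & 1),  # False: page not present, True: protection violation
        "write": bool(code & 2),    # False: read access, True: write access
        "user": bool(code & 4),     # True: fault raised while in user mode
    }


def instruction_at(report, rip):
    """Return the disassembly text of the line whose address equals RIP, or None."""
    for addr, text in re.findall(r"^0x([0-9a-fA-F]+):\s+(.+)$", report, re.M):
        if int(addr, 16) == rip:
            return text.strip()
    return None


def memory_operand(insn):
    """Return (BASE_REGISTER, displacement) for a '[reg +/- disp]' operand, or None."""
    m = re.search(r"\[\s*([a-z0-9]+)\s*(?:([+-])\s*(0x[0-9a-fA-F]+|\d+))?\s*\]", insn)
    if not m:
        return None
    base, sign, disp = m.group(1), m.group(2), m.group(3)
    offset = int(disp, 0) if disp else 0
    return base.upper(), (-offset if sign == "-" else offset)


def triage(report):
    """Classify the faulting access and check the dump is self-consistent."""
    regs = parse_registers(report)
    rip, cr2, err = regs["RIP"], regs["CR2"], regs["Error"]
    fault = decode_page_fault_error(err)
    insn = instruction_at(report, rip)
    operand = memory_operand(insn) if insn else None
    effective = None
    if operand and operand[0] in regs:
        effective = (regs[operand[0]] + operand[1]) & 0xFFFFFFFFFFFFFFFF
    access = "write" if fault["write"] else "read"
    # Assumption: the first page (below 0x1000) is never mapped, so a fault there
    # is a NULL pointer plus a small field offset, not a wild pointer.
    if cr2 < 0x1000:
        verdict = f"NULL-pointer dereference ({access} at offset 0x{cr2:x})"
    else:
        verdict = f"invalid {access} at 0x{cr2:x}"
    return {
        "is_page_fault": regs.get("Trap") == PAGE_FAULT_TRAP,
        "rip": rip, "cr2": cr2, "access": access,
        "user_mode": fault["user"], "page_present": fault["present"],
        "instruction": insn, "effective_address": effective,
        "consistent": effective == cr2,  # operand address really is the faulting address
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key:>18}: {value}")
```

The `consistent` flag is the useful part when triaging many fuzzer crashes: if the recomputed operand address does not equal CR2, either the disassembly was taken from the wrong thread or the dump was not captured at the faulting instruction, and the crash needs a manual look before it is filed.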

In , Saintlinu (saintlinu) wrote :

Created attachment 118861
Use of this file could crash products that use the poppler library

Hello,

I've found some vulnerabilities in PDF viewers that use the well-known library named poppler, such as evince, xpdf, okular and so on.

This is my short report, and I used the latest version of poppler (poppler-0.37.0).
Plus, I've attached some findings.

Thanks
-Alex

In detail:

alex@vm64:$ LD_LIBRARY_PATH=/usr/local/lib gdb --args ./evince ~/hack/project/fuzzer/testcases/pdf/JPXDecode/fuzz_id_27683_OliviaOil_24.pdf.tc_bf1_pos_3460_size_1
GNU gdb (Ubuntu 7.10-1ubuntu2) 7.10
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./evince...done.
gdb$ r
Starting program: /home/alex/hack/project/evince/evince-3.18.0/shell/.libs/evince /home/alex/hack/project/fuzzer/testcases/pdf/JPXDecode/fuzz_id_27683_OliviaOil_24.pdf.tc_bf1_pos_3460_size_1
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7fffece5e700 (LWP 17556)]
[New Thread 0x7fffec65d700 (LWP 17557)]
[New Thread 0x7fffebe5c700 (LWP 17558)]
[New Thread 0x7fffeb038700 (LWP 17563)]
[New Thread 0x7fffe9a4e700 (LWP 17564)]
[New Thread 0x7fffda2ab700 (LWP 17565)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffe9a4e700 (LWP 17564)]
-----------------------------------------------------------------------------------------------------------------------[regs]
  RAX: 0x0000000000000000 RBX: 0x0000000000000000 RBP: 0x00007FFFD005DA40 RSP: 0x00007FFFE9A4CF50 o d I t s z A p c
  RDI: 0x00007FFFD0042BA0 RSI: 0x0000000000000000 RDX: 0x0000000000000018 RCX: 0x0000000000000001 RIP: 0x00007FFFE8A04C49
  R8 : 0x0000000000000000 R9 : 0x0000000000000006 R10: 0x00000000000000A8 R11: 0x00007FFFD005DAB0 R12: 0x00007FFFD0042850
  R13: 0x00007FFFD005A0E0 R14: 0x00007FFFD005DAB0 R15: 0x0000000000001923
  CS: 0033 DS: 0000 ES: 0000 FS: 0000 GS: 0000 SS: 002B
[0x002B:0x00007FFFE9A4CF50]-------------------------------------------------------------------------------------------[stack]
0x00007FFFE9A4CFA0 : 01 00 00 00 FF 7F 00 00 - 01 00 00 00 FF 7F 00 00 ................
0x00007FFFE9A4CF90 : 00 00 00 00 03 00 00 00 - 01 00 00 00 FF 7F 00 00 ................
0x00007FFFE9A4CF80 : 50 A1 05 D0 FF 7F 00 00 - 90 BA 06 D0 FF 7F 00 00 P...............
0x00007FFFE9A4CF70 : B4 CF A4 E9 FF 7F 00 00 - 03 00 00 00 00 00 00 00 ................
0x00007FFFE9A4CF60 : 50 28 04 D0 FF 7F 00 00 - 80 C2 05 D0 FF 7F 00 00 P(..............
0x00007FFFE9A4CF50 : 4...


In , Albert Astals Cid (aacid) wrote :

You should be using the openjpeg version of the JPXStream, the other version is basically unmaintained and just there for convenience.

Meaning I won't be working on fixing this, but of course patches are welcome.
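An added example of the check this advice implies, not from the poppler project or from this thread: two small POSIX shell functions that tell you which JPX decoder a poppler build uses, one from the build's CMakeCache.txt and one from the dynamic dependencies of libpoppler. The cache option name ENABLE_LIBOPENJPEG is poppler's CMake option; the value names other than openjpeg2 and none vary between poppler versions and are treated here as an assumption. The cache file and the ldd output below are constructed samples so the script runs offline.

```shell
#!/bin/sh
# Added example (not poppler's code). Reports which JPX decoder a poppler build
# is configured with, so a deployment can confirm it is not relying on the
# unmaintained internal JPXStream.

# Read the ENABLE_LIBOPENJPEG value from a CMakeCache.txt (argument: path).
# Assumption: values other than openjpeg2/openjpeg1/none select the internal decoder.
jpx_decoder_from_cache() {
    value=$(sed -n 's/^ENABLE_LIBOPENJPEG:[A-Z]*=//p' "$1" | head -n 1)
    case "$value" in
        openjpeg2|openjpeg1) echo "openjpeg ($value)" ;;
        none)                echo "no JPX decoder" ;;
        auto)                echo "openjpeg if found at configure time (check ldd)" ;;
        "")                  echo "option not found" ;;
        *)                   echo "internal decoder ($value)" ;;
    esac
}

# Classify a build from the text of `ldd libpoppler.so` (argument: that text).
# A poppler built against OpenJPEG links libopenjp2.so (or libopenjpeg.so for v1).
jpx_decoder_from_ldd() {
    if printf '%s\n' "$1" | grep -q 'libopenjp2\.so'; then
        echo openjpeg2
    elif printf '%s\n' "$1" | grep -q 'libopenjpeg\.so'; then
        echo openjpeg1
    else
        echo "internal or none"
    fi
}

# Constructed sample cache: a build that selected the OpenJPEG 2 decoder.
SAMPLE_CACHE=$(mktemp)
cat > "$SAMPLE_CACHE" <<'EOF'
//Use libopenjpeg for JPX streams
ENABLE_LIBOPENJPEG:STRING=openjpeg2
ENABLE_SPLASH:BOOL=ON
EOF

# Constructed ldd output: one library linked against libopenjp2, one not.
SAMPLE_LDD_OPENJPEG2='libopenjp2.so.7 => /usr/lib/x86_64-linux-gnu/libopenjp2.so.7 (0x00007f0000000000)
libjpeg.so.8 => /usr/lib/x86_64-linux-gnu/libjpeg.so.8 (0x00007f0000100000)'
SAMPLE_LDD_INTERNAL='libjpeg.so.8 => /usr/lib/x86_64-linux-gnu/libjpeg.so.8 (0x00007f0000100000)
libfreetype.so.6 => /usr/lib/x86_64-linux-gnu/libfreetype.so.6 (0x00007f0000200000)'

echo "cache says:            $(jpx_decoder_from_cache "$SAMPLE_CACHE")"
echo "ldd (openjpeg build):  $(jpx_decoder_from_ldd "$SAMPLE_LDD_OPENJPEG2")"
echo "ldd (internal build):  $(jpx_decoder_from_ldd "$SAMPLE_LDD_INTERNAL")"
rm -f "$SAMPLE_CACHE"
```

On a real system, point `jpx_decoder_from_cache` at the build tree's CMakeCache.txt and feed `jpx_decoder_from_ldd` the output of `ldd` on the installed libpoppler.so; a distribution package that shows neither OpenJPEG library is the case this thread is about.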

In , Saintlinu (saintlinu) wrote :

Created attachment 118869
removed a finding file

In , Saintlinu (saintlinu) wrote :

Oh, I see. Thank you for the quick response.

-Alex

In , Adrian Johnson (ajohnson-redneon) wrote :

Created attachment 118877
Warn that the DCT/JPX internal decoders are unmaintained

In , Adrian Johnson (ajohnson-redneon) wrote :

Created attachment 118878
Synchronize cmake warnings with configure warnings

In , Albert Astals Cid (aacid) wrote :

Looks good to me.

alex.park (saintlinu07) wrote :

Attached the test case file.

description: updated
information type: Private Security → Public Security
Changed in poppler (Ubuntu):
status: New → Confirmed
Changed in poppler:
importance: Unknown → High
status: Unknown → Confirmed
In , Gitlab-migration (gitlab-migration) wrote :

-- GitLab Migration Automatic Message --

This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/poppler/poppler/issues/86.

Changed in poppler:
status: Confirmed → Unknown