evince crashed with SIGSEGV in __memset_sse2() when opening a PDF

Bug #537331 reported by smpahlman on 2010-03-11
20
This bug affects 2 people
Affects Status Importance Assigned to Milestone
Poppler
Fix Released
Medium
poppler (Ubuntu)
Medium
Unassigned

Bug Description

Binary package hint: evince

evince (2.29.92-0ubuntu1 on Lucid alpha 2, i386) segfaults when opening a PDF with some corrupted JBIG2 content. The PDF is attached. I have not investigated whether this can be exploited to run code or if it's just a crash.

The backtrace is as follows:

(gdb) bt
#0 0xb7312f03 in __memset_sse2 ()
    at ../sysdeps/i386/i686/multiarch/memset-sse2.S:267
#1 0xb4e11e03 in JBIG2Bitmap::clearToZero (this=0xb502c4a0)
    at /usr/include/bits/string3.h:86
#2 0xb4e13425 in JBIG2Bitmap::getSlice (this=0xb5012bd8, x=1730813931,
    y=1727642229, wA=2497357600, hA=1833388479) at JBIG2Stream.cc:745
#3 0xb4e17955 in JBIG2Stream::readGenericRefinementRegionSeg (
    this=0xb5013270, segNum=4009247418, imm=0, lossless=0, length=2430036862,
    refSegs=0x0, nRefSegs=0) at JBIG2Stream.cc:3209
#4 0xb4e1c726 in JBIG2Stream::readSegments (this=0xb5013270)
    at JBIG2Stream.cc:1403
#5 0xb4e1c8b3 in JBIG2Stream::reset (this=0xb5013270) at JBIG2Stream.cc:1215
#6 0xb4e30323 in ImageStream::reset (this=0xb50138a0) at Stream.cc:421
#7 0xb515e90a in CairoOutputDev::drawImage (this=0xb5ad2200,
    state=0xb502c200, ref=0xb597ece0, str=0xb5013270, width=2560, height=3300,
    colorMap=0xb502e460, interpolate=0, maskColors=0x0, inlineImg=0)
    at CairoOutputDev.cc:1970
#8 0xb4de5326 in Gfx::doImage (this=0xb5013e90, ref=0xb597ece0,
    str=0xb5013270, inlineImg=0) at Gfx.cc:4129
#9 0xb4debad3 in Gfx::opXObject (this=0xb5013e90, args=0xb597edd4, numArgs=1)
    at Gfx.cc:3736
#10 0xb4dda716 in Gfx::execOp (this=0xb5013e90, cmd=0xb597ef74,
    args=0xb597edd4, numArgs=1) at Gfx.cc:800
#11 0xb4ddad79 in Gfx::go (this=0xb5013e90, topLevel=1) at Gfx.cc:671
#12 0xb4ddb7a9 in Gfx::display (this=0xb5013e90, obj=0xb597f074, topLevel=1)
    at Gfx.cc:640
#13 0xb4e28c40 in Page::displaySlice (this=0xb5b5bd00, out=0xb5ad2200,
    hDPI=11.718750000000002, vDPI=11.718750000000002, rotate=0, useMediaBox=0,
    crop=1, sliceX=0, sliceY=0, sliceW=100, sliceH=129, printing=0,
    catalog=0xb5aaf308, abortCheckCbk=0, abortCheckCbkData=0x0,
    annotDisplayDecideCbk=0, annotDisplayDecideCbkData=0x0) at Page.cc:474
#14 0xb5156b81 in _poppler_page_render_to_pixbuf (page=0xb5ad1e00,
    src_x=-329950692, src_y=0, src_width=100, src_height=129,
    scale=0.16276041666666669, rotation=0, printing=0, pixbuf=0xb59d5160)
    at poppler-page.cc:778
#15 0xb5179fcd in make_thumbnail_for_page (poppler_page=<value optimized out>,
    rc=<value optimized out>, width=100, height=129) at ev-poppler.cc:1435
#16 0xb517a0b3 in pdf_document_thumbnails_get_thumbnail (
    document_thumbnails=0xb5d0f2e8, rc=0xb5ad1e20, border=1)
    at ev-poppler.cc:1498
#17 0x00829743 in ev_document_thumbnails_get_thumbnail (document=0xb5d0f2e8,
    rc=0xb5ad1e20, border=1) at ev-document-thumbnails.c:44
#18 0x003e8dc5 in ev_job_thumbnail_run (job=0xb5b30350) at ev-jobs.c:688
#19 0x003e6341 in ev_job_run (job=0xb5b30350) at ev-jobs.c:210
#20 0x003e9ef8 in ev_job_thread (data=0x0) at ev-job-scheduler.c:183
#21 ev_job_thread_proxy (data=0x0) at ev-job-scheduler.c:213
#22 0x0072cf5f in ?? () from /lib/libglib-2.0.so.0
#23 0x002b996e in start_thread (arg=0xb597fb70) at pthread_create.c:300
#24 0xb72d292e in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:130

ProblemType: Crash
Architecture: i386
Date: Thu Mar 11 14:48:15 2010
DistroRelease: Ubuntu 10.04
EcryptfsInUse: Yes
ExecutablePath: /usr/bin/evince
InstallationMedia: Ubuntu 10.04 "Lucid Lynx" - Alpha i386 (20100113)
KernLog:

Package: evince 2.29.92-0ubuntu1
ProcCmdline: BOOT_IMAGE=/boot/vmlinuz-2.6.32-10-generic root=UUID=a0f9a5ba-8891-4f4a-ae71-20b4a3e95b4c ro quiet splash
ProcEnviron:
 SHELL=/bin/bash
 LANG=en_US.UTF-8
ProcVersionSignature: Ubuntu 2.6.32-10.14-generic
SegvAnalysis:
 Segfault happened at: 0x36a1f03 <__memset_sse2+275>: add (%ebx,%ecx,4),%ebx
 PC (0x036a1f03) ok
 source "(%ebx,%ecx,4)" (0xb4c1f040) not located in a known VMA region (needed readable region)!
 destination "%ebx" ok
SegvReason: reading unknown VMA
Signal: 11
SourcePackage: evince
StacktraceTop:
 __memset_sse2 ()
 JBIG2Bitmap::clearToZero (this=0x2d8ec78)
 JBIG2Bitmap::getSlice (this=0x2d902e0, x=1730813931,
 JBIG2Stream::readGenericRefinementRegionSeg (
 JBIG2Stream::readSegments (this=0x2cce368)
Title: evince crashed with SIGSEGV in __memset_sse2()
Uname: Linux 2.6.32-10-generic i686
UserGroups: adm admin cdrom dialout lpadmin plugdev sambashare
XsessionErrors:
 (polkit-gnome-authentication-agent-1:1413): GLib-CRITICAL **: g_once_init_leave: assertion `initialization_value != 0' failed
 (gnome-terminal:1606): Gtk-CRITICAL **: gtk_accel_map_unlock_path: assertion `entry != NULL && entry->lock_count > 0' failed

smpahlman (sauli-pahlman) wrote :

StacktraceTop:
 __mempcpy_ssse3_rep () from /lib/tls/i686/cmov/libc.so.6
 JBIG2Stream::close (this=0x66f9ba75) at JBIG2Stream.cc:1230
 JBIG2Bitmap::getSlice (this=0x2d902e0, x=1730813931,
 JBIG2Stream::readGenericRefinementRegionSeg (
 JBIG2Stream::readSegments (this=0x2cce368)

Changed in evince (Ubuntu):
importance: Undecided → Medium
tags: removed: need-i386-retrace
Kees Cook (kees) on 2010-03-31
security vulnerability: yes → no
visibility: private → public
Pedro Villavicencio (pedro) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. Please try to obtain a valgrind log following the instructions at https://wiki.ubuntu.com/Valgrind and attach the file to the bug report. This will greatly help us in tracking down your problem. Could you also attach the pdf document to the report? Thanks in advance.

Changed in evince (Ubuntu):
status: New → Incomplete
smpahlman (sauli-pahlman) wrote :

Valgrind output attached as valgrind-logs-evince.tar.gz. The PDF triggering this bug is already attached at sample.pdf.

Kees Cook (kees) on 2010-04-06
Changed in evince (Ubuntu):
status: Incomplete → New
Sergio Barjola (sbarjola) wrote :

I can reproduce it in Karmic too.

Changed in evince (Ubuntu):
status: New → Confirmed

Sauli Pahlman of CERT-FI provided us with a fuzzed PDF that causes poppler to crash. It triggers a NULL pointer dereference in JBIG2Bitmap::getSlice / JBIG2Bitmap::clearToZero.

More details copy-n-pasted from:
  https://bugzilla.redhat.com/show_bug.cgi?id=580105#c16

JBIG2Bitmap::getSlice() gets called with large values in wA/hA arguments:

http://cgit.freedesktop.org/poppler/poppler/tree/poppler/JBIG2Stream.cc?id=e9501070#n740

It calls JBIG2Bitmap::JBIG2Bitmap():

http://cgit.freedesktop.org/poppler/poppler/tree/poppler/JBIG2Stream.cc?id=e9501070#n700

which contains protection against integer overflow / under-allocation of the
data[] buffer, and leaves data set to NULL if integer overflow is detected.

JBIG2Bitmap::getSlice() subsequently calls JBIG2Bitmap::clearToZero(), which
does memset(data, ...), resulting in NULL pointer dereference crash.

Tomas Hoger (thoger) on 2010-05-19
affects: evince → poppler

Fixed in 30ea3ab

Tomas Hoger (thoger) on 2010-06-04
affects: evince (Ubuntu) → poppler (Ubuntu)
Tomas Hoger (thoger) wrote :

Upstream bug is resolved, following commit was applied in upstream git:
  http://cgit.freedesktop.org/poppler/poppler/commit/?id=30ea3ab

Sebastien Bacher (seb128) wrote :

the bug has been fixed upstream now

Changed in poppler (Ubuntu):
status: Confirmed → Fix Committed
Sebastien Bacher (seb128) wrote :

the issue is fixed in this upload now

 poppler (0.14.0-0ubuntu1) maverick; urgency=low
 .
   * New upstream version
   * debian/control:
     - updated glib and gtk requirements
     - updated binaries names for the soname changes
   * debian/libpoppler6.install, debian/libpoppler-glib5.install:
     - renamed due to the soname changes
   * debian/patches/11_column_selection.patch,
     debian/patches/backport-anti-alias.patch,
     debian/patches/backport-rotation-scaling.patch,
     debian/patches/psname-escape-backslash.patch:
     - the changes are in the new version
   * debian/rules:
     - don't build the cpp wrapper for now
     - updated for the soname change

Changed in poppler (Ubuntu):
status: Fix Committed → Fix Released
Sebastien Bacher (seb128) wrote :

the issue is fixed in this upload now

 poppler (0.14.0-0ubuntu1) maverick; urgency=low
 .
   * New upstream version
   * debian/control:
     - updated glib and gtk requirements
     - updated binaries names for the soname changes
   * debian/libpoppler6.install, debian/libpoppler-glib5.install:
     - renamed due to the soname changes
   * debian/patches/11_column_selection.patch,
     debian/patches/backport-anti-alias.patch,
     debian/patches/backport-rotation-scaling.patch,
     debian/patches/psname-escape-backslash.patch:
     - the changes are in the new version
   * debian/rules:
     - don't build the cpp wrapper for now
     - updated for the soname change

Changed in poppler:
importance: Unknown → Medium
status: Unknown → Fix Released
Changed in poppler:
importance: Medium → Unknown
Changed in poppler:
importance: Unknown → Medium
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.