No text rendered at all #5

Open
CapSel opened this issue Mar 15, 2015 · 1 comment

CapSel commented Mar 15, 2015

With this pdf there is no text rendered at all: http://www.cse.chalmers.se/~rjmh/Papers/arrows.pdf
It's about "arrows" from the Haskell language.

giddie (Owner) commented Mar 16, 2015

Wow; you're absolutely right. How weird! I'll try to find some time to look into it.

giddie pushed a commit that referenced this issue Sep 11, 2020
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24772

When numInputSyms + numNewSyms is large enough, a fatal out of memory
allocation can occur in JArithmeticDecoderStats() constructor per

```
    #0 0xf7f6bf19 in [vdso]
    #1 0xf7d40d08 in gsignal (/lib32/libc.so.6+0x2bd08)
    #2 0xf7d42206 in abort (/lib32/libc.so.6+0x2d206)
    #3 0xbdc0049 in gmalloc(unsigned int, bool) gdal/poppler/goo/gmem.h:52:5
    #4 0xbdf3c61 in gmallocn(int, int, bool) gdal/poppler/goo/gmem.h:119:12
    #5 0xc1391fd in JArithmeticDecoderStats::JArithmeticDecoderStats(int) gdal/poppler/poppler/JArithmeticDecoder.cc:36:30
    #6 0xc1130d5 in JBIG2Stream::resetIntStats(int) gdal/poppler/poppler/JBIG2Stream.cc:4052:25
    #7 0xc1083df in JBIG2Stream::readSymbolDictSeg(unsigned int, unsigned int, unsigned int*, unsigned int) gdal/poppler/poppler/JBIG2Stream.cc:1624:9
    #8 0xc105305 in JBIG2Stream::readSegments() gdal/poppler/poppler/JBIG2Stream.cc:1318:18
    #9 0xc103f5a in JBIG2Stream::reset() gdal/poppler/poppler/JBIG2Stream.cc:1142:5
```

Avoid it and return nicely.
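An added example, not poppler's code and not the commit's patch, of the guard the commit above describes: two counts read from an untrusted JBIG2 segment, their sum sizing an allocation, with the checks that turn a fatal allocator abort into an error the caller can return. `kMaxSymbols`, `uncheckedTableSize` and `allocSymbolTable` are names assumed for this example.

```cpp
// Example code, not poppler's: the risky pattern beside its hardened form.
#include <cstdint>
#include <limits>
#include <new>
#include <vector>

// Assumed sanity cap for this example, not a poppler constant.
constexpr uint32_t kMaxSymbols = 1u << 20;

enum class SymAllocStatus { Ok, Overflow, TooLarge, OutOfMemory };

struct SymAllocResult {
    SymAllocStatus status;
    std::vector<uint32_t> table;  // empty unless status == Ok
};

// Unchecked variant, the shape behind the stack trace above: the sum is
// trusted as-is and handed to the allocator. A hostile file can make it wrap
// or simply enormous, and a non-throwing allocator aborts the process.
// (Deliberately performs no checks; kept only to show the contrast.)
uint32_t uncheckedTableSize(uint32_t numInputSyms, uint32_t numNewSyms) {
    return numInputSyms + numNewSyms;  // wraps silently on overflow
}

// Hardened variant: validate before allocating and report failure upward.
SymAllocResult allocSymbolTable(uint32_t numInputSyms, uint32_t numNewSyms) {
    // Checked addition: would the sum exceed the counter type?
    if (numInputSyms > std::numeric_limits<uint32_t>::max() - numNewSyms)
        return {SymAllocStatus::Overflow, {}};
    const uint32_t total = numInputSyms + numNewSyms;
    // Sanity bound: a dictionary claiming far more symbols than any real
    // document needs is malformed; refuse it before touching the allocator.
    if (total > kMaxSymbols)
        return {SymAllocStatus::TooLarge, {}};
    // Only now allocate. std::vector throws instead of aborting, so even a
    // genuine memory shortage becomes a status the parser can propagate.
    try {
        return {SymAllocStatus::Ok, std::vector<uint32_t>(total, 0)};
    } catch (const std::bad_alloc &) {
        return {SymAllocStatus::OutOfMemory, {}};
    }
}
```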
giddie pushed a commit that referenced this issue Oct 19, 2020
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25411

```
    #0 0xf7ef8f19 in [vdso]
    #1 0xf7ccdd08 in gsignal (/lib32/libc.so.6+0x2bd08)
    #2 0xf7ccf206 in abort (/lib32/libc.so.6+0x2d206)
    #3 0xbdb9c2e in grealloc(void*, unsigned int, bool) gdal/poppler/goo/gmem.h:85:5
    #4 0xbdd9e11 in greallocn(void*, int, int, bool, bool) gdal/poppler/goo/gmem.h:171:12
    #5 0xc012373 in SplashPath::addStrokeAdjustHint(int, int, int, int) gdal/poppler/splash/SplashPath.cc:211:35
    #6 0xbfd156f in Splash::makeStrokePath(SplashPath*, double, bool) gdal/poppler/splash/Splash.cc:5987:34
    #7 0xbfcaec2 in Splash::strokeWide(SplashPath*, double) gdal/poppler/splash/Splash.cc:2028:13
    #8 0xbfc8a4d in Splash::stroke(SplashPath*) /src/gdal/poppler/splash/Splash.cc
```

Based on patch by Even Rouault
giddie pushed a commit that referenced this issue Mar 25, 2024
…odeMono8 case

Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=64471

```
$ utils/pdftoppm clusterfuzz-testcase-minimized-gdal_fuzzer-6127122829410304
[...]
=================================================================
==1758602==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000024cd5 at pc 0x7fd5850e977d bp 0x7ffe0e007430 sp 0x7ffe0e007428
READ of size 1 at 0x602000024cd5 thread T0
    #0 0x7fd5850e977c in Splash::blitTransparent(SplashBitmap*, int, int, int, int, int, int) /home/even/poppler/splash/Splash.cc:5778:24
    #1 0x7fd58505e19d in SplashOutputDev::beginTransparencyGroup(GfxState*, double const*, GfxColorSpace*, bool, bool, bool) /home/even/poppler/poppler/SplashOutputDev.cc:3998:17
    #2 0x7fd5850451c3 in SplashOutputDev::setSoftMaskFromImageMask(GfxState*, Object*, Stream*, int, int, bool, bool, double*) /home/even/poppler/poppler/SplashOutputDev.cc:2692:5
    #3 0x7fd584c3f6a7 in Gfx::doPatternImageMask(Object*, Stream*, int, int, bool, bool) /home/even/poppler/poppler/Gfx.cc:1964:10
    #4 0x7fd584c5cc26 in Gfx::doImage(Object*, Stream*, bool) /home/even/poppler/poppler/Gfx.cc:4304:17
    #5 0x7fd584c1827a in Gfx::opBeginImage(Object*, int) /home/even/poppler/poppler/Gfx.cc:4900:9
    #6 0x7fd584c32abe in Gfx::execOp(Object*, Object*, int) /home/even/poppler/poppler/Gfx.cc:811:5
    #7 0x7fd584c316ef in Gfx::go(bool) /home/even/poppler/poppler/Gfx.cc:686:13
    #8 0x7fd584c30f76 in Gfx::display(Object*, bool) /home/even/poppler/poppler/Gfx.cc:647:5
    #9 0x7fd58506713d in SplashOutputDev::tilingPatternFill(GfxState*, Gfx*, Catalog*, GfxTilingPattern*, double const*, int, int, int, int, double, double) /home/even/poppler/poppler/SplashOutputDev.cc:4424:10
    #10 0x7fd584c3b41b in Gfx::doTilingPatternFill(GfxTilingPattern*, bool, bool, bool) /home/even/poppler/poppler/Gfx.cc:2176:53
    #11 0x7fd584c36188 in Gfx::doPatternFill(bool) /home/even/poppler/poppler/Gfx.cc:1895:9
    #12 0x7fd584c16d93 in Gfx::opFillStroke(Object*, int) /home/even/poppler/poppler/Gfx.cc:1794:17
    #13 0x7fd584c32abe in Gfx::execOp(Object*, Object*, int) /home/even/poppler/poppler/Gfx.cc:811:5
    #14 0x7fd584c316ef in Gfx::go(bool) /home/even/poppler/poppler/Gfx.cc:686:13
    #15 0x7fd584c30f76 in Gfx::display(Object*, bool) /home/even/poppler/poppler/Gfx.cc:647:5
    #16 0x7fd584de61b9 in Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /home/even/poppler/poppler/Page.cc:593:14
    #17 0x7fd584dfd5fc in PDFDoc::displayPageSlice(OutputDev*, int, double, double, int, bool, bool, bool, int, int, int, int, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /home/even/poppler/poppler/PDFDoc.cc:633:24
    #18 0x4cc9c6 in savePageSlice(PDFDoc*, SplashOutputDev*, int, int, int, int, int, double, double, char*) /home/even/poppler/utils/pdftoppm.cc:293:10
    #19 0x4cb932 in main /home/even/poppler/utils/pdftoppm.cc:695:9
    #20 0x7fd5841ef082 in __libc_start_main /build/glibc-wuryBv/glibc-2.31/csu/../csu/libc-start.c:308:16
    #21 0x41d61d in _start (/home/even/poppler/build/utils/pdftoppm+0x41d61d)

0x602000024cd5 is located 1 bytes to the right of 4-byte region [0x602000024cd0,0x602000024cd4)
allocated by thread T0 here:
    #0 0x495d5d in malloc (/home/even/poppler/build/utils/pdftoppm+0x495d5d)
    #1 0x7fd5849f1d54 in gmalloc(unsigned long, bool) /home/even/poppler/goo/gmem.h:44:19
    #2 0x7fd5849f0ed0 in gmallocn(int, int, bool) /home/even/poppler/goo/gmem.h:121:12
    #3 0x7fd584c1384d in gmallocn_checkoverflow(int, int) /home/even/poppler/goo/gmem.h:126:12
    #4 0x7fd5850f7ec5 in SplashBitmap::SplashBitmap(int, int, int, SplashColorMode, bool, bool, std::vector<GfxSeparationColorSpace*, std::allocator<GfxSeparationColorSpace*> > const*) /home/even/poppler/splash/SplashBitmap.cc:111:28
    #5 0x7fd585066631 in SplashOutputDev::tilingPatternFill(GfxState*, Gfx*, Catalog*, GfxTilingPattern*, double const*, int, int, int, int, double, double) /home/even/poppler/poppler/SplashOutputDev.cc:4398:18
    #6 0x7fd584c3b41b in Gfx::doTilingPatternFill(GfxTilingPattern*, bool, bool, bool) /home/even/poppler/poppler/Gfx.cc:2176:53
    #7 0x7fd584c36188 in Gfx::doPatternFill(bool) /home/even/poppler/poppler/Gfx.cc:1895:9
    #8 0x7fd584c16d93 in Gfx::opFillStroke(Object*, int) /home/even/poppler/poppler/Gfx.cc:1794:17
    #9 0x7fd584c32abe in Gfx::execOp(Object*, Object*, int) /home/even/poppler/poppler/Gfx.cc:811:5
    #10 0x7fd584c316ef in Gfx::go(bool) /home/even/poppler/poppler/Gfx.cc:686:13
    #11 0x7fd584c30f76 in Gfx::display(Object*, bool) /home/even/poppler/poppler/Gfx.cc:647:5
    #12 0x7fd584de61b9 in Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /home/even/poppler/poppler/Page.cc:593:14
    #13 0x7fd584dfd5fc in PDFDoc::displayPageSlice(OutputDev*, int, double, double, int, bool, bool, bool, int, int, int, int, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /home/even/poppler/poppler/PDFDoc.cc:633:24
    #14 0x4cc9c6 in savePageSlice(PDFDoc*, SplashOutputDev*, int, int, int, int, int, double, double, char*) /home/even/poppler/utils/pdftoppm.cc:293:10
    #15 0x4cb932 in main /home/even/poppler/utils/pdftoppm.cc:695:9
    #16 0x7fd5841ef082 in __libc_start_main /build/glibc-wuryBv/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/even/poppler/splash/Splash.cc:5778:24 in Splash::blitTransparent(SplashBitmap*, int, int, int, int, int, int)
```