696948 – crash for stack overflow

Bug 696948 - crash for stack overflow

Summary: crash for stack overflow

Status:	RESOLVED DUPLICATE of bug 696954

Alias:	None

Product:	MuPDF
Classification:	Unclassified
Component:	mupdf (show other bugs)
Version:	1.9
Hardware:	PC Linux

Importance:	P4 critical
Assignee:	MuPDF bugs

URL:
Keywords:

Depends on:
Blocks:

Reported:	2016-07-25 20:03 UTC by redrain
Modified:	2016-08-04 09:06 UTC (History)
CC List:	1 user (show)

See Also:
Customer:
Word Size:	---

Attachments
the crash testcase (10.50 KB, application/pdf) 2016-07-25 20:03 UTC, redrain	Details
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description redrain 2016-07-25 20:03:59 UTC

Created attachment 12721 [details]
the crash testcase

please check it with the attachment

mupdf-x11 p.pdf

gdb-peda$ r pdf_out/queue/id:000001,orig:p.pdf
Starting program: /home/redrain/code/mupdf/build/debug/mupdf-x11 pdf_out/queue/id:000001,orig:p.pdf
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x2 
RBX: 0x2dc7190 --> 0x0 
RCX: 0x0 
RDX: 0x527c40 (<fz_drop_shade_imp>:	lea    rsp,[rsp-0x98])
RSI: 0x0 
RDI: 0x7ffff7368760 --> 0x1 
RBP: 0x9410 
RSP: 0x7fffffffde40 --> 0x0 
RIP: 0x7ffff702901f (<_int_free+527>:	cmp    r13,QWORD PTR [rax+0x18])
R8 : 0x2cc58f0 --> 0x0 
R9 : 0x2cc5920 --> 0x0 
R10: 0x0 
R11: 0x4f4a30 (<fz_unlock_default>:	lea    rsp,[rsp-0x98])
R12: 0x7ffff7368760 --> 0x1 
R13: 0x2dd05a0 --> 0x0 
R14: 0x8600 
R15: 0x1
EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff7029011 <_int_free+513>:	jne    0x7ffff70293d0 <_int_free+1472>
   0x7ffff7029017 <_int_free+519>:	mov    rax,QWORD PTR [r13+0x10]
   0x7ffff702901b <_int_free+523>:	mov    rdx,QWORD PTR [r13+0x18]
=> 0x7ffff702901f <_int_free+527>:	cmp    r13,QWORD PTR [rax+0x18]
   0x7ffff7029023 <_int_free+531>:	jne    0x7ffff7029682 <_int_free+2162>
   0x7ffff7029029 <_int_free+537>:	cmp    r13,QWORD PTR [rdx+0x10]
   0x7ffff702902d <_int_free+541>:	jne    0x7ffff7029682 <_int_free+2162>
   0x7ffff7029033 <_int_free+547>:	cmp    QWORD PTR [r13+0x8],0x3ff
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffde40 --> 0x0 
0008| 0x7fffffffde48 --> 0x2cf6010 --> 0x0 
0016| 0x7fffffffde50 --> 0x100000000 
0024| 0x7fffffffde58 --> 0xddaccbb936118100 
0032| 0x7fffffffde60 --> 0x2d66d10 --> 0x1 
0040| 0x7fffffffde68 --> 0x4f80a2 (<fz_free+34>:	mov    rax,QWORD PTR [rsp+0x10])
0048| 0x7fffffffde70 --> 0x7ffff7368778 --> 0x2d70a80 --> 0x0 
0056| 0x7fffffffde78 --> 0x0 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00007ffff702901f in _int_free (av=0x7ffff7368760 <main_arena>, p=<optimized out>, have_lock=0x0)
    at malloc.c:3996
3996	malloc.c: No such file or directory.


gdb-peda$ bt
#0  0x00007ffff702901f in _int_free (av=0x7ffff7368760 <main_arena>, p=<optimized out>, have_lock=0x0)
    at malloc.c:3996
#1  0x00000000004f83ee in fz_free (ctx=0x2cf6010, p=0x2dc71a0) at source/fitz/memory.c:187
#2  0x00000000006d533a in pdf_drop_processor (ctx=0x2cf6010, proc=0x2d58530) at source/pdf/pdf-interpret.c:27
#3  0x000000000057cce8 in pdf_run_page_contents_with_usage (ctx=ctx@entry=0x2cf6010, doc=doc@entry=0x2d1c970, 
    page=page@entry=0x2d66d10, dev=dev@entry=0x2d851a0, ctm=ctm@entry=0xaac7f0 <fz_identity>, 
    event=event@entry=0x292afb2 "View", cookie=cookie@entry=0x7fffffffe0e0) at source/pdf/pdf-run.c:43
#4  0x000000000057d194 in pdf_run_page_contents (ctx=0x2cf6010, page=0x2d66d10, dev=0x2d851a0, 
    ctm=0xaac7f0 <fz_identity>, cookie=0x7fffffffe0e0) at source/pdf/pdf-run.c:62
#5  0x0000000000442af7 in fz_run_page_contents (ctx=0x2cf6010, page=0x2d66d10, dev=0x2d851a0, 
    transform=0xaac7f0 <fz_identity>, cookie=cookie@entry=0x7fffffffe0e0) at source/fitz/document.c:293
#6  0x000000000041a14d in pdfapp_loadpage (app=app@entry=0x2cd6e80 <gapp>, no_cache=0x0)
    at platform/x11/pdfapp.c:677
#7  0x000000000041b2df in pdfapp_showpage (app=0x2cd6e80 <gapp>, loadpage=0x1, drawpage=0x1, repaint=0x1, 
    transition=<optimized out>, searching=<optimized out>) at platform/x11/pdfapp.c:851
#8  0x000000000041cd5f in pdfapp_open_progressive (app=app@entry=0x2cd6e80 <gapp>, 
    filename=0x7fffffffe89d "pdf_out/queue/id:000001,orig:p.pdf", reload=reload@entry=0x0, bps=bps@entry=0x0)
    at platform/x11/pdfapp.c:443
#9  0x000000000041d4d7 in pdfapp_open (app=app@entry=0x2cd6e80 <gapp>, filename=<optimized out>, 
    reload=reload@entry=0x0) at platform/x11/pdfapp.c:213
#10 0x000000000040e419 in main (argc=argc@entry=0x2, argv=argv@entry=0x7fffffffe628)
    at platform/x11/x11_main.c:888
#11 0x00007ffff6fcbf45 in __libc_start_main (main=0x40db70 <main>, argc=0x2, argv=0x7fffffffe628, 
    init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe618)
    at libc-start.c:287
#12 0x000000000040fb11 in _start ()

Comment 1 Sebastian Rasmussen 2016-08-04 09:06:54 UTC


*** This bug has been marked as a duplicate of bug 696954 ***