scientist2009 / pdfium

Automatically exported from code.google.com/p/pdfium

segfault in pdfium_test with fuzzed PDFs #45

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
Tinkering with Mr. Zalewski's American Fuzzy Lop fuzzer and found a few cases where the following segfault occurs (read on null ptr):

==26134== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==26134==  Access not within mapped region at address 0x1C
==26134==    at 0x835D719: CFX_BaseSegmentedArray::Iterate(int (*)(void*, void*), void*) const (fx_basic_array.cpp:312)
==26134==    by 0x8372242: CFX_CMapByteStringToPtr::Lookup(CFX_ByteStringC const&, void*&) const (fx_basic_maps.cpp:507)
==26134==    by 0x813D959: CPDF_Dictionary::GetElement(CFX_ByteStringC const&) const (fpdf_parser_objects.cpp:595)
==26134==    by 0x81591A1: CPDF_DataAvail::CheckRoot(IFX_DownloadHints*) (fpdf_parser_parser.cpp:3173)
==26134==    by 0x81581CF: CPDF_DataAvail::CheckDocStatus(IFX_DownloadHints*) (fpdf_parser_parser.cpp:3000)
==26134==    by 0x8157A77: CPDF_DataAvail::IsDocAvail(IFX_DownloadHints*) (fpdf_parser_parser.cpp:2922)
==26134==    by 0x805808F: FPDFAvail_IsDocAvail (fpdf_dataavail.cpp:117)
==26134==    by 0x804CF35: RenderPdf(char const*, char const*, unsigned int, OutputFormat) (pdfium_test.cc:279)
==26134==    by 0x804DB71: main (pdfium_test.cc:397)

Collection of test files including the original (good.pdf) is attached

Original issue reported on code.google.com by bobr...@gmail.com on 22 Aug 2014 at 7:02

Attachments:
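The trace above shows a read through a null pointer inside Iterate(), reached from Lookup() while CheckRoot() asks the trailer dictionary for its Root entry; a fault address as small as 0x1C is the classic signature of a field read at a fixed offset from a null object pointer. The C++ below is an added illustration, not pdfium's code: the class shapes (a segmented array walked by Iterate(), a byte-string-to-pointer map whose Lookup() drives it, a dictionary on top) are modelled on the names in the trace, while the field layout, member names and the guard placement are constructed for this example. It shows how the same lookup behaves when an empty map is treated as a clean miss instead of being walked, and how the fault offset for a null-`this` call relates to the struct layout. Which check pdfium was actually missing is not established by this report.

```cpp
// Added illustration, not pdfium code. Names follow the classes in the
// Valgrind trace; field layout and the guard itself are constructed here.
#include <cstddef>
#include <string>
#include <vector>

struct Entry {
    std::string key;
    void* value;
};

// Stand-in for CFX_BaseSegmentedArray. Standard-layout so offsetof() is valid.
struct SegmentedArray {
    int m_UnitSize = sizeof(Entry);
    int m_SegmentSize = 16;
    int m_IndexSize = 0;
    int m_IndexDepth = 0;
    int m_DataSize = 0;            // live entry count; first field Iterate() reads
    const Entry* m_pData = nullptr;

    // Invokes callback(param, entry) for each entry until it returns 0.
    // Called through a null `this`, the read of m_DataSize lands at address
    // offsetof(SegmentedArray, m_DataSize), which Valgrind reports as
    // "Access not within mapped region at address 0x<small offset>".
    bool Iterate(int (*callback)(void*, void*), void* param) const {
        for (int i = 0; i < m_DataSize; ++i) {
            if (!callback(param, const_cast<Entry*>(&m_pData[i]))) return false;
        }
        return true;
    }
};

// Where a null-`this` call of Iterate() would fault for this constructed
// layout (16 on common ABIs). pdfium's real class read a field at 0x1C.
size_t IterateFaultOffset() { return offsetof(SegmentedArray, m_DataSize); }

// Stand-in for CFX_CMapByteStringToPtr. m_pArray stays null until the first
// Add(), i.e. the state of a dictionary that a stripped-down input left empty.
class MapByteStringToPtr {
public:
    MapByteStringToPtr() = default;
    MapByteStringToPtr(const MapByteStringToPtr&) = delete;   // m_pArray is self-referential
    MapByteStringToPtr& operator=(const MapByteStringToPtr&) = delete;

    void Add(const std::string& key, void* value) {
        m_Storage.push_back(Entry{key, value});
        m_Array.m_pData = m_Storage.data();          // refresh after possible reallocation
        m_Array.m_DataSize = static_cast<int>(m_Storage.size());
        m_pArray = &m_Array;
    }

    bool Lookup(const std::string& key, void*& rValue) const {
        if (!m_pArray) return false;   // the guard: an empty map is a miss, not a walk
        struct Ctx { const std::string* key; void* found; bool hit; };
        Ctx ctx{&key, nullptr, false};
        m_pArray->Iterate([](void* param, void* entry) -> int {
            Ctx* c = static_cast<Ctx*>(param);
            const Entry* e = static_cast<const Entry*>(entry);
            if (e->key != *c->key) return 1;   // keep walking
            c->found = e->value;
            c->hit = true;
            return 0;                          // stop
        }, &ctx);
        if (ctx.hit) rValue = ctx.found;
        return ctx.hit;
    }

private:
    SegmentedArray m_Array;
    const SegmentedArray* m_pArray = nullptr;
    std::vector<Entry> m_Storage;
};

// Stand-in for CPDF_Dictionary::GetElement(): nullptr on a missing key.
class Dictionary {
public:
    void SetAt(const std::string& key, void* obj) { m_Map.Add(key, obj); }
    void* GetElement(const std::string& key) const {
        void* obj = nullptr;
        return m_Map.Lookup(key, obj) ? obj : nullptr;
    }
private:
    MapByteStringToPtr m_Map;
};

// Mirrors the CheckRoot() step in the trace: a /Root lookup on a trailer the
// fuzzer emptied must report "missing" rather than crash the renderer.
bool CheckRoot(const Dictionary& trailer) {
    return trailer.GetElement("Root") != nullptr;
}
```

For triage, the useful habit this models is reading the fault address: anything below the page size (0x1C = 28 here) means the object pointer itself was null and the faulting instruction was reading a member, so the fix belongs at the caller that handed Iterate() a null array, not inside Iterate().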

GoogleCodeExporter commented 9 years ago
Issue chromium:451052 has been merged into this issue.

Original comment by thestig@chromium.org on 7 Aug 2015 at 6:34