# poppler-0.74 ## version poppler 0.74 with cairo 1.17.2 ## description ```txt None ``` ## download link None --------------------- ## _cairo_polygon_intersect@cairo-polygon-intersect.c:1171-6___out-of-bounds-read ### description An issue was discovered in poppler-0.74 (version 0.74): there is an out-of-bounds read in function _cairo_polygon_intersect at cairo-polygon-intersect.c:1171-6. The faulting code is in the bundled cairo library (cairo 1.17.2 per the version above), reached from poppler's CairoOutputDev::stroke via Gfx::opStroke, as the stack trace below shows. The gdb session shows `right` is a NULL pointer (`0x0`) and AddressSanitizer reports the read at address 0x30 on the zero page, so the access at line 1171 (`right->deferred.other`) is a NULL-pointer dereference; whether the NULL comes from `left->next` at line 1169 or from a later advance of `right` is not visible in the excerpt. The practical impact is a crash (denial of service) of pdftocairo on a crafted PDF. ### commandline pdftocairo @@ -png 1.png ### source ```c src:/src/cairo/src/cairo-polygon-intersect.c:1171:6 1167 } while (1); 1168 1169 right = left->next; 1170 do { >1171 if unlikely ((right->deferred.other)) 1172 edges_end (right, top, polygon); 1173 1174 winding[right->a_or_b] += right->edge.dir; 1175 if (is_zero (winding)) { 1176 if (right->next == NULL || ``` gdb debug ```txt gdb-peda$ p right $2 = (cairo_bo_edge_t *) 0x0 gdb-peda$ list 1166 return; 1167 } while (1); 1168 1169 right = left->next; 1170 do { 1171 if unlikely ((right->deferred.other)) 1172 edges_end (right, top, polygon); 1173 1174 winding[right->a_or_b] += right->edge.dir; 1175 if (is_zero (winding)) { ``` ### bug report ```txt AddressSanitizer:DEADLYSIGNAL ================================================================= ==10290==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000030 (pc 0x7f0995690904 bp 0x7ffc02a0cab0 sp 0x7ffc02a09940 T0) ==10290==The signal is caused by a READ memory access. ==10290==Hint: address points to the zero page. 
#0 0x7f0995690903 in _cairo_polygon_intersect /src/cairo/src/cairo-polygon-intersect.c:1171:6 #1 0x7f09956efbdf in clip_and_composite_polygon /src/cairo/src/cairo-spans-compositor.c:946:12 #2 0x7f09956eb73d in _cairo_spans_compositor_stroke /src/cairo/src/cairo-spans-compositor.c:1083:15 #3 0x7f099558b48e in _cairo_compositor_stroke /src/cairo/src/cairo-compositor.c:157:11 #4 0x7f09955f11b3 in _cairo_image_surface_stroke /src/cairo/src/cairo-image-surface.c:982:12 #5 0x7f0995734725 in _cairo_surface_stroke /src/cairo/src/cairo-surface.c:2377:14 #6 0x7f09955b3a63 in _cairo_gstate_stroke /src/cairo/src/cairo-gstate.c:1188:12 #7 0x7f099559a66f in _cairo_default_context_stroke /src/cairo/src/cairo-default-context.c:1010:14 #8 0x7f0995785349 in INT_cairo_stroke /src/cairo/src/cairo.c:2366:14 #9 0x5419e2 in CairoOutputDev::stroke(GfxState*) /src/poppler-0.74/poppler/CairoOutputDev.cc:823:5 #10 0x7f099471160a in Gfx::opStroke(Object*, int) /src/poppler-0.74/poppler/Gfx.cc:1776:7 #11 0x7f099474d662 in Gfx::execOp(Object*, Object*, int) /src/poppler-0.74/poppler/Gfx.cc:876:3 #12 0x7f09947496f7 in Gfx::go(bool) /src/poppler-0.74/poppler/Gfx.cc:752:7 #13 0x7f09947485a3 in Gfx::display(Object*, bool) /src/poppler-0.74/poppler/Gfx.cc:714:3 #14 0x7f09947532e5 in Gfx::drawForm(Object*, Dict*, double const*, double const*, bool, bool, GfxColorSpace*, bool, bool, bool, Function*, GfxColor*) /src/poppler-0.74/poppler/Gfx.cc:4841:3 #15 0x7f09947843a0 in Gfx::doForm(Object*) /src/poppler-0.74/poppler/Gfx.cc:4764:3 #16 0x7f099470b0f0 in Gfx::opXObject(Object*, int) /src/poppler-0.74/poppler/Gfx.cc:4181:2 #17 0x7f099474d662 in Gfx::execOp(Object*, Object*, int) /src/poppler-0.74/poppler/Gfx.cc:876:3 #18 0x7f09947496f7 in Gfx::go(bool) /src/poppler-0.74/poppler/Gfx.cc:752:7 #19 0x7f09947485a3 in Gfx::display(Object*, bool) /src/poppler-0.74/poppler/Gfx.cc:714:3 #20 0x7f099498312c in Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), 
void*, bool (*)(Annot*, void*), void*, bool) /src/poppler-0.74/poppler/Page.cc:548:10 #21 0x7f09949a0891 in PDFDoc::displayPageSlice(OutputDev*, int, double, double, int, bool, bool, bool, int, int, int, int, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /src/poppler-0.74/poppler/PDFDoc.cc:665:20 #22 0x52d976 in main /src/poppler-0.74/utils/pdftocairo.cc:730:8 #23 0x7f0992daf82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) #24 0x4258b8 in _start (/src/aflbuild/installed/bin/pdftocairo+0x4258b8) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV /src/cairo/src/cairo-polygon-intersect.c:1171:6 in _cairo_polygon_intersect ==10290==ABORTING ``` ### others from fuzz project pwd-poppler-pdftocairo-00 crash name pwd-poppler-pdftocairo-00-00000000-20190319.pdf Auto-generated by pyspider at 2019-03-19 10:31:22