Use-after-free bug, array member freed too early
Hello,
Some Background on this bug report:
I'm the original reporter of https://rt.cpan.org/Public/Bug/Display.html?id=130280 and https://mail.gnome.org/archives/gtk-perl-list/2019-September/msg00005.html. Thank you for resolving that double free! :)
However, unfortunately there seems to be an additional, related bug, most likely also stemming from G::O::I. This bug once more occurs when using G::O::I with the Poppler bindings. There is something fishy about the objects returned from (probably flat?) arrays. When acting upon those returned objects, transitive objects (in this case the points within the quadrilaterals) themselves seem to be freed too early while they are still in use from the Perl side, causing invalid reads. I've attached a slightly revised example of the original test code (pdfextract_invalid_read.pl) to this message, which exhibits the issue with the test pdf (test_annot.pdf) using current git-master of G::O::I (revision 42cdec8f).
This is the relevant valgrind output snippet, the full log is attached as valgrind:
==25785== Invalid read of size 8
==25785== at 0x650CF50: g_field_info_get_field (in /usr/lib/libgirepository-1.0.so.1.0.0)
==25785== by 0x64EECBF: get_field.constprop.0 (in /tmp/poppler-test/local/lib/perl5/x86_64-linux-thread-multi/auto/Glib/Object/Introspection/Introspection.so)
==25785== by 0x64EF02C: XS_Glib__Object__Introspection__get_field (in /tmp/poppler-test/local/lib/perl5/x86_64-linux-thread-multi/auto/Glib/Object/Introspection/Introspection.so)
==25785== by 0x4953220: Perl_pp_entersub (in /usr/lib/perl5/5.30/core_perl/CORE/libperl.so)
==25785== by 0x4949785: Perl_runops_standard (in /usr/lib/perl5/5.30/core_perl/CORE/libperl.so)
==25785== by 0x48BE2A5: perl_run (in /usr/lib/perl5/5.30/core_perl/CORE/libperl.so)
==25785== by 0x1091A6: main (in /usr/bin/perl)
==25785== Address 0x8cbf920 is 0 bytes inside a block of size 64 free'd
==25785== at 0x48399AB: free (vg_replace_malloc.c:530)
==25785== by 0x63DD112: ??? (in /usr/lib/libglib-2.0.so.0.6200.0)
==25785== by 0x64EFE2C: arg_to_sv (in /tmp/poppler-test/local/lib/perl5/x86_64-linux-thread-multi/auto/Glib/Object/Introspection/Introspection.so)
==25785== by 0x64F1327: invoke_c_code.isra.0 (in /tmp/poppler-test/local/lib/perl5/x86_64-linux-thread-multi/auto/Glib/Object/Introspection/Introspection.so)
==25785== by 0x64F1836: XS_Glib__Object__Introspection_invoke (in /tmp/poppler-test/local/lib/perl5/x86_64-linux-thread-multi/auto/Glib/Object/Introspection/Introspection.so)
==25785== by 0x4953220: Perl_pp_entersub (in /usr/lib/perl5/5.30/core_perl/CORE/libperl.so)
==25785== by 0x4949785: Perl_runops_standard (in /usr/lib/perl5/5.30/core_perl/CORE/libperl.so)
==25785== by 0x48BE2A5: perl_run (in /usr/lib/perl5/5.30/core_perl/CORE/libperl.so)
==25785== by 0x1091A6: main (in /usr/bin/perl)
==25785== Block was alloc'd at
==25785== at 0x48386AF: malloc (vg_replace_malloc.c:298)
==25785== by 0x483ADE7: realloc (vg_replace_malloc.c:826)
==25785== by 0x63AE728: g_realloc (in /usr/lib/libglib-2.0.so.0.6200.0)
==25785== by 0x63E346B: ??? (in /usr/lib/libglib-2.0.so.0.6200.0)
==25785== by 0x63E3929: g_array_sized_new (in /usr/lib/libglib-2.0.so.0.6200.0)
==25785== by 0x6E9266E: poppler_annot_text_markup_get_quadrilaterals (in /usr/lib/libpoppler-glib.so.8.14.0)
==25785== by 0x4BE26CF: ffi_call_unix64 (in /usr/lib/libffi.so.6.0.4)
==25785== by 0x4BE209F: ffi_call (in /usr/lib/libffi.so.6.0.4)
==25785== by 0x64F0E4A: invoke_c_code.isra.0 (in /tmp/poppler-test/local/lib/perl5/x86_64-linux-thread-multi/auto/Glib/Object/Introspection/Introspection.so)
==25785== by 0x64F1836: XS_Glib__Object__Introspection_invoke (in /tmp/poppler-test/local/lib/perl5/x86_64-linux-thread-multi/auto/Glib/Object/Introspection/Introspection.so)
==25785== by 0x4953220: Perl_pp_entersub (in /usr/lib/perl5/5.30/core_perl/CORE/libperl.so)
==25785== by 0x4949785: Perl_runops_standard (in /usr/lib/perl5/5.30/core_perl/CORE/libperl.so)
When removing the print $p1->x line, the invalid read disappears, so it is most likely the culprit.
Thank you once more for fixing the original issue and for reading this bug report! Please tell me if you need more information or if I could help in any way in troubleshooting this issue.
~Simon
Possibly relevant library information:
- CPAN Module Poppler: 1.0101
- Distro: Archlinux
- Perl version: 5.30.0-3
- Glib2 version: 2.62.0-1
- glib-perl/gtk2-perl version: 1.329-2
- Glib::Object::Introspection git revision 42cdec8f
- gcc version: 9.1.0
- glibc version: 2.29-4
- Kernel: 5.2.14-arch2-1-ARCH
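As an added illustration (not the reporter's attached script, and not the code of Glib::Object::Introspection or Poppler), the following C program models the ownership pattern the report describes: the conversion layer frees the container array after handing out element wrappers, so a wrapper that merely borrows a pointer into the array buffer dangles, while a wrapper that owns a copy of its element stays valid after the container is gone. All names (Quad, QuadArray, QuadWrapper, convert_shallow, convert_deep) are assumed for this example and the quadrilateral data is constructed.

```c
/* Added illustration of the "container freed while wrappers still point
 * into it" pattern; not G::O::I or Poppler code. All names are assumed. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct { double x, y; } Point;
typedef struct { Point p1, p2, p3, p4; } Quad;

/* Stand-in for the flat array of Quad structs a C library returns. */
typedef struct { Quad *data; size_t len; } QuadArray;

/* Stand-in for the binding-side object handed to the scripting language:
 * it either borrows a pointer into the array buffer or owns a private copy. */
typedef struct { Quad *quad; int owned; } QuadWrapper;

/* Constructed sample data: quad i has p1 = (i, i + 0.5). */
static QuadArray *make_quads(size_t n) {
    QuadArray *a = malloc(sizeof *a);
    a->data = malloc(n * sizeof(Quad));
    a->len = n;
    for (size_t i = 0; i < n; i++) {
        double b = (double)i;
        a->data[i].p1 = (Point){ b, b + 0.5 };
        a->data[i].p2 = (Point){ b + 1, b + 0.5 };
        a->data[i].p3 = (Point){ b, b + 1.5 };
        a->data[i].p4 = (Point){ b + 1, b + 1.5 };
    }
    return a;
}

static void free_quads(QuadArray *a) { free(a->data); free(a); }

/* Buggy conversion: wrappers borrow element pointers, then the container
 * is freed (the "freed too early" step). Any later read through w[i].quad
 * is a use-after-free; *base receives the address of the freed buffer. */
static QuadWrapper *convert_shallow(QuadArray *a, size_t *n, uintptr_t *base) {
    QuadWrapper *w = malloc(a->len * sizeof *w);
    for (size_t i = 0; i < a->len; i++)
        w[i] = (QuadWrapper){ &a->data[i], 0 };
    *n = a->len;
    *base = (uintptr_t)a->data;
    free_quads(a);
    return w;
}

/* Fixed conversion: each wrapper owns a copy of its element, so freeing
 * the container afterwards cannot invalidate what the caller holds. */
static QuadWrapper *convert_deep(QuadArray *a, size_t *n) {
    QuadWrapper *w = malloc(a->len * sizeof *w);
    for (size_t i = 0; i < a->len; i++) {
        Quad *copy = malloc(sizeof *copy);
        memcpy(copy, &a->data[i], sizeof *copy);
        w[i] = (QuadWrapper){ copy, 1 };
    }
    *n = a->len;
    free_quads(a);
    return w;
}

static void free_wrappers(QuadWrapper *w, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (w[i].owned) free(w[i].quad);
    free(w);
}

/* Sum of p1.x over all wrappers, read after the container was freed.
 * Safe for owned copies; for n quads the value is n(n-1)/2. */
double deep_sum_p1_x(size_t n) {
    size_t m;
    QuadWrapper *w = convert_deep(make_quads(n), &m);
    double s = 0;
    for (size_t i = 0; i < m; i++) s += w[i].quad->p1.x;
    free_wrappers(w, m);
    return s;
}

/* Returns 1 if the first shallow wrapper still points into the freed
 * buffer, checked arithmetically without dereferencing the dangling pointer. */
int shallow_wrapper_dangles(size_t n) {
    size_t m; uintptr_t base;
    QuadWrapper *w = convert_shallow(make_quads(n), &m, &base);
    uintptr_t p = (uintptr_t)w[0].quad;
    int dangles = p >= base && p < base + m * sizeof(Quad);
    free_wrappers(w, m);
    return dangles;
}

int main(int argc, char **argv) {
    printf("deep sum after container freed: %g\n", deep_sum_p1_x(4));
    printf("shallow wrapper dangles: %d\n", shallow_wrapper_dangles(4));
    if (argc > 1 && strcmp(argv[1], "uaf") == 0) {
        /* Deliberate use-after-free: run under valgrind to get an
         * "Invalid read" with a "free'd" stack, as in the report above. */
        size_t m; uintptr_t base;
        QuadWrapper *w = convert_shallow(make_quads(4), &m, &base);
        printf("p1.x via dangling wrapper: %g\n", w[0].quad->p1.x);
        free_wrappers(w, m);
    }
    return 0;
}
```

Build with `gcc -g -O0` and run `valgrind ./a.out uaf` to see a report of the same shape as the one above (an "Invalid read" whose "free'd" stack ends in the conversion routine and whose "alloc'd" stack ends in the array constructor); without the argument the program only reports the dangling pointer arithmetically and exercises the owned-copy path.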