The following crash was encountered in pdfium (the Chrome PDF renderer) during PDF fuzzing:
--- cut ---
=================================================================
==16335==ERROR: AddressSanitizer: SEGV on unknown address 0x7f7aedf89800 (pc 0x000000598373 bp 0x7fff03966370 sp 0x7fff039660a0 T0)
#0 0x598372 in CPDF_SampledFunc::v_Call(float*, float*) const /ssd/mbarbella/beh/src/third_party/pdfium/core/src/fpdfapi/fpdf_page/fpdf_page_func.cpp:429:13
#1 0x59b486 in CPDF_Function::Call(float*, int, float*, int&) const /ssd/mbarbella/beh/src/third_party/pdfium/core/src/fpdfapi/fpdf_page/fpdf_page_func.cpp:874:5
#2 0x58772d in CPDF_SeparationCS::GetRGB(float*, float&, float&, float&) const /ssd/mbarbella/beh/src/third_party/pdfium/core/src/fpdfapi/fpdf_page/fpdf_page_colors.cpp:984:5
#3 0x58a73e in CPDF_Color::GetRGB(int&, int&, int&) const /ssd/mbarbella/beh/src/third_party/pdfium/core/src/fpdfapi/fpdf_page/fpdf_page_colors.cpp:1417:10
#4 0x59f5c7 in CPDF_ColorState::SetColor(CPDF_Color&, unsigned int&, CPDF_ColorSpace*, float*, int) /ssd/mbarbella/beh/src/third_party/pdfium/core/src/fpdfapi/fpdf_page/fpdf_page_graph_state.cpp:259:11
#5 0x5b79ad in CPDF_StreamContentParser::Handle_SetColorPS_Fill() /ssd/mbarbella/beh/src/third_party/pdfium/core/src/fpdfapi/fpdf_page/fpdf_page_parser.cpp:1072:9
#6 0x5a78d9 in CPDF_StreamContentParser::OnOperator(char const*) /ssd/mbarbella/beh/src/third_party/pdfium/core/src/fpdfapi/fpdf_page/fpdf_page_parser.cpp:341:13
#7 0x5bf64f in CPDF_StreamContentParser::Parse(unsigned char const*, unsigned int, unsigned int) /ssd/mbarbella/beh/src/third_party/pdfium/core/src/fpdfapi/fpdf_page/fpdf_page_parser_old.cpp:62:21
#8 0x5ca5ed in CPDF_ContentParser::Continue(IFX_Pause*) /ssd/mbarbella/beh/src/third_party/pdfium/core/src/fpdfapi/fpdf_page/fpdf_page_parser_old.cpp:1091:36
#9 0x57aaaa in CPDF_Page::ParseContent(CPDF_ParseOptions*, int) /ssd/mbarbella/beh/src/third_party/pdfium/core/src/fpdfapi/fpdf_page/fpdf_page.cpp:704:5
#10 0x1cadf6a in CPDFXFA_Page::LoadPDFPage() /ssd/mbarbella/beh/src/third_party/pdfium/fpdfsdk/src/fpdfxfa/fpdfxfa_page.cpp:61:3
#11 0x1ca4354 in CPDFXFA_Document::GetPage(int) /ssd/mbarbella/beh/src/third_party/pdfium/fpdfsdk/src/fpdfxfa/fpdfxfa_doc.cpp:218:18
#12 0x4a8886 in FPDF_LoadPage /ssd/mbarbella/beh/src/third_party/pdfium/fpdfsdk/src/fpdfview.cpp:447:9
#13 0x4a48be in RenderPdf(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, char const*, unsigned long, OutputFormat) /ssd/mbarbella/beh/src/third_party/pdfium/samples/pdfium_test.cc:429:22
#14 0x4a5537 in main /ssd/mbarbella/beh/src/third_party/pdfium/samples/pdfium_test.cc:529:5
#15 0x7f7b64c8eec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
--- cut ---
The crash was reported at https://code.google.com/p/chromium/issues/detail?id=471990. Attached is the PDF file which triggers the crash.
This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.
Attachment: signal_sigsegv_8a57d6_9705_fa7f7984_b494b941_3138d00d_591d2fbf_2e0e4bd2.pdf (462 KB)