Summary: heap overflow in FoFiType1C::convertToType0, poppler 0.59.0

| Field | Value |
|---|---|
| Product | poppler |
| Component | utils |
| Status | RESOLVED FIXED |
| Severity | normal |
| Priority | medium |
| Version | unspecified |
| Hardware | Other |
| OS | All |
| Reporter | junchao luan <luanjunchao> |
| Assignee | poppler-bugs <poppler-bugs> |
| Attachments | a corpus of crash |
Description

junchao luan, 2017-09-14 06:43:29 UTC

Created attachment 134219: a corpus of crash

The error output below appears when I run pdftops with a specific PDF.

```
==50504==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61600000fbf8 at pc 0x0000004c9a18 bp 0x7fffffffd320 sp 0x7fffffffd310
READ of size 1 at 0x61600000fbf8 thread T0
    #0 0x4c9a17 in FoFiType1C::convertToType0(char*, int*, int, void (*)(void*, char const*, int), void*) /work/down/poppler-0.59.0/fofi/FoFiType1C.cc:
    #1 0x470320 in PSOutputDev::setupEmbeddedCIDType0Font(GfxFont*, Ref*, GooString*) /work/down/poppler-0.59.0/poppler/PSOutputDev.cc:2656
    #2 0x46a485 in PSOutputDev::setupFont(GfxFont*, Dict*) /work/down/poppler-0.59.0/poppler/PSOutputDev.cc:1953
    #3 0x4699bb in PSOutputDev::setupFonts(Dict*) /work/down/poppler-0.59.0/poppler/PSOutputDev.cc:1885
    #4 0x4690c6 in PSOutputDev::setupResources(Dict*) /work/down/poppler-0.59.0/poppler/PSOutputDev.cc:1798
    #5 0x4682fc in PSOutputDev::writeDocSetup(PDFDoc*, Catalog*, std::vector<int, std::allocator<int> > const&, bool) /work/down/poppler-0.59.0/poppler
    #6 0x465eb2 in PSOutputDev::postInit() /work/down/poppler-0.59.0/poppler/PSOutputDev.cc:1455
    #7 0x47510b in PSOutputDev::checkPageSlice(Page*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot
    #8 0x6243a5 in Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, v
    #9 0x623a3b in Page::display(OutputDev*, double, double, int, bool, bool, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /work
    #10 0x4195ae in PDFDoc::displayPage(OutputDev*, int, double, double, int, bool, bool, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*,
    #11 0x408083 in main /work/down/poppler-0.59.0/utils/pdftops.cc:423
    #12 0x7ffff547082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #13 0x406c58 in _start (/work/down/poppler-0.59.0/utils/pdftops+0x406c58)

0x61600000fbf8 is located 48 bytes to the right of 584-byte region [0x61600000f980,0x61600000fbc8)
allocated by thread T0 here:
    #0 0x7ffff6f02602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x4af2f3 in gmalloc /work/down/poppler-0.59.0/goo/gmem.cc:110
    #2 0x4af389 in gmalloc /work/down/poppler-0.59.0/goo/gmem.cc:120
    #3 0x4da337 in FoFiType1C::parse() /work/down/poppler-0.59.0/fofi/FoFiType1C.cc:2010
    #4 0x4c02a5 in FoFiType1C::make(char*, int) /work/down/poppler-0.59.0/fofi/FoFiType1C.cc:51
    #5 0x47017b in PSOutputDev::setupEmbeddedCIDType0Font(GfxFont*, Ref*, GooString*) /work/down/poppler-0.59.0/poppler/PSOutputDev.cc:2648
    #6 0x46a485 in PSOutputDev::setupFont(GfxFont*, Dict*) /work/down/poppler-0.59.0/poppler/PSOutputDev.cc:1953
    #7 0x4699bb in PSOutputDev::setupFonts(Dict*) /work/down/poppler-0.59.0/poppler/PSOutputDev.cc:1885
    #8 0x4690c6 in PSOutputDev::setupResources(Dict*) /work/down/poppler-0.59.0/poppler/PSOutputDev.cc:1798
    #9 0x4682fc in PSOutputDev::writeDocSetup(PDFDoc*, Catalog*, std::vector<int, std::allocator<int> > const&, bool) /work/down/poppler-0.59.0/poppler
    #10 0x465eb2 in PSOutputDev::postInit() /work/down/poppler-0.59.0/poppler/PSOutputDev.cc:1455
    #11 0x47510b in PSOutputDev::checkPageSlice(Page*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Anno
    #12 0x6243a5 in Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*,
    #13 0x623a3b in Page::display(OutputDev*, double, double, int, bool, bool, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /wor
    #14 0x4195ae in PDFDoc::displayPage(OutputDev*, int, double, double, int, bool, bool, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*,
    #15 0x408083 in main /work/down/poppler-0.59.0/utils/pdftops.cc:423
    #16 0x7ffff547082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /work/down/poppler-0.59.0/fofi/FoFiType1C.cc:907 FoFiType1C::convertToType0(char*, int*, int, void (*)(
==50504==ABORTING
```

I'm not sure if it's a duplicate of my previous bug 102653 and whether the fix for that one also works for this bug.

Fixed, thanks
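Triage helper added here (not part of the bug report or of poppler) that parses the ASan output above, recomputes the overflow distance and region size from the raw addresses, and derives a deduplication key from the top in-tree access frames plus the allocation site, the check a maintainer would run against bug 102653 before treating this report as a duplicate. The project root path, the allocator-wrapper names skipped when picking the allocation site, and the frame depth are assumptions; the embedded report is constructed from the lines on this page.

```python
import re
# Constructed sample: key lines of the ASan report from this bug (pdftops, poppler
# 0.59.0), cut to a few frames per stack; frame #0's :907 comes from the SUMMARY line.
ASAN_REPORT = """\
==50504==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61600000fbf8 at pc 0x0000004c9a18 bp 0x7fffffffd320 sp 0x7fffffffd310
READ of size 1 at 0x61600000fbf8 thread T0
    #0 0x4c9a17 in FoFiType1C::convertToType0(char*, int*, int, void (*)(void*, char const*, int), void*) /work/down/poppler-0.59.0/fofi/FoFiType1C.cc:907
    #1 0x470320 in PSOutputDev::setupEmbeddedCIDType0Font(GfxFont*, Ref*, GooString*) /work/down/poppler-0.59.0/poppler/PSOutputDev.cc:2656
    #2 0x46a485 in PSOutputDev::setupFont(GfxFont*, Dict*) /work/down/poppler-0.59.0/poppler/PSOutputDev.cc:1953
0x61600000fbf8 is located 48 bytes to the right of 584-byte region [0x61600000f980,0x61600000fbc8)
allocated by thread T0 here:
    #0 0x7ffff6f02602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x4af2f3 in gmalloc /work/down/poppler-0.59.0/goo/gmem.cc:110
    #2 0x4af389 in gmalloc /work/down/poppler-0.59.0/goo/gmem.cc:120
    #3 0x4da337 in FoFiType1C::parse() /work/down/poppler-0.59.0/fofi/FoFiType1C.cc:2010
"""
# A frame is "#N 0xADDR in NAME(params...) LOCATION"; the parameter list is optional.
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in ([^( ]+)(?:\(.*\))? (\S+)$")
REGION_RE = re.compile(r"is located (\d+) bytes to the (left|right) of (\d+)-byte "
                       r"region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")

def parse_report(text):
    """Pull bug type, access, region geometry and both stacks out of an ASan report."""
    info = {"access": [], "alloc": []}
    stack = "access"  # frames before "allocated by ..." belong to the faulting access
    for line in text.splitlines():
        if m := re.search(r"AddressSanitizer: (\S+) on address (0x[0-9a-f]+)", line):
            info["bug"], info["addr"] = m.group(1), int(m.group(2), 16)
        elif m := re.match(r"(READ|WRITE) of size (\d+)", line):
            info["op"], info["size"] = m.group(1), int(m.group(2))
        elif m := REGION_RE.search(line):
            info["dist"], info["side"], info["region_size"] = int(m.group(1)), m.group(2), int(m.group(3))
            info["region"] = (int(m.group(4), 16), int(m.group(5), 16))
        elif line.startswith("allocated by"):
            stack = "alloc"
        elif m := FRAME_RE.match(line):
            info[stack].append((m.group(1), m.group(2)))  # (function, file:line or module+offset)
    return info

def check_geometry(info):
    """Recompute the overflow distance and region size from the raw addresses."""
    start, end = info["region"]
    dist = info["addr"] - end if info["side"] == "right" else start - info["addr"]
    return dist == info["dist"] and end - start == info["region_size"]

def signature(info, root="/work/down/poppler-0.59.0/", depth=3):
    """Dedup key (assumed layout): bug type, top in-tree access frames, first non-wrapper alloc frame."""
    in_tree = [fn for fn, loc in info["access"] if loc.startswith(root)][:depth]
    alloc = next((fn for fn, _ in info["alloc"] if fn not in ("malloc", "gmalloc")), "?")
    return "|".join([info["bug"], *in_tree, "alloc:" + alloc])
```

Running the same key over the report attached to bug 102653 and comparing the two strings answers the reporter's duplicate question without re-reading both traces by hand.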