Bug 102724 - heap overflow in FoFiType1C::convertToType0, poppler 0.59.0
Summary: heap overflow in FoFiType1C::convertToType0, poppler 0.59.0
Status: RESOLVED FIXED
Alias: None
Product: poppler
Classification: Unclassified
Component: utils (show other bugs)
Version: unspecified
Hardware: Other All
: medium normal
Assignee: poppler-bugs
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-09-14 06:43 UTC by junchao luan
Modified: 2017-09-14 17:39 UTC (History)
0 users

See Also:
i915 platform:
i915 features:


Attachments
a corpus of crash (11.98 KB, application/pdf)
2017-09-14 07:37 UTC, junchao luan
Details

Description junchao luan 2017-09-14 06:43:29 UTC

    
Comment 1 junchao luan 2017-09-14 07:37:49 UTC
Created attachment 134219 [details]
a corpus of crash
Comment 2 junchao luan 2017-09-14 07:40:05 UTC
The error output is here when I run pdftops with a specific pdf.

==50504==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61600000fbf8 at pc 0x0000004c9a18 bp 0x7fffffffd320 sp 0x7fffffffd310
READ of size 1 at 0x61600000fbf8 thread T0
    #0 0x4c9a17 in FoFiType1C::convertToType0(char*, int*, int, void (*)(void*, char const*, int), void*) /work/down/poppler-0.59.0/fofi/FoFiType1C.cc:
    #1 0x470320 in PSOutputDev::setupEmbeddedCIDType0Font(GfxFont*, Ref*, GooString*) /work/down/poppler-0.59.0/poppler/PSOutputDev.cc:2656
    #2 0x46a485 in PSOutputDev::setupFont(GfxFont*, Dict*) /work/down/poppler-0.59.0/poppler/PSOutputDev.cc:1953
    #3 0x4699bb in PSOutputDev::setupFonts(Dict*) /work/down/poppler-0.59.0/poppler/PSOutputDev.cc:1885
    #4 0x4690c6 in PSOutputDev::setupResources(Dict*) /work/down/poppler-0.59.0/poppler/PSOutputDev.cc:1798
    #5 0x4682fc in PSOutputDev::writeDocSetup(PDFDoc*, Catalog*, std::vector<int, std::allocator<int> > const&, bool) /work/down/poppler-0.59.0/poppler
    #6 0x465eb2 in PSOutputDev::postInit() /work/down/poppler-0.59.0/poppler/PSOutputDev.cc:1455
    #7 0x47510b in PSOutputDev::checkPageSlice(Page*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot
    #8 0x6243a5 in Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, v
    #9 0x623a3b in Page::display(OutputDev*, double, double, int, bool, bool, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /work
    #10 0x4195ae in PDFDoc::displayPage(OutputDev*, int, double, double, int, bool, bool, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*,
    #11 0x408083 in main /work/down/poppler-0.59.0/utils/pdftops.cc:423
    #12 0x7ffff547082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #13 0x406c58 in _start (/work/down/poppler-0.59.0/utils/pdftops+0x406c58)

0x61600000fbf8 is located 48 bytes to the right of 584-byte region [0x61600000f980,0x61600000fbc8)
allocated by thread T0 here:
    #0 0x7ffff6f02602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x4af2f3 in gmalloc /work/down/poppler-0.59.0/goo/gmem.cc:110
    #2 0x4af389 in gmalloc /work/down/poppler-0.59.0/goo/gmem.cc:120
    #3 0x4da337 in FoFiType1C::parse() /work/down/poppler-0.59.0/fofi/FoFiType1C.cc:2010
    #4 0x4c02a5 in FoFiType1C::make(char*, int) /work/down/poppler-0.59.0/fofi/FoFiType1C.cc:51
    #5 0x47017b in PSOutputDev::setupEmbeddedCIDType0Font(GfxFont*, Ref*, GooString*) /work/down/poppler-0.59.0/poppler/PSOutputDev.cc:2648
    #6 0x46a485 in PSOutputDev::setupFont(GfxFont*, Dict*) /work/down/poppler-0.59.0/poppler/PSOutputDev.cc:1953
    #7 0x4699bb in PSOutputDev::setupFonts(Dict*) /work/down/poppler-0.59.0/poppler/PSOutputDev.cc:1885
    #8 0x4690c6 in PSOutputDev::setupResources(Dict*) /work/down/poppler-0.59.0/poppler/PSOutputDev.cc:1798
    #9 0x4682fc in PSOutputDev::writeDocSetup(PDFDoc*, Catalog*, std::vector<int, std::allocator<int> > const&, bool) /work/down/poppler-0.59.0/poppler
    #10 0x465eb2 in PSOutputDev::postInit() /work/down/poppler-0.59.0/poppler/PSOutputDev.cc:1455
    #11 0x47510b in PSOutputDev::checkPageSlice(Page*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Anno
    #12 0x6243a5 in Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, 
    #13 0x623a3b in Page::display(OutputDev*, double, double, int, bool, bool, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /wor
    #14 0x4195ae in PDFDoc::displayPage(OutputDev*, int, double, double, int, bool, bool, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*,
    #15 0x408083 in main /work/down/poppler-0.59.0/utils/pdftops.cc:423
    #16 0x7ffff547082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /work/down/poppler-0.59.0/fofi/FoFiType1C.cc:907 FoFiType1C::convertToType0(char*, int*, int, void (*)(
Shadow bytes around the buggy address:
  0x0c2c7fff9f20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c7fff9f30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2c7fff9f40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2c7fff9f50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2c7fff9f60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c2c7fff9f70: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa[fa]
  0x0c2c7fff9f80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c7fff9f90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2c7fff9fa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2c7fff9fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2c7fff9fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Global redzone:          f9                                      
  Global init order:       f6                                      
  Poisoned by user:        f7                                      
  Container overflow:      fc                                      
  Array cookie:            ac                                      
  Intra object redzone:    bb                                      
  ASan internal:           fe                                      
==50504==ABORTING  

I'm not sure if it's duplicate with my previous bug 102653 and if the fix for it does work for the bug.
Comment 3 Albert Astals Cid 2017-09-14 17:39:30 UTC
Fixed, thanks


Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.