Created attachment 134219: a corpus of crash
The error output is here when I run pdftops with a specific pdf.

==50504==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61600000fbf8 at pc 0x0000004c9a18 bp 0x7fffffffd320 sp 0x7fffffffd310
READ of size 1 at 0x61600000fbf8 thread T0
    #0 0x4c9a17 in FoFiType1C::convertToType0(char*, int*, int, void (*)(void*, char const*, int), void*) /work/down/poppler-0.59.0/fofi/FoFiType1C.cc:
    #1 0x470320 in PSOutputDev::setupEmbeddedCIDType0Font(GfxFont*, Ref*, GooString*) /work/down/poppler-0.59.0/poppler/PSOutputDev.cc:2656
    #2 0x46a485 in PSOutputDev::setupFont(GfxFont*, Dict*) /work/down/poppler-0.59.0/poppler/PSOutputDev.cc:1953
    #3 0x4699bb in PSOutputDev::setupFonts(Dict*) /work/down/poppler-0.59.0/poppler/PSOutputDev.cc:1885
    #4 0x4690c6 in PSOutputDev::setupResources(Dict*) /work/down/poppler-0.59.0/poppler/PSOutputDev.cc:1798
    #5 0x4682fc in PSOutputDev::writeDocSetup(PDFDoc*, Catalog*, std::vector<int, std::allocator<int> > const&, bool) /work/down/poppler-0.59.0/poppler
    #6 0x465eb2 in PSOutputDev::postInit() /work/down/poppler-0.59.0/poppler/PSOutputDev.cc:1455
    #7 0x47510b in PSOutputDev::checkPageSlice(Page*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot
    #8 0x6243a5 in Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, v
    #9 0x623a3b in Page::display(OutputDev*, double, double, int, bool, bool, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /work
    #10 0x4195ae in PDFDoc::displayPage(OutputDev*, int, double, double, int, bool, bool, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*,
    #11 0x408083 in main /work/down/poppler-0.59.0/utils/pdftops.cc:423
    #12 0x7ffff547082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #13 0x406c58 in _start (/work/down/poppler-0.59.0/utils/pdftops+0x406c58)

0x61600000fbf8 is located 48 bytes to the right of 584-byte region [0x61600000f980,0x61600000fbc8)
allocated by thread T0 here:
    #0 0x7ffff6f02602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x4af2f3 in gmalloc /work/down/poppler-0.59.0/goo/gmem.cc:110
    #2 0x4af389 in gmalloc /work/down/poppler-0.59.0/goo/gmem.cc:120
    #3 0x4da337 in FoFiType1C::parse() /work/down/poppler-0.59.0/fofi/FoFiType1C.cc:2010
    #4 0x4c02a5 in FoFiType1C::make(char*, int) /work/down/poppler-0.59.0/fofi/FoFiType1C.cc:51
    #5 0x47017b in PSOutputDev::setupEmbeddedCIDType0Font(GfxFont*, Ref*, GooString*) /work/down/poppler-0.59.0/poppler/PSOutputDev.cc:2648
    #6 0x46a485 in PSOutputDev::setupFont(GfxFont*, Dict*) /work/down/poppler-0.59.0/poppler/PSOutputDev.cc:1953
    #7 0x4699bb in PSOutputDev::setupFonts(Dict*) /work/down/poppler-0.59.0/poppler/PSOutputDev.cc:1885
    #8 0x4690c6 in PSOutputDev::setupResources(Dict*) /work/down/poppler-0.59.0/poppler/PSOutputDev.cc:1798
    #9 0x4682fc in PSOutputDev::writeDocSetup(PDFDoc*, Catalog*, std::vector<int, std::allocator<int> > const&, bool) /work/down/poppler-0.59.0/poppler
    #10 0x465eb2 in PSOutputDev::postInit() /work/down/poppler-0.59.0/poppler/PSOutputDev.cc:1455
    #11 0x47510b in PSOutputDev::checkPageSlice(Page*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Anno
    #12 0x6243a5 in Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*,
    #13 0x623a3b in Page::display(OutputDev*, double, double, int, bool, bool, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /wor
    #14 0x4195ae in PDFDoc::displayPage(OutputDev*, int, double, double, int, bool, bool, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*,
    #15 0x408083 in main /work/down/poppler-0.59.0/utils/pdftops.cc:423
    #16 0x7ffff547082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /work/down/poppler-0.59.0/fofi/FoFiType1C.cc:907 FoFiType1C::convertToType0(char*, int*, int, void (*)(

Shadow bytes around the buggy address:
  0x0c2c7fff9f20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c7fff9f30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2c7fff9f40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2c7fff9f50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2c7fff9f60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c2c7fff9f70: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa[fa]
  0x0c2c7fff9f80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c7fff9f90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2c7fff9fa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2c7fff9fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2c7fff9fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap right redzone:    fb
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  Container overflow:    fc
  Array cookie:          ac
  Intra object redzone:  bb
  ASan internal:         fe
==50504==ABORTING

I'm not sure whether it's a duplicate of my previous bug 102653, and whether the fix for that one also works for this bug.
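The question at the end of the report (is this the same bug as an earlier one, and does the earlier fix cover it?) is a crash-deduplication question. A useful triage habit is to reduce every ASan report from a fuzzing corpus to a stable signature: the error kind, the access, the first in-project frame of the faulting stack, the offset relative to the heap region, and the first in-project frame of the allocation (or free) stack. Process IDs, heap addresses and pc values change between runs and must not be part of the key. The Python below is an added example, not part of this bug report or of poppler's own tooling. The embedded sample report is a constructed, shortened copy of the trace above (frame #0 is given the line number 907 that the SUMMARY line reports); the project root path and the heuristic that skips allocator-wrapper frames such as gmalloc are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumption: source tree root used to tell project frames from libc/libasan frames.
PROJECT_ROOT = "/work/down/poppler-0.59.0/"

ERROR_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (\S+) on address 0x[0-9a-f]+")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+)")
REGION_RE = re.compile(r"is located (\d+) bytes to the (left|right) of (\d+)-byte region")
# "#N 0xADDR in <function with possible spaces> <location>"; location is the last token.
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(.+?)\s+(\S+)\s*$")

# Constructed sample, shortened from the report in this bug; not a verbatim copy.
SAMPLE = """==50504==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61600000fbf8 at pc 0x0000004c9a18 bp 0x7fffffffd320 sp 0x7fffffffd310
READ of size 1 at 0x61600000fbf8 thread T0
    #0 0x4c9a17 in FoFiType1C::convertToType0(char*, int*, int, void (*)(void*, char const*, int), void*) /work/down/poppler-0.59.0/fofi/FoFiType1C.cc:907
    #1 0x470320 in PSOutputDev::setupEmbeddedCIDType0Font(GfxFont*, Ref*, GooString*) /work/down/poppler-0.59.0/poppler/PSOutputDev.cc:2656
    #2 0x408083 in main /work/down/poppler-0.59.0/utils/pdftops.cc:423
    #3 0x7ffff547082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
0x61600000fbf8 is located 48 bytes to the right of 584-byte region [0x61600000f980,0x61600000fbc8)
allocated by thread T0 here:
    #0 0x7ffff6f02602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x4af2f3 in gmalloc /work/down/poppler-0.59.0/goo/gmem.cc:110
    #2 0x4da337 in FoFiType1C::parse() /work/down/poppler-0.59.0/fofi/FoFiType1C.cc:2010
SUMMARY: AddressSanitizer: heap-buffer-overflow /work/down/poppler-0.59.0/fofi/FoFiType1C.cc:907 FoFiType1C::convertToType0(char*, int*, int, void (*)(void*, char const*, int), void*)
"""


@dataclass
class CrashSignature:
    kind: str                    # e.g. heap-buffer-overflow
    access: Optional[str]        # READ / WRITE (None for reports without an access line)
    size: int
    crash_func: Optional[str]    # first in-project frame of the faulting stack
    crash_site: Optional[str]    # file:line relative to PROJECT_ROOT
    offset: Optional[int]        # distance from the region, in bytes
    side: Optional[str]          # "left" or "right" of the region
    region_size: Optional[int]
    origin_func: Optional[str]   # first in-project frame of the next stack:
    origin_site: Optional[str]   # the allocation for an overflow, the free for a UAF

    def key(self) -> str:
        """Stable bucket key: no pids, addresses or pc values."""
        return "|".join([self.kind, f"{self.access}{self.size}",
                         f"{self.crash_func}@{self.crash_site}",
                         f"{self.origin_func}@{self.origin_site}"])


def first_project_frame(frames: List[Tuple[str, str]], root: str,
                        skip_allocators: bool = False) -> Tuple[Optional[str], Optional[str]]:
    """Return (function, relative file:line) of the first frame inside `root`.
    Heuristic (assumption): frames whose name contains 'alloc' are wrappers
    (malloc, gmalloc, ...) and are skipped when asked, so the key names the caller."""
    for func, loc in frames:
        if not loc.startswith(root):
            continue  # libc / libasan frames look like "(/lib/...so+0x...)"
        name = func.split("(", 1)[0]  # drop the C++ parameter list
        if skip_allocators and "alloc" in name.lower():
            continue
        return name, loc[len(root):]
    return None, None


def parse_asan_report(text: str, project_root: str = PROJECT_ROOT) -> CrashSignature:
    kind = access = side = None
    size = 0
    offset = region_size = None
    stacks: List[List[Tuple[str, str]]] = [[]]  # stacks[0] is the faulting stack
    for line in text.splitlines():
        if (m := ERROR_RE.search(line)):
            kind = m.group(1)
        elif (m := ACCESS_RE.match(line.strip())):
            access, size = m.group(1), int(m.group(2))
        elif (m := REGION_RE.search(line)):
            offset, side, region_size = int(m.group(1)), m.group(2), int(m.group(3))
        elif line.strip().endswith("here:"):   # "allocated by ..." / "freed by ..."
            stacks.append([])
        elif (m := FRAME_RE.match(line)):
            stacks[-1].append((m.group(2), m.group(3)))
    if kind is None or not stacks[0]:
        raise ValueError("not an AddressSanitizer report")
    crash_func, crash_site = first_project_frame(stacks[0], project_root)
    origin = stacks[1] if len(stacks) > 1 else []
    origin_func, origin_site = first_project_frame(origin, project_root, skip_allocators=True)
    return CrashSignature(kind, access, size, crash_func, crash_site,
                          offset, side, region_size, origin_func, origin_site)


def bucket_reports(reports: List[str]) -> Dict[str, int]:
    """Group a corpus of ASan reports by signature; equal keys are the same bug."""
    buckets: Dict[str, int] = {}
    for text in reports:
        k = parse_asan_report(text).key()
        buckets[k] = buckets.get(k, 0) + 1
    return buckets


if __name__ == "__main__":
    sig = parse_asan_report(SAMPLE)
    print(sig.key())
    print(f"{sig.offset} bytes {sig.side} of a {sig.region_size}-byte region")
```

Two reports with the same key from different corpus files are almost certainly one bug; two with different keys may still be one root cause (the same unchecked index reached through another caller), so the key is a first pass for filing, not proof of distinctness. Checking whether an earlier fix covers a new crash is done by re-running the new file against the fixed build under ASan, not by comparing keys.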
Fixed, thanks