[Poppler-bugs] [Bug 76442] Heap-buffer-overflow in TextPage::updateFont

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Mon Mar 24 04:18:42 PDT 2014


https://bugs.freedesktop.org/show_bug.cgi?id=76442

--- Comment #2 from Antti Husa <a.husa at hushmail.com> ---
Even with the exports I was unable to get ASAN to show line numbers; it only
showed the function names. However, Valgrind did show line numbers with the same
compiler debug options, so here's the Valgrind report:

==15458== Invalid read of size 1
==15458==    at 0xEEC0255: TextPage::updateFont(GfxState*)
(TextOutputDev.cc:2199)
==15458==    by 0xEB2CB93: CairoOutputDev::updateFont(GfxState*)
(CairoOutputDev.cc:624)
==15458==    by 0xEE5A4BC: Gfx::opShowText(Object*, int) (Gfx.cc:3742)
==15458==    by 0xEE52A88: Gfx::go(bool) (Gfx.cc:712)
==15458==    by 0xEE52ECC: Gfx::display(Object*, bool) (Gfx.cc:678)
==15458==    by 0xEE94054: Page::displaySlice(OutputDev*, double, double, int,
bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*,
void*), void*, bool) (Page.cc:584)
==15458==    by 0xEB224F6: _poppler_page_render(_PopplerPage*, _cairo*, bool,
PopplerPrintFlags) (poppler-page.cc:362)
==15458==    by 0xE8FDCA4: pdf_page_render_cairo (pdf.c:809)
==15458==    by 0x41DCE7: render_job (render.c:183)
==15458==    by 0x627FEA5: ??? (in /usr/lib64/libglib-2.0.so.0.3800.2)
==15458==    by 0x627F4E4: ??? (in /usr/lib64/libglib-2.0.so.0.3800.2)
==15458==    by 0x694CF39: start_thread (pthread_create.c:308)
==15458==  Address 0x115012f1 is 0 bytes after a block of size 1 alloc'd
==15458==    at 0x4C2C71B: malloc (in
/usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==15458==    by 0xEE043AD: gmalloc (gmem.cc:110)
==15458==    by 0xEE04971: copyString (gmem.cc:316)
==15458==    by 0xEE5E5CD: Gfx8BitFont::Gfx8BitFont(XRef*, char const*, Ref,
GooString*, GfxFontType, Ref, Dict*) (GfxFont.cc:1198)
==15458==    by 0xEE6187B: GfxFont::makeFont(XRef*, char const*, Ref, Dict*)
(GfxFont.cc:223)
==15458==    by 0xEE619A2: GfxFontDict::GfxFontDict(XRef*, Ref*, Dict*)
(GfxFont.cc:2497)
==15458==    by 0xEE46EFE: GfxResources::GfxResources(XRef*, Dict*,
GfxResources*) (Gfx.cc:341)
==15458==    by 0xEE523D3: Gfx::Gfx(PDFDoc*, OutputDev*, int, Dict*, double,
double, PDFRectangle*, PDFRectangle*, int, bool (*)(void*), void*, XRef*)
(Gfx.cc:554)
==15458==    by 0xEE93D85: Page::createGfx(OutputDev*, double, double, int,
bool, bool, int, int, int, int, bool, bool (*)(void*), void*, XRef*)
(Page.cc:544)
==15458==    by 0xEE9401B: Page::displaySlice(OutputDev*, double, double, int,
bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*,
void*), void*, bool) (Page.cc:579)
==15458==    by 0xEB224F6: _poppler_page_render(_PopplerPage*, _cairo*, bool,
PopplerPrintFlags) (poppler-page.cc:362)
==15458==    by 0xE8FDCA4: pdf_page_render_cairo (pdf.c:809)
==15458== 
==15458== 
==15458== HEAP SUMMARY:
==15458==     in use at exit: 3,708,571 bytes in 19,892 blocks
==15458==   total heap usage: 112,237 allocs, 92,345 frees, 18,910,558 bytes
allocated
==15458== 
==15458== LEAK SUMMARY:
==15458==    definitely lost: 4,320 bytes in 9 blocks
==15458==    indirectly lost: 17,319 bytes in 684 blocks
==15458==      possibly lost: 28,608 bytes in 444 blocks
==15458==    still reachable: 3,527,140 bytes in 18,138 blocks
==15458==         suppressed: 0 bytes in 0 blocks
==15458== Rerun with --leak-check=full to see details of leaked memory
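A small triage helper for memcheck reports of this shape, added here as an example and not part of the bug report or of Poppler: it parses the "Invalid read" block above (rejoined from the mail-wrapped lines), pulls out the first symbolized frame of the faulting stack with its file:line, the allocation site of the block involved, and computes how far past the end of the block the access reaches. Skipping `malloc` and `gmalloc` as allocator wrappers when naming the allocation site is an assumption of the example, not something the report states.

```python
"""Triage a Valgrind memcheck 'Invalid read/write' report into a short summary."""
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence

# Constructed excerpt of the Valgrind report quoted in the bug comment: frames not
# needed for triage are dropped and lines wrapped by the mail archive are rejoined.
VALGRIND_REPORT = """\
==15458== Invalid read of size 1
==15458==    at 0xEEC0255: TextPage::updateFont(GfxState*) (TextOutputDev.cc:2199)
==15458==    by 0xEB2CB93: CairoOutputDev::updateFont(GfxState*) (CairoOutputDev.cc:624)
==15458==    by 0xEE5A4BC: Gfx::opShowText(Object*, int) (Gfx.cc:3742)
==15458==  Address 0x115012f1 is 0 bytes after a block of size 1 alloc'd
==15458==    at 0x4C2C71B: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==15458==    by 0xEE043AD: gmalloc (gmem.cc:110)
==15458==    by 0xEE04971: copyString (gmem.cc:316)
==15458==    by 0xEE5E5CD: Gfx8BitFont::Gfx8BitFont(XRef*, char const*, Ref, GooString*, GfxFontType, Ref, Dict*) (GfxFont.cc:1198)
"""

ERROR_RE = re.compile(r"^==\d+== Invalid (?P<op>read|write) of size (?P<size>\d+)$")
# The function name may itself contain parentheses (C++ signatures), so the
# location is taken as the last parenthesised group on the line.
FRAME_RE = re.compile(
    r"^==\d+==\s+(?:at|by) 0x(?P<addr>[0-9A-Fa-f]+): (?P<func>.*) \((?P<loc>[^()]*)\)$"
)
ADDR_RE = re.compile(
    r"^==\d+==\s+Address 0x(?P<addr>[0-9A-Fa-f]+) is (?P<dist>\d+) bytes "
    r"(?P<where>after|before|inside) a block of size (?P<bsize>\d+) (?P<state>alloc'd|free'd)"
)


@dataclass
class Frame:
    func: str
    file: Optional[str]   # None when Valgrind only knows the shared object
    line: Optional[int]


def parse_frame(line: str) -> Optional[Frame]:
    """Parse one 'at'/'by' stack line; return None for any other line."""
    m = FRAME_RE.match(line)
    if not m:
        return None
    loc = m.group("loc")
    if loc.startswith("in "):
        return Frame(m.group("func"), None, None)
    file, _, lineno = loc.rpartition(":")
    if not lineno.isdigit():
        return Frame(m.group("func"), loc, None)
    return Frame(m.group("func"), file, int(lineno))


def first_symbolized(stack: Sequence[Frame], skip: Sequence[str]) -> Optional[str]:
    """First frame that has a source location and is not an allocator wrapper."""
    for f in stack:
        if f.file is not None and f.line is not None and f.func not in skip:
            return f"{f.func} ({f.file}:{f.line})"
    return None


def triage(report: str, allocator_wrappers: Sequence[str] = ("malloc", "gmalloc")) -> dict:
    """Classify a memcheck invalid-access report and locate fault and allocation sites."""
    op = size = None
    fault_stack: List[Frame] = []
    alloc_stack: List[Frame] = []
    addr_info = None
    current = fault_stack            # frames before the Address line belong to the fault
    for line in report.splitlines():
        if (m := ERROR_RE.match(line)):
            op, size = m.group("op"), int(m.group("size"))
            current = fault_stack
        elif (m := ADDR_RE.match(line)):
            addr_info = m.groupdict()
            current = alloc_stack    # frames after it describe where the block came from
        else:
            frame = parse_frame(line)
            if frame:
                current.append(frame)
    if op is None or addr_info is None:
        raise ValueError("not an 'Invalid read/write' report with an Address line")

    dist, bsize = int(addr_info["dist"]), int(addr_info["bsize"])
    where, state = addr_info["where"], addr_info["state"]
    if state == "free'd":
        category = "heap-use-after-free"
    elif where == "after":
        category = "heap-buffer-overflow"
    elif where == "before":
        category = "heap-buffer-underflow"
    else:
        category = "other-invalid-access"
    return {
        "operation": op,
        "access_size": size,
        "category": category,
        "block_size": bsize,
        # An access of `size` bytes starting `dist` bytes after the block ends
        # `dist + size` bytes past its end; here a 1-byte read past a 1-byte block.
        "bytes_past_end": dist + size if where == "after" else None,
        "fault_site": first_symbolized(fault_stack, ()),
        "alloc_site": first_symbolized(alloc_stack, allocator_wrappers),
    }


if __name__ == "__main__":
    for key, value in triage(VALGRIND_REPORT).items():
        print(f"{key:15} {value}")
```

Run as a script it prints the classification (a 1-byte read landing 1 byte past the end of a 1-byte block, faulting in `TextPage::updateFont` and allocated via `copyString`), which is the information a maintainer needs before opening the two source files named in the trace.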
