[Poppler-bugs] [Bug 103583] poppler-0.61: PSTokenizer.cc:87:30: runtime error: index -44 out of bounds for type 'char [256]'

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Mon Dec 4 21:39:29 UTC 2017


https://bugs.freedesktop.org/show_bug.cgi?id=103583

LE GARREC Vincent <legarrec.vincent at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|NOTABUG                     |---

--- Comment #5 from LE GARREC Vincent <legarrec.vincent at gmail.com> ---
Dear,

I found another PDF that Address Sanitizer doesn't like. I tested it this time
with the original source of poppler, and the output is the same before ASan
complains.

mkdir build
cd build
CFLAGS="-fsanitize=address,undefined -g -fno-omit-frame-pointer" \
CXXFLAGS="-fsanitize=address,undefined -g -fno-omit-frame-pointer" cmake ..
make
./utils/pdftohtml PSTokenizer_getToken_address_sanitizer2.pdf /tmp/

Then:
Syntax Error (23012): Illegal character <ff> in hex string
Syntax Error (23013): Illegal character <ff> in hex string
Syntax Error (23014): Illegal character <ff> in hex string
Syntax Error (23015): Illegal character <7f> in hex string
Syntax Error (4323): Dictionary key must be a name object
Syntax Error (4331): Dictionary key must be a name object
Syntax Error (4163): Dictionary key must be a name object
Syntax Error (4165): Dictionary key must be a name object
Syntax Error (4176): Dictionary key must be a name object
Syntax Error (6030): Dictionary key must be a name object
Syntax Error (6035): Dictionary key must be a name object
Syntax Error (6042): Dictionary key must be a name object
Syntax Error (6030): Dictionary key must be a name object
Syntax Error (6035): Dictionary key must be a name object
Syntax Error (6042): Dictionary key must be a name object
Syntax Error (6366): Bad uncompressed block length in flate stream
/home/legarrec/info/programmation/popplerok/poppler/PSTokenizer.cc:87:30:
runtime error: index -56 out of bounds for type 'char [256]'
=================================================================
==23470==ERROR: AddressSanitizer: global-buffer-overflow on address
0x7f45c6d68d08 at pc 0x7f45c68768a1 bp 0x7fffdb5c34d0 sp 0x7fffdb5c34c0
READ of size 1 at 0x7f45c6d68d08 thread T0
    #0 0x7f45c68768a0 in PSTokenizer::getToken(char*, int, int*)
/home/legarrec/info/programmation/popplerok/poppler/PSTokenizer.cc:87
    #1 0x7f45c6469b80 in CharCodeToUnicode::parseCMap1(int (*)(void*), void*,
int)
/home/legarrec/info/programmation/popplerok/poppler/CharCodeToUnicode.cc:313
    #2 0x7f45c646be75 in CharCodeToUnicode::mergeCMap(GooString*, int)
/home/legarrec/info/programmation/popplerok/poppler/CharCodeToUnicode.cc:298
    #3 0x7f45c6609fc0 in GfxFont::readToUnicodeCMap(Dict*, int,
CharCodeToUnicode*)
/home/legarrec/info/programmation/popplerok/poppler/GfxFont.cc:584
    #4 0x7f45c661359d in Gfx8BitFont::Gfx8BitFont(XRef*, char const*, Ref,
GooString*, GfxFontType, Ref, Dict*)
/home/legarrec/info/programmation/popplerok/poppler/GfxFont.cc:1326
    #5 0x7f45c66320d1 in GfxFont::makeFont(XRef*, char const*, Ref, Dict*)
/home/legarrec/info/programmation/popplerok/poppler/GfxFont.cc:228
    #6 0x7f45c66327a0 in GfxFontDict::GfxFontDict(XRef*, Ref*, Dict*)
/home/legarrec/info/programmation/popplerok/poppler/GfxFont.cc:2457
    #7 0x7f45c6550e93 in GfxResources::GfxResources(XRef*, Dict*,
GfxResources*) /home/legarrec/info/programmation/popplerok/poppler/Gfx.cc:338
    #8 0x7f45c65b210f in Gfx::Gfx(PDFDoc*, OutputDev*, int, Dict*, double,
double, PDFRectangle*, PDFRectangle*, int, bool (*)(void*), void*, XRef*)
/home/legarrec/info/programmation/popplerok/poppler/Gfx.cc:541
    #9 0x7f45c681dc7c in Page::createGfx(OutputDev*, double, double, int, bool,
bool, int, int, int, int, bool, bool (*)(void*), void*, XRef*)
/home/legarrec/info/programmation/popplerok/poppler/Page.cc:521
    #10 0x7f45c681efd1 in Page::displaySlice(OutputDev*, double, double, int,
bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*,
void*), void*, bool)
/home/legarrec/info/programmation/popplerok/poppler/Page.cc:552
    #11 0x7f45c681ff6b in Page::display(OutputDev*, double, double, int, bool,
bool, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool)
/home/legarrec/info/programmation/popplerok/poppler/Page.cc:481
    #12 0x7f45c68425bc in PDFDoc::displayPages(OutputDev*, int, int, double,
double, int, bool, bool, bool, bool (*)(void*), void*, bool (*)(Annot*, void*),
void*) /home/legarrec/info/programmation/popplerok/poppler/PDFDoc.cc:513
    #13 0x40c3ab in main
/home/legarrec/info/programmation/popplerok/utils/pdftohtml.cc:392
    #14 0x7f45c402df51 in __libc_start_main (/lib64/libc.so.6+0x20f51)
    #15 0x40d7e9 in _start
(/home/legarrec/info/programmation/popplerok/build/utils/pdftohtml+0x40d7e9)

0x7f45c6d68d08 is located 5 bytes to the right of global variable '*.LC0'
defined in '/home/legarrec/info/programmation/popplerok/poppler/PSTokenizer.cc'
(0x7f45c6d68cc0) of size 67
  '*.LC0' is ascii string
'/home/legarrec/info/programmation/popplerok/poppler/PSTokenizer.cc'
0x7f45c6d68d08 is located 56 bytes to the left of global variable
'specialChars' defined in
'/home/legarrec/info/programmation/popplerok/poppler/PSTokenizer.cc:38:19'
(0x7f45c6d68d40) of size 256
SUMMARY: AddressSanitizer: global-buffer-overflow
/home/legarrec/info/programmation/popplerok/poppler/PSTokenizer.cc:87 in
PSTokenizer::getToken(char*, int, int*)
Shadow bytes around the buggy address:


Please, could you check again?

Thanks,
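The trace above reports a negative index into a 256-entry table (`specialChars`, size 256, defined at PSTokenizer.cc:38), which is the classic outcome of using a signed `char` value as a table index: every byte at or above 0x80 turns negative. The following C program is an added illustration of that defect class and of the unsigned-char fix; it is not poppler's code, and the table, function names and sample bytes are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a 256-entry classification table:
 * 1 marks PostScript delimiter bytes, 0 everything else. */
static char special_chars[256];

static void init_table(void) {
    memset(special_chars, 0, sizeof special_chars);
    for (const char *p = "()<>[]{}/%"; *p; p++)
        special_chars[(unsigned char)*p] = 1;
}

/* Defective indexing: the byte is interpreted as a signed char, so any byte
 * >= 0x80 yields a negative index (0xff -> -1, 0xc8 -> -56). Plain `char` is
 * signed on x86-64, which is exactly what a UBSan message like
 * "index -56 out of bounds for type 'char [256]'" describes.
 * Only the index is returned here; it is never used to read memory. */
int index_signed(signed char c) {
    return (int)c;
}

/* Corrected indexing: convert through unsigned char so every byte maps to 0..255. */
int index_unsigned(char c) {
    return (int)(unsigned char)c;
}

/* Classification that always stays inside the table. */
int is_special(char c) {
    return special_chars[index_unsigned(c)];
}

/* Tokenizer-style scan over a buffer that also contains high bytes such as the
 * <ff> and <7f> seen in the "Illegal character" lines of the report. */
int count_special(const unsigned char *buf, size_t len) {
    init_table();
    int n = 0;
    for (size_t i = 0; i < len; i++)
        n += is_special((char)buf[i]);
    return n;
}

/* Constructed sample input: three delimiters, one letter, three high bytes. */
int sample_count(void) {
    const unsigned char sample[] = { '<', 0xff, 0xc8, '/', 'A', 0x7f, '>' };
    return count_special(sample, sizeof sample);
}

int main(void) {
    printf("0xc8 as signed index: %d, as unsigned index: %d\n",
           index_signed((signed char)0xc8), index_unsigned((char)0xc8));
    printf("special bytes in sample: %d\n", sample_count());
    return 0;
}
```

Building this with `-fsanitize=undefined` and replacing `index_unsigned` by `index_signed` inside `is_special` reproduces the same class of "index out of bounds" diagnostic on a signed-char target.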
