[Poppler-bugs] [Bug 102900] stack overflow in FoFiType1C::cvtGlyph, poppler 0.59.0

bugzilla-daemon at freedesktop.org
Wed Sep 20 14:26:36 UTC 2017


https://bugs.freedesktop.org/show_bug.cgi?id=102900

junchao luan <luanjunchao at 163.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |NEW
            Summary|0.59                        |stack overflow in
                   |                            |FoFiType1C::cvtGlyph,
                   |                            |poppler 0.59.0

--- Comment #1 from junchao luan <luanjunchao at 163.com> ---
When I run pdftops with a specific PDF file, it shows:
#./utils/pdftops crash.pdf a
ASAN:DEADLYSIGNAL
=================================================================
==5527==ERROR: AddressSanitizer: stack-overflow on address 0x7fff4ec5ef78 (pc
0x560dfe39a582 bp 0x7fff4ec5f0b0 sp 0x7fff4ec5ef60 T0)
    #0 0x560dfe39a581 in FoFiType1C::getOp(int, bool, bool*)
/root/Desktop/poppler-0.59.0/fofi/FoFiType1C.cc:2548
    #1 0x560dfe386a07 in FoFiType1C::cvtGlyph(int, int, GooString*,
Type1CIndex*, Type1CPrivateDict*, bool)
/root/Desktop/poppler-0.59.0/fofi/FoFiType1C.cc:1215
    #2 0x560dfe38d069 in FoFiType1C::cvtGlyph(int, int, GooString*,
Type1CIndex*, Type1CPrivateDict*, bool)
/root/Desktop/poppler-0.59.0/fofi/FoFiType1C.cc:1592
    #3 0x560dfe38d069 in FoFiType1C::cvtGlyph(int, int, GooString*,
Type1CIndex*, Type1CPrivateDict*, bool)
/root/Desktop/poppler-0.59.0/fofi/FoFiType1C.cc:1592
    #4 0x560dfe38d069 in FoFiType1C::cvtGlyph(int, int, GooString*,
Type1CIndex*, Type1CPrivateDict*, bool)
/root/Desktop/poppler-0.59.0/fofi/FoFiType1C.cc:1592
    #5 0x560dfe38d069 in FoFiType1C::cvtGlyph(int, int, GooString*,
Type1CIndex*, Type1CPrivateDict*, bool)
/root/Desktop/poppler-0.59.0/fofi/FoFiType1C.cc:1592
    #6 0x560dfe38d069 in FoFiType1C::cvtGlyph(int, int, GooString*,
Type1CIndex*, Type1CPrivateDict*, bool)
/root/Desktop/poppler-0.59.0/fofi/FoFiType1C.cc:1592
....

And here is the backtrace from gdb:

(gdb) bt -18
#24935 0x000055555573c06a in FoFiType1C::cvtGlyph (this=0x61a00001f280,
offset=15028, nBytes=4, charBuf=0x603000014650, 
    subrIdx=0x7fffffffcde0, pDict=0x61600000f080, top=false) at
FoFiType1C.cc:1592
#24936 0x000055555573c06a in FoFiType1C::cvtGlyph (this=0x61a00001f280,
offset=15028, nBytes=4, charBuf=0x603000014650, 
    subrIdx=0x7fffffffcde0, pDict=0x61600000f080, top=false) at
FoFiType1C.cc:1592
#24937 0x000055555573c06a in FoFiType1C::cvtGlyph (this=0x61a00001f280,
offset=10866, nBytes=6, charBuf=0x603000014650, 
    subrIdx=0x7fffffffcde0, pDict=0x61600000f080, top=false) at
FoFiType1C.cc:1592
#24938 0x000055555573c06a in FoFiType1C::cvtGlyph (this=0x61a00001f280,
offset=392146, nBytes=6458, charBuf=0x603000014650, 
    subrIdx=0x7fffffffcde0, pDict=0x61600000f080, top=true) at
FoFiType1C.cc:1592
#24939 0x0000555555735678 in FoFiType1C::eexecCvtGlyph (this=0x61a00001f280,
eb=0x7fffffffce20, glyphName=0x603000014680 "c36", 
    offset=392146, nBytes=6458, subrIdx=0x7fffffffcde0, pDict=0x61600000f080)
at FoFiType1C.cc:1178
#24940 0x0000555555734eab in FoFiType1C::convertToType0 (this=0x61a00001f280,
psName=0x603000018bb0 "Arial", codeMap=0x0, nCodes=0, 
    outputFunc=0x5555556cc8a8 <outputToFile(void*, char const*, int)>,
outputStream=0x61600000f380) at FoFiType1C.cc:1109
#24941 0x000055555571d785 in FoFiTrueType::convertToType0 (this=0x60b00000af90,
psName=0x603000018bb0 "Arial", cidMap=0x0, nCIDs=0, 
    outputFunc=0x5555556cc8a8 <outputToFile(void*, char const*, int)>,
outputStream=0x61600000f380) at FoFiTrueType.cc:856
#24942 0x00005555556db416 in PSOutputDev::setupEmbeddedOpenTypeCFFFont
(this=0x61800000fc80, font=0x61200000bbc0, id=0x60400000b658, 
    psName=0x603000018bb0) at PSOutputDev.cc:2758
#24943 0x00005555556d4655 in PSOutputDev::setupFont (this=0x61800000fc80,
font=0x61200000bbc0, parentResDict=0x60700000d610)
    at PSOutputDev.cc:1963
#24944 0x00005555556d3ae7 in PSOutputDev::setupFonts (this=0x61800000fc80,
resDict=0x60700000d610) at PSOutputDev.cc:1885
#24945 0x00005555556d3214 in PSOutputDev::setupResources (this=0x61800000fc80,
resDict=0x60700000d610) at PSOutputDev.cc:1798
#24946 0x00005555556d246c in PSOutputDev::writeDocSetup (this=0x61800000fc80,
doc=0x60f00000ef50, catalog=0x61300000de80, 
    pages=std::vector of length 1, capacity 1 = {...}, duplexA=false) at
PSOutputDev.cc:1696
#24947 0x00005555556d0078 in PSOutputDev::postInit (this=0x61800000fc80) at
PSOutputDev.cc:1455
#24948 0x00005555556deff1 in PSOutputDev::checkPageSlice (this=0x61800000fc80,
page=0x611000009c80, rotateA=0, useMediaBox=false, crop=true, 
    sliceX=-1, sliceY=-1, sliceW=-1, sliceH=-1, printing=true,
abortCheckCbk=0x0, abortCheckCbkData=0x0, annotDisplayDecideCbk=0x0, 
    annotDisplayDecideCbkData=0x0) at PSOutputDev.cc:3246
#24949 0x0000555555888737 in Page::displaySlice (this=0x611000009c80,
out=0x61800000fc80, hDPI=72, vDPI=72, rotate=0, useMediaBox=false, 
    crop=true, sliceX=-1, sliceY=-1, sliceW=-1, sliceH=-1, printing=true,
abortCheckCbk=0x0, abortCheckCbkData=0x0, 
    annotDisplayDecideCbk=0x0, annotDisplayDecideCbkData=0x0, copyXRef=false)
at Page.cc:539
#24950 0x0000555555887e72 in Page::display (this=0x611000009c80,
out=0x61800000fc80, hDPI=72, vDPI=72, rotate=0, useMediaBox=false, 
    crop=true, printing=true, abortCheckCbk=0x0, abortCheckCbkData=0x0,
annotDisplayDecideCbk=0x0, annotDisplayDecideCbkData=0x0, 
    copyXRef=false) at Page.cc:483
#24951 0x0000555555684675 in PDFDoc::displayPage (this=0x60f00000ef50,
out=0x61800000fc80, page=1, hDPI=72, vDPI=72, rotate=0, 
    useMediaBox=false, crop=true, printing=true, abortCheckCbk=0x0,
abortCheckCbkData=0x0, annotDisplayDecideCbk=0x0, 
    annotDisplayDecideCbkData=0x0, copyXRef=false) at PDFDoc.cc:488
#24952 0x00005555556733ce in main (argc=3, argv=0x7fffffffe0e8) at
pdftops.cc:423

We can see clearly that there is an infinite loop in FoFiType1C::cvtGlyph.
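The gdb frames above show cvtGlyph re-entering itself at FoFiType1C.cc:1592 with identical arguments frame after frame (offset=15028, nBytes=4, top=false), which is what a charstring subroutine that calls itself looks like to a recursive converter: the recursion is bounded only by the size of the thread stack, and ASAN reports the exhaustion as a stack-overflow. The following is an added illustration, not poppler's code and not part of the bug report. It is a toy recursive charstring converter over a constructed three-operator bytecode, written in the same shape as the cvtGlyph frames, with a nesting-depth cap that turns a self-calling or mutually cyclic subroutine into an ordinary conversion error instead of a crash. The bytecode, the subroutine contents, the MAX_SUBR_DEPTH value (taken from the CFF specification's limit of 10 nested subroutine calls, not from poppler), and all function and type names are assumptions for the example.

```c
#include <stdio.h>

/* Constructed toy charstring bytecode (not CFF/Type1C and not poppler's code):
 *   OP_DRAW 0x01            stand-in for any drawing operator
 *   OP_CALLSUBR 0x02 n      call subroutine n (one-byte index)
 *   OP_RETURN 0x03          end of this charstring                        */
enum { OP_DRAW = 0x01, OP_CALLSUBR = 0x02, OP_RETURN = 0x03 };

enum {
    CVT_OK = 0,
    CVT_ERR_DEPTH = -1,     /* nesting limit hit: self-call or cycle */
    CVT_ERR_BAD_SUBR = -2,  /* subroutine index out of range */
    CVT_ERR_BAD_OP = -3,    /* unknown operator */
    CVT_ERR_TRUNCATED = -4  /* operand or RETURN missing */
};

/* The CFF spec allows 10 nested subroutine calls; using that as the cap is
 * this example's choice, not a value taken from poppler. */
#define MAX_SUBR_DEPTH 10

typedef struct { const unsigned char *data; size_t len; } Charstring;
typedef struct { const Charstring *subrs; size_t nSubrs; } SubrIndex;
typedef struct { int rc; int drawn; } CvtResult;  /* outcome + ops emitted */

/* Recursive converter shaped like the cvtGlyph frames in the report: one call
 * per charstring, recursing into each called subroutine. `depth` counts the
 * frames already on the stack; `drawn` counts drawing ops as a stand-in for output. */
static int cvt_charstring(const Charstring *cs, const SubrIndex *idx,
                          int depth, int *drawn)
{
    size_t pos = 0;
    /* The guard: without it a subroutine that calls itself recurses until the
     * thread stack is exhausted, which is what the ASAN report shows. */
    if (depth > MAX_SUBR_DEPTH)
        return CVT_ERR_DEPTH;
    while (pos < cs->len) {
        unsigned char op = cs->data[pos++];
        switch (op) {
        case OP_DRAW:
            ++*drawn;
            break;
        case OP_CALLSUBR: {
            if (pos >= cs->len)
                return CVT_ERR_TRUNCATED;
            unsigned char n = cs->data[pos++];
            if (n >= idx->nSubrs)
                return CVT_ERR_BAD_SUBR;
            int rc = cvt_charstring(&idx->subrs[n], idx, depth + 1, drawn);
            if (rc != CVT_OK)
                return rc;
            break;
        }
        case OP_RETURN:
            return CVT_OK;
        default:
            return CVT_ERR_BAD_OP;
        }
    }
    return CVT_ERR_TRUNCATED;  /* ran off the end without RETURN */
}
/* Constructed subroutine index: 0 is a benign leaf, 1 calls 0, 2 calls itself
 * (like the repeated offset=15028 frames in the gdb backtrace), 3 and 4 form a
 * mutual cycle. */
static const unsigned char s0[] = { OP_DRAW, OP_DRAW, OP_RETURN };
static const unsigned char s1[] = { OP_CALLSUBR, 0, OP_RETURN };
static const unsigned char s2[] = { OP_CALLSUBR, 2, OP_RETURN };
static const unsigned char s3[] = { OP_CALLSUBR, 4, OP_RETURN };
static const unsigned char s4[] = { OP_CALLSUBR, 3, OP_RETURN };
static const Charstring subrs[] = {
    { s0, sizeof s0 }, { s1, sizeof s1 }, { s2, sizeof s2 },
    { s3, sizeof s3 }, { s4, sizeof s4 },
};
static const SubrIndex subrIdx = { subrs, sizeof subrs / sizeof subrs[0] };

/* Convert one top-level glyph charstring against the index above. */
static CvtResult convert_glyph(const unsigned char *glyph, size_t len)
{
    Charstring cs = { glyph, len };
    CvtResult r = { CVT_OK, 0 };
    r.rc = cvt_charstring(&cs, &subrIdx, 0, &r.drawn);
    return r;
}
/* Three constructed glyphs; the last two would exhaust the stack without the guard. */
static const unsigned char glyph_ok[]    = { OP_CALLSUBR, 1, OP_DRAW, OP_RETURN };
static const unsigned char glyph_self[]  = { OP_CALLSUBR, 2, OP_RETURN };
static const unsigned char glyph_cycle[] = { OP_CALLSUBR, 3, OP_RETURN };
CvtResult convert_benign(void)    { return convert_glyph(glyph_ok, sizeof glyph_ok); }
CvtResult convert_self_call(void) { return convert_glyph(glyph_self, sizeof glyph_self); }
CvtResult convert_cycle(void)     { return convert_glyph(glyph_cycle, sizeof glyph_cycle); }

int main(void)
{
    CvtResult a = convert_benign(), b = convert_self_call(), c = convert_cycle();
    printf("benign:    rc=%d drawn=%d\n", a.rc, a.drawn);  /* rc=0  drawn=3 */
    printf("self-call: rc=%d drawn=%d\n", b.rc, b.drawn);  /* rc=-1 drawn=0 */
    printf("cycle:     rc=%d drawn=%d\n", c.rc, c.drawn);  /* rc=-1 drawn=0 */
    return 0;
}
```

The depth counter is the whole fix: a cycle in the subroutine graph cannot be detected by looking at any single charstring, and a hostile font can make the chain arbitrarily long, so the converter has to bound the recursion itself rather than trust the input. Checking the cap on entry also covers the mutual-cycle case, which a simple "does this subroutine call itself" test would miss. The same pattern applies to any recursive-descent parser of attacker-controlled embedded data (fonts, images, compressed streams): a compile-time depth limit, checked before recursing, and an error path that unwinds cleanly.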
