[Poppler-bugs] [Bug 102918] New: heap overflow in FoFiType1C::convertToType0, FoFiType1C.cc:1038 of poppler 0.59.0
bugzilla-daemon at freedesktop.org
Thu Sep 21 03:09:34 UTC 2017
https://bugs.freedesktop.org/show_bug.cgi?id=102918
Bug ID: 102918
Summary: heap overflow in FoFiType1C::convertToType0, FoFiType1C.cc:1038 of poppler 0.59.0
Product: poppler
Version: unspecified
Hardware: Other
OS: All
Status: NEW
Severity: normal
Priority: medium
Component: utils
Assignee: poppler-bugs at lists.freedesktop.org
Reporter: luanjunchao at 163.com
Created attachment 134398
--> https://bugs.freedesktop.org/attachment.cgi?id=134398&action=edit
crash of poc
I'm not sure if it's the same as bug 102900, which I reported before; they crash
in the same function but at a different position. And I wonder if the fix for
102900 works for this issue.
The fault information is as follows when I run pdftops crash.pdf 1:
==13500==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x61a00001f738 at pc 0x0000004cb4df bp 0x7ffca39bc860 sp 0x7ffca39bc850
READ of size 4 at 0x61a00001f738 thread T0
#0 0x4cb4de in FoFiType1C::convertToType0(char*, int*, int, void (*)(void*,
char const*, int), void*)
/work/poppler_address/poppler-0.59.0/fofi/FoFiType1C.cc:1038
#1 0x470320 in PSOutputDev::setupEmbeddedCIDType0Font(GfxFont*, Ref*,
GooString*) /work/poppler_address/poppler-0.59.0/poppler/PSOutputDev.cc:2656
#2 0x46a485 in PSOutputDev::setupFont(GfxFont*, Dict*)
/work/poppler_address/poppler-0.59.0/poppler/PSOutputDev.cc:1953
#3 0x4699bb in PSOutputDev::setupFonts(Dict*)
/work/poppler_address/poppler-0.59.0/poppler/PSOutputDev.cc:1885
#4 0x4690c6 in PSOutputDev::setupResources(Dict*)
/work/poppler_address/poppler-0.59.0/poppler/PSOutputDev.cc:1798
#5 0x4682fc in PSOutputDev::writeDocSetup(PDFDoc*, Catalog*,
std::vector<int, std::allocator<int> > const&, bool)
/work/poppler_address/poppler-0.59.0/poppler/PSOutputDev.cc:1696
#6 0x465eb2 in PSOutputDev::postInit()
/work/poppler_address/poppler-0.59.0/poppler/PSOutputDev.cc:1455
#7 0x47510b in PSOutputDev::checkPageSlice(Page*, double, double, int,
bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*,
void*), void*) /work/poppler_address/poppler-0.59.0/poppler/PSOutputDev.cc:3246
#8 0x6243a5 in Page::displaySlice(OutputDev*, double, double, int, bool,
bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*,
void*), void*, bool) /work/poppler_address/poppler-0.59.0/poppler/Page.cc:539
#9 0x623a3b in Page::display(OutputDev*, double, double, int, bool, bool,
bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool)
/work/poppler_address/poppler-0.59.0/poppler/Page.cc:483
#10 0x4195ae in PDFDoc::displayPage(OutputDev*, int, double, double, int,
bool, bool, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool)
/work/poppler_address/poppler-0.59.0/poppler/PDFDoc.cc:488
#11 0x408083 in main
/work/poppler_address/poppler-0.59.0/utils/pdftops.cc:423
#12 0x7f46ee50a82f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#13 0x406c58 in _start
(/work/poppler_address/poppler-0.59.0/utils/pdftops+0x406c58)
0x61a00001f738 is located 8 bytes to the right of 1200-byte region
[0x61a00001f280,0x61a00001f730)
allocated by thread T0 here:
#0 0x7f46eff9d532 in operator new(unsigned long)
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99532)
#1 0x4c027b in FoFiType1C::make(char*, int)
/work/poppler_address/poppler-0.59.0/fofi/FoFiType1C.cc:50
#2 0x47017b in PSOutputDev::setupEmbeddedCIDType0Font(GfxFont*, Ref*,
GooString*) /work/poppler_address/poppler-0.59.0/poppler/PSOutputDev.cc:2648
#3 0x46a485 in PSOutputDev::setupFont(GfxFont*, Dict*)
/work/poppler_address/poppler-0.59.0/poppler/PSOutputDev.cc:1953
#4 0x4699bb in PSOutputDev::setupFonts(Dict*)
/work/poppler_address/poppler-0.59.0/poppler/PSOutputDev.cc:1885
#5 0x4690c6 in PSOutputDev::setupResources(Dict*)
/work/poppler_address/poppler-0.59.0/poppler/PSOutputDev.cc:1798
#6 0x4682fc in PSOutputDev::writeDocSetup(PDFDoc*, Catalog*,
std::vector<int, std::allocator<int> > const&, bool)
/work/poppler_address/poppler-0.59.0/poppler/PSOutputDev.cc:1696
#7 0x465eb2 in PSOutputDev::postInit()
/work/poppler_address/poppler-0.59.0/poppler/PSOutputDev.cc:1455
#8 0x47510b in PSOutputDev::checkPageSlice(Page*, double, double, int,
bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*,
void*), void*) /work/poppler_address/poppler-0.59.0/poppler/PSOutputDev.cc:3246
#9 0x6243a5 in Page::displaySlice(OutputDev*, double, double, int, bool,
bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*,
void*), void*, bool) /work/poppler_address/poppler-0.59.0/poppler/Page.cc:539
#10 0x623a3b in Page::display(OutputDev*, double, double, int, bool, bool,
bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool)
/work/poppler_address/poppler-0.59.0/poppler/Page.cc:483
#11 0x4195ae in PDFDoc::displayPage(OutputDev*, int, double, double, int,
bool, bool, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool)
/work/poppler_address/poppler-0.59.0/poppler/PDFDoc.cc:488
#12 0x408083 in main
/work/poppler_address/poppler-0.59.0/utils/pdftops.cc:423
#13 0x7f46ee50a82f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
SUMMARY: AddressSanitizer: heap-buffer-overflow
/work/poppler_address/poppler-0.59.0/fofi/FoFiType1C.cc:1038
FoFiType1C::convertToType0(char*, int*, int, void (*)(void*, char const*, int),
void*)
Shadow bytes around the buggy address:
0x0c347fffbe90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c347fffbea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c347fffbeb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c347fffbec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c347fffbed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c347fffbee0: 00 00 00 00 00 00 fa[fa]fa fa fa fa fa fa fa fa
0x0c347fffbef0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c347fffbf00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c347fffbf10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c347fffbf20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c347fffbf30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==13500==ABORTING
And the PoC PDF is attached here.