<html>
<head>
<base href="https://bugs.freedesktop.org/">
</head>
<body>
<p>
<div>
<b><a class="bz_bug_link
bz_status_NEW "
title="NEW - heap overflow in FoFiType1C::convertToType0"
href="https://bugs.freedesktop.org/show_bug.cgi?id=102724#c2">Comment # 2</a>
on <a class="bz_bug_link
bz_status_NEW "
title="NEW - heap overflow in FoFiType1C::convertToType0"
href="https://bugs.freedesktop.org/show_bug.cgi?id=102724">bug 102724</a>
from <span class="vcard"><a class="email" href="mailto:luanjunchao@163.com" title="junchao luan <luanjunchao@163.com>"> <span class="fn">junchao luan</span></a>
</span></b>
<pre>Here is the error output when I run pdftops with a specific PDF.
==50504==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x61600000fbf8 at pc 0x0000004c9a18 bp 0x7fffffffd320 sp 0x7fffffffd310
READ of size 1 at 0x61600000fbf8 thread T0
#0 0x4c9a17 in FoFiType1C::convertToType0(char*, int*, int, void (*)(void*,
char const*, int), void*) /work/down/poppler-0.59.0/fofi/FoFiType1C.cc:
#1 0x470320 in PSOutputDev::setupEmbeddedCIDType0Font(GfxFont*, Ref*,
GooString*) /work/down/poppler-0.59.0/poppler/PSOutputDev.cc:2656
#2 0x46a485 in PSOutputDev::setupFont(GfxFont*, Dict*)
/work/down/poppler-0.59.0/poppler/PSOutputDev.cc:1953
#3 0x4699bb in PSOutputDev::setupFonts(Dict*)
/work/down/poppler-0.59.0/poppler/PSOutputDev.cc:1885
#4 0x4690c6 in PSOutputDev::setupResources(Dict*)
/work/down/poppler-0.59.0/poppler/PSOutputDev.cc:1798
#5 0x4682fc in PSOutputDev::writeDocSetup(PDFDoc*, Catalog*,
std::vector<int, std::allocator<int> > const&, bool)
/work/down/poppler-0.59.0/poppler
#6 0x465eb2 in PSOutputDev::postInit()
/work/down/poppler-0.59.0/poppler/PSOutputDev.cc:1455
#7 0x47510b in PSOutputDev::checkPageSlice(Page*, double, double, int,
bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot
#8 0x6243a5 in Page::displaySlice(OutputDev*, double, double, int, bool,
bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, v
#9 0x623a3b in Page::display(OutputDev*, double, double, int, bool, bool,
bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /work
#10 0x4195ae in PDFDoc::displayPage(OutputDev*, int, double, double, int,
bool, bool, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*,
#11 0x408083 in main /work/down/poppler-0.59.0/utils/pdftops.cc:423
#12 0x7ffff547082f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#13 0x406c58 in _start (/work/down/poppler-0.59.0/utils/pdftops+0x406c58)
0x61600000fbf8 is located 48 bytes to the right of 584-byte region
[0x61600000f980,0x61600000fbc8)
allocated by thread T0 here:
#0 0x7ffff6f02602 in malloc
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x4af2f3 in gmalloc /work/down/poppler-0.59.0/goo/gmem.cc:110
#2 0x4af389 in gmalloc /work/down/poppler-0.59.0/goo/gmem.cc:120
#3 0x4da337 in FoFiType1C::parse()
/work/down/poppler-0.59.0/fofi/FoFiType1C.cc:2010
#4 0x4c02a5 in FoFiType1C::make(char*, int)
/work/down/poppler-0.59.0/fofi/FoFiType1C.cc:51
#5 0x47017b in PSOutputDev::setupEmbeddedCIDType0Font(GfxFont*, Ref*,
GooString*) /work/down/poppler-0.59.0/poppler/PSOutputDev.cc:2648
#6 0x46a485 in PSOutputDev::setupFont(GfxFont*, Dict*)
/work/down/poppler-0.59.0/poppler/PSOutputDev.cc:1953
#7 0x4699bb in PSOutputDev::setupFonts(Dict*)
/work/down/poppler-0.59.0/poppler/PSOutputDev.cc:1885
#8 0x4690c6 in PSOutputDev::setupResources(Dict*)
/work/down/poppler-0.59.0/poppler/PSOutputDev.cc:1798
#9 0x4682fc in PSOutputDev::writeDocSetup(PDFDoc*, Catalog*,
std::vector<int, std::allocator<int> > const&, bool)
/work/down/poppler-0.59.0/poppler
#10 0x465eb2 in PSOutputDev::postInit()
/work/down/poppler-0.59.0/poppler/PSOutputDev.cc:1455
#11 0x47510b in PSOutputDev::checkPageSlice(Page*, double, double, int,
bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Anno
#12 0x6243a5 in Page::displaySlice(OutputDev*, double, double, int, bool,
bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*,
#13 0x623a3b in Page::display(OutputDev*, double, double, int, bool, bool,
bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /wor
#14 0x4195ae in PDFDoc::displayPage(OutputDev*, int, double, double, int,
bool, bool, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*,
#15 0x408083 in main /work/down/poppler-0.59.0/utils/pdftops.cc:423
#16 0x7ffff547082f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
SUMMARY: AddressSanitizer: heap-buffer-overflow
/work/down/poppler-0.59.0/fofi/FoFiType1C.cc:907
FoFiType1C::convertToType0(char*, int*, int, void (*)(
Shadow bytes around the buggy address:
0x0c2c7fff9f20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2c7fff9f30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2c7fff9f40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2c7fff9f50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2c7fff9f60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c2c7fff9f70: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa[fa]
0x0c2c7fff9f80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2c7fff9f90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2c7fff9fa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2c7fff9fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2c7fff9fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==50504==ABORTING
I'm not sure if it's a duplicate of my previous <a class="bz_bug_link
bz_status_RESOLVED bz_closed"
title="RESOLVED FIXED - NULL pointer dereference vulnerability in poppler 0.59.0 FoFiType1C::convertToType0:907"
href="show_bug.cgi?id=102653">bug 102653</a>, and whether the fix for
it also works for this bug.</pre>
</div>
</p>
</body>
</html>