<html> <head> <base href="https://bugs.freedesktop.org/"> </head> <body><table border="1" cellspacing="0" cellpadding="8"> <tr> <th>Bug ID</th> <td><a class="bz_bug_link bz_status_NEW " title="NEW - heap overflow in FoFiType1C::convertToType0, FoFiType1C.cc:1038 of poppler 0.59.0" href="https://bugs.freedesktop.org/show_bug.cgi?id=102918">102918</a> </td> </tr> <tr> <th>Summary</th> <td>heap overflow in FoFiType1C::convertToType0, FoFiType1C.cc:1038 of poppler 0.59.0 </td> </tr> <tr> <th>Product</th> <td>poppler </td> </tr> <tr> <th>Version</th> <td>unspecified </td> </tr> <tr> <th>Hardware</th> <td>Other </td> </tr> <tr> <th>OS</th> <td>All </td> </tr> <tr> <th>Status</th> <td>NEW </td> </tr> <tr> <th>Severity</th> <td>normal </td> </tr> <tr> <th>Priority</th> <td>medium </td> </tr> <tr> <th>Component</th> <td>utils </td> </tr> <tr> <th>Assignee</th> <td>poppler-bugs@lists.freedesktop.org </td> </tr> <tr> <th>Reporter</th> <td>luanjunchao@163.com </td> </tr></table> <p> <div> <pre>Created <span class=""><a href="attachment.cgi?id=134398" name="attach_134398" title="crash of poc">attachment 134398</a> <a href="attachment.cgi?id=134398&action=edit" title="crash of poc">[details]</a></span> crash of poc I'm not sure if it's the same as I reported the <a class="bz_bug_link bz_status_NEW " title="NEW - stack overflow in FoFiType1C::cvtGlyph, poppler 0.59.0" href="show_bug.cgi?id=102900">bug 102900</a> before, they crush in the same function but in different position. And I wonder if the fix for 102900 works for this issue. The fault information is as follows when I run pdftops crash.pdf 1: ==13500==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61a00001f738 at pc 0x0000004cb4df bp 0x7ffca39bc860 sp 0x7ffca39bc850 READ of size 4 at 0x61a00001f738 thread T0 #0 0x4cb4de in FoFiType1C::convertToType0(char*, int*, int, void (*)(void*, char const*, int), void*) /work/poppler_address/poppler-0.59.0/fofi/FoFiType1C.cc:1038 #1 0x470320 in PSOutputDev::setupEmbeddedCIDType0Font(GfxFont*, Ref*, GooString*) /work/poppler_address/poppler-0.59.0/poppler/PSOutputDev.cc:2656 #2 0x46a485 in PSOutputDev::setupFont(GfxFont*, Dict*) /work/poppler_address/poppler-0.59.0/poppler/PSOutputDev.cc:1953 #3 0x4699bb in PSOutputDev::setupFonts(Dict*) /work/poppler_address/poppler-0.59.0/poppler/PSOutputDev.cc:1885 #4 0x4690c6 in PSOutputDev::setupResources(Dict*) /work/poppler_address/poppler-0.59.0/poppler/PSOutputDev.cc:1798 #5 0x4682fc in PSOutputDev::writeDocSetup(PDFDoc*, Catalog*, std::vector<int, std::allocator<int> > const&, bool) /work/poppler_address/poppler-0.59.0/poppler/PSOutputDev.cc:1696 #6 0x465eb2 in PSOutputDev::postInit() /work/poppler_address/poppler-0.59.0/poppler/PSOutputDev.cc:1455 #7 0x47510b in PSOutputDev::checkPageSlice(Page*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*) /work/poppler_address/poppler-0.59.0/poppler/PSOutputDev.cc:3246 #8 0x6243a5 in Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /work/poppler_address/poppler-0.59.0/poppler/Page.cc:539 #9 0x623a3b in Page::display(OutputDev*, double, double, int, bool, bool, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /work/poppler_address/poppler-0.59.0/poppler/Page.cc:483 #10 0x4195ae in PDFDoc::displayPage(OutputDev*, int, double, double, int, bool, bool, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /work/poppler_address/poppler-0.59.0/poppler/PDFDoc.cc:488 #11 0x408083 in main /work/poppler_address/poppler-0.59.0/utils/pdftops.cc:423 #12 0x7f46ee50a82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) #13 0x406c58 in _start (/work/poppler_address/poppler-0.59.0/utils/pdftops+0x406c58) 0x61a00001f738 is located 8 bytes to the right of 1200-byte region [0x61a00001f280,0x61a00001f730) allocated by thread T0 here: #0 0x7f46eff9d532 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99532) #1 0x4c027b in FoFiType1C::make(char*, int) /work/poppler_address/poppler-0.59.0/fofi/FoFiType1C.cc:50 #2 0x47017b in PSOutputDev::setupEmbeddedCIDType0Font(GfxFont*, Ref*, GooString*) /work/poppler_address/poppler-0.59.0/poppler/PSOutputDev.cc:2648 #3 0x46a485 in PSOutputDev::setupFont(GfxFont*, Dict*) /work/poppler_address/poppler-0.59.0/poppler/PSOutputDev.cc:1953 #4 0x4699bb in PSOutputDev::setupFonts(Dict*) /work/poppler_address/poppler-0.59.0/poppler/PSOutputDev.cc:1885 #5 0x4690c6 in PSOutputDev::setupResources(Dict*) /work/poppler_address/poppler-0.59.0/poppler/PSOutputDev.cc:1798 #6 0x4682fc in PSOutputDev::writeDocSetup(PDFDoc*, Catalog*, std::vector<int, std::allocator<int> > const&, bool) /work/poppler_address/poppler-0.59.0/poppler/PSOutputDev.cc:1696 #7 0x465eb2 in PSOutputDev::postInit() /work/poppler_address/poppler-0.59.0/poppler/PSOutputDev.cc:1455 #8 0x47510b in PSOutputDev::checkPageSlice(Page*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*) /work/poppler_address/poppler-0.59.0/poppler/PSOutputDev.cc:3246 #9 0x6243a5 in Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /work/poppler_address/poppler-0.59.0/poppler/Page.cc:539 #10 0x623a3b in Page::display(OutputDev*, double, double, int, bool, bool, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /work/poppler_address/poppler-0.59.0/poppler/Page.cc:483 #11 0x4195ae in PDFDoc::displayPage(OutputDev*, int, double, double, int, bool, bool, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /work/poppler_address/poppler-0.59.0/poppler/PDFDoc.cc:488 #12 0x408083 in main /work/poppler_address/poppler-0.59.0/utils/pdftops.cc:423 #13 0x7f46ee50a82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) SUMMARY: AddressSanitizer: heap-buffer-overflow /work/poppler_address/poppler-0.59.0/fofi/FoFiType1C.cc:1038 FoFiType1C::convertToType0(char*, int*, int, void (*)(void*, char const*, int), void*) Shadow bytes around the buggy address: 0x0c347fffbe90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c347fffbea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c347fffbeb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c347fffbec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c347fffbed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0c347fffbee0: 00 00 00 00 00 00 fa[fa]fa fa fa fa fa fa fa fa 0x0c347fffbef0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c347fffbf00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c347fffbf10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c347fffbf20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c347fffbf30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one sha dow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe ==13500==ABORTING And the poc of pdf is here.</pre> </div> </p> <hr> <span>You are receiving this mail because:</span> <ul> <li>You are the assignee for the bug.</li> </ul> </body> </html>