<html>
    <head>
      <base href="https://bugs.freedesktop.org/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - poppler-0.61: PSTokenizer.cc:87:30: runtime error: index -44 out of bounds for type 'char [256]'"
   href="https://bugs.freedesktop.org/show_bug.cgi?id=103583">103583</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>poppler-0.61: PSTokenizer.cc:87:30: runtime error: index -44 out of bounds for type 'char [256]'
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>poppler
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>unspecified
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>Other
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>medium
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>general
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>poppler-bugs@lists.freedesktop.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>legarrec.vincent@gmail.com
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Created <span class=""><a href="attachment.cgi?id=135249" name="attach_135249" title="PSTokenizer_getToken_address_sanitizer.pdf">attachment 135249</a> <a href="attachment.cgi?id=135249&action=edit" title="PSTokenizer_getToken_address_sanitizer.pdf">[details]</a></span>
PSTokenizer_getToken_address_sanitizer.pdf

This error only shows up in a build instrumented with AddressSanitizer.

In PSTokenizer::getToken, specialChars[c] should be specialChars[(unsigned
char)c] or something close to that: plain char is signed here, so any input
byte >= 0x80 becomes a negative index (0xD4 gives the -44 seen below).

pdftohtml PSTokenizer_getToken_address_sanitizer.pdf /tmp/

/home/legarrec/info/programmation/poppler/poppler/PSTokenizer.cc:87:30: runtime
error: index -44 out of bounds for type 'char [256]'
=================================================================
==1208==ERROR: AddressSanitizer: global-buffer-overflow on address
0x7f8a59d93a14 at pc 0x7f8a58a7060d bp 0x7ffd6018f7c0 sp 0x7ffd6018f7b0
READ of size 1 at 0x7f8a59d93a14 thread T0
    #0 0x7f8a58a7060c in PSTokenizer::getToken(char*, int, int*)
/home/legarrec/info/programmation/poppler/poppler/PSTokenizer.cc:87
    #1 0x7f8a577a8424 in CharCodeToUnicode::parseCMap1(int (*)(void*), void*,
int) /home/legarrec/info/programmation/poppler/poppler/CharCodeToUnicode.cc:311
    #2 0x7f8a577b54f7 in CharCodeToUnicode::mergeCMap(GooString*, int)
/home/legarrec/info/programmation/poppler/poppler/CharCodeToUnicode.cc:296
    #3 0x7f8a57fb811e in GfxFont::readToUnicodeCMap(Dict*, int,
CharCodeToUnicode*)
/home/legarrec/info/programmation/poppler/poppler/GfxFont.cc:584
    #4 0x7f8a57fe4870 in Gfx8BitFont::Gfx8BitFont(XRef*, char const*, Ref,
GooString*, GfxFontType, Ref, Dict*)
/home/legarrec/info/programmation/poppler/poppler/GfxFont.cc:1326
    #5 0x7f8a580689fd in GfxFont::makeFont(XRef*, char const*, Ref, Dict*)
/home/legarrec/info/programmation/poppler/poppler/GfxFont.cc:228
    #6 0x7f8a5806a7d9 in GfxFontDict::GfxFontDict(XRef*, Ref*, Dict*)
/home/legarrec/info/programmation/poppler/poppler/GfxFont.cc:2457
    #7 0x7f8a57cadf05 in GfxResources::GfxResources(XRef*, Dict*,
GfxResources*) /home/legarrec/info/programmation/poppler/poppler/Gfx.cc:338
    #8 0x7f8a57e03b4e in Gfx::Gfx(PDFDoc*, OutputDev*, int, Dict*, double,
double, PDFRectangle*, PDFRectangle*, int, bool (*)(void*), void*, XRef*)
/home/legarrec/info/programmation/poppler/poppler/Gfx.cc:541
    #9 0x7f8a588bf75e in Page::createGfx(OutputDev*, double, double, int, bool,
bool, int, int, int, int, bool, bool (*)(void*), void*, XRef*)
/home/legarrec/info/programmation/poppler/poppler/Page.cc:521
    #10 0x7f8a588c3068 in Page::displaySlice(OutputDev*, double, double, int,
bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*,
void*), void*, bool)
/home/legarrec/info/programmation/poppler/poppler/Page.cc:552
    #11 0x7f8a588c8d64 in Page::display(OutputDev*, double, double, int, bool,
bool, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool)
/home/legarrec/info/programmation/poppler/poppler/Page.cc:481
    #12 0x7f8a58971f6e in PDFDoc::displayPages(OutputDev*, int, int, double,
double, int, bool, bool, bool, bool (*)(void*), void*, bool (*)(Annot*, void*),
void*) /home/legarrec/info/programmation/poppler/poppler/PDFDoc.cc:503
    #13 0x4159cc in main
/home/legarrec/info/programmation/poppler/utils/pdftohtml.cc:389
    #14 0x7f8a54be8461 in __libc_start_main (/lib64/libc.so.6+0x20461)
    #15 0x41bb19 in _start
(/home/legarrec/info/programmation/poppler/build/utils/pdftohtml+0x41bb19)

0x7f8a59d93a14 is located 19 bytes to the right of global variable '*.LC0'
defined in '/home/legarrec/info/programmation/poppler/poppler/PSTokenizer.cc'
(0x7f8a59d939c0) of size 65
  '*.LC0' is ascii string
'/home/legarrec/info/programmation/poppler/poppler/PSTokenizer.cc'
0x7f8a59d93a14 is located 44 bytes to the left of global variable
'specialChars' defined in
'/home/legarrec/info/programmation/poppler/poppler/PSTokenizer.cc:38:19'
(0x7f8a59d93a40) of size 256
SUMMARY: AddressSanitizer: global-buffer-overflow
/home/legarrec/info/programmation/poppler/poppler/PSTokenizer.cc:87 in
PSTokenizer::getToken(char*, int, int*)
Shadow bytes around the buggy address:
  0x0ff1cb3aa6f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff1cb3aa700: 00 00 00 00 00 00 00 00 06 f9 f9 f9 f9 f9 f9 f9
  0x0ff1cb3aa710: 00 00 00 00 00 00 00 06 f9 f9 f9 f9 00 00 00 00
  0x0ff1cb3aa720: 00 00 00 05 f9 f9 f9 f9 00 00 00 00 00 00 00 04
  0x0ff1cb3aa730: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ff1cb3aa740: 01 f9[f9]f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x0ff1cb3aa750: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff1cb3aa760: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 00 00 00 00
  0x0ff1cb3aa770: 00 00 00 00 03 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x0ff1cb3aa780: 00 00 06 f9 f9 f9 f9 f9 00 00 00 00 00 00 04 f9
  0x0ff1cb3aa790: f9 f9 f9 f9 00 00 00 00 00 00 07 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1208==ABORTING</pre>
        </div>
      </p>


    </body>
</html>