<html>
<head>
<base href="https://bugs.freedesktop.org/">
</head>
<body><span class="vcard"><a class="email" href="mailto:legarrec.vincent@gmail.com" title="LE GARREC Vincent <legarrec.vincent@gmail.com>"> <span class="fn">LE GARREC Vincent</span></a>
</span> changed
<a class="bz_bug_link
bz_status_REOPENED "
title="REOPENED - poppler-0.61: PSTokenizer.cc:87:30: runtime error: index -44 out of bounds for type 'char [256]'"
href="https://bugs.freedesktop.org/show_bug.cgi?id=103583">bug 103583</a>
<br>
<table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>What</th>
<th>Removed</th>
<th>Added</th>
</tr>
<tr>
<td style="text-align:right;">Status</td>
<td>RESOLVED
</td>
<td>REOPENED
</td>
</tr>
<tr>
<td style="text-align:right;">Resolution</td>
<td>NOTABUG
</td>
<td>---
</td>
</tr></table>
<p>
<div>
<b><a class="bz_bug_link
bz_status_REOPENED "
title="REOPENED - poppler-0.61: PSTokenizer.cc:87:30: runtime error: index -44 out of bounds for type 'char [256]'"
href="https://bugs.freedesktop.org/show_bug.cgi?id=103583#c5">Comment # 5</a>
on <a class="bz_bug_link
bz_status_REOPENED "
title="REOPENED - poppler-0.61: PSTokenizer.cc:87:30: runtime error: index -44 out of bounds for type 'char [256]'"
href="https://bugs.freedesktop.org/show_bug.cgi?id=103583">bug 103583</a>
from <span class="vcard"><a class="email" href="mailto:legarrec.vincent@gmail.com" title="LE GARREC Vincent <legarrec.vincent@gmail.com>"> <span class="fn">LE GARREC Vincent</span></a>
</span></b>
<pre>Dear,
I found another pdf that address sanitizer doesn't like. I tested it this time
with the original source of poppler and the output is the same before asan
complains.
mkdir build
cd build
CFLAGS="-fsanitize=address,undefined -g -fno-omit-frame-pointer" CXXFLAGS="-fsanitize=address,undefined -g -fno-omit-frame-pointer" cmake ..
make
./utils/pdftohtml PSTokenizer_getToken_address_sanitizer2.pdf /tmp/
Then:
Syntax Error (23012): Illegal character <ff> in hex string
Syntax Error (23013): Illegal character <ff> in hex string
Syntax Error (23014): Illegal character <ff> in hex string
Syntax Error (23015): Illegal character <7f> in hex string
Syntax Error (4323): Dictionary key must be a name object
Syntax Error (4331): Dictionary key must be a name object
Syntax Error (4163): Dictionary key must be a name object
Syntax Error (4165): Dictionary key must be a name object
Syntax Error (4176): Dictionary key must be a name object
Syntax Error (6030): Dictionary key must be a name object
Syntax Error (6035): Dictionary key must be a name object
Syntax Error (6042): Dictionary key must be a name object
Syntax Error (6030): Dictionary key must be a name object
Syntax Error (6035): Dictionary key must be a name object
Syntax Error (6042): Dictionary key must be a name object
Syntax Error (6366): Bad uncompressed block length in flate stream
/home/legarrec/info/programmation/popplerok/poppler/PSTokenizer.cc:87:30:
runtime error: index -56 out of bounds for type 'char [256]'
=================================================================
==23470==ERROR: AddressSanitizer: global-buffer-overflow on address
0x7f45c6d68d08 at pc 0x7f45c68768a1 bp 0x7fffdb5c34d0 sp 0x7fffdb5c34c0
READ of size 1 at 0x7f45c6d68d08 thread T0
#0 0x7f45c68768a0 in PSTokenizer::getToken(char*, int, int*)
/home/legarrec/info/programmation/popplerok/poppler/PSTokenizer.cc:87
#1 0x7f45c6469b80 in CharCodeToUnicode::parseCMap1(int (*)(void*), void*,
int)
/home/legarrec/info/programmation/popplerok/poppler/CharCodeToUnicode.cc:313
#2 0x7f45c646be75 in CharCodeToUnicode::mergeCMap(GooString*, int)
/home/legarrec/info/programmation/popplerok/poppler/CharCodeToUnicode.cc:298
#3 0x7f45c6609fc0 in GfxFont::readToUnicodeCMap(Dict*, int,
CharCodeToUnicode*)
/home/legarrec/info/programmation/popplerok/poppler/GfxFont.cc:584
#4 0x7f45c661359d in Gfx8BitFont::Gfx8BitFont(XRef*, char const*, Ref,
GooString*, GfxFontType, Ref, Dict*)
/home/legarrec/info/programmation/popplerok/poppler/GfxFont.cc:1326
#5 0x7f45c66320d1 in GfxFont::makeFont(XRef*, char const*, Ref, Dict*)
/home/legarrec/info/programmation/popplerok/poppler/GfxFont.cc:228
#6 0x7f45c66327a0 in GfxFontDict::GfxFontDict(XRef*, Ref*, Dict*)
/home/legarrec/info/programmation/popplerok/poppler/GfxFont.cc:2457
#7 0x7f45c6550e93 in GfxResources::GfxResources(XRef*, Dict*,
GfxResources*) /home/legarrec/info/programmation/popplerok/poppler/Gfx.cc:338
#8 0x7f45c65b210f in Gfx::Gfx(PDFDoc*, OutputDev*, int, Dict*, double,
double, PDFRectangle*, PDFRectangle*, int, bool (*)(void*), void*, XRef*)
/home/legarrec/info/programmation/popplerok/poppler/Gfx.cc:541
#9 0x7f45c681dc7c in Page::createGfx(OutputDev*, double, double, int, bool,
bool, int, int, int, int, bool, bool (*)(void*), void*, XRef*)
/home/legarrec/info/programmation/popplerok/poppler/Page.cc:521
#10 0x7f45c681efd1 in Page::displaySlice(OutputDev*, double, double, int,
bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*,
void*), void*, bool)
/home/legarrec/info/programmation/popplerok/poppler/Page.cc:552
#11 0x7f45c681ff6b in Page::display(OutputDev*, double, double, int, bool,
bool, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool)
/home/legarrec/info/programmation/popplerok/poppler/Page.cc:481
#12 0x7f45c68425bc in PDFDoc::displayPages(OutputDev*, int, int, double,
double, int, bool, bool, bool, bool (*)(void*), void*, bool (*)(Annot*, void*),
void*) /home/legarrec/info/programmation/popplerok/poppler/PDFDoc.cc:513
#13 0x40c3ab in main
/home/legarrec/info/programmation/popplerok/utils/pdftohtml.cc:392
#14 0x7f45c402df51 in __libc_start_main (/lib64/libc.so.6+0x20f51)
#15 0x40d7e9 in _start
(/home/legarrec/info/programmation/popplerok/build/utils/pdftohtml+0x40d7e9)
0x7f45c6d68d08 is located 5 bytes to the right of global variable '*.LC0'
defined in '/home/legarrec/info/programmation/popplerok/poppler/PSTokenizer.cc'
(0x7f45c6d68cc0) of size 67
'*.LC0' is ascii string
'/home/legarrec/info/programmation/popplerok/poppler/PSTokenizer.cc'
0x7f45c6d68d08 is located 56 bytes to the left of global variable
'specialChars' defined in
'/home/legarrec/info/programmation/popplerok/poppler/PSTokenizer.cc:38:19'
(0x7f45c6d68d40) of size 256
SUMMARY: AddressSanitizer: global-buffer-overflow
/home/legarrec/info/programmation/popplerok/poppler/PSTokenizer.cc:87 in
PSTokenizer::getToken(char*, int, int*)
Shadow bytes around the buggy address:
0x0fe938da5150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe938da5160: 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9
0x0fe938da5170: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 00 00 00 00
0x0fe938da5180: 00 00 00 07 f9 f9 f9 f9 00 00 00 00 00 00 00 06
0x0fe938da5190: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fe938da51a0: 03[f9]f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
0x0fe938da51b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe938da51c0: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 00 00 00 00
0x0fe938da51d0: 00 00 00 00 05 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
0x0fe938da51e0: 00 00 06 f9 f9 f9 f9 f9 00 00 00 00 00 00 04 f9
0x0fe938da51f0: f9 f9 f9 f9 00 00 00 00 00 00 07 f9 f9 f9 f9 f9
Please, could you check again?
Thanks,</pre>
</div>
</p>
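<p>Added illustration, not part of the bug report and not poppler's code: the ASan output above places the faulting read 56 bytes to the left of <code>specialChars</code> (a 256-entry table) and UBSan reports index -56, which is the signature of a byte with the high bit set being used as an array index after passing through a signed 8-bit type (0xC8 is 200 unsigned, -56 as <code>signed char</code>). The constructed C snippet below reproduces that index arithmetic without dereferencing out of bounds, shows the <code>unsigned char</code> widening that keeps every byte inside 0..255, and runs a whitespace-skip loop of the same shape over a buffer that contains the 0xC8 byte. The table contents, function names and sample input are assumptions made for the example.</p>

```c
#include <stdio.h>
#include <string.h>

/* Constructed 256-entry classification table in the style of a PostScript
 * tokenizer's "special character" table: 1 = whitespace, 2 = delimiter,
 * 0 = ordinary byte. Illustration only; not poppler's table. */
static char special_chars[256];

static void init_table(void)
{
    static int ready = 0;
    if (ready)
        return;
    memset(special_chars, 0, sizeof special_chars);
    special_chars[' '] = special_chars['\t'] = special_chars['\n'] = 1;
    special_chars['\r'] = special_chars['\f'] = 1;
    const char *delims = "()<>[]{}/";
    for (const char *p = delims; *p; p++)
        special_chars[(unsigned char)*p] = 2;
    ready = 1;
}

/* Index that `table[c]` computes when the byte reached `c` through a signed
 * 8-bit type (plain `char` is signed on x86-64 Linux, the reporter's
 * platform). Bytes >= 0x80 become negative: 0xC8 gives -56, the value in
 * the report above. The index is only computed here, never dereferenced. */
int index_before_fix(signed char c)
{
    return (int)c;
}

/* Hardened form: widen through unsigned char so every byte lands in
 * 0..255 and a 256-entry table can never be indexed negatively. */
int index_after_fix(signed char c)
{
    return (int)(unsigned char)c;
}

/* Explicit range check for a 256-entry table; returns 1 when idx is usable. */
int index_in_bounds(int idx)
{
    return idx >= 0 && idx < 256;
}

/* Whitespace skipper over a raw byte buffer using the hardened indexing.
 * Returns the offset of the first non-whitespace byte, or len if none. */
size_t skip_whitespace(const char *buf, size_t len)
{
    init_table();
    size_t i = 0;
    while (i < len) {
        int idx = index_after_fix((signed char)buf[i]);
        if (special_chars[idx] != 1)
            break;
        i++;
    }
    return i;
}

int main(void)
{
    /* Constructed sample: two spaces, a tab, the 0xC8 byte, then "abc".
     * Split literal so the hex escape does not swallow the "abc". */
    const char sample[] = "  \t\xc8" "abc";
    signed char raw = (signed char)0xC8;

    printf("byte 0xC8: index before fix %d (in bounds: %d), after fix %d (in bounds: %d)\n",
           index_before_fix(raw), index_in_bounds(index_before_fix(raw)),
           index_after_fix(raw), index_in_bounds(index_after_fix(raw)));
    printf("first non-whitespace offset in sample: %zu\n",
           skip_whitespace(sample, sizeof sample - 1));
    return 0;
}
```

<p>Building this with the same <code>-fsanitize=address,undefined</code> flags quoted in the comment is a good habit: the hardened loop stays silent, while a variant that indexed the table with <code>index_before_fix</code> directly would trigger the same "index out of bounds for type 'char [256]'" diagnostic on the 0xC8 byte.</p>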
</body>
</html>