[poppler] poppler/UTF.cc poppler/UTF.h qt5/tests qt6/tests

GitLab Mirror gitlab-mirror at kemper.freedesktop.org
Fri Jun 16 09:07:07 UTC 2023 

 poppler/UTF.cc                     |    2 +-
 poppler/UTF.h                      |    2 +-
 qt5/tests/check_utf_conversion.cpp |    2 +-
 qt6/tests/check_utf_conversion.cpp |    2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

New commits:
commit e885124ab3b071b7fbb2f001e4a9a88b7e758605
Author: Even Rouault <even.rouault at spatialys.com>
Date:   Thu Jun 15 20:25:24 2023 +0200

    utf8ToUtf16(): fix out-of-bounds write
    
    Fixes a regression introduced by recent
    9183da4fcb8d06360ed51f7f1131a14300008735 commit which caused the
    following Valgrind error:
    
    ```
    $ valgrind utils/pdftoppm /tmp/test.pdf
    ==3735668== Memcheck, a memory error detector
    ==3735668== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
    ==3735668== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
    ==3735668== Command: utils/pdftoppm /tmp/test.pdf
    ==3735668==
    Syntax Warning: May not be a PDF file (continuing anyway)
    Syntax Error: Unterminated string
    ==3735668== Invalid write of size 2
    ==3735668==    at 0x4A3570C: utf8ToUtf16(char const*, unsigned short*, int, int) (poppler/UTF.cc:353)
    ==3735668==    by 0x4A3584C: utf8ToUtf16(char const*, int*) (poppler/UTF.cc:368)
    ==3735668==    by 0x4A358D4: utf8ToUtf16WithBom(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) (poppler/UTF.cc:379)
    ==3735668==    by 0x49F2C97: Lexer::getObj(int) (poppler/Lexer.cc:424)
    ==3735668==    by 0x4A035C2: Parser::Parser(XRef*, Stream*, bool) (poppler/Parser.cc:50)
    ==3735668==    by 0x49F888B: Linearization::Linearization(BaseStream*) (poppler/Linearization.cc:28)
    ==3735668==    by 0x4A06D8D: getLinearization (poppler/PDFDoc.cc:648)
    ==3735668==    by 0x4A06D8D: PDFDoc::isLinearized(bool) (poppler/PDFDoc.cc:700)
    ==3735668==    by 0x4A0518D: PDFDoc::getStartXRef(bool) (poppler/PDFDoc.cc:2003)
    ==3735668==    by 0x4A04BB8: PDFDoc::setup(std::optional<GooString> const&, std::optional<GooString> const&, std::function<void ()> const&) (poppler/PDFDoc.cc:246)
    ==3735668==    by 0x4A04AAB: PDFDoc::PDFDoc(std::unique_ptr<GooString, std::default_delete<GooString> >&&, std::optional<GooString> const&, std::optional<GooString> const&, void*, std::function<void ()> const&) (poppler/PDFDoc.cc:160)
    ==3735668==    by 0x49F93EA: LocalPDFDocBuilder::buildPDFDoc(GooString const&, std::optional<GooString> const&, std::optional<GooString> const&, void*) (poppler/LocalPDFDocBuilder.cc:0)
    ==3735668==    by 0x4A1FBB5: PDFDocFactory::createPDFDoc(GooString const&, std::optional<GooString> const&, std::optional<GooString> const&, void*) (poppler/PDFDocFactory.cc:62)
    ==3735668==  Address 0x669cf54 is 0 bytes after a block of size 148 alloc'd
    ==3735668==    at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
    ==3735668==    by 0x4A35815: gmalloc (goo/gmem.h:44)
    ==3735668==    by 0x4A35815: gmallocn (goo/gmem.h:121)
    ==3735668==    by 0x4A35815: utf8ToUtf16(char const*, int*) (poppler/UTF.cc:367)
    ==3735668==    by 0x4A358D4: utf8ToUtf16WithBom(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) (poppler/UTF.cc:379)
    ==3735668==    by 0x49F2C97: Lexer::getObj(int) (poppler/Lexer.cc:424)
    ==3735668==    by 0x4A035C2: Parser::Parser(XRef*, Stream*, bool) (poppler/Parser.cc:50)
    ==3735668==    by 0x49F888B: Linearization::Linearization(BaseStream*) (poppler/Linearization.cc:28)
    ==3735668==    by 0x4A06D8D: getLinearization (poppler/PDFDoc.cc:648)
    ==3735668==    by 0x4A06D8D: PDFDoc::isLinearized(bool) (poppler/PDFDoc.cc:700)
    ==3735668==    by 0x4A0518D: PDFDoc::getStartXRef(bool) (poppler/PDFDoc.cc:2003)
    ==3735668==    by 0x4A04BB8: PDFDoc::setup(std::optional<GooString> const&, std::optional<GooString> const&, std::function<void ()> const&) (poppler/PDFDoc.cc:246)
    ==3735668==    by 0x4A04AAB: PDFDoc::PDFDoc(std::unique_ptr<GooString, std::default_delete<GooString> >&&, std::optional<GooString> const&, std::optional<GooString> const&, void*, std::function<void ()> const&) (poppler/PDFDoc.cc:160)
    ==3735668==    by 0x49F93EA: LocalPDFDocBuilder::buildPDFDoc(GooString const&, std::optional<GooString> const&, std::optional<GooString> const&, void*) (poppler/LocalPDFDocBuilder.cc:0)
    ==3735668==    by 0x4A1FBB5: PDFDocFactory::createPDFDoc(GooString const&, std::optional<GooString> const&, std::optional<GooString> const&, void*) (poppler/PDFDocFactory.cc:62)
    ```
    
    Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=59840

diff --git a/poppler/UTF.cc b/poppler/UTF.cc
index 8cf8056c..5d971f9d 100644
--- a/poppler/UTF.cc
+++ b/poppler/UTF.cc
@@ -365,7 +365,7 @@ uint16_t *utf8ToUtf16(const char *utf8, int *len)
         *len = n;
     }
     uint16_t *utf16 = (uint16_t *)gmallocn(n + 1, sizeof(uint16_t));
-    utf8ToUtf16(utf8, utf16);
+    utf8ToUtf16(utf8, utf16, n + 1, INT_MAX);
     return utf16;
 }
 
diff --git a/poppler/UTF.h b/poppler/UTF.h
index cdcfb57a..8fec5a93 100644
--- a/poppler/UTF.h
+++ b/poppler/UTF.h
@@ -69,7 +69,7 @@ int POPPLER_PRIVATE_EXPORT utf8CountUtf16CodeUnits(const char *utf8);
 //  maxUtf8 - maximum number of UTF-8 bytes to convert. Conversion stops when
 //            either this count is reached or a null is encountered.
 // Returns number of UTF-16 code units written (excluding NULL).
-int POPPLER_PRIVATE_EXPORT utf8ToUtf16(const char *utf8, uint16_t *utf16, int maxUtf16 = INT_MAX, int maxUtf8 = INT_MAX);
+int POPPLER_PRIVATE_EXPORT utf8ToUtf16(const char *utf8, uint16_t *utf16, int maxUtf16, int maxUtf8);
 
 // Allocate utf16 string and convert utf8 into it.
 uint16_t POPPLER_PRIVATE_EXPORT *utf8ToUtf16(const char *utf8, int *len = nullptr);
diff --git a/qt5/tests/check_utf_conversion.cpp b/qt5/tests/check_utf_conversion.cpp
index 73c684ee..506a2a13 100644
--- a/qt5/tests/check_utf_conversion.cpp
+++ b/qt5/tests/check_utf_conversion.cpp
@@ -94,7 +94,7 @@ void TestUTFConversion::testUTF()
     QCOMPARE(len, s.size()); // QString size() returns number of code units, not code points
     Q_ASSERT(len < (int)sizeof(utf16Buf)); // if this fails, make utf16Buf larger
 
-    len = utf8ToUtf16(str, utf16Buf);
+    len = utf8ToUtf16(str, utf16Buf, sizeof(utf16Buf), INT_MAX);
     QVERIFY(compare(utf16Buf, s.utf16()));
     QCOMPARE(len, s.size());
 
diff --git a/qt6/tests/check_utf_conversion.cpp b/qt6/tests/check_utf_conversion.cpp
index 2cac7582..06366724 100644
--- a/qt6/tests/check_utf_conversion.cpp
+++ b/qt6/tests/check_utf_conversion.cpp
@@ -92,7 +92,7 @@ void TestUTFConversion::testUTF()
     QCOMPARE(len, s.size()); // QString size() returns number of code units, not code points
     Q_ASSERT(len < (int)sizeof(utf16Buf)); // if this fails, make utf16Buf larger
 
-    len = utf8ToUtf16(str, utf16Buf);
+    len = utf8ToUtf16(str, utf16Buf, sizeof(utf16Buf), INT_MAX);
     QVERIFY(compare(utf16Buf, s.utf16()));
     QCOMPARE(len, s.size());

More information about the poppler mailing list