jhcloos / xpdf Goto Github PK
View Code? Open in Web Editor NEWLicense: GNU General Public License v2.0
xpdf's Issues
heap-buffer-overflow_in_readHuffSym
Hi, in the lastest version of this code [ ps: commit id ffaf11c] I found something unusual.
crash sample
8id0_heap-buffer-overflow_in_readHuffSym.zip
command to reproduce
./pdftops -q [crash sample] /dev/null
crash detail
=================================================================
==108391==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x620000001782 at pc 0x000000759029 bp 0x7ffd51edc550 sp 0x7ffd51edc548
READ of size 2 at 0x620000001782 thread T0
#0 0x759028 in DCTStream::readHuffSym(DCTHuffTable*) /home/bupt/Desktop/xpdf/xpdf/Stream.cc:3119:16
#1 0x7548ba in DCTStream::readDataUnit(DCTHuffTable*, DCTHuffTable*, int*, int*) /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2624:17
#2 0x751b27 in DCTStream::readMCURow() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2392:9
#3 0x750d6e in DCTStream::getChar() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2316:12
#4 0x6899e3 in Object::streamGetChar() /home/bupt/Desktop/xpdf/xpdf/./Object.h:288:20
#5 0x6899e3 in Lexer::getChar() /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:92:42
#6 0x6899e3 in Lexer::getObj(Object*) /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:124:14
#7 0x6a8fc5 in Parser::Parser(XRef*, Lexer*, int) /home/bupt/Desktop/xpdf/xpdf/Parser.cc:33:10
#8 0x581742 in Gfx::display(Object*, int) /home/bupt/Desktop/xpdf/xpdf/Gfx.cc:641:16
#9 0x6a76a1 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:360:10
#10 0x6d5f6e in PSOutputDev::checkPageSlice(Page*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PSOutputDev.cc:3276:11
#11 0x6a7172 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:328:13
#12 0x6a6f81 in Page::display(OutputDev*, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:308:3
#13 0x6af9b4 in PDFDoc::displayPage(OutputDev*, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:384:27
#14 0x6af9b4 in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:397:5
#15 0x796d81 in main /home/bupt/Desktop/xpdf/xpdf/pdftops.cc:342:10
#16 0x7f3b180d3c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
#17 0x41d5d9 in _start (/home/bupt/Desktop/xpdf/xpdf/pdftops+0x41d5d9)
0x620000001782 is located 2314 bytes to the right of 3576-byte region [0x620000000080,0x620000000e78)
allocated by thread T0 here:
#0 0x4f5768 in operator new(unsigned long) /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_new_delete.cpp:99
#1 0x7259bc in Stream::makeFilter(char*, Stream*, Object*, int) /home/bupt/Desktop/xpdf/xpdf/Stream.cc:269:11
#2 0x72459a in Stream::addFilters(Object*, int) /home/bupt/Desktop/xpdf/xpdf/Stream.cc:141:11
#3 0x6ad41e in Parser::makeStream(Object*, unsigned char*, CryptAlgorithm, int, int, int, int) /home/bupt/Desktop/xpdf/xpdf/Parser.cc:214:14
#4 0x6ab6f6 in Parser::getObj(Object*, int, unsigned char*, CryptAlgorithm, int, int, int, int) /home/bupt/Desktop/xpdf/xpdf/Parser.cc:101:18
#5 0x781a3a in XRef::fetch(int, int, Object*, int) /home/bupt/Desktop/xpdf/xpdf/XRef.cc:1028:13
#6 0x6a7611 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:357:12
#7 0x6d5f6e in PSOutputDev::checkPageSlice(Page*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PSOutputDev.cc:3276:11
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/bupt/Desktop/xpdf/xpdf/Stream.cc:3119:16 in DCTStream::readHuffSym(DCTHuffTable*)
Shadow bytes around the buggy address:
0x0c407fff82a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c407fff82b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c407fff82c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c407fff82d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c407fff82e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c407fff82f0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c407fff8300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c407fff8310: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c407fff8320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c407fff8330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c407fff8340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==108391==ABORTING
heap_buffer_overflow_in_readScan
Hi, in the lastest version of this code [ ps: commit id ffaf11c] I found something unusual.
crash sample
8id103_heap_buffer_overflow_in_readScan.zip
command to reproduce
./pdftops -q [crash sample] /dev/null
crash detail
=================================================================
==115797==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fcb48dd5800 at pc 0x00000074635f bp 0x7ffcc31156f0 sp 0x7ffcc31156e8
READ of size 4 at 0x7fcb48dd5800 thread T0
#0 0x74635e in DCTStream::readScan() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2549:18
#1 0x7401e0 in DCTStream::reset() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2257:7
#2 0x68912e in Object::streamReset() /home/bupt/Desktop/xpdf/xpdf/./Object.h:282:13
#3 0x68912e in Lexer::Lexer(XRef*, Object*) /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:74:12
#4 0x581714 in Gfx::display(Object*, int) /home/bupt/Desktop/xpdf/xpdf/Gfx.cc:641:33
#5 0x6a76a1 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:360:10
#6 0x6d5f6e in PSOutputDev::checkPageSlice(Page*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PSOutputDev.cc:3276:11
#7 0x6a7172 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:328:13
#8 0x6a6f81 in Page::display(OutputDev*, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:308:3
#9 0x6af9b4 in PDFDoc::displayPage(OutputDev*, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:384:27
#10 0x6af9b4 in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:397:5
#11 0x796d81 in main /home/bupt/Desktop/xpdf/xpdf/pdftops.cc:342:10
#12 0x7fcb4b949c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
#13 0x41d5d9 in _start (/home/bupt/Desktop/xpdf/xpdf/pdftops+0x41d5d9)
0x7fcb48dd5800 is located 0 bytes to the right of 131072-byte region [0x7fcb48db5800,0x7fcb48dd5800)
allocated by thread T0 here:
#0 0x4afba0 in malloc /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
#1 0x7aa7fa in gmalloc /home/bupt/Desktop/xpdf/goo/gmem.cc:102:13
#2 0x7aa7fa in gmallocn /home/bupt/Desktop/xpdf/goo/gmem.cc:168:10
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2549:18 in DCTStream::readScan()
Shadow bytes around the buggy address:
0x0ff9e91b2ab0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff9e91b2ac0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff9e91b2ad0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff9e91b2ae0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff9e91b2af0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ff9e91b2b00:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff9e91b2b10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff9e91b2b20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff9e91b2b30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff9e91b2b40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff9e91b2b50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==115797==ABORTING
heap_buffer_overflow_in_getChar
Hi, in the lastest version of this code [ ps: commit id ffaf11c] I found something unusual.
crash sample
8id93_heap_buffer_overflow_in_getChar.zip
command to reproduce
./pdftops -q [crash sample] /dev/null
crash detail
=================================================================
==115941==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f54608ff800 at pc 0x000000750e7c bp 0x7ffdad0d6050 sp 0x7ffdad0d6048
READ of size 4 at 0x7f54608ff800 thread T0
#0 0x750e7b in DCTStream::getChar() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2302:9
#1 0x6899e3 in Object::streamGetChar() /home/bupt/Desktop/xpdf/xpdf/./Object.h:288:20
#2 0x6899e3 in Lexer::getChar() /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:92:42
#3 0x6899e3 in Lexer::getObj(Object*) /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:124:14
#4 0x6ab867 in Parser::getObj(Object*, int, unsigned char*, CryptAlgorithm, int, int, int, int) /home/bupt/Desktop/xpdf/xpdf/Parser.cc
#5 0x582f60 in Gfx::go(int) /home/bupt/Desktop/xpdf/xpdf/Gfx.cc:757:13
#6 0x581775 in Gfx::display(Object*, int) /home/bupt/Desktop/xpdf/xpdf/Gfx.cc:642:3
#7 0x6a76a1 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:360:10
#8 0x6d5f6e in PSOutputDev::checkPageSlice(Page*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PSOutputDev.cc:3276:11
#9 0x6a7172 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:328:13
#10 0x6a6f81 in Page::display(OutputDev*, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:308:3
#11 0x6af9b4 in PDFDoc::displayPage(OutputDev*, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:384:27
#12 0x6af9b4 in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:397:5
#13 0x796d81 in main /home/bupt/Desktop/xpdf/xpdf/pdftops.cc:342:10
#14 0x7f5463589c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
#15 0x41d5d9 in _start (/home/bupt/Desktop/xpdf/xpdf/pdftops+0x41d5d9)
0x7f54608ff800 is located 0 bytes to the right of 131072-byte region [0x7f54608df800,0x7f54608ff800)
allocated by thread T0 here:
#0 0x4afba0 in malloc /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
#1 0x7aa7fa in gmalloc /home/bupt/Desktop/xpdf/goo/gmem.cc:102:13
#2 0x7aa7fa in gmallocn /home/bupt/Desktop/xpdf/goo/gmem.cc:168:10
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2302:9 in DCTStream::getChar()
Shadow bytes around the buggy address:
0x0feb0c117eb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0feb0c117ec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0feb0c117ed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0feb0c117ee0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0feb0c117ef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0feb0c117f00:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0feb0c117f10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0feb0c117f20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0feb0c117f30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0feb0c117f40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0feb0c117f50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==115941==ABORTING
Asap
Xpdf pdf
SEGV_in_readMCURow
Hi, in the lastest version of this code [ ps: commit id ffaf11c] I found something unusual.
crash sample
command to reproduce
./pdftops -q [crash sample] /dev/null
crash detail
AddressSanitizer:DEADLYSIGNAL
=================================================================
==115909==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000751cdd bp 0x7fffab2f8a10 sp 0x7fffab2f8640 T0)
==115909==The signal is caused by a WRITE memory access.
==115909==Hint: address points to the zero page.
#0 0x751cdd in DCTStream::readMCURow() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2403:23
#1 0x750d6e in DCTStream::getChar() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2316:12
#2 0x6899e3 in Object::streamGetChar() /home/bupt/Desktop/xpdf/xpdf/./Object.h:288:20
#3 0x6899e3 in Lexer::getChar() /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:92:42
#4 0x6899e3 in Lexer::getObj(Object*) /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:124:14
#5 0x6a8fc5 in Parser::Parser(XRef*, Lexer*, int) /home/bupt/Desktop/xpdf/xpdf/Parser.cc:33:10
#6 0x581742 in Gfx::display(Object*, int) /home/bupt/Desktop/xpdf/xpdf/Gfx.cc:641:16
#7 0x6a76a1 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:360:10
#8 0x6d5f6e in PSOutputDev::checkPageSlice(Page*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PSOutputDev.cc:3276:11
#9 0x6a7172 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:328:13
#10 0x6a6f81 in Page::display(OutputDev*, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:308:3
#11 0x6af9b4 in PDFDoc::displayPage(OutputDev*, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:384:27
#12 0x6af9b4 in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:397:5
#13 0x796d81 in main /home/bupt/Desktop/xpdf/xpdf/pdftops.cc:342:10
#14 0x7fabd9c46c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
#15 0x41d5d9 in _start (/home/bupt/Desktop/xpdf/xpdf/pdftops+0x41d5d9)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2403:23 in DCTStream::readMCURow()
==115909==ABORTING
heap_buffer_overflow_in_lookChar
Hi, in the lastest version of this code [ ps: commit id ffaf11c] I found something unusual.
crash sample
8id148_heap_buffer_overflow_in_lookChar.zip
command to reproduce
./pdftops -q [crash sample] /dev/null
crash detail
=================================================================
==115813==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x631000038800 at pc 0x000000754566 bp 0x7ffe27e56210 sp 0x7ffe27e56208
READ of size 4 at 0x631000038800 thread T0
#0 0x754565 in DCTStream::lookChar() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2331:12
#1 0x68a82a in Object::streamLookChar() /home/bupt/Desktop/xpdf/xpdf/./Object.h:291:20
#2 0x68a82a in Lexer::lookChar() /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:108:17
#3 0x68a82a in Lexer::getObj(Object*) /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:458:17
#4 0x6ab867 in Parser::getObj(Object*, int, unsigned char*, CryptAlgorithm, int, int, int, int) /home/bupt/Desktop/xpdf/xpdf/Parser.cc
#5 0x6aa214 in Parser::getObj(Object*, int, unsigned char*, CryptAlgorithm, int, int, int, int) /home/bupt/Desktop/xpdf/xpdf/Parser.cc:69:21
#6 0x582f60 in Gfx::go(int) /home/bupt/Desktop/xpdf/xpdf/Gfx.cc:757:13
#7 0x581775 in Gfx::display(Object*, int) /home/bupt/Desktop/xpdf/xpdf/Gfx.cc:642:3
#8 0x6a76a1 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:360:10
#9 0x6d5f6e in PSOutputDev::checkPageSlice(Page*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PSOutputDev.cc:3276:11
#10 0x6a7172 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:328:13
#11 0x6a6f81 in Page::display(OutputDev*, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:308:3
#12 0x6af9b4 in PDFDoc::displayPage(OutputDev*, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:384:27
#13 0x6af9b4 in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:397:5
#14 0x796d81 in main /home/bupt/Desktop/xpdf/xpdf/pdftops.cc:342:10
#15 0x7f3e6975dc86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
#16 0x41d5d9 in _start (/home/bupt/Desktop/xpdf/xpdf/pdftops+0x41d5d9)
0x631000038800 is located 0 bytes to the right of 65536-byte region [0x631000028800,0x631000038800)
allocated by thread T0 here:
#0 0x4afba0 in malloc /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
#1 0x7aa7fa in gmalloc /home/bupt/Desktop/xpdf/goo/gmem.cc:102:13
#2 0x7aa7fa in gmallocn /home/bupt/Desktop/xpdf/goo/gmem.cc:168:10
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2331:12 in DCTStream::lookChar()
Shadow bytes around the buggy address:
0x0c627ffff0b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c627ffff0c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c627ffff0d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c627ffff0e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c627ffff0f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c627ffff100:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c627ffff110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c627ffff120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c627ffff130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c627ffff140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c627ffff150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==115813==ABORTING
global-buffer-overflow on binary pdfimages
SUMMARY
Hi there, I use my fuzzer for fuzzing the binary pdfIamges, and this binary crashes with the following:
Syntax Error (2227): Unexpected end of file in flate stream
=================================================================
==2226711==ERROR: AddressSanitizer: global-buffer-overflow on address 0x55e91fe296ef at pc 0x55e91fa2428c bp 0x7ffdd3190680 sp 0x7ffdd3190670
READ of size 1 at 0x55e91fe296ef thread T0
#0 0x55e91fa2428b in PSTokenizer::getToken(char*, int, int*) /xpdf-master/xpdf/PSTokenizer.cc:72
#1 0x55e91f8fecec in CharCodeToUnicode::parseCMap1(int (*)(void*), void*, int) /xpdf-master/xpdf/CharCodeToUnicode.cc:264
#2 0x55e91f8fe97a in CharCodeToUnicode::parseCMap(GString*, int) /xpdf-master/xpdf/CharCodeToUnicode.cc:241
#3 0x55e91f95a1be in GfxFont::readToUnicodeCMap(Dict*, int, CharCodeToUnicode*) /xpdf-master/xpdf/GfxFont.cc:512
#4 0x55e91f9635f8 in GfxCIDFont::GfxCIDFont(XRef*, char*, Ref, GString*, GfxFontType, Ref, Dict*) /xpdf-master/xpdf/GfxFont.cc:1618
#5 0x55e91f95846f in GfxFont::makeFont(XRef*, char*, Ref, Dict*) /xpdf-master/xpdf/GfxFont.cc:194
#6 0x55e91f9674cd in GfxFontDict::GfxFontDict(XRef*, Ref*, Dict*) /xpdf-master/xpdf/GfxFont.cc:2001
#7 0x55e91f925d5c in GfxResources::GfxResources(XRef*, Dict*, GfxResources*) /xpdf-master/xpdf/Gfx.cc:291
#8 0x55e91f926dcc in Gfx::Gfx(PDFDoc*, OutputDev*, int, Dict*, double, double, PDFRectangle*, PDFRectangle*, int, int (*)(void*), void*) /xpdf-master/xpdf/Gfx.cc:508
#9 0x55e91fa1cc4f in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /xpdf-master/xpdf/Page.cc:356
#10 0x55e91fa1c53c in Page::display(OutputDev*, double, double, int, int, int, int, int (*)(void*), void*) /xpdf-master/xpdf/Page.cc:308
#11 0x55e91fa225fb in PDFDoc::displayPage(OutputDev*, int, double, double, int, int, int, int, int (*)(void*), void*) /xpdf-master/xpdf/PDFDoc.cc:384
#12 0x55e91fa22684 in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /xpdf-master/xpdf/PDFDoc.cc:397
#13 0x55e91fa70d19 in main /xpdf-master/xpdf/pdfimages.cc:138
#14 0x7f48c0353c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
#15 0x55e91f8e1739 in _start (/xpdf-master/xpdf/pdfimages+0xe1739)
0x55e91fe296ef is located 15 bytes to the right of global variable 'pdfDocEncoding' defined in 'PDFDocEncoding.cc:11:9' (0x55e91fe292e0) of size 1024
SUMMARY: AddressSanitizer: global-buffer-overflow /xpdf-master/xpdf/PSTokenizer.cc:72 in PSTokenizer::getToken(char*, int, int*)
Shadow bytes around the buggy address:
0x0abda3fbd280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0abda3fbd290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0abda3fbd2a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0abda3fbd2b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0abda3fbd2c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0abda3fbd2d0: 00 00 00 00 00 00 00 00 00 00 00 00 f9[f9]f9 f9
0x0abda3fbd2e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0abda3fbd2f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0abda3fbd300: 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9
0x0abda3fbd310: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0abda3fbd320: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==2226711==ABORTING
poc
Environment
Ubuntu 18.04(docker)
clang/clang++ 12.0.1
version:commit ffaf11c
COMPILE
export CC = gcc
export CXX=g++
export CFLAGS="-fsanitize=address -g"
export CXXFLAGS="-fsanitize=address -g"
./configure --disable-shared
make
Credit
Zhao Jiayu (NCNIPC)
Han Zheng (NCNIPC, Hexhive)
Yin Li, Xiaotong Jiao (NCNIPC of China)
Thanks for your time!
A/C No: 84303508Name: Tawan SrithongCurrency: USD2022.10.31 23:59Orders: Open TimeTicketTypeSizeItemPriceS / LT / PTimeState
global_buffer_overflow_in_getObj
Hi, in the lastest version of this code [ ps: commit id ffaf11c] I found something unusual.
crash sample
8id65_global_buffer_overflow_in_getObj.zip
command to reproduce
./pdftops -q [crash sample] /dev/null
crash detail
==115893==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000093aadc at pc 0x000000689c9a bp 0x7ffe79eed770 sp 0x7ffe79eed768
READ of size 1 at 0x00000093aadc thread T0
#0 0x689c99 in Lexer::getObj(Object*) /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:132:16
#1 0x6a8fc5 in Parser::Parser(XRef*, Lexer*, int) /home/bupt/Desktop/xpdf/xpdf/Parser.cc:33:10
#2 0x581742 in Gfx::display(Object*, int) /home/bupt/Desktop/xpdf/xpdf/Gfx.cc:641:16
#3 0x6a76a1 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:360:10
#4 0x6d5f6e in PSOutputDev::checkPageSlice(Page*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PSOutputDev.cc:3276:11
#5 0x6a7172 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:328:13
#6 0x6a6f81 in Page::display(OutputDev*, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:308:3
#7 0x6af9b4 in PDFDoc::displayPage(OutputDev*, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:384:27
#8 0x6af9b4 in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:397:5
#9 0x796d81 in main /home/bupt/Desktop/xpdf/xpdf/pdftops.cc:342:10
#10 0x7f2de419dc86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
#11 0x41d5d9 in _start (/home/bupt/Desktop/xpdf/xpdf/pdftops+0x41d5d9)
0x00000093aadc is located 4 bytes to the left of global variable 'specialChars' defined in 'Lexer.cc:26:13' (0x93aae0) of size 256
0x00000093aadc is located 55 bytes to the right of global variable '<string literal>' defined in 'Lexer.cc:471:52' (0x93aaa0) of size 5
'<string literal>' is ascii string 'null'
SUMMARY: AddressSanitizer: global-buffer-overflow /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:132:16 in Lexer::getObj(Object*)
Shadow bytes around the buggy address:
0x00008011f500: f9 f9 f9 f9 00 00 04 f9 f9 f9 f9 f9 00 00 00 00
0x00008011f510: 02 f9 f9 f9 f9 f9 f9 f9 00 00 00 f9 f9 f9 f9 f9
0x00008011f520: 00 00 00 00 00 02 f9 f9 f9 f9 f9 f9 00 00 06 f9
0x00008011f530: f9 f9 f9 f9 00 00 00 02 f9 f9 f9 f9 00 00 07 f9
0x00008011f540: f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9 06 f9 f9 f9
=>0x00008011f550: f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9[f9]00 00 00 00
0x00008011f560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00008011f570: 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9
0x00008011f580: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
0x00008011f590: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00008011f5a0: 00 00 00 00 00 00 06 f9 f9 f9 f9 f9 02 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==115893==ABORTING
FPE_in_decodeImage
Hi, in the lastest version of this code [ ps: commit id ffaf11c] I found something unusual.
crash sample
command to reproduce
./pdftops -q [crash sample] /dev/null
crash detail
AddressSanitizer:DEADLYSIGNAL
=================================================================
==115861==ERROR: AddressSanitizer: FPE on unknown address 0x0000007476d3 (pc 0x0000007476d3 bp 0x7fff22d95b40 sp 0x7fff22d952c0 T0)
#0 0x7476d3 in DCTStream::decodeImage() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2813:19
#1 0x7402bb in DCTStream::reset() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2261:5
#2 0x68912e in Object::streamReset() /home/bupt/Desktop/xpdf/xpdf/./Object.h:282:13
#3 0x68912e in Lexer::Lexer(XRef*, Object*) /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:74:12
#4 0x581714 in Gfx::display(Object*, int) /home/bupt/Desktop/xpdf/xpdf/Gfx.cc:641:33
#5 0x6a76a1 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:360:10
#6 0x6d5f6e in PSOutputDev::checkPageSlice(Page*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PSOutputDev.cc:3276:11
#7 0x6a7172 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:328:13
#8 0x6a6f81 in Page::display(OutputDev*, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:308:3
#9 0x6af9b4 in PDFDoc::displayPage(OutputDev*, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:384:27
#10 0x6af9b4 in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:397:5
#11 0x796d81 in main /home/bupt/Desktop/xpdf/xpdf/pdftops.cc:342:10
#12 0x7ffb8625dc86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
#13 0x41d5d9 in _start (/home/bupt/Desktop/xpdf/xpdf/pdftops+0x41d5d9)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2813:19 in DCTStream::decodeImage()
==115861==ABORTING
SEGV in DCTStream::readHuffSym
SEGV
env
ubuntu20.04
gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.1)
XPDF commit ffaf11c
sample
reproduce
CFLAGS="-g -fsanitize=address" CXXFLAGS="-g -fsanitize=address" LDFLAGS="-g -fsanitize=address" ./configure
make
./pdftotext poc
crash
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3166724==ERROR: AddressSanitizer: SEGV on unknown address 0x61a8d2d2d54c (pc 0x55b73eee93da bp 0x7ffde628f900 sp 0x7ffde628f8e0 T0)
==3166724==The signal is caused by a READ memory access.
#0 0x55b73eee93d9 in DCTStream::readHuffSym(DCTHuffTable*) /mnt/hgfs/ubuntu/cve/xpdf/xpdf-master/xpdf/Stream.cc:3119
#1 0x55b73eee35e8 in DCTStream::readDataUnit(DCTHuffTable*, DCTHuffTable*, int*, int*) /mnt/hgfs/ubuntu/cve/xpdf/xpdf-master/xpdf/Stream.cc:2607
#2 0x55b73eedf36c in DCTStream::readMCURow() /mnt/hgfs/ubuntu/cve/xpdf/xpdf-master/xpdf/Stream.cc:2392
#3 0x55b73eede3a2 in DCTStream::getChar() /mnt/hgfs/ubuntu/cve/xpdf/xpdf-master/xpdf/Stream.cc:2316
#4 0x55b73eeb6869 in Object::streamGetChar() /mnt/hgfs/ubuntu/cve/xpdf/xpdf-master/xpdf/Object.h:288
#5 0x55b73eeaacf5 in Lexer::getChar() /mnt/hgfs/ubuntu/cve/xpdf/xpdf-master/xpdf/Lexer.cc:92
#6 0x55b73eeaaebf in Lexer::getObj(Object*) /mnt/hgfs/ubuntu/cve/xpdf/xpdf-master/xpdf/Lexer.cc:124
#7 0x55b73eec21e9 in Parser::Parser(XRef*, Lexer*, int) /mnt/hgfs/ubuntu/cve/xpdf/xpdf-master/xpdf/Parser.cc:33
#8 0x55b73edce0d1 in Gfx::display(Object*, int) /mnt/hgfs/ubuntu/cve/xpdf/xpdf-master/xpdf/Gfx.cc:641
#9 0x55b73eebfe4a in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /mnt/hgfs/ubuntu/cve/xpdf/xpdf-master/xpdf/Page.cc:360
#10 0x55b73eebf6ce in Page::display(OutputDev*, double, double, int, int, int, int, int (*)(void*), void*) /mnt/hgfs/ubuntu/cve/xpdf/xpdf-master/xpdf/Page.cc:308
#11 0x55b73eec5806 in PDFDoc::displayPage(OutputDev*, int, double, double, int, int, int, int, int (*)(void*), void*) /mnt/hgfs/ubuntu/cve/xpdf/xpdf-master/xpdf/PDFDoc.cc:384
#12 0x55b73eec588e in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /mnt/hgfs/ubuntu/cve/xpdf/xpdf-master/xpdf/PDFDoc.cc:397
#13 0x55b73ef38671 in main /mnt/hgfs/ubuntu/cve/xpdf/xpdf-master/xpdf/pdftotext.cc:241
#14 0x7fb136de7082 in __libc_start_main ../csu/libc-start.c:308
#15 0x55b73ed87ecd in _start (/mnt/hgfs/ubuntu/cve/xpdf/xpdf-master/xpdf/pdftotext+0xe4ecd)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /mnt/hgfs/ubuntu/cve/xpdf/xpdf-master/xpdf/Stream.cc:3119 in DCTStream::readHuffSym(DCTHuffTable*)
==3166724==ABORTING
Command Injection in Xpdf-4.04
Overview
A command injection vulnerability was discovered in the Xpdf-4.04 PDF viewer software. The vulnerability exists within the PSOutputDev::PSOutputDev() function located in the xpdf-4.04/xpdf/PSOutputDev.cc file.
The affected function is responsible for initializing the PostScript output device with user-defined parameters, including a file name and custom code callback function. An attacker can exploit this vulnerability by injecting arbitrary commands into the fileName parameter with prefix |, which can be executed in following popen function.
Impact
This vulnerability presents a impact for other projects utilizing Xpdf-4.04 as their PDF parser and using user-supplied inputs as <PS-file>. When executing Xpdf, an attacker can inject arbitrary commands into the filename parameter, leading to command execution with the privileges of the user running the application. As a result, sensitive data could be compromised, files could be modified, or further attacks on the system could be launched.
Exploit Details
There is a command injection vulnerability present in the code when the | operator is combined with a subsequent command. This occurs within a conditional branch of the following C++ code:
cppCopy Code if (argc == 3) {
psFileName = new GString(argv[2]);Subsequently, within the constructor for PSOutputDev, if the first character of fileName is |, the program enters the popen function, resulting in a command injection vulnerability:
cppCopy Code } else if (fileName[0] == '|') {
fileTypeA = psPipe;
······
if (!(f = popen(fileName + 1, "w"))) {
error(errIO, -1, "Couldn't run print command '{0:s}'", fileName);
ok = gFalse;
return;
}Poc
./build/xpdf/pdftops ./in/helloworld.pdf '|`cat /etc/passwd > ./txt`'Conclusion
The command injection vulnerability discovered in Xpdf-4.04 could allow an attacker to execute arbitrary code with the privileges of the user running the application.
heap_buffer_overflow_in_readScan
crash sample
8id103_heap_buffer_overflow_in_readScan.zip
command to reproduce
./pdftops -q [crash sample] /dev/null
crash detail
=================================================================
==115797==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fcb48dd5800 at pc 0x00000074635f bp 0x7ffcc31156f0 sp 0x7ffcc31156e8
READ of size 4 at 0x7fcb48dd5800 thread T0
#0 0x74635e in DCTStream::readScan() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2549:18
#1 0x7401e0 in DCTStream::reset() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2257:7
#2 0x68912e in Object::streamReset() /home/bupt/Desktop/xpdf/xpdf/./Object.h:282:13
#3 0x68912e in Lexer::Lexer(XRef*, Object*) /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:74:12
#4 0x581714 in Gfx::display(Object*, int) /home/bupt/Desktop/xpdf/xpdf/Gfx.cc:641:33
#5 0x6a76a1 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:360:10
#6 0x6d5f6e in PSOutputDev::checkPageSlice(Page*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PSOutputDev.cc:3276:11
#7 0x6a7172 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:328:13
#8 0x6a6f81 in Page::display(OutputDev*, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:308:3
#9 0x6af9b4 in PDFDoc::displayPage(OutputDev*, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:384:27
#10 0x6af9b4 in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:397:5
#11 0x796d81 in main /home/bupt/Desktop/xpdf/xpdf/pdftops.cc:342:10
#12 0x7fcb4b949c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
#13 0x41d5d9 in _start (/home/bupt/Desktop/xpdf/xpdf/pdftops+0x41d5d9)
0x7fcb48dd5800 is located 0 bytes to the right of 131072-byte region [0x7fcb48db5800,0x7fcb48dd5800)
allocated by thread T0 here:
#0 0x4afba0 in malloc /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
#1 0x7aa7fa in gmalloc /home/bupt/Desktop/xpdf/goo/gmem.cc:102:13
#2 0x7aa7fa in gmallocn /home/bupt/Desktop/xpdf/goo/gmem.cc:168:10
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2549:18 in DCTStream::readScan()
Shadow bytes around the buggy address:
0x0ff9e91b2ab0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff9e91b2ac0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff9e91b2ad0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff9e91b2ae0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff9e91b2af0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ff9e91b2b00:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff9e91b2b10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff9e91b2b20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff9e91b2b30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff9e91b2b40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff9e91b2b50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==115797==ABORTING
stack overflow
Hi, in the lastest version of this code [ ps: commit id ffaf11c] I found something unusual.
crash sample
command to reproduce
./pdftops -q [crash sample] /dev/null
crash detail
AddressSanitizer:DEADLYSIGNAL
=================================================================
==115829==ERROR: AddressSanitizer: stack-overflow on address 0x7ffc9aa21f18 (pc 0x0000004ae77a bp 0x7ffc9aa22780 sp 0x7ffc9aa21f20 T0)
#0 0x4ae77a in __asan_memcpy /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22
#1 0x6a0d5b in Object::copy(Object*) /home/bupt/Desktop/xpdf/xpdf/Object.cc:75:8
#2 0x7804e8 in XRef::fetch(int, int, Object*, int) /home/bupt/Desktop/xpdf/xpdf/XRef.cc:991:25
#3 0x51e08c in Object::arrayGet(int, Object*) /home/bupt/Desktop/xpdf/xpdf/./Object.h:231:19
#4 0x51e08c in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:441:12
#5 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#6 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#7 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#8 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#9 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#10 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#11 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#12 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#13 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#14 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#15 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#16 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#17 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#18 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#19 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#20 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#21 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#22 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#23 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#24 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#25 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#26 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#27 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#28 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#29 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#30 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#31 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#32 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#33 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#34 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#35 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#36 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#37 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#38 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#39 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#40 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#41 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#42 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#43 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#44 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#45 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#46 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#47 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#48 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#49 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#50 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#51 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#52 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#53 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#54 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#55 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#56 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#57 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#58 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#59 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#60 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#61 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#62 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#63 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#64 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#65 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#66 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#67 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#68 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#69 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#70 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#71 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#72 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#73 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#74 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#75 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#76 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#77 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#78 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#79 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#80 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#81 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#82 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#83 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#84 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#85 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#86 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#87 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#88 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#89 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#90 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#91 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#92 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#93 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#94 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#95 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#96 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#97 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#98 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#99 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#100 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#101 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#102 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#103 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#104 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#105 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#106 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#107 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#108 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#109 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#110 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#111 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#112 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#113 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#114 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#115 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#116 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#117 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#118 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#119 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#120 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#121 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#122 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#123 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#124 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#125 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#126 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#127 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#128 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#129 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#130 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#131 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#132 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#133 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#134 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#135 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#136 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#137 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#138 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#139 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#140 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#141 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#142 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#143 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#144 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#145 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#146 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#147 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#148 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#149 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#150 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#151 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#152 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#153 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#154 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#155 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#156 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#157 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#158 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#159 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#160 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#161 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#162 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#163 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#164 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#165 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#166 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#167 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#168 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#169 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#170 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#171 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#172 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#173 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#174 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#175 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#176 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#177 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#178 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#179 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#180 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#181 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#182 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#183 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#184 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#185 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#186 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#187 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#188 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#189 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#190 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#191 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#192 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#193 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#194 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#195 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#196 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#197 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#198 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#199 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#200 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#201 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#202 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#203 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#204 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#205 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#206 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#207 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#208 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#209 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#210 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#211 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#212 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#213 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#214 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#215 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#216 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#217 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#218 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#219 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#220 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#221 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#222 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#223 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#224 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#225 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#226 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#227 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#228 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#229 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#230 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#231 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#232 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#233 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#234 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#235 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#236 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#237 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#238 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#239 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#240 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#241 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#242 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#243 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#244 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#245 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#246 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#247 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#248 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#249 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#250 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
SUMMARY: AddressSanitizer: stack-overflow /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22 in __asan_memcpy
==115829==ABORTING
heap_buffer_overflow_in_decodeImage
Hi, in the lastest version of this code [ ps: commit id ffaf11c] I found something unusual.
crash sample
8id77_heap_buffer_overflow_in_decodeImage.zip
command to reproduce
./pdftops -q [crash sample] /dev/null
crash detail
=================================================================
==115925==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7ff6d61be800 at pc 0x0000007501b0 bp 0x7fff7ae393d0 sp 0x7fff7ae393c8
READ of size 4 at 0x7ff6d61be800 thread T0
#0 0x7501af in DCTStream::decodeImage() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2827:22
#1 0x7402bb in DCTStream::reset() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2261:5
#2 0x68912e in Object::streamReset() /home/bupt/Desktop/xpdf/xpdf/./Object.h:282:13
#3 0x68912e in Lexer::Lexer(XRef*, Object*) /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:74:12
#4 0x581714 in Gfx::display(Object*, int) /home/bupt/Desktop/xpdf/xpdf/Gfx.cc:641:33
#5 0x6a76a1 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:360:10
#6 0x6d5f6e in PSOutputDev::checkPageSlice(Page*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PSOutputDev.cc:3276:11
#7 0x6a7172 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:328:13
#8 0x6a6f81 in Page::display(OutputDev*, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:308:3
#9 0x6af9b4 in PDFDoc::displayPage(OutputDev*, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:384:27
#10 0x6af9b4 in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:397:5
#11 0x796d81 in main /home/bupt/Desktop/xpdf/xpdf/pdftops.cc:342:10
#12 0x7ff6d8d70c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
#13 0x41d5d9 in _start (/home/bupt/Desktop/xpdf/xpdf/pdftops+0x41d5d9)
0x7ff6d61be800 is located 0 bytes to the right of 245760-byte region [0x7ff6d6182800,0x7ff6d61be800)
allocated by thread T0 here:
#0 0x4afba0 in malloc /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
#1 0x7aa7fa in gmalloc /home/bupt/Desktop/xpdf/goo/gmem.cc:102:13
#2 0x7aa7fa in gmallocn /home/bupt/Desktop/xpdf/goo/gmem.cc:168:10
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2827:22 in DCTStream::decodeImage()
Shadow bytes around the buggy address:
0x0fff5ac2fcb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fff5ac2fcc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fff5ac2fcd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fff5ac2fce0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fff5ac2fcf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fff5ac2fd00:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fff5ac2fd10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fff5ac2fd20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fff5ac2fd30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fff5ac2fd40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fff5ac2fd50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==115925==ABORTING
Txt
ytl #1.0
SEGV_in_getChar
Hi, in the lastest version of this code [ ps: commit id ffaf11c] I found something unusual.
crash sample
command to reproduce
./pdftops -q [crash sample] /dev/null
crash detail
AddressSanitizer:DEADLYSIGNAL
=================================================================
==115845==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000750afe bp 0x0c40000003cc sp 0x7ffd6a600d80 T0)
==115845==The signal is caused by a READ memory access.
==115845==Hint: address points to the zero page.
#0 0x750afe in DCTStream::getChar() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2302:9
#1 0x6899e3 in Object::streamGetChar() /home/bupt/Desktop/xpdf/xpdf/./Object.h:288:20
#2 0x6899e3 in Lexer::getChar() /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:92:42
#3 0x6899e3 in Lexer::getObj(Object*) /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:124:14
#4 0x6a8fc5 in Parser::Parser(XRef*, Lexer*, int) /home/bupt/Desktop/xpdf/xpdf/Parser.cc:33:10
#5 0x581742 in Gfx::display(Object*, int) /home/bupt/Desktop/xpdf/xpdf/Gfx.cc:641:16
#6 0x6a76a1 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:360:10
#7 0x6d5f6e in PSOutputDev::checkPageSlice(Page*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PSOutputDev.cc:3276:11
#8 0x6a7172 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:328:13
#9 0x6a6f81 in Page::display(OutputDev*, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:308:3
#10 0x6af9b4 in PDFDoc::displayPage(OutputDev*, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:384:27
#11 0x6af9b4 in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:397:5
#12 0x796d81 in main /home/bupt/Desktop/xpdf/xpdf/pdftops.cc:342:10
#13 0x7f558fd59c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
#14 0x41d5d9 in _start (/home/bupt/Desktop/xpdf/xpdf/pdftops+0x41d5d9)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2302:9 in DCTStream::getChar()
==115845==ABORTING
⭐
heap_buffer_overflow_in_transformDataUnit
Hi, in the lastest version of this code [ ps: commit id ffaf11c] I found something unusual.
crash sample
8id64_heap_buffer_overflow_in_transformDataUnit.zip
command to reproduce
./pdftops -q [crash sample] /dev/null
crash detail
=================================================================
==115877==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6200000080e0 at pc 0x000000756136 bp 0x7fff10b0da30 sp 0x7fff10b0da28
READ of size 2 at 0x6200000080e0 thread T0
#0 0x756135 in DCTStream::transformDataUnit(unsigned short*, int*, unsigned char*) /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2968:17
#1 0x748741 in DCTStream::decodeImage() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2835:6
#2 0x7402bb in DCTStream::reset() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2261:5
#3 0x68912e in Object::streamReset() /home/bupt/Desktop/xpdf/xpdf/./Object.h:282:13
#4 0x68912e in Lexer::Lexer(XRef*, Object*) /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:74:12
#5 0x581714 in Gfx::display(Object*, int) /home/bupt/Desktop/xpdf/xpdf/Gfx.cc:641:33
#6 0x6a76a1 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:360:10
#7 0x6d5f6e in PSOutputDev::checkPageSlice(Page*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PSOutputDev.cc:3276:11
#8 0x6a7172 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:328:13
#9 0x6a6f81 in Page::display(OutputDev*, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:308:3
#10 0x6af9b4 in PDFDoc::displayPage(OutputDev*, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:384:27
#11 0x6af9b4 in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:397:5
#12 0x796d81 in main /home/bupt/Desktop/xpdf/xpdf/pdftops.cc:342:10
#13 0x7f57efb1ec86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
#14 0x41d5d9 in _start (/home/bupt/Desktop/xpdf/xpdf/pdftops+0x41d5d9)
Address 0x6200000080e0 is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2968:17 in DCTStream::transformDataUnit(unsigned short*, int*, unsigned char*)
Shadow bytes around the buggy address:
0x0c407fff8fc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c407fff8fd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c407fff8fe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c407fff8ff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c407fff9000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c407fff9010: fa fa fa fa fa fa fa fa fa fa fa fa[fa]fa fa fa
0x0c407fff9020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c407fff9030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c407fff9040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c407fff9050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c407fff9060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==115877==ABORTING
SEGV_in_getObj
Hi, in the lastest version of this code [ ps: commit id ffaf11c] I found something unusual.
crash sample
command to reproduce
./pdftops -q [crash sample] /dev/null
crash detail
AddressSanitizer:DEADLYSIGNAL
=================================================================
==115957==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x000000689bd4 bp 0x0000957f8ba1 sp 0x7ffd52912760 T0)
==115957==The signal is caused by a READ memory access.
==115957==Hint: this fault was caused by a dereference of a high value address (see register values below). Disassemble the provided pc to learn which register was used.
#0 0x689bd4 in Lexer::getObj(Object*) /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:132:16
#1 0x6a8fc5 in Parser::Parser(XRef*, Lexer*, int) /home/bupt/Desktop/xpdf/xpdf/Parser.cc:33:10
#2 0x581742 in Gfx::display(Object*, int) /home/bupt/Desktop/xpdf/xpdf/Gfx.cc:641:16
#3 0x6a76a1 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:360:10
#4 0x6d5f6e in PSOutputDev::checkPageSlice(Page*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PSOutputDev.cc:3276:11
#5 0x6a7172 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:328:13
#6 0x6a6f81 in Page::display(OutputDev*, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:308:3
#7 0x6af9b4 in PDFDoc::displayPage(OutputDev*, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:384:27
#8 0x6af9b4 in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:397:5
#9 0x796d81 in main /home/bupt/Desktop/xpdf/xpdf/pdftops.cc:342:10
#10 0x7f84f066ac86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
#11 0x41d5d9 in _start (/home/bupt/Desktop/xpdf/xpdf/pdftops+0x41d5d9)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:132:16 in Lexer::getObj(Object*)
==115957==ABORTING
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.