Bug 102918

Summary: heap overflow in FoFiType1C::convertToType0, FoFiType1C.cc:1038 of poppler 0.59.0
Product: poppler
Reporter: junchao luan <luanjunchao>
Component: utils
Assignee: poppler-bugs <poppler-bugs>
Status: RESOLVED FIXED
Severity: normal    
Priority: medium    
Version: unspecified   
Hardware: Other   
OS: All   
Attachments: crash of poc

Description junchao luan 2017-09-21 03:09:34 UTC
Created attachment 134398: crash of poc

I'm not sure if it's the same as bug 102900, which I reported before; they crash in the same function but at different positions. And I wonder if the fix for 102900 works for this issue.

The fault information is as follows when I run pdftops crash.pdf 1:

==13500==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61a00001f738 at pc 0x0000004cb4df bp 0x7ffca39bc860 sp 0x7ffca39bc850
READ of size 4 at 0x61a00001f738 thread T0
    #0 0x4cb4de in FoFiType1C::convertToType0(char*, int*, int, void (*)(void*, char const*, int), void*) /work/poppler_address/poppler-0.59.0/fofi/FoFiType1C.cc:1038
    #1 0x470320 in PSOutputDev::setupEmbeddedCIDType0Font(GfxFont*, Ref*, GooString*) /work/poppler_address/poppler-0.59.0/poppler/PSOutputDev.cc:2656
    #2 0x46a485 in PSOutputDev::setupFont(GfxFont*, Dict*) /work/poppler_address/poppler-0.59.0/poppler/PSOutputDev.cc:1953
    #3 0x4699bb in PSOutputDev::setupFonts(Dict*) /work/poppler_address/poppler-0.59.0/poppler/PSOutputDev.cc:1885
    #4 0x4690c6 in PSOutputDev::setupResources(Dict*) /work/poppler_address/poppler-0.59.0/poppler/PSOutputDev.cc:1798
    #5 0x4682fc in PSOutputDev::writeDocSetup(PDFDoc*, Catalog*, std::vector<int, std::allocator<int> > const&, bool) /work/poppler_address/poppler-0.59.0/poppler/PSOutputDev.cc:1696
    #6 0x465eb2 in PSOutputDev::postInit() /work/poppler_address/poppler-0.59.0/poppler/PSOutputDev.cc:1455
    #7 0x47510b in PSOutputDev::checkPageSlice(Page*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*) /work/poppler_address/poppler-0.59.0/poppler/PSOutputDev.cc:3246
    #8 0x6243a5 in Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /work/poppler_address/poppler-0.59.0/poppler/Page.cc:539
    #9 0x623a3b in Page::display(OutputDev*, double, double, int, bool, bool, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /work/poppler_address/poppler-0.59.0/poppler/Page.cc:483
    #10 0x4195ae in PDFDoc::displayPage(OutputDev*, int, double, double, int, bool, bool, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /work/poppler_address/poppler-0.59.0/poppler/PDFDoc.cc:488
    #11 0x408083 in main /work/poppler_address/poppler-0.59.0/utils/pdftops.cc:423
    #12 0x7f46ee50a82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #13 0x406c58 in _start (/work/poppler_address/poppler-0.59.0/utils/pdftops+0x406c58)

0x61a00001f738 is located 8 bytes to the right of 1200-byte region [0x61a00001f280,0x61a00001f730)
allocated by thread T0 here:
    #0 0x7f46eff9d532 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99532)
    #1 0x4c027b in FoFiType1C::make(char*, int) /work/poppler_address/poppler-0.59.0/fofi/FoFiType1C.cc:50
    #2 0x47017b in PSOutputDev::setupEmbeddedCIDType0Font(GfxFont*, Ref*, GooString*) /work/poppler_address/poppler-0.59.0/poppler/PSOutputDev.cc:2648
    #3 0x46a485 in PSOutputDev::setupFont(GfxFont*, Dict*) /work/poppler_address/poppler-0.59.0/poppler/PSOutputDev.cc:1953
    #4 0x4699bb in PSOutputDev::setupFonts(Dict*) /work/poppler_address/poppler-0.59.0/poppler/PSOutputDev.cc:1885
    #5 0x4690c6 in PSOutputDev::setupResources(Dict*) /work/poppler_address/poppler-0.59.0/poppler/PSOutputDev.cc:1798
    #6 0x4682fc in PSOutputDev::writeDocSetup(PDFDoc*, Catalog*, std::vector<int, std::allocator<int> > const&, bool) /work/poppler_address/poppler-0.59.0/poppler/PSOutputDev.cc:1696
    #7 0x465eb2 in PSOutputDev::postInit() /work/poppler_address/poppler-0.59.0/poppler/PSOutputDev.cc:1455
    #8 0x47510b in PSOutputDev::checkPageSlice(Page*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*) /work/poppler_address/poppler-0.59.0/poppler/PSOutputDev.cc:3246
    #9 0x6243a5 in Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /work/poppler_address/poppler-0.59.0/poppler/Page.cc:539
    #10 0x623a3b in Page::display(OutputDev*, double, double, int, bool, bool, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /work/poppler_address/poppler-0.59.0/poppler/Page.cc:483
    #11 0x4195ae in PDFDoc::displayPage(OutputDev*, int, double, double, int, bool, bool, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /work/poppler_address/poppler-0.59.0/poppler/PDFDoc.cc:488
    #12 0x408083 in main /work/poppler_address/poppler-0.59.0/utils/pdftops.cc:423
    #13 0x7f46ee50a82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /work/poppler_address/poppler-0.59.0/fofi/FoFiType1C.cc:1038 FoFiType1C::convertToType0(char*, int*, int, void (*)(void*, char const*, int), void*)
Shadow bytes around the buggy address:
  0x0c347fffbe90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fffbea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fffbeb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fffbec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fffbed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c347fffbee0: 00 00 00 00 00 00 fa[fa]fa fa fa fa fa fa fa fa
  0x0c347fffbef0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fffbf00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fffbf10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fffbf20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fffbf30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==13500==ABORTING

And the PoC PDF is attached here.
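Reading the sanitizer output above by hand answers the reporter's own question about bug 102900 (same function, different source line). As an added example that is not part of this bug report or of poppler, the Python below parses an abridged copy of that ASan report (constructed here from the lines above) into the fields a triager compares: bug kind, access type and size, the faulting frame, the allocating frame, how far past the allocated region the access landed, and a deduplication key built from the top in-project frames. The names parse_asan_report, AsanReport, Frame, overflow_index and dedup_key are the example's own, not poppler's or ASan's.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: the AddressSanitizer report from the description above,
# abridged to the frames the parser needs (the real report is much longer).
SAMPLE_REPORT = """\
==13500==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61a00001f738 at pc 0x0000004cb4df bp 0x7ffca39bc860 sp 0x7ffca39bc850
READ of size 4 at 0x61a00001f738 thread T0
    #0 0x4cb4de in FoFiType1C::convertToType0(char*, int*, int, void (*)(void*, char const*, int), void*) /work/poppler_address/poppler-0.59.0/fofi/FoFiType1C.cc:1038
    #1 0x470320 in PSOutputDev::setupEmbeddedCIDType0Font(GfxFont*, Ref*, GooString*) /work/poppler_address/poppler-0.59.0/poppler/PSOutputDev.cc:2656
    #2 0x46a485 in PSOutputDev::setupFont(GfxFont*, Dict*) /work/poppler_address/poppler-0.59.0/poppler/PSOutputDev.cc:1953

0x61a00001f738 is located 8 bytes to the right of 1200-byte region [0x61a00001f280,0x61a00001f730)
allocated by thread T0 here:
    #0 0x7f46eff9d532 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99532)
    #1 0x4c027b in FoFiType1C::make(char*, int) /work/poppler_address/poppler-0.59.0/fofi/FoFiType1C.cc:50

SUMMARY: AddressSanitizer: heap-buffer-overflow /work/poppler_address/poppler-0.59.0/fofi/FoFiType1C.cc:1038 FoFiType1C::convertToType0(char*, int*, int, void (*)(void*, char const*, int), void*)
"""

HEADER_RE = re.compile(r"^==\d+==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-fA-F]+)")
# "#N 0xADDR in <function signature> <location>": the C++ signature may contain
# spaces, the location (path:line or (lib+offset)) never does, so take the last token.
FRAME_RE = re.compile(r"^#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(.*)\s+(\S+)$")
REGION_RE = re.compile(
    r"^(0x[0-9a-fA-F]+) is located (\d+) bytes to the (left|right) of "
    r"(\d+)-byte region \[(0x[0-9a-fA-F]+),(0x[0-9a-fA-F]+)\)")


@dataclass
class Frame:
    index: int
    function: str
    location: str

    def source(self) -> Tuple[Optional[str], Optional[int]]:
        """(path, line) for a symbolized source frame, (None, None) for a library frame."""
        m = re.match(r"^(.*):(\d+)$", self.location)
        return (m.group(1), int(m.group(2))) if m else (None, None)


@dataclass
class AsanReport:
    bug_kind: str = ""
    access: str = ""          # READ or WRITE
    access_size: int = 0
    fault_addr: int = 0
    region_start: int = 0
    region_size: int = 0
    distance: int = 0         # bytes outside the region, as ASan states it
    side: str = ""            # "left" (underflow) or "right" (overflow)
    access_frames: List[Frame] = field(default_factory=list)
    alloc_frames: List[Frame] = field(default_factory=list)

    def fault_offset(self) -> int:
        """Byte offset of the faulting address from the start of the allocated region."""
        return self.fault_addr - self.region_start


def parse_asan_report(text: str) -> AsanReport:
    rep = AsanReport()
    frames = rep.access_frames          # frames go here until "allocated by" is seen
    for raw in text.splitlines():
        line = raw.strip()
        if m := HEADER_RE.match(line):
            rep.bug_kind, rep.fault_addr = m.group(1), int(m.group(2), 16)
        elif m := ACCESS_RE.match(line):
            rep.access, rep.access_size = m.group(1), int(m.group(2))
        elif m := REGION_RE.match(line):
            rep.distance, rep.side = int(m.group(2)), m.group(3)
            rep.region_size, rep.region_start = int(m.group(4)), int(m.group(5), 16)
        elif line.startswith("allocated by"):
            frames = rep.alloc_frames
        elif m := FRAME_RE.match(line):
            frames.append(Frame(int(m.group(1)), m.group(2), m.group(3)))
    return rep


def overflow_index(rep: AsanReport) -> int:
    """If the region were an array of access_size-byte elements, the element index touched."""
    return rep.fault_offset() // rep.access_size


def dedup_key(rep: AsanReport, depth: int = 1, with_line: bool = True) -> tuple:
    """Grouping key: bug kind plus the top `depth` access-stack frames (function, file, line)."""
    key = [rep.bug_kind]
    for fr in rep.access_frames[:depth]:
        path, line = fr.source()
        key.append((fr.function.split("(")[0], path, line if with_line else None))
    return tuple(key)


if __name__ == "__main__":
    r = parse_asan_report(SAMPLE_REPORT)
    print(f"{r.bug_kind}: {r.access} of {r.access_size} bytes, {r.distance} bytes {r.side} "
          f"of a {r.region_size}-byte region (offset {r.fault_offset()}, element {overflow_index(r)})")
    print("crash site :", r.access_frames[0].function.split("(")[0], r.access_frames[0].source())
    print("allocated  :", [f.function.split("(")[0] for f in r.alloc_frames if f.source()[0]])
    print("dedup key  :", dedup_key(r))
```

With the default depth=1 and with_line=True, a crash in the same function at a different source line gets a different key, which is exactly the distinction the reporter draws between this report and bug 102900; with with_line=False the two would fall into one bucket. A triager picks the keying that matches how the fix was scoped, then retests the grouped PoCs against the fixed build rather than assuming one fix covers the group.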
Comment 1 Albert Astals Cid 2017-09-21 10:25:45 UTC
Duplicate of something else; fails on 0.59, works on master. I would appreciate it if you used master instead of 0.59 to save both my and your time.
