Bug 102918 - heap overflow in FoFiType1C::convertToType0, FoFiType1C.cc:1038 of poppler 0.59.0
Status: RESOLVED FIXED
Alias: None
Product: poppler
Classification: Unclassified
Component: utils
Version: unspecified
Hardware: Other All
Importance: medium normal
Assignee: poppler-bugs
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-09-21 03:09 UTC by junchao luan
Modified: 2017-09-21 10:25 UTC

Attachments
crash of poc (17.20 KB, application/pdf)
2017-09-21 03:09 UTC, junchao luan

Description junchao luan 2017-09-21 03:09:34 UTC
Created attachment 134398
crash of poc

I'm not sure if it's the same as bug 102900, which I reported before; they crash in the same function but at a different position. And I wonder if the fix for 102900 works for this issue.

The fault information is as follows when I run pdftops crash.pdf 1:

==13500==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61a00001f738 at pc 0x0000004cb4df bp 0x7ffca39bc860 sp 0x7ffca39bc850
READ of size 4 at 0x61a00001f738 thread T0
    #0 0x4cb4de in FoFiType1C::convertToType0(char*, int*, int, void (*)(void*, char const*, int), void*) /work/poppler_address/poppler-0.59.0/fofi/FoFiType1C.cc:1038
    #1 0x470320 in PSOutputDev::setupEmbeddedCIDType0Font(GfxFont*, Ref*, GooString*) /work/poppler_address/poppler-0.59.0/poppler/PSOutputDev.cc:2656
    #2 0x46a485 in PSOutputDev::setupFont(GfxFont*, Dict*) /work/poppler_address/poppler-0.59.0/poppler/PSOutputDev.cc:1953
    #3 0x4699bb in PSOutputDev::setupFonts(Dict*) /work/poppler_address/poppler-0.59.0/poppler/PSOutputDev.cc:1885
    #4 0x4690c6 in PSOutputDev::setupResources(Dict*) /work/poppler_address/poppler-0.59.0/poppler/PSOutputDev.cc:1798
    #5 0x4682fc in PSOutputDev::writeDocSetup(PDFDoc*, Catalog*, std::vector<int, std::allocator<int> > const&, bool) /work/poppler_address/poppler-0.59.0/poppler/PSOutputDev.cc:1696
    #6 0x465eb2 in PSOutputDev::postInit() /work/poppler_address/poppler-0.59.0/poppler/PSOutputDev.cc:1455
    #7 0x47510b in PSOutputDev::checkPageSlice(Page*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*) /work/poppler_address/poppler-0.59.0/poppler/PSOutputDev.cc:3246
    #8 0x6243a5 in Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /work/poppler_address/poppler-0.59.0/poppler/Page.cc:539
    #9 0x623a3b in Page::display(OutputDev*, double, double, int, bool, bool, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /work/poppler_address/poppler-0.59.0/poppler/Page.cc:483
    #10 0x4195ae in PDFDoc::displayPage(OutputDev*, int, double, double, int, bool, bool, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /work/poppler_address/poppler-0.59.0/poppler/PDFDoc.cc:488
    #11 0x408083 in main /work/poppler_address/poppler-0.59.0/utils/pdftops.cc:423
    #12 0x7f46ee50a82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #13 0x406c58 in _start (/work/poppler_address/poppler-0.59.0/utils/pdftops+0x406c58)

0x61a00001f738 is located 8 bytes to the right of 1200-byte region [0x61a00001f280,0x61a00001f730)
allocated by thread T0 here:
    #0 0x7f46eff9d532 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99532)
    #1 0x4c027b in FoFiType1C::make(char*, int) /work/poppler_address/poppler-0.59.0/fofi/FoFiType1C.cc:50
    #2 0x47017b in PSOutputDev::setupEmbeddedCIDType0Font(GfxFont*, Ref*, GooString*) /work/poppler_address/poppler-0.59.0/poppler/PSOutputDev.cc:2648
    #3 0x46a485 in PSOutputDev::setupFont(GfxFont*, Dict*) /work/poppler_address/poppler-0.59.0/poppler/PSOutputDev.cc:1953
    #4 0x4699bb in PSOutputDev::setupFonts(Dict*) /work/poppler_address/poppler-0.59.0/poppler/PSOutputDev.cc:1885
    #5 0x4690c6 in PSOutputDev::setupResources(Dict*) /work/poppler_address/poppler-0.59.0/poppler/PSOutputDev.cc:1798
    #6 0x4682fc in PSOutputDev::writeDocSetup(PDFDoc*, Catalog*, std::vector<int, std::allocator<int> > const&, bool) /work/poppler_address/poppler-0.59.0/poppler/PSOutputDev.cc:1696
    #7 0x465eb2 in PSOutputDev::postInit() /work/poppler_address/poppler-0.59.0/poppler/PSOutputDev.cc:1455
    #8 0x47510b in PSOutputDev::checkPageSlice(Page*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*) /work/poppler_address/poppler-0.59.0/poppler/PSOutputDev.cc:3246
    #9 0x6243a5 in Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /work/poppler_address/poppler-0.59.0/poppler/Page.cc:539
    #10 0x623a3b in Page::display(OutputDev*, double, double, int, bool, bool, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /work/poppler_address/poppler-0.59.0/poppler/Page.cc:483
    #11 0x4195ae in PDFDoc::displayPage(OutputDev*, int, double, double, int, bool, bool, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /work/poppler_address/poppler-0.59.0/poppler/PDFDoc.cc:488
    #12 0x408083 in main /work/poppler_address/poppler-0.59.0/utils/pdftops.cc:423
    #13 0x7f46ee50a82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /work/poppler_address/poppler-0.59.0/fofi/FoFiType1C.cc:1038 FoFiType1C::convertToType0(char*, int*, int, void (*)(void*, char const*, int), void*)
Shadow bytes around the buggy address:
  0x0c347fffbe90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fffbea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fffbeb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fffbec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fffbed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c347fffbee0: 00 00 00 00 00 00 fa[fa]fa fa fa fa fa fa fa fa
  0x0c347fffbef0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fffbf00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fffbf10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fffbf20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fffbf30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==13500==ABORTING

And the PoC PDF is attached above.
Comment 1 Albert Astals Cid 2017-09-21 10:25:45 UTC
Duplicate of something else; it fails on 0.59 but works on master. I would appreciate it if you used master instead of 0.59, to save both my time and yours.
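As an added example (not part of this bug report and not poppler code), the following Python triage script parses an AddressSanitizer heap-buffer-overflow report like the one above, re-checks the distance arithmetic ASan prints against the raw addresses, and derives two crash signatures: a coarse one built from the top function names and a fine one that also includes file:line. Comparing such signatures is the usual way to answer the question raised in the description, whether two crashes in the same function at different lines are one bug or two. The sample input is a trimmed excerpt of the report above; the "second report at another line" used in the usage note is constructed and its line number is made up.

```python
"""Added example (not poppler code): parse an AddressSanitizer heap-buffer-overflow
report, re-check the distance arithmetic it prints, and derive crash signatures."""
import os
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: an excerpt of the report in this bug, trimmed to a few frames.
SAMPLE_REPORT = """\
==13500==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61a00001f738 at pc 0x0000004cb4df bp 0x7ffca39bc860 sp 0x7ffca39bc850
READ of size 4 at 0x61a00001f738 thread T0
    #0 0x4cb4de in FoFiType1C::convertToType0(char*, int*, int, void (*)(void*, char const*, int), void*) /work/poppler_address/poppler-0.59.0/fofi/FoFiType1C.cc:1038
    #1 0x470320 in PSOutputDev::setupEmbeddedCIDType0Font(GfxFont*, Ref*, GooString*) /work/poppler_address/poppler-0.59.0/poppler/PSOutputDev.cc:2656
    #2 0x46a485 in PSOutputDev::setupFont(GfxFont*, Dict*) /work/poppler_address/poppler-0.59.0/poppler/PSOutputDev.cc:1953
    #3 0x7f46ee50a82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

0x61a00001f738 is located 8 bytes to the right of 1200-byte region [0x61a00001f280,0x61a00001f730)
allocated by thread T0 here:
    #0 0x7f46eff9d532 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99532)
    #1 0x4c027b in FoFiType1C::make(char*, int) /work/poppler_address/poppler-0.59.0/fofi/FoFiType1C.cc:50
"""

ERROR_RE = re.compile(r"^==\d+==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)")
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (.+)$")
REGION_RE = re.compile(r"^(0x[0-9a-f]+) is located (\d+) bytes to the (left|right) of "
                       r"(\d+)-byte region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")
LOC_RE = re.compile(r"^(.*?):(\d+)(?::\d+)?$")   # file:line or file:line:col


@dataclass
class Frame:
    function: str               # symbol as printed, parameter list included
    file: Optional[str] = None  # None for frames without debug info (e.g. libc)
    line: Optional[int] = None

    @property
    def name(self) -> str:
        """Symbol without its parameter list, e.g. 'FoFiType1C::convertToType0'."""
        return self.function.split("(", 1)[0]


@dataclass
class AsanReport:
    kind: str
    address: int
    access: str = ""
    size: int = 0
    crash_stack: List[Frame] = field(default_factory=list)
    alloc_stack: List[Frame] = field(default_factory=list)
    region_start: int = 0
    region_end: int = 0         # exclusive, as in ASan's "[start,end)"
    reported_distance: int = 0
    reported_side: str = ""


def parse_frame(rest: str) -> Frame:
    """'sym /path/file.cc:123' -> Frame; a trailing '(module+off)' means no source location."""
    func, _, loc = rest.rpartition(" ")
    m = LOC_RE.match(loc)
    return Frame(func, m.group(1), int(m.group(2))) if m else Frame(func or rest)


def parse_asan_report(text: str) -> AsanReport:
    report: Optional[AsanReport] = None
    current: Optional[List[Frame]] = None   # stack currently being collected
    for line in text.splitlines():
        if m := ERROR_RE.match(line):
            report = AsanReport(kind=m.group(1), address=int(m.group(2), 16))
        elif report is None:
            continue
        elif m := ACCESS_RE.match(line):
            report.access, report.size = m.group(1), int(m.group(2))
            current = report.crash_stack
        elif m := REGION_RE.match(line):
            report.reported_distance, report.reported_side = int(m.group(2)), m.group(3)
            report.region_start, report.region_end = int(m.group(5), 16), int(m.group(6), 16)
        elif line.startswith("allocated by thread"):
            current = report.alloc_stack
        elif (m := FRAME_RE.match(line)) and current is not None:
            current.append(parse_frame(m.group(1)))
        elif not line.strip():
            current = None                  # a blank line ends the current stack
    if report is None:
        raise ValueError("no AddressSanitizer ERROR line found")
    return report


def check_region_arithmetic(r: AsanReport) -> Dict[str, int]:
    """Recompute what ASan printed from the raw addresses; raise if the text disagrees."""
    distance = r.address - r.region_end if r.reported_side == "right" else r.region_start - r.address
    if distance != r.reported_distance:
        raise ValueError(f"report says {r.reported_distance} bytes, addresses give {distance}")
    region_size = r.region_end - r.region_start
    # element_* treat the region as an array of `size`-byte elements: an inference, not a fact
    return {"region_size": region_size, "distance": distance,
            "overrun_end": r.address + r.size - r.region_end,   # last byte touched, past the end
            "element_index": (r.address - r.region_start) // r.size,
            "element_count": region_size // r.size}


def crash_signature(r: AsanReport, depth: int = 3, fine: bool = False) -> str:
    """Coarse: bug kind, access type, top-N function names. Fine: adds basename:line."""
    parts = [f"{f.name}@{os.path.basename(f.file)}:{f.line}" if fine and f.file else f.name
             for f in r.crash_stack[:depth]]
    return "|".join([r.kind, r.access, *parts])
```

On the report above the arithmetic check confirms the text: the 1200-byte region ends at 0x61a00001f730 and the 4-byte read at 0x61a00001f738 starts 8 bytes past it, so bytes 8 through 11 beyond the allocation are read; if that region were an array of 4-byte elements it would hold 300 and the read would be of index 302. For de-duplication, a report crashing in FoFiType1C::convertToType0 at some other line (say a constructed copy of the sample with the line number changed) gets the same coarse signature but a different fine one, which is the policy choice behind the maintainer's "duplicate of something else": bucketing by function is the right first pass, and the fine signature is what you compare once a fix is in hand.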

