Bug 103583 - poppler-0.61: PSTokenizer.cc:87:30: runtime error: index -44 out of bounds for type 'char [256]'
Summary: poppler-0.61: PSTokenizer.cc:87:30: runtime error: index -44 out of bounds fo...
Status: RESOLVED FIXED
Alias: None
Product: poppler
Classification: Unclassified
Component: general
Version: unspecified
Hardware: Other All
Importance: medium normal
Assignee: poppler-bugs
 
Reported: 2017-11-05 19:02 UTC by LE GARREC Vincent
Modified: 2017-12-20 23:58 UTC (History)



Attachments
PSTokenizer_getToken_address_sanitizer.pdf (153 bytes, application/pdf)
2017-11-05 19:02 UTC, LE GARREC Vincent
PSTokenizer_getToken_address_sanitizer2.pdf (22.54 KB, application/pdf)
2017-12-04 21:40 UTC, LE GARREC Vincent
0001-Fix-index-out-of-bounds-in-PSTokenizer.patch (1.41 KB, patch)
2017-12-15 19:27 UTC, LE GARREC Vincent
PSTokenizer_getToken_address_sanitizer2_small.pdf (158 bytes, application/pdf)
2017-12-15 19:28 UTC, LE GARREC Vincent

Description LE GARREC Vincent 2017-11-05 19:02:04 UTC
Created attachment 135249 [details]
PSTokenizer_getToken_address_sanitizer.pdf

This error only appears with address sanitizer.

In PSTokenizer::getToken, specialChars[c] should be specialChars[(unsigned char)c] or something close to that.

pdftohtml PSTokenizer_getToken_address_sanitizer.pdf /tmp/

/home/legarrec/info/programmation/poppler/poppler/PSTokenizer.cc:87:30: runtime error: index -44 out of bounds for type 'char [256]'
=================================================================
==1208==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f8a59d93a14 at pc 0x7f8a58a7060d bp 0x7ffd6018f7c0 sp 0x7ffd6018f7b0
READ of size 1 at 0x7f8a59d93a14 thread T0
    #0 0x7f8a58a7060c in PSTokenizer::getToken(char*, int, int*) /home/legarrec/info/programmation/poppler/poppler/PSTokenizer.cc:87
    #1 0x7f8a577a8424 in CharCodeToUnicode::parseCMap1(int (*)(void*), void*, int) /home/legarrec/info/programmation/poppler/poppler/CharCodeToUnicode.cc:311
    #2 0x7f8a577b54f7 in CharCodeToUnicode::mergeCMap(GooString*, int) /home/legarrec/info/programmation/poppler/poppler/CharCodeToUnicode.cc:296
    #3 0x7f8a57fb811e in GfxFont::readToUnicodeCMap(Dict*, int, CharCodeToUnicode*) /home/legarrec/info/programmation/poppler/poppler/GfxFont.cc:584
    #4 0x7f8a57fe4870 in Gfx8BitFont::Gfx8BitFont(XRef*, char const*, Ref, GooString*, GfxFontType, Ref, Dict*) /home/legarrec/info/programmation/poppler/poppler/GfxFont.cc:1326
    #5 0x7f8a580689fd in GfxFont::makeFont(XRef*, char const*, Ref, Dict*) /home/legarrec/info/programmation/poppler/poppler/GfxFont.cc:228
    #6 0x7f8a5806a7d9 in GfxFontDict::GfxFontDict(XRef*, Ref*, Dict*) /home/legarrec/info/programmation/poppler/poppler/GfxFont.cc:2457
    #7 0x7f8a57cadf05 in GfxResources::GfxResources(XRef*, Dict*, GfxResources*) /home/legarrec/info/programmation/poppler/poppler/Gfx.cc:338
    #8 0x7f8a57e03b4e in Gfx::Gfx(PDFDoc*, OutputDev*, int, Dict*, double, double, PDFRectangle*, PDFRectangle*, int, bool (*)(void*), void*, XRef*) /home/legarrec/info/programmation/poppler/poppler/Gfx.cc:541
    #9 0x7f8a588bf75e in Page::createGfx(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, XRef*) /home/legarrec/info/programmation/poppler/poppler/Page.cc:521
    #10 0x7f8a588c3068 in Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /home/legarrec/info/programmation/poppler/poppler/Page.cc:552
    #11 0x7f8a588c8d64 in Page::display(OutputDev*, double, double, int, bool, bool, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /home/legarrec/info/programmation/poppler/poppler/Page.cc:481
    #12 0x7f8a58971f6e in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, bool, bool, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*) /home/legarrec/info/programmation/poppler/poppler/PDFDoc.cc:503
    #13 0x4159cc in main /home/legarrec/info/programmation/poppler/utils/pdftohtml.cc:389
    #14 0x7f8a54be8461 in __libc_start_main (/lib64/libc.so.6+0x20461)
    #15 0x41bb19 in _start (/home/legarrec/info/programmation/poppler/build/utils/pdftohtml+0x41bb19)

0x7f8a59d93a14 is located 19 bytes to the right of global variable '*.LC0' defined in '/home/legarrec/info/programmation/poppler/poppler/PSTokenizer.cc' (0x7f8a59d939c0) of size 65
  '*.LC0' is ascii string '/home/legarrec/info/programmation/poppler/poppler/PSTokenizer.cc'
0x7f8a59d93a14 is located 44 bytes to the left of global variable 'specialChars' defined in '/home/legarrec/info/programmation/poppler/poppler/PSTokenizer.cc:38:19' (0x7f8a59d93a40) of size 256
SUMMARY: AddressSanitizer: global-buffer-overflow /home/legarrec/info/programmation/poppler/poppler/PSTokenizer.cc:87 in PSTokenizer::getToken(char*, int, int*)
Shadow bytes around the buggy address:
  0x0ff1cb3aa6f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff1cb3aa700: 00 00 00 00 00 00 00 00 06 f9 f9 f9 f9 f9 f9 f9
  0x0ff1cb3aa710: 00 00 00 00 00 00 00 06 f9 f9 f9 f9 00 00 00 00
  0x0ff1cb3aa720: 00 00 00 05 f9 f9 f9 f9 00 00 00 00 00 00 00 04
  0x0ff1cb3aa730: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ff1cb3aa740: 01 f9[f9]f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x0ff1cb3aa750: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff1cb3aa760: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 00 00 00 00
  0x0ff1cb3aa770: 00 00 00 00 03 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x0ff1cb3aa780: 00 00 06 f9 f9 f9 f9 f9 00 00 00 00 00 00 04 f9
  0x0ff1cb3aa790: f9 f9 f9 f9 00 00 00 00 00 00 07 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1208==ABORTING
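The root cause the report points at is a classic one: indexing a 256-entry table with a plain `char`. On platforms where `char` is signed, any input byte at or above 0x80 becomes a negative index (0xD4 is -44, 0xC8 is -56, matching the two sanitizer runs on this page) and the lookup reads into whatever global sits before the table, which is exactly the global-buffer-overflow ASan flagged. The example below is added here to illustrate that mechanism and the `(unsigned char)` fix side by side; it is not poppler's code. The `specialChars` table contents, the helper names and the input bytes are constructed for the example, and the buggy path only computes the index it would use rather than performing the out-of-bounds read.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for a 256-entry "special character" lookup table
 * (constructed for this example, not poppler's table): 1 = delimiter. */
static const char specialChars[256] = {
    [' '] = 1, ['\t'] = 1, ['\n'] = 1, ['\r'] = 1,
    ['('] = 1, [')'] = 1, ['<'] = 1, ['>'] = 1,
    ['['] = 1, [']'] = 1, ['{'] = 1, ['}'] = 1,
    ['/'] = 1, ['%'] = 1,
};

/* Index the buggy code would use: the char is promoted to int as-is, so with
 * a signed char a byte >= 0x80 yields a negative index (0xD4 -> -44).
 * The read itself is deliberately not performed here, since it is UB. */
static int buggy_index(char c) {
    return (int)c;
}

/* Index after the fix: cast to unsigned char first, so the result is always
 * in 0..255 regardless of the platform's char signedness (0xD4 -> 212). */
static int fixed_index(char c) {
    return (int)(unsigned char)c;
}

/* The hardened lookup: safe for every possible input byte. */
static int is_special_fixed(char c) {
    return specialChars[(unsigned char)c];
}

/* Scan a buffer and count how many bytes would produce an index outside the
 * table. With use_fix = 1 the answer is always 0; with use_fix = 0 it equals
 * the number of high bytes on a signed-char platform. */
static int count_out_of_bounds(const char *buf, size_t len, int use_fix) {
    int bad = 0;
    for (size_t i = 0; i < len; i++) {
        int idx = use_fix ? fixed_index(buf[i]) : buggy_index(buf[i]);
        if (idx < 0 || idx > 255)
            bad++;
    }
    return bad;
}

int main(void) {
    /* Constructed sample: a CMap-style token followed by two high bytes like
     * the ones behind the reported indexes (0xD4 -> -44, 0xC8 -> -56). */
    const char sample[] = "begincidrange\xd4\xc8";
    size_t len = sizeof(sample) - 1;

    printf("char is %s on this platform\n", CHAR_MIN < 0 ? "signed" : "unsigned");
    printf("buggy lookup: %d byte(s) would index outside the table\n",
           count_out_of_bounds(sample, len, 0));
    printf("fixed lookup: %d byte(s) would index outside the table\n",
           count_out_of_bounds(sample, len, 1));
    return 0;
}
```

Note that the same bug is invisible on platforms where `char` is unsigned (most ARM ABIs), which is why it tends to surface only under a sanitizer on x86; casting at the lookup site removes the platform dependence entirely.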
Comment 1 Albert Astals Cid 2017-11-12 23:43:12 UTC
I just get

Syntax Warning: May not be a PDF file (continuing anyway)
Syntax Error: Couldn't find trailer dictionary
Syntax Error: Couldn't find trailer dictionary
Syntax Error: Couldn't read xref table

are you sure this is the file you used?
Comment 2 LE GARREC Vincent 2017-11-13 08:21:57 UTC
Did you compile poppler with CFLAGS and CXXFLAGS = "-fsanitize=address" ?
Comment 3 Albert Astals Cid 2017-11-13 21:30:57 UTC
(In reply to LE GARREC Vincent from comment #2)
> Did you compile poppler with CFLAGS and CXXFLAGS = "-fsanitize=address" ?

Yes
Comment 4 LE GARREC Vincent 2017-11-14 21:48:23 UTC
Sorry, the custom function I used to replace the system's strncmp was buggy with 0-length arg. I will be more careful next time :(
Comment 5 LE GARREC Vincent 2017-12-04 21:39:29 UTC
Dear,

I found another pdf that address sanitizer doesn't like. I tested it this time with the original source of poppler and the output is the same before asan complains.

mkdir build
cd build
CFLAGS="-fsanitize=address,undefined -g -fno-omit-frame-pointer" CXXFLAGS="-fsanitize=address,undefined -g -fno-omit-frame-pointer" cmake ..
make
./utils/pdftohtml PSTokenizer_getToken_address_sanitizer2.pdf /tmp/

Then:
Syntax Error (23012): Illegal character <ff> in hex string
Syntax Error (23013): Illegal character <ff> in hex string
Syntax Error (23014): Illegal character <ff> in hex string
Syntax Error (23015): Illegal character <7f> in hex string
Syntax Error (4323): Dictionary key must be a name object
Syntax Error (4331): Dictionary key must be a name object
Syntax Error (4163): Dictionary key must be a name object
Syntax Error (4165): Dictionary key must be a name object
Syntax Error (4176): Dictionary key must be a name object
Syntax Error (6030): Dictionary key must be a name object
Syntax Error (6035): Dictionary key must be a name object
Syntax Error (6042): Dictionary key must be a name object
Syntax Error (6030): Dictionary key must be a name object
Syntax Error (6035): Dictionary key must be a name object
Syntax Error (6042): Dictionary key must be a name object
Syntax Error (6366): Bad uncompressed block length in flate stream
/home/legarrec/info/programmation/popplerok/poppler/PSTokenizer.cc:87:30: runtime error: index -56 out of bounds for type 'char [256]'
=================================================================
==23470==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f45c6d68d08 at pc 0x7f45c68768a1 bp 0x7fffdb5c34d0 sp 0x7fffdb5c34c0
READ of size 1 at 0x7f45c6d68d08 thread T0
    #0 0x7f45c68768a0 in PSTokenizer::getToken(char*, int, int*) /home/legarrec/info/programmation/popplerok/poppler/PSTokenizer.cc:87
    #1 0x7f45c6469b80 in CharCodeToUnicode::parseCMap1(int (*)(void*), void*, int) /home/legarrec/info/programmation/popplerok/poppler/CharCodeToUnicode.cc:313
    #2 0x7f45c646be75 in CharCodeToUnicode::mergeCMap(GooString*, int) /home/legarrec/info/programmation/popplerok/poppler/CharCodeToUnicode.cc:298
    #3 0x7f45c6609fc0 in GfxFont::readToUnicodeCMap(Dict*, int, CharCodeToUnicode*) /home/legarrec/info/programmation/popplerok/poppler/GfxFont.cc:584
    #4 0x7f45c661359d in Gfx8BitFont::Gfx8BitFont(XRef*, char const*, Ref, GooString*, GfxFontType, Ref, Dict*) /home/legarrec/info/programmation/popplerok/poppler/GfxFont.cc:1326
    #5 0x7f45c66320d1 in GfxFont::makeFont(XRef*, char const*, Ref, Dict*) /home/legarrec/info/programmation/popplerok/poppler/GfxFont.cc:228
    #6 0x7f45c66327a0 in GfxFontDict::GfxFontDict(XRef*, Ref*, Dict*) /home/legarrec/info/programmation/popplerok/poppler/GfxFont.cc:2457
    #7 0x7f45c6550e93 in GfxResources::GfxResources(XRef*, Dict*, GfxResources*) /home/legarrec/info/programmation/popplerok/poppler/Gfx.cc:338
    #8 0x7f45c65b210f in Gfx::Gfx(PDFDoc*, OutputDev*, int, Dict*, double, double, PDFRectangle*, PDFRectangle*, int, bool (*)(void*), void*, XRef*) /home/legarrec/info/programmation/popplerok/poppler/Gfx.cc:541
    #9 0x7f45c681dc7c in Page::createGfx(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, XRef*) /home/legarrec/info/programmation/popplerok/poppler/Page.cc:521
    #10 0x7f45c681efd1 in Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /home/legarrec/info/programmation/popplerok/poppler/Page.cc:552
    #11 0x7f45c681ff6b in Page::display(OutputDev*, double, double, int, bool, bool, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /home/legarrec/info/programmation/popplerok/poppler/Page.cc:481
    #12 0x7f45c68425bc in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, bool, bool, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*) /home/legarrec/info/programmation/popplerok/poppler/PDFDoc.cc:513
    #13 0x40c3ab in main /home/legarrec/info/programmation/popplerok/utils/pdftohtml.cc:392
    #14 0x7f45c402df51 in __libc_start_main (/lib64/libc.so.6+0x20f51)
    #15 0x40d7e9 in _start (/home/legarrec/info/programmation/popplerok/build/utils/pdftohtml+0x40d7e9)

0x7f45c6d68d08 is located 5 bytes to the right of global variable '*.LC0' defined in '/home/legarrec/info/programmation/popplerok/poppler/PSTokenizer.cc' (0x7f45c6d68cc0) of size 67
  '*.LC0' is ascii string '/home/legarrec/info/programmation/popplerok/poppler/PSTokenizer.cc'
0x7f45c6d68d08 is located 56 bytes to the left of global variable 'specialChars' defined in '/home/legarrec/info/programmation/popplerok/poppler/PSTokenizer.cc:38:19' (0x7f45c6d68d40) of size 256
SUMMARY: AddressSanitizer: global-buffer-overflow /home/legarrec/info/programmation/popplerok/poppler/PSTokenizer.cc:87 in PSTokenizer::getToken(char*, int, int*)
Shadow bytes around the buggy address:
  0x0fe938da5150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe938da5160: 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9
  0x0fe938da5170: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 00 00 00 00
  0x0fe938da5180: 00 00 00 07 f9 f9 f9 f9 00 00 00 00 00 00 00 06
  0x0fe938da5190: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fe938da51a0: 03[f9]f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x0fe938da51b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe938da51c0: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 00 00 00 00
  0x0fe938da51d0: 00 00 00 00 05 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x0fe938da51e0: 00 00 06 f9 f9 f9 f9 f9 00 00 00 00 00 00 04 f9
  0x0fe938da51f0: f9 f9 f9 f9 00 00 00 00 00 00 07 f9 f9 f9 f9 f9


Please, could you check again?

Thanks,
Comment 6 LE GARREC Vincent 2017-12-04 21:40:07 UTC
Created attachment 135941 [details]
PSTokenizer_getToken_address_sanitizer2.pdf
Comment 7 Albert Astals Cid 2017-12-05 16:26:27 UTC
Ah, didn't realize you were using the undefined sanitizer too

BTW you want
cmake -DECM_ENABLE_SANITIZERS="address;undefined"
it's easier ;)
Comment 8 LE GARREC Vincent 2017-12-15 19:27:34 UTC
Created attachment 136205 [details] [review]
0001-Fix-index-out-of-bounds-in-PSTokenizer.patch

Thanks, I will try it :)

Please, find enclosed a proposal patch for this bug.
Comment 9 LE GARREC Vincent 2017-12-15 19:28:31 UTC
Created attachment 136206 [details]
PSTokenizer_getToken_address_sanitizer2_small.pdf

Minimal case.
Comment 10 Albert Astals Cid 2017-12-19 23:24:13 UTC
Thanks, I kind of came up with the same patch but forgot to really give it a try; I'll do a nightly regtest to see nothing breaks.
Comment 11 Albert Astals Cid 2017-12-20 23:58:36 UTC
Pushed

