Bug 76442 - Heap-buffer-overflow in TextPage::updateFont
Summary: Heap-buffer-overflow in TextPage::updateFont
Status: RESOLVED FIXED
Alias: None
Product: poppler
Classification: Unclassified
Component: general
Version: unspecified
Hardware: x86-64 (AMD64) Linux (All)
Priority/Severity: medium normal
Assignee: poppler-bugs
 
Reported: 2014-03-21 11:10 UTC by Antti Husa
Modified: 2014-03-25 21:29 UTC


Attachments
Fuzzed PDF file that causes heap-buffer-overflow (18.34 KB, text/plain)
2014-03-21 11:10 UTC, Antti Husa

Description Antti Husa 2014-03-21 11:10:09 UTC
Created attachment 96152
Fuzzed PDF file that causes heap-buffer-overflow

ASAN reports a heap-buffer-overflow when a malformed PDF file is opened.

Reproduced on Evince, Zathura and apvlv with Poppler version 0.24.5.

Distribution: Gentoo Linux 64bit
Evince version: 3.10.3
Zathura version: 0.2.1
Zathura-pdf-poppler version: 0.2.3

The malformed file is given as an attachment.

ASAN report:
==8131== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6004000cda11 at pc 0x7f91ae3434e1 bp 0x7f91ab918190 sp 0x7f91ab918188
READ of size 1 at 0x6004000cda11 thread T3 (pool)
    #0 0x7f91ae3434e0 (/usr/lib64/libpoppler.so.44.0.0+0x36a4e0)
    #1 0x7f91ae8f0bb7 (/usr/lib64/libpoppler-glib.so.8.6.0+0x4cbb7)
    #2 0x7f91ae215840 (/usr/lib64/libpoppler.so.44.0.0+0x23c840)
    #3 0x7f91ae1feb45 (/usr/lib64/libpoppler.so.44.0.0+0x225b45)
    #4 0x7f91ae1ff50f (/usr/lib64/libpoppler.so.44.0.0+0x22650f)
    #5 0x7f91ae2bb6d7 (/usr/lib64/libpoppler.so.44.0.0+0x2e26d7)
    #6 0x7f91ae8d8a92 (/usr/lib64/libpoppler-glib.so.8.6.0+0x34a92)
    #7 0x7f91aeb3fca4 (/usr/lib64/zathura/pdf.so+0x3ca4)
    #8 0x42f8b7 (/usr/bin/zathura+0x42f8b7)
    #9 0x7f91b6d6dea5 (/usr/lib64/libglib-2.0.so.0.3800.2+0x6fea5)
    #10 0x7f91b6d6d4e4 (/usr/lib64/libglib-2.0.so.0.3800.2+0x6f4e4)
    #11 0x7f91b8420c07 (/usr/lib64/libasan.so.0.0.0+0x18c07)
    #12 0x7f91b66e3f39 (/lib64/libpthread-2.17.so+0x8f39)
    #13 0x7f91b6120c3c (/lib64/libc-2.17.so+0xedc3c)
0x6004000cda11 is located 0 bytes to the right of 1-byte region [0x6004000cda10,0x6004000cda11)
allocated by thread T3 (pool) here:
    #0 0x7f91b841d54a (/usr/lib64/libasan.so.0.0.0+0x1554a)
    #1 0x7f91ae11481d (/usr/lib64/libpoppler.so.44.0.0+0x13b81d)
    #2 0x7f91ae114e4e (/usr/lib64/libpoppler.so.44.0.0+0x13be4e)
    #3 0x7f91ae2218a1 (/usr/lib64/libpoppler.so.44.0.0+0x2488a1)
    #4 0x7f91ae22c9b3 (/usr/lib64/libpoppler.so.44.0.0+0x2539b3)
    #5 0x7f91ae22ce2d (/usr/lib64/libpoppler.so.44.0.0+0x253e2d)
    #6 0x7f91ae1e189c (/usr/lib64/libpoppler.so.44.0.0+0x20889c)
    #7 0x7f91ae1fcdcc (/usr/lib64/libpoppler.so.44.0.0+0x223dcc)
    #8 0x7f91ae2bafb0 (/usr/lib64/libpoppler.so.44.0.0+0x2e1fb0)
    #9 0x7f91ae2bb67b (/usr/lib64/libpoppler.so.44.0.0+0x2e267b)
    #10 0x7f91ae8d8a92 (/usr/lib64/libpoppler-glib.so.8.6.0+0x34a92)
    #11 0x7f91aeb3fca4 (/usr/lib64/zathura/pdf.so+0x3ca4)
    #12 0x7f91b6d6dea5 (/usr/lib64/libglib-2.0.so.0.3800.2+0x6fea5)
Thread T3 (pool) created by T0 here:
    #0 0x7f91b8412c5b (/usr/lib64/libasan.so.0.0.0+0xac5b)
    #1 0x7f91b6d88941 (/usr/lib64/libglib-2.0.so.0.3800.2+0x8a941)
==8131== ABORTING


gdb backtrace:
gdb$ bt
#0  __asan_report_error (pc=0x7fffead884e1, bp=0x7fffe835d190, sp=0x7fffe835d188, addr=0x6004000cda11, is_write=0x0, access_size=0x1) at ../../.././libsanitizer/asan/asan_report.cc:628
#1  0x00007ffff4e5f7c4 in __asan::__asan_report_load1 (addr=<optimized out>) at ../../.././libsanitizer/asan/asan_rtl.cc:226
#2  0x00007fffead884e1 in TextPage::updateFont (this=0x60220000fe80, state=state@entry=0x603c0001ea80) at /var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/TextOutputDev.cc:2199
#3  0x00007fffeb335bb8 in CairoOutputDev::updateFont (this=0x603600004540, state=0x603c0001ea80) at /var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/CairoOutputDev.cc:624
#4  0x00007fffeac5a841 in Gfx::opShowText (this=0x60240007f5c0, args=0x7fffe835d5a0, numArgs=<optimized out>) at /var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/Gfx.cc:3742
#5  0x00007fffeac43b46 in Gfx::go (this=this@entry=0x60240007f5c0, topLevel=topLevel@entry=0x1) at /var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/Gfx.cc:712
#6  0x00007fffeac44510 in Gfx::display (this=this@entry=0x60240007f5c0, obj=obj@entry=0x7fffe835d9d0, topLevel=topLevel@entry=0x1) at /var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/Gfx.cc:678
#7  0x00007fffead006d8 in Page::displaySlice (this=0x6022000190c0, out=out@entry=0x603600004540, hDPI=hDPI@entry=72, vDPI=vDPI@entry=72, rotate=rotate@entry=0x0, useMediaBox=useMediaBox@entry=0x0, crop=crop@entry=0x1, sliceX=sliceX@entry=0xffffffff, sliceY=sliceY@entry=0xffffffff, sliceW=sliceW@entry=0xffffffff, sliceH=sliceH@entry=0xffffffff, printing=printing@entry=0x0, abortCheckCbk=abortCheckCbk@entry=0x0, abortCheckCbkData=abortCheckCbkData@entry=0x0, annotDisplayDecideCbk=0x0, annotDisplayDecideCbkData=annotDisplayDecideCbkData@entry=0x0, copyXRef=copyXRef@entry=0x0) at /var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/Page.cc:584
#8  0x00007fffeb31da93 in _poppler_page_render (page=0x605200035180, cairo=0x604a0000f100, printing=<optimized out>, print_flags=<optimized out>) at /var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/glib/poppler-page.cc:362
#9  0x00007fffeb584ca5 in pdf_page_render_cairo () from /usr/lib64/zathura/pdf.so
#10 0x000000000042f8b8 in render (page=0x60080002a110, zathura=0x60260000f660) at render.c:183
#11 render_job (data=0x60080002a110, user_data=0x60260000f660) at render.c:37
#12 0x00007ffff37b2ea6 in ?? () from /usr/lib64/libglib-2.0.so.0
#13 0x00007ffff37b24e5 in ?? () from /usr/lib64/libglib-2.0.so.0
#14 0x00007ffff4e65c08 in __asan::AsanThread::ThreadStart (this=0x7fffe835f000) at ../../.././libsanitizer/asan/asan_thread.cc:99
#15 0x00007ffff3128f3a in start_thread (arg=0x7fffe835e700) at pthread_create.c:308
#16 0x00007ffff2b65c3d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113


--
Antti Husa
Research Assistant, OUSPG
Comment 1 Albert Astals Cid 2014-03-21 22:19:52 UTC
Hi, can you please read http://tsdgeos.blogspot.de/2014/03/asan-and-gcc-how-to-get-line-numbers-in.html and provide numbers with the ASAN backtrace?
Comment 2 Antti Husa 2014-03-24 11:18:42 UTC
Even with the exports I was unable to get ASAN to show line numbers; it only showed the function names. However, Valgrind did show line numbers with the same compiler debug options, so here's the Valgrind report:

==15458== Invalid read of size 1
==15458==    at 0xEEC0255: TextPage::updateFont(GfxState*) (TextOutputDev.cc:2199)
==15458==    by 0xEB2CB93: CairoOutputDev::updateFont(GfxState*) (CairoOutputDev.cc:624)
==15458==    by 0xEE5A4BC: Gfx::opShowText(Object*, int) (Gfx.cc:3742)
==15458==    by 0xEE52A88: Gfx::go(bool) (Gfx.cc:712)
==15458==    by 0xEE52ECC: Gfx::display(Object*, bool) (Gfx.cc:678)
==15458==    by 0xEE94054: Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) (Page.cc:584)
==15458==    by 0xEB224F6: _poppler_page_render(_PopplerPage*, _cairo*, bool, PopplerPrintFlags) (poppler-page.cc:362)
==15458==    by 0xE8FDCA4: pdf_page_render_cairo (pdf.c:809)
==15458==    by 0x41DCE7: render_job (render.c:183)
==15458==    by 0x627FEA5: ??? (in /usr/lib64/libglib-2.0.so.0.3800.2)
==15458==    by 0x627F4E4: ??? (in /usr/lib64/libglib-2.0.so.0.3800.2)
==15458==    by 0x694CF39: start_thread (pthread_create.c:308)
==15458==  Address 0x115012f1 is 0 bytes after a block of size 1 alloc'd
==15458==    at 0x4C2C71B: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==15458==    by 0xEE043AD: gmalloc (gmem.cc:110)
==15458==    by 0xEE04971: copyString (gmem.cc:316)
==15458==    by 0xEE5E5CD: Gfx8BitFont::Gfx8BitFont(XRef*, char const*, Ref, GooString*, GfxFontType, Ref, Dict*) (GfxFont.cc:1198)
==15458==    by 0xEE6187B: GfxFont::makeFont(XRef*, char const*, Ref, Dict*) (GfxFont.cc:223)
==15458==    by 0xEE619A2: GfxFontDict::GfxFontDict(XRef*, Ref*, Dict*) (GfxFont.cc:2497)
==15458==    by 0xEE46EFE: GfxResources::GfxResources(XRef*, Dict*, GfxResources*) (Gfx.cc:341)
==15458==    by 0xEE523D3: Gfx::Gfx(PDFDoc*, OutputDev*, int, Dict*, double, double, PDFRectangle*, PDFRectangle*, int, bool (*)(void*), void*, XRef*) (Gfx.cc:554)
==15458==    by 0xEE93D85: Page::createGfx(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, XRef*) (Page.cc:544)
==15458==    by 0xEE9401B: Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) (Page.cc:579)
==15458==    by 0xEB224F6: _poppler_page_render(_PopplerPage*, _cairo*, bool, PopplerPrintFlags) (poppler-page.cc:362)
==15458==    by 0xE8FDCA4: pdf_page_render_cairo (pdf.c:809)
==15458== 
==15458== 
==15458== HEAP SUMMARY:
==15458==     in use at exit: 3,708,571 bytes in 19,892 blocks
==15458==   total heap usage: 112,237 allocs, 92,345 frees, 18,910,558 bytes allocated
==15458== 
==15458== LEAK SUMMARY:
==15458==    definitely lost: 4,320 bytes in 9 blocks
==15458==    indirectly lost: 17,319 bytes in 684 blocks
==15458==      possibly lost: 28,608 bytes in 444 blocks
==15458==    still reachable: 3,527,140 bytes in 18,138 blocks
==15458==         suppressed: 0 bytes in 0 blocks
==15458== Rerun with --leak-check=full to see details of leaked memory
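The ASan report and the Valgrind trace together pin the defect down to a 1-byte READ landing 0 bytes past a 1-byte block allocated by copyString(), i.e. an empty glyph name, inside TextPage::updateFont. Below is an added C illustration (not poppler's own code) of that defect shape next to a bounds-respecting rewrite; the function names, the assumed triggering condition, and the sample encoding table are constructed for this example.

```c
#include <stdlib.h>
#include <string.h>

/* Mirrors the allocation the Valgrind trace attributes to copyString():
 * strlen+1 bytes, so an empty glyph name becomes a 1-byte heap block. */
static char *copy_name(const char *s) {
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    if (d) memcpy(d, s, n);
    return d;
}

/* Assumed shape of the defect, not poppler's actual source: name[1] is
 * tested before anything proves the string has a first character, so for
 * "" the load of name[1] is the 1-byte over-read ASan flagged. Never "". */
static int is_single_letter_unsafe(const char *name) {
    return name && name[1] == '\0' &&
           ((name[0] >= 'A' && name[0] <= 'Z') ||
            (name[0] >= 'a' && name[0] <= 'z'));
}

/* Hardened form: measure the string first; name[1] is only reached when
 * strlen() == 1 guarantees it is the terminator inside the allocation. */
static int is_single_letter_safe(const char *name) {
    if (name == NULL || strlen(name) != 1) return 0;
    return (name[0] >= 'A' && name[0] <= 'Z') ||
           (name[0] >= 'a' && name[0] <= 'z');
}

/* Scan a 256-entry encoding table, as a Type 3 font heuristic might, for
 * the code whose glyph name is exactly "m"; -1 if absent. NULL/"" are safe. */
static int find_m_code(const char *const names[256]) {
    for (int code = 0; code < 256; ++code) {
        const char *n = names[code];
        if (n != NULL && strlen(n) == 1 && n[0] == 'm') return code;
    }
    return -1;
}

/* Constructed sample table: mostly NULL, one empty name (the trigger
 * shape from the report), one "m" at code 109. Returns the located code. */
static int demo_find_m(void) {
    const char *names[256] = {0};
    names[0] = copy_name("");
    names[65] = copy_name("A");
    names[109] = copy_name("m");
    int code = find_m_code(names);
    free((void *)names[0]); free((void *)names[65]); free((void *)names[109]);
    return code;
}
```

Running the hardened scan under ASan or Valgrind over a table containing an empty name produces no report, which is the regression check to keep alongside the fuzzed file.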
Comment 3 Antti Husa 2014-03-24 14:35:12 UTC
The problem was actually llvm being version 3.3, so updating llvm to 3.4 fixed the line numbers in the ASAN report.
Comment 4 Albert Astals Cid 2014-03-25 21:29:57 UTC
Fixed in master. Thanks for the report.