Heap-Buffer-Overflow in DCTStream::getChars
- Version: 20.12.1
- Commit: e1f56258
- How to reproduce: pdftops ./poc /dev/null
The log of ASAN:
==78169==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x633000019830 at pc 0x0000004def3c bp 0x7ffcb2d72b80 sp 0x7ffcb2d72330
WRITE of size 219 at 0x633000019830 thread T0
#0 0x4def3b in __asan_memcpy (/src/executable/pdftops+0x4def3b)
#1 0x7c5601 in DCTStream::getChars(int, unsigned char*) /src/poppler/poppler/DCTStream.cc:223:9
#2 0x606c86 in Stream::doGetChars(int, unsigned char*) /src/poppler/poppler/Stream.h:130:20
#3 0x603203 in LZWEncoder::reset() /src/poppler/poppler/Stream.cc:4940:21
#4 0x5ffdc3 in ASCII85Encoder::reset() /src/poppler/poppler/Stream.cc:4723:10
#5 0x6a18c6 in PSOutputDev::doImageL2(GfxState*, Object*, GfxImageColorMap*, bool, bool, Stream*, int, int, int, int const*, Stream*, int, int, bool) /src/poppler/poppler/PSOutputDev.cc:6047:14
#6 0x6ad7d3 in PSOutputDev::drawImage(GfxState*, Object*, Stream*, int, int, GfxImageColorMap*, bool, int const*, bool) /src/poppler/poppler/PSOutputDev.cc:5181:9
#7 0x91bfc0 in Gfx::doImage(Object*, Stream*, bool) /src/poppler/poppler/Gfx.cc:4520:22
#8 0x8c70a9 in Gfx::opXObject(Object*, int) /src/poppler/poppler/Gfx.cc:4097:13
#9 0x8f0006 in Gfx::execOp(Object*, Object*, int) /src/poppler/poppler/Gfx.cc:802:5
#10 0x8ee669 in Gfx::go(bool) /src/poppler/poppler/Gfx.cc:679:13
#11 0x8edc20 in Gfx::display(Object*, bool) /src/poppler/poppler/Gfx.cc:640:5
#12 0xa78ecf in Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /src/poppler/poppler/Page.cc:576:14
#13 0xa78a4e in Page::display(OutputDev*, double, double, int, bool, bool, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /src/poppler/poppler/Page.cc:521:5
#14 0x54b820 in PDFDoc::displayPage(OutputDev*, int, double, double, int, bool, bool, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /src/poppler/poppler/PDFDoc.cc:639:24
#15 0x5218dc in main /src/poppler/utils/pdftops.cc:475:18
#16 0x7fabbbf24bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
#17 0x420359 in _start (/src/executable/pdftops+0x420359)
0x633000019830 is located 0 bytes to the right of 102448-byte region [0x633000000800,0x633000019830)
allocated by thread T0 here:
#0 0x5187c0 in operator new(unsigned long) (/src/executable/pdftops+0x5187c0)
#1 0x6a105a in PSOutputDev::doImageL2(GfxState*, Object*, GfxImageColorMap*, bool, bool, Stream*, int, int, int, int const*, Stream*, int, int, bool) /src/poppler/poppler/PSOutputDev.cc:6001:19
#2 0x6ad7d3 in PSOutputDev::drawImage(GfxState*, Object*, Stream*, int, int, GfxImageColorMap*, bool, int const*, bool) /src/poppler/poppler/PSOutputDev.cc:5181:9
SUMMARY: AddressSanitizer: heap-buffer-overflow (/src/executable/pdftops+0x4def3b) in __asan_memcpy
Shadow bytes around the buggy address:
0x0c667fffb2b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c667fffb2c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c667fffb2d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c667fffb2e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c667fffb2f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c667fffb300: 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa
0x0c667fffb310: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c667fffb320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c667fffb330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c667fffb340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c667fffb350: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==78169==ABORTING
poc file: poc