Skip to content

GitLab

Closed
Opened by bin24151@bin24151

Stack-Overflow in `FoFiType1C::cvtGlyph` results in Segmentation Fault

  • Version: 20.12.1
  • Commit: e1f56258
  • How to reproduce: ./pdftops ./poc /dev/null

The backtrace is:

==107470==ERROR: AddressSanitizer: stack-overflow on address 0x7ffc5f160fd8 (pc 0x0000004ded5c bp 0x7ffc5f161850 sp 0x7ffc5f160fe0 T0)
    #0 0x4ded5b in __asan_memcpy (/src/poppler_test/build/utils/pdftops+0x4ded5b)
    #1 0x817158 in FoFiType1C::getOp(int, bool, bool*) /src/poppler_test/fofi/FoFiType1C.cc:2620:21
    #2 0x8077bd in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc:1141:15
    #3 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
    #4 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
    #5 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
    #6 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
    #7 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
    #8 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
    #9 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
    #10 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
    #11 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
    #12 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
    #13 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
    #14 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
    #15 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
    #16 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
    #17 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
    #18 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
    #19 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
    #20 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
    #21 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
    #22 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
    #23 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
    #24 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
    #25 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
    #26 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
    #27 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
    #28 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
    #29 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
    #30 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
    #31 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
    #32 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
    #33 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
    #34 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
    #35 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
    #36 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
    #37 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
    #38 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
    #39 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
    #40 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
    #41 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
    #42 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
...
...

This cause segmentation fault without ASAN.

poc

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information