heap-buffer-overflow in Splash::fillGlyph2
Submitted by pdknsk
Assigned to poppler-bugs
Link to original bug (#106060)
Description
==20495==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000c66214 at pc 0x000000a9e07c bp 0x7ffc90fe2e90 sp 0x7ffc90fe2e88
READ of size 1 at 0x602000c66214 thread T0
    #0 0xa9e07b in Splash::fillGlyph2(int, int, SplashGlyphBitmap*, bool) poppler/splash/Splash.cc:2889:59
    #1 0xa9787d in Splash::fillChar(double, double, int, SplashFont*) poppler/splash/Splash.cc:2753:5
    #2 0xa37c96 in SplashOutputDev::drawChar(GfxState*, double, double, double, double, double, double, unsigned int, int, unsigned int*, int) poppler/poppler/SplashOutputDev.cc:2466:13
    #3 0x8aa6c3 in Gfx::doShowText(GooString const*) poppler/poppler/Gfx.cc:4049:14
    #4 0x86c687 in Gfx::opShowText(Object*, int) poppler/poppler/Gfx.cc:3776:3
    #5 0x88b290 in Gfx::go(bool) poppler/poppler/Gfx.cc:747:7
    #6 0x889f45 in Gfx::display(Object*, bool) poppler/poppler/Gfx.cc:709:3
    #7 0x97adf0 in Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) poppler/poppler/Page.cc:560:10
    #8 0x7a439f in PDFDoc::displayPageSlice(OutputDev*, int, double, double, int, bool, bool, bool, int, int, int, int, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) poppler/poppler/PDFDoc.cc:550:20
    #9 0xa28303 in poppler::page_renderer::render_page(poppler::page const*, double, double, int, int, int, int, poppler::rotation_enum) const poppler/cpp/poppler-page-renderer.cpp:180:13
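The trace shows a one-byte out-of-bounds heap read inside the glyph blitter while a text-showing operator is being rendered, reached through the public poppler-cpp render_page entry point, i.e. from any page a consumer renders. The report gives no root cause, so the following is an added illustration of the bug class rather than poppler's code: a hypothetical glyph blitter (the glyph_t and canvas_t types, blit_glyph, glyph_geometry_ok and render_sample are all assumed names, not Splash API) whose loop bounds are derived from clipping and from the bitmap's declared width/height, together with the two checks that keep every index into the glyph data inside its allocation. The sample glyph bytes are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical 8-bit-alpha glyph bitmap and canvas (not poppler's
 * SplashGlyphBitmap / SplashBitmap). */
typedef struct {
    int x, y;            /* bitmap origin relative to the glyph pen position */
    int w, h;            /* declared bitmap size in pixels */
    size_t len;          /* bytes actually allocated behind data */
    const uint8_t *data; /* w*h alpha values, row-major */
} glyph_t;

typedef struct {
    int w, h;
    uint8_t *pix;        /* w*h greyscale pixels */
} canvas_t;

/* Check 1: the declared geometry must be covered by the allocation. A
 * rasteriser that hands back a bitmap whose w/h overstate its buffer is one
 * way a blitter's clip-derived loop ends up reading past the heap block. */
static int glyph_geometry_ok(const glyph_t *g)
{
    if (g->w < 0 || g->h < 0) return 0;
    if (g->w == 0 || g->h == 0) return 1;
    if ((size_t)g->w > g->len / (size_t)g->h) return 0; /* w*h > len, overflow-safe */
    return g->data != NULL;
}

/* Blit g so that its origin lands at canvas pixel (x0, y0), clipped to the
 * canvas. Returns 0 on success, -1 if the glyph is rejected. */
static int blit_glyph(canvas_t *c, int x0, int y0, const glyph_t *g)
{
    if (!glyph_geometry_ok(g)) return -1;

    /* Canvas position of the bitmap's top-left pixel (long: no int overflow). */
    long xStart = (long)x0 - g->x, yStart = (long)y0 - g->y;

    /* Check 2: clip the bitmap range [xx0,xx1) x [yy0,yy1) to the canvas so
     * that 0 <= xx < w and 0 <= yy < h; every index formed below then stays
     * inside [0, w*h), which check 1 has tied to len. */
    long xx0 = xStart < 0 ? -xStart : 0;
    long yy0 = yStart < 0 ? -yStart : 0;
    long xx1 = g->w, yy1 = g->h;
    if (xStart + xx1 > c->w) xx1 = c->w - xStart;
    if (yStart + yy1 > c->h) yy1 = c->h - yStart;

    for (long yy = yy0; yy < yy1; ++yy) {
        for (long xx = xx0; xx < xx1; ++xx) {
            uint8_t alpha = g->data[(size_t)yy * (size_t)g->w + (size_t)xx];
            uint8_t *p = &c->pix[(size_t)(yStart + yy) * (size_t)c->w + (size_t)(xStart + xx)];
            *p = (uint8_t)(*p - (unsigned)*p * alpha / 255u); /* darken by alpha */
        }
    }
    return 0;
}

/* Constructed sample: a 3x2 glyph with origin offset x=1. With overstate_h
 * set, the same 6-byte buffer is declared as 3x4, so an unchecked blitter
 * would read 6 bytes past the allocation. Fills a 4x3 white canvas into out
 * and returns the blit status. */
static const uint8_t SAMPLE_ALPHA[6] = { 255, 0, 255,
                                         0, 255, 0 };

int render_sample(int x0, int overstate_h, uint8_t out[12])
{
    memset(out, 255, 12);
    canvas_t c = { 4, 3, out };
    glyph_t g = { 1, 0, 3, overstate_h ? 4 : 2, sizeof SAMPLE_ALPHA, SAMPLE_ALPHA };
    return blit_glyph(&c, x0, 0, &g);
}

int main(void)
{
    uint8_t out[12];
    int rc = render_sample(2, 0, out);
    for (int y = 0; y < 3; ++y)
        printf("%3u %3u %3u %3u\n", out[y * 4], out[y * 4 + 1], out[y * 4 + 2], out[y * 4 + 3]);
    printf("valid glyph: %d, overstated glyph: %d\n", rc, render_sample(0, 1, out));
    return 0;
}
```

The first check is the one an ASan report like the above usually points at: the blitter trusts the bitmap's declared dimensions, so the fix belongs either where the bitmap is produced (never hand out w/h that exceed the buffer) or at the blitter's entry, as here. The second check is what prevents the clip arithmetic from producing a negative or too-large row/column even when the geometry is honest; a canvas placement far outside the page must degenerate to an empty loop rather than a partial one.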