Stack overflow in GooString.h:241
Hi there.
There is a stack overflow that ASAN reports at GooString.h:241; the call stack below shows it is reached through deeply nested recursive calls to PostScriptFunction::parseCode (Function.cc:1257 and 1263), so the stack appears to be exhausted while parsing the PostScript function in the POC file rather than by a defect in GooString itself. It causes a segmentation fault and may lead to denial of service. Reproduced at commit d5d23b3b (version 23.03.0).
To reproduce, run the following command against the POC input file:
./pdftoppm -mono -cropbox POC
Here is my environment:
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=20.04
DISTRIB_CODENAME=focal
DISTRIB_DESCRIPTION="Ubuntu 20.04.5 LTS"
Here is the call stack reported by ASAN:
=================================================================
==1913191==ERROR: AddressSanitizer: stack-overflow on address 0x7ffc16ae7fd8 (pc 0x00000049edb6 bp 0x7ffc16ae8860 sp 0x7ffc16ae7fe0 T0)
#0 0x49edb6 in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long) /dependence/llvm11/llvm-11.0.0.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:841:7
#1 0x49f6c8 in memcmp /dependence/llvm11/llvm-11.0.0.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:873:33
#2 0x7f90cfd6b6bd in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::compare(char const*) const (/lib/x86_64-linux-gnu/libstdc++.so.6+0x1456bd)
#3 0x7f90d0277b69 in GooString::cmp(char const*) const /benchmark/poppler/goo/GooString.h:241:44
#4 0x7f90d0277b69 in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1253:25
#5 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#6 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#7 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#8 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#9 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#10 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#11 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#12 0x7f90d027881d in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1263:22
#13 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#14 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#15 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#16 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#17 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#18 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#19 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#20 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#21 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#22 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#23 0x7f90d027881d in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1263:22
#24 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#25 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#26 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#27 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#28 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#29 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#30 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#31 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#32 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#33 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#34 0x7f90d027881d in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1263:22
#35 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#36 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#37 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#38 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#52 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#53 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#54 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#55 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#56 0x7f90d027881d in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1263:22
#57 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#58 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#59 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#76 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#77 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#78 0x7f90d027881d in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1263:22
#79 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#80 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#81 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#82 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#83 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#84 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#85 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#86 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#87 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#88 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#89 0x7f90d027881d in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1263:22
#90 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#91 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#92 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#106 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#107 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#108 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#109 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#110 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#111 0x7f90d027881d in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1263:22
#112 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#113 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#114 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#115 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#116 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#117 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#118 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#119 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#120 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#121 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#122 0x7f90d027881d in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1263:22
#123 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#124 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#125 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#126 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#127 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#128 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#129 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#130 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#131 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#132 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#133 0x7f90d027881d in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1263:22
#134 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#173 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#174 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#175 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#176 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#177 0x7f90d027881d in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1263:22
#178 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#179 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#180 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#181 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#182 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#183 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#184 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#185 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#186 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#187 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#188 0x7f90d027881d in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1263:22
#189 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#190 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#191 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#192 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#193 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#194 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#195 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#196 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#197 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#198 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#199 0x7f90d027881d in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1263:22
#200 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#201 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#202 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#214 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#215 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#216 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#217 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#218 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#219 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#220 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#221 0x7f90d027881d in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1263:22
#222 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#223 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#244 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#245 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#246 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#247 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#248 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
#249 0x7f90d027815f in PostScriptFunction::parseCode(Stream*, int*) /benchmark/poppler/poppler/Function.cc:1257:18
SUMMARY: AddressSanitizer: stack-overflow /dependence/llvm11/llvm-11.0.0.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:841:7 in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long)
==1913191==ABORTING
Aborted