Heap use after free in ArthurType3Font::getGlyph
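Reproduced when rendering https://bugs.freedesktop.org/attachment.cgi?id=137757 with the Qt5 Arthur backend (test-render-to-file-qt5 from the build-asan-ubsan tree).
Per the trace below, the read in ArthurType3Font::getGlyph lands inside a block freed from Gfx8BitFont::~Gfx8BitFont, reached when Gfx::popResources destroyed the form XObject's GfxResources at the end of Gfx::drawForm. This suggests the Arthur Type 3 font object keeps a font pointer that outlives the resources (and the GfxFont reference count) owning it.
AddressSanitizer output: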
==13443==ERROR: AddressSanitizer: heap-use-after-free on address 0x62100004d978 at pc 0x7f0719edff99 bp 0x7ffe12602e70 sp 0x7ffe12602e68
READ of size 8 at 0x62100004d978 thread T0
#0 0x7f0719edff98 in ArthurType3Font::getGlyph(int) const /home/tsdgeos/devel/poppler/qt5/src/ArthurOutputDev.cc:117:22
#1 0x7f0719ef378d in ArthurOutputDev::drawChar(GfxState*, double, double, double, double, double, double, unsigned int, int, unsigned int*, int) /home/tsdgeos/devel/poppler/qt5/src/ArthurOutputDev.cc:925:68
#2 0x7f071860af78 in Gfx::doShowText(GooString const*) /home/tsdgeos/devel/poppler/poppler/Gfx.cc:4041:14
#3 0x7f07185b7f12 in Gfx::opShowText(Object*, int) /home/tsdgeos/devel/poppler/poppler/Gfx.cc:3771:3
#4 0x7f07185cede8 in Gfx::execOp(Object*, Object*, int) /home/tsdgeos/devel/poppler/poppler/Gfx.cc:876:3
#5 0x7f07185cdb15 in Gfx::go(bool) /home/tsdgeos/devel/poppler/poppler/Gfx.cc:752:7
#6 0x7f07185cd289 in Gfx::display(Object*, bool) /home/tsdgeos/devel/poppler/poppler/Gfx.cc:714:3
#7 0x7f07187fd12a in Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /home/tsdgeos/devel/poppler/poppler/Page.cc:548:10
#8 0x7f07188105a5 in PDFDoc::displayPageSlice(OutputDev*, int, double, double, int, bool, bool, bool, int, int, int, int, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /home/tsdgeos/devel/poppler/poppler/PDFDoc.cc:664:20
#9 0x7f0719eab03b in Poppler::renderToArthur(Poppler::QImageDumpingArthurOutputDev*, QPainter*, Poppler::PageData*, double, double, int, int, int, int, Poppler::Page::Rotation, QFlags<Poppler::Page::PainterFlag>) /home/tsdgeos/devel/poppler/qt5/src/poppler-page.cc:491:25
#10 0x7f0719ea98c6 in Poppler::Page::renderToImage(double, double, int, int, int, int, Poppler::Page::Rotation, void (*)(QImage const&, QVariant const&), bool (*)(QVariant const&), bool (*)(QVariant const&), QVariant const&) const /home/tsdgeos/devel/poppler/qt5/src/poppler-page.cc:622:7
#11 0x7f0719ea8351 in Poppler::Page::renderToImage(double, double, int, int, int, int, Poppler::Page::Rotation, void (*)(QImage const&, QVariant const&), bool (*)(QVariant const&), QVariant const&) const /home/tsdgeos/devel/poppler/qt5/src/poppler-page.cc:519:10
#12 0x7f0719ea81c7 in Poppler::Page::renderToImage(double, double, int, int, int, int, Poppler::Page::Rotation) const /home/tsdgeos/devel/poppler/qt5/src/poppler-page.cc:514:10
0x62100004d978 is located 120 bytes inside of 4600-byte region [0x62100004d900,0x62100004eaf8)
freed by thread T0 here:
#0 0x560fcb6a3731 in operator delete(void*) (/home/tsdgeos/devel/poppler/build-asan-ubsan/qt5/tests/test-render-to-file-qt5+0x133731)
#1 0x7f0718648d37 in Gfx8BitFont::~Gfx8BitFont() /home/tsdgeos/devel/poppler/poppler/GfxFont.cc:1407:29
#2 0x7f0718635580 in GfxFont::decRefCnt() /home/tsdgeos/devel/poppler/poppler/GfxFont.cc:272:5
#3 0x7f071865b652 in GfxFontDict::~GfxFontDict() /home/tsdgeos/devel/poppler/poppler/GfxFont.cc:2429:17
#4 0x7f07185c791e in GfxResources::~GfxResources() /home/tsdgeos/devel/poppler/poppler/Gfx.cc:372:3
#5 0x7f07185ccebb in Gfx::popResources() /home/tsdgeos/devel/poppler/poppler/Gfx.cc:5388:3
#6 0x7f07185d1b5d in Gfx::drawForm(Object*, Dict*, double const*, double const*, bool, bool, GfxColorSpace*, bool, bool, bool, Function*, GfxColor*) /home/tsdgeos/devel/poppler/poppler/Gfx.cc:4870:3
#7 0x7f071861702a in Gfx::doForm(Object*) /home/tsdgeos/devel/poppler/poppler/Gfx.cc:4764:3
#8 0x7f07185b07d7 in Gfx::opXObject(Object*, int) /home/tsdgeos/devel/poppler/poppler/Gfx.cc:4181:2
#9 0x7f07185cede8 in Gfx::execOp(Object*, Object*, int) /home/tsdgeos/devel/poppler/poppler/Gfx.cc:876:3
#10 0x7f07185cdb15 in Gfx::go(bool) /home/tsdgeos/devel/poppler/poppler/Gfx.cc:752:7
#11 0x7f07185cd289 in Gfx::display(Object*, bool) /home/tsdgeos/devel/poppler/poppler/Gfx.cc:714:3
#12 0x7f07187fd12a in Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /home/tsdgeos/devel/poppler/poppler/Page.cc:548:10
#13 0x7f07188105a5 in PDFDoc::displayPageSlice(OutputDev*, int, double, double, int, bool, bool, bool, int, int, int, int, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /home/tsdgeos/devel/poppler/poppler/PDFDoc.cc:664:20
#14 0x7f0719eab03b in Poppler::renderToArthur(Poppler::QImageDumpingArthurOutputDev*, QPainter*, Poppler::PageData*, double, double, int, int, int, int, Poppler::Page::Rotation, QFlags<Poppler::Page::PainterFlag>) /home/tsdgeos/devel/poppler/qt5/src/poppler-page.cc:491:25
#15 0x7f0719ea98c6 in Poppler::Page::renderToImage(double, double, int, int, int, int, Poppler::Page::Rotation, void (*)(QImage const&, QVariant const&), bool (*)(QVariant const&), bool (*)(QVariant const&), QVariant const&) const /home/tsdgeos/devel/poppler/qt5/src/poppler-page.cc:622:7
#16 0x7f0719ea8351 in Poppler::Page::renderToImage(double, double, int, int, int, int, Poppler::Page::Rotation, void (*)(QImage const&, QVariant const&), bool (*)(QVariant const&), QVariant const&) const /home/tsdgeos/devel/poppler/qt5/src/poppler-page.cc:519:10
#17 0x7f0719ea81c7 in Poppler::Page::renderToImage(double, double, int, int, int, int, Poppler::Page::Rotation) const /home/tsdgeos/devel/poppler/qt5/src/poppler-page.cc:514:10