heap buffer overflow in ArthurOutputDev::drawChar (#701) · Issues · poppler / poppler

heap buffer overflow in ArthurOutputDev::drawChar

second page of this file bug-poppler51369.pdf gives a heap buffer overflow issue on an asan build of poppler master

==8318==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200107259c at pc 0x7f01ee52866a bp 0x7ffd485f7090 sp 0x7ffd485f7088
READ of size 4 at 0x60200107259c thread T0
    #0 0x7f01ee528669 in ArthurOutputDev::drawChar(GfxState*, double, double, double, double, double, double, unsigned int, int, unsigned int*, int) /home/tsdgeos/devel/poppler/qt5/src/ArthurOutputDev.cc:943:42
    #1 0x7f01ecc3ef78 in Gfx::doShowText(GooString const*) /home/tsdgeos/devel/poppler/poppler/Gfx.cc:4041:14
    #2 0x7f01ecbea4df in Gfx::opShowSpaceText(Object*, int) /home/tsdgeos/devel/poppler/poppler/Gfx.cc:3859:7
    #3 0x7f01ecc02de8 in Gfx::execOp(Object*, Object*, int) /home/tsdgeos/devel/poppler/poppler/Gfx.cc:876:3
    #4 0x7f01ecc01b15 in Gfx::go(bool) /home/tsdgeos/devel/poppler/poppler/Gfx.cc:752:7
    #5 0x7f01ecc01289 in Gfx::display(Object*, bool) /home/tsdgeos/devel/poppler/poppler/Gfx.cc:714:3
    #6 0x7f01ece3112a in Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /home/tsdgeos/devel/poppler/poppler/Page.cc:548:10
    #7 0x7f01ece445a5 in PDFDoc::displayPageSlice(OutputDev*, int, double, double, int, bool, bool, bool, int, int, int, int, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /home/tsdgeos/devel/poppler/poppler/PDFDoc.cc:664:20
    #8 0x7f01ee4df03b in Poppler::renderToArthur(Poppler::QImageDumpingArthurOutputDev*, QPainter*, Poppler::PageData*, double, double, int, int, int, int, Poppler::Page::Rotation, QFlags<Poppler::Page::PainterFlag>) /home/tsdgeos/devel/poppler/qt5/src/poppler-page.cc:491:25
    #9 0x7f01ee4dd8c6 in Poppler::Page::renderToImage(double, double, int, int, int, int, Poppler::Page::Rotation, void (*)(QImage const&, QVariant const&), bool (*)(QVariant const&), bool (*)(QVariant const&), QVariant const&) const /home/tsdgeos/devel/poppler/qt5/src/poppler-page.cc:622:7
    #10 0x7f01ee4dc351 in Poppler::Page::renderToImage(double, double, int, int, int, int, Poppler::Page::Rotation, void (*)(QImage const&, QVariant const&), bool (*)(QVariant const&), QVariant const&) const /home/tsdgeos/devel/poppler/qt5/src/poppler-page.cc:519:10
    #11 0x7f01ee4dc1c7 in Poppler::Page::renderToImage(double, double, int, int, int, int, Poppler::Page::Rotation) const /home/tsdgeos/devel/poppler/qt5/src/poppler-page.cc:514:10

0x60200107259c is located 5 bytes to the right of 7-byte region [0x602001072590,0x602001072597)
freed by thread T0 here:
    #0 0x55e0328c1fe1 in free (/home/tsdgeos/devel/poppler/build-asan-ubsan/qt5/tests/test-render-to-file-qt5+0xf4fe1)
    #1 0x7f01ece131eb in gfree(void*) /home/tsdgeos/devel/poppler/goo/gmem.h:61:5
    #2 0x7f01ece131eb in Object::free() /home/tsdgeos/devel/poppler/poppler/Object.cc:102
    #3 0x7f01ece38b91 in Object::~Object() /home/tsdgeos/devel/poppler/poppler/Object.h:153:15
    #4 0x7f01ece38b91 in Parser::~Parser() /home/tsdgeos/devel/poppler/poppler/Parser.cc:58
    #5 0x7f01ecf8045d in XRef::fetch(int, int, int) /home/tsdgeos/devel/poppler/poppler/XRef.cc:1133:5
    #6 0x7f01ece12fc1 in Object::fetch(XRef*, int) const /home/tsdgeos/devel/poppler/poppler/Object.cc:92:16
    #7 0x7f01ecc6f76e in GfxFont::readEmbFontFile(XRef*, int*) /home/tsdgeos/devel/poppler/poppler/GfxFont.cc:822:22
    #8 0x7f01ee51ea16 in ArthurOutputDev::updateFont(GfxState*) /home/tsdgeos/devel/poppler/qt5/src/ArthurOutputDev.cc:551:29
    #9 0x7f01ecbea116 in Gfx::opShowSpaceText(Object*, int) /home/tsdgeos/devel/poppler/poppler/Gfx.cc:3838:10
    #10 0x7f01ecc02de8 in Gfx::execOp(Object*, Object*, int) /home/tsdgeos/devel/poppler/poppler/Gfx.cc:876:3
    #11 0x7f01ecc01b15 in Gfx::go(bool) /home/tsdgeos/devel/poppler/poppler/Gfx.cc:752:7
    #12 0x7f01ecc01289 in Gfx::display(Object*, bool) /home/tsdgeos/devel/poppler/poppler/Gfx.cc:714:3
    #13 0x7f01ece3112a in Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /home/tsdgeos/devel/poppler/poppler/Page.cc:548:10
    #14 0x7f01ece445a5 in PDFDoc::displayPageSlice(OutputDev*, int, double, double, int, bool, bool, bool, int, int, int, int, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /home/tsdgeos/devel/poppler/poppler/PDFDoc.cc:664:20
    #15 0x7f01ee4df03b in Poppler::renderToArthur(Poppler::QImageDumpingArthurOutputDev*, QPainter*, Poppler::PageData*, double, double, int, int, int, int, Poppler::Page::Rotation, QFlags<Poppler::Page::PainterFlag>) /home/tsdgeos/devel/poppler/qt5/src/poppler-page.cc:491:25
    #16 0x7f01ee4dd8c6 in Poppler::Page::renderToImage(double, double, int, int, int, int, Poppler::Page::Rotation, void (*)(QImage const&, QVariant const&), bool (*)(QVariant const&), bool (*)(QVariant const&), QVariant const&) const /home/tsdgeos/devel/poppler/qt5/src/poppler-page.cc:622:7
    #17 0x7f01ee4dc351 in Poppler::Page::renderToImage(double, double, int, int, int, int, Poppler::Page::Rotation, void (*)(QImage const&, QVariant const&), bool (*)(QVariant const&), QVariant const&) const /home/tsdgeos/devel/poppler/qt5/src/poppler-page.cc:519:10
    #18 0x7f01ee4dc1c7 in Poppler::Page::renderToImage(double, double, int, int, int, int, Poppler::Page::Rotation) const /home/tsdgeos/devel/poppler/qt5/src/poppler-page.cc:514:10

previously allocated by thread T0 here:
    #0 0x55e0328c23c9 in __interceptor_malloc (/home/tsdgeos/devel/poppler/build-asan-ubsan/qt5/tests/test-render-to-file-qt5+0xf53c9)
    #1 0x7f01eca33ffc in gmalloc(unsigned long, bool) /home/tsdgeos/devel/poppler/goo/gmem.h:41:17
    #2 0x7f01eca33ffc in copyString(char const*) /home/tsdgeos/devel/poppler/goo/gmem.h:169
    #3 0x7f01ecad9b57 in Object::Object(ObjType, char const*) /home/tsdgeos/devel/poppler/poppler/Object.h:166:93
    #4 0x7f01ecdf386f in Lexer::getObj(int) /home/tsdgeos/devel/poppler/poppler/Lexer.cc
    #5 0x7f01ece3be85 in Parser::shift(char const*, int) /home/tsdgeos/devel/poppler/poppler/Parser.cc:348:19
    #6 0x7f01ece3b012 in Parser::makeStream(Object&&, unsigned char*, CryptAlgorithm, int, int, int, int, bool) /home/tsdgeos/devel/poppler/poppler/Parser.cc:264:3
    #7 0x7f01ece39b7d in Parser::getObj(bool, unsigned char*, CryptAlgorithm, int, int, int, int, bool) /home/tsdgeos/devel/poppler/poppler/Parser.cc:134:34
    #8 0x7f01ecf80447 in XRef::fetch(int, int, int) /home/tsdgeos/devel/poppler/poppler/XRef.cc:1131:26
    #9 0x7f01ece12fc1 in Object::fetch(XRef*, int) const /home/tsdgeos/devel/poppler/poppler/Object.cc:92:16
    #10 0x7f01ecc6f76e in GfxFont::readEmbFontFile(XRef*, int*) /home/tsdgeos/devel/poppler/poppler/GfxFont.cc:822:22
    #11 0x7f01ee51ea16 in ArthurOutputDev::updateFont(GfxState*) /home/tsdgeos/devel/poppler/qt5/src/ArthurOutputDev.cc:551:29
    #12 0x7f01ecbea116 in Gfx::opShowSpaceText(Object*, int) /home/tsdgeos/devel/poppler/poppler/Gfx.cc:3838:10
    #13 0x7f01ecc02de8 in Gfx::execOp(Object*, Object*, int) /home/tsdgeos/devel/poppler/poppler/Gfx.cc:876:3
    #14 0x7f01ecc01b15 in Gfx::go(bool) /home/tsdgeos/devel/poppler/poppler/Gfx.cc:752:7
    #15 0x7f01ecc01289 in Gfx::display(Object*, bool) /home/tsdgeos/devel/poppler/poppler/Gfx.cc:714:3
    #16 0x7f01ece3112a in Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /home/tsdgeos/devel/poppler/poppler/Page.cc:548:10
    #17 0x7f01ece445a5 in PDFDoc::displayPageSlice(OutputDev*, int, double, double, int, bool, bool, bool, int, int, int, int, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /home/tsdgeos/devel/poppler/poppler/PDFDoc.cc:664:20
    #18 0x7f01ee4df03b in Poppler::renderToArthur(Poppler::QImageDumpingArthurOutputDev*, QPainter*, Poppler::PageData*, double, double, int, int, int, int, Poppler::Page::Rotation, QFlags<Poppler::Page::PainterFlag>) /home/tsdgeos/devel/poppler/qt5/src/poppler-page.cc:491:25
    #19 0x7f01ee4dd8c6 in Poppler::Page::renderToImage(double, double, int, int, int, int, Poppler::Page::Rotation, void (*)(QImage const&, QVariant const&), bool (*)(QVariant const&), bool (*)(QVariant const&), QVariant const&) const /home/tsdgeos/devel/poppler/qt5/src/poppler-page.cc:622:7
    #20 0x7f01ee4dc351 in Poppler::Page::renderToImage(double, double, int, int, int, int, Poppler::Page::Rotation, void (*)(QImage const&, QVariant const&), bool (*)(QVariant const&), QVariant const&) const /home/tsdgeos/devel/poppler/qt5/src/poppler-page.cc:519:10
    #21 0x7f01ee4dc1c7 in Poppler::Page::renderToImage(double, double, int, int, int, int, Poppler::Page::Rotation) const /home/tsdgeos/devel/poppler/qt5/src/poppler-page.cc:514:10

second page of this file [bug-poppler51369.pdf](/uploads/b4d29179a66167674e3a901e507917f5/bug-poppler51369.pdf) gives a heap buffer overflow issue on an asan build of poppler master

```
==8318==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200107259c at pc 0x7f01ee52866a bp 0x7ffd485f7090 sp 0x7ffd485f7088
READ of size 4 at 0x60200107259c thread T0
    #0 0x7f01ee528669 in ArthurOutputDev::drawChar(GfxState*, double, double, double, double, double, double, unsigned int, int, unsigned int*, int) /home/tsdgeos/devel/poppler/qt5/src/ArthurOutputDev.cc:943:42
    #1 0x7f01ecc3ef78 in Gfx::doShowText(GooString const*) /home/tsdgeos/devel/poppler/poppler/Gfx.cc:4041:14
    #2 0x7f01ecbea4df in Gfx::opShowSpaceText(Object*, int) /home/tsdgeos/devel/poppler/poppler/Gfx.cc:3859:7
    #3 0x7f01ecc02de8 in Gfx::execOp(Object*, Object*, int) /home/tsdgeos/devel/poppler/poppler/Gfx.cc:876:3
    #4 0x7f01ecc01b15 in Gfx::go(bool) /home/tsdgeos/devel/poppler/poppler/Gfx.cc:752:7
    #5 0x7f01ecc01289 in Gfx::display(Object*, bool) /home/tsdgeos/devel/poppler/poppler/Gfx.cc:714:3
    #6 0x7f01ece3112a in Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /home/tsdgeos/devel/poppler/poppler/Page.cc:548:10
    #7 0x7f01ece445a5 in PDFDoc::displayPageSlice(OutputDev*, int, double, double, int, bool, bool, bool, int, int, int, int, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /home/tsdgeos/devel/poppler/poppler/PDFDoc.cc:664:20
    #8 0x7f01ee4df03b in Poppler::renderToArthur(Poppler::QImageDumpingArthurOutputDev*, QPainter*, Poppler::PageData*, double, double, int, int, int, int, Poppler::Page::Rotation, QFlags<Poppler::Page::PainterFlag>) /home/tsdgeos/devel/poppler/qt5/src/poppler-page.cc:491:25
    #9 0x7f01ee4dd8c6 in Poppler::Page::renderToImage(double, double, int, int, int, int, Poppler::Page::Rotation, void (*)(QImage const&, QVariant const&), bool (*)(QVariant const&), bool (*)(QVariant const&), QVariant const&) const /home/tsdgeos/devel/poppler/qt5/src/poppler-page.cc:622:7
    #10 0x7f01ee4dc351 in Poppler::Page::renderToImage(double, double, int, int, int, int, Poppler::Page::Rotation, void (*)(QImage const&, QVariant const&), bool (*)(QVariant const&), QVariant const&) const /home/tsdgeos/devel/poppler/qt5/src/poppler-page.cc:519:10
    #11 0x7f01ee4dc1c7 in Poppler::Page::renderToImage(double, double, int, int, int, int, Poppler::Page::Rotation) const /home/tsdgeos/devel/poppler/qt5/src/poppler-page.cc:514:10

0x60200107259c is located 5 bytes to the right of 7-byte region [0x602001072590,0x602001072597)
freed by thread T0 here:
    #0 0x55e0328c1fe1 in free (/home/tsdgeos/devel/poppler/build-asan-ubsan/qt5/tests/test-render-to-file-qt5+0xf4fe1)
    #1 0x7f01ece131eb in gfree(void*) /home/tsdgeos/devel/poppler/goo/gmem.h:61:5
    #2 0x7f01ece131eb in Object::free() /home/tsdgeos/devel/poppler/poppler/Object.cc:102
    #3 0x7f01ece38b91 in Object::~Object() /home/tsdgeos/devel/poppler/poppler/Object.h:153:15
    #4 0x7f01ece38b91 in Parser::~Parser() /home/tsdgeos/devel/poppler/poppler/Parser.cc:58
    #5 0x7f01ecf8045d in XRef::fetch(int, int, int) /home/tsdgeos/devel/poppler/poppler/XRef.cc:1133:5
    #6 0x7f01ece12fc1 in Object::fetch(XRef*, int) const /home/tsdgeos/devel/poppler/poppler/Object.cc:92:16
    #7 0x7f01ecc6f76e in GfxFont::readEmbFontFile(XRef*, int*) /home/tsdgeos/devel/poppler/poppler/GfxFont.cc:822:22
    #8 0x7f01ee51ea16 in ArthurOutputDev::updateFont(GfxState*) /home/tsdgeos/devel/poppler/qt5/src/ArthurOutputDev.cc:551:29
    #9 0x7f01ecbea116 in Gfx::opShowSpaceText(Object*, int) /home/tsdgeos/devel/poppler/poppler/Gfx.cc:3838:10
    #10 0x7f01ecc02de8 in Gfx::execOp(Object*, Object*, int) /home/tsdgeos/devel/poppler/poppler/Gfx.cc:876:3
    #11 0x7f01ecc01b15 in Gfx::go(bool) /home/tsdgeos/devel/poppler/poppler/Gfx.cc:752:7
    #12 0x7f01ecc01289 in Gfx::display(Object*, bool) /home/tsdgeos/devel/poppler/poppler/Gfx.cc:714:3
    #13 0x7f01ece3112a in Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /home/tsdgeos/devel/poppler/poppler/Page.cc:548:10
    #14 0x7f01ece445a5 in PDFDoc::displayPageSlice(OutputDev*, int, double, double, int, bool, bool, bool, int, int, int, int, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /home/tsdgeos/devel/poppler/poppler/PDFDoc.cc:664:20
    #15 0x7f01ee4df03b in Poppler::renderToArthur(Poppler::QImageDumpingArthurOutputDev*, QPainter*, Poppler::PageData*, double, double, int, int, int, int, Poppler::Page::Rotation, QFlags<Poppler::Page::PainterFlag>) /home/tsdgeos/devel/poppler/qt5/src/poppler-page.cc:491:25
    #16 0x7f01ee4dd8c6 in Poppler::Page::renderToImage(double, double, int, int, int, int, Poppler::Page::Rotation, void (*)(QImage const&, QVariant const&), bool (*)(QVariant const&), bool (*)(QVariant const&), QVariant const&) const /home/tsdgeos/devel/poppler/qt5/src/poppler-page.cc:622:7
    #17 0x7f01ee4dc351 in Poppler::Page::renderToImage(double, double, int, int, int, int, Poppler::Page::Rotation, void (*)(QImage const&, QVariant const&), bool (*)(QVariant const&), QVariant const&) const /home/tsdgeos/devel/poppler/qt5/src/poppler-page.cc:519:10
    #18 0x7f01ee4dc1c7 in Poppler::Page::renderToImage(double, double, int, int, int, int, Poppler::Page::Rotation) const /home/tsdgeos/devel/poppler/qt5/src/poppler-page.cc:514:10

previously allocated by thread T0 here:
    #0 0x55e0328c23c9 in __interceptor_malloc (/home/tsdgeos/devel/poppler/build-asan-ubsan/qt5/tests/test-render-to-file-qt5+0xf53c9)
    #1 0x7f01eca33ffc in gmalloc(unsigned long, bool) /home/tsdgeos/devel/poppler/goo/gmem.h:41:17
    #2 0x7f01eca33ffc in copyString(char const*) /home/tsdgeos/devel/poppler/goo/gmem.h:169
    #3 0x7f01ecad9b57 in Object::Object(ObjType, char const*) /home/tsdgeos/devel/poppler/poppler/Object.h:166:93
    #4 0x7f01ecdf386f in Lexer::getObj(int) /home/tsdgeos/devel/poppler/poppler/Lexer.cc
    #5 0x7f01ece3be85 in Parser::shift(char const*, int) /home/tsdgeos/devel/poppler/poppler/Parser.cc:348:19
    #6 0x7f01ece3b012 in Parser::makeStream(Object&&, unsigned char*, CryptAlgorithm, int, int, int, int, bool) /home/tsdgeos/devel/poppler/poppler/Parser.cc:264:3
    #7 0x7f01ece39b7d in Parser::getObj(bool, unsigned char*, CryptAlgorithm, int, int, int, int, bool) /home/tsdgeos/devel/poppler/poppler/Parser.cc:134:34
    #8 0x7f01ecf80447 in XRef::fetch(int, int, int) /home/tsdgeos/devel/poppler/poppler/XRef.cc:1131:26
    #9 0x7f01ece12fc1 in Object::fetch(XRef*, int) const /home/tsdgeos/devel/poppler/poppler/Object.cc:92:16
    #10 0x7f01ecc6f76e in GfxFont::readEmbFontFile(XRef*, int*) /home/tsdgeos/devel/poppler/poppler/GfxFont.cc:822:22
    #11 0x7f01ee51ea16 in ArthurOutputDev::updateFont(GfxState*) /home/tsdgeos/devel/poppler/qt5/src/ArthurOutputDev.cc:551:29
    #12 0x7f01ecbea116 in Gfx::opShowSpaceText(Object*, int) /home/tsdgeos/devel/poppler/poppler/Gfx.cc:3838:10
    #13 0x7f01ecc02de8 in Gfx::execOp(Object*, Object*, int) /home/tsdgeos/devel/poppler/poppler/Gfx.cc:876:3
    #14 0x7f01ecc01b15 in Gfx::go(bool) /home/tsdgeos/devel/poppler/poppler/Gfx.cc:752:7
    #15 0x7f01ecc01289 in Gfx::display(Object*, bool) /home/tsdgeos/devel/poppler/poppler/Gfx.cc:714:3
    #16 0x7f01ece3112a in Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /home/tsdgeos/devel/poppler/poppler/Page.cc:548:10
    #17 0x7f01ece445a5 in PDFDoc::displayPageSlice(OutputDev*, int, double, double, int, bool, bool, bool, int, int, int, int, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /home/tsdgeos/devel/poppler/poppler/PDFDoc.cc:664:20
    #18 0x7f01ee4df03b in Poppler::renderToArthur(Poppler::QImageDumpingArthurOutputDev*, QPainter*, Poppler::PageData*, double, double, int, int, int, int, Poppler::Page::Rotation, QFlags<Poppler::Page::PainterFlag>) /home/tsdgeos/devel/poppler/qt5/src/poppler-page.cc:491:25
    #19 0x7f01ee4dd8c6 in Poppler::Page::renderToImage(double, double, int, int, int, int, Poppler::Page::Rotation, void (*)(QImage const&, QVariant const&), bool (*)(QVariant const&), bool (*)(QVariant const&), QVariant const&) const /home/tsdgeos/devel/poppler/qt5/src/poppler-page.cc:622:7
    #20 0x7f01ee4dc351 in Poppler::Page::renderToImage(double, double, int, int, int, int, Poppler::Page::Rotation, void (*)(QImage const&, QVariant const&), bool (*)(QVariant const&), QVariant const&) const /home/tsdgeos/devel/poppler/qt5/src/poppler-page.cc:519:10
    #21 0x7f01ee4dc1c7 in Poppler::Page::renderToImage(double, double, int, int, int, int, Poppler::Page::Rotation) const /home/tsdgeos/devel/poppler/qt5/src/poppler-page.cc:514:10
```

Discussion
Designs

The one place for your designs

To enable design management, you'll need to meet the requirements. If you need help, reach out to our support team for assistance.