heap overflow in downsample_row_box_filter
Hi,
I recently found a heap overflow in downsample_row_box_filter. You can find the ASAN report below:
=================================================================
==15344==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f9339a5695c at pc 0x00000045e222 bp 0x7ffc6e79cf90 sp 0x7ffc6e79cf80
READ of size 4 at 0x7f9339a5695c thread T0
#0 0x45e221 in downsample_row_box_filter /home/poppler/poppler/CairoRescaleBox.cc:125
#1 0x45ed2d in CairoRescaleBox::downScaleImage(unsigned int, unsigned int, int, int, unsigned short, unsigned short, unsigned short, unsigned short, _cairo_surface*) /home/poppler/poppler/CairoRescaleBox.cc:339
#2 0x454545 in RescaleDrawImage::getSourceImage(Stream*, int, int, int, int, bool, GfxImageColorMap*, int*) /home/poppler/poppler/CairoOutputDev.cc:3178
#3 0x454545 in CairoOutputDev::drawImage(GfxState*, Object*, Stream*, int, int, GfxImageColorMap*, bool, int*, bool) /home/poppler/poppler/CairoOutputDev.cc:3262
#4 0x7f93420e3765 in Gfx::doImage(Object*, Stream*, bool) /home/poppler/poppler/Gfx.cc:4594
#5 0x7f93420e9c80 in Gfx::opXObject(Object*, int) /home/poppler/poppler/Gfx.cc:4163
#6 0x7f93420ca6b0 in Gfx::go(bool) /home/poppler/poppler/Gfx.cc:752
#7 0x7f93420cc4f3 in Gfx::display(Object*, bool) /home/poppler/poppler/Gfx.cc:714
#8 0x7f934228e7b2 in Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /home/poppler/poppler/Page.cc:548
#9 0x40f54a in renderPage /home/poppler/utils/pdftocairo.cc:737
#10 0x40f54a in main /home/poppler/utils/pdftocairo.cc:1257
#11 0x7f934108082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#12 0x4152d8 in _start (/home/build/utils/pdftocairo+0x4152d8)
0x7f9339a5695c is located 0 bytes to the right of 95572316-byte region [0x7f9333f31800,0x7f9339a5695c)
allocated by thread T0 here:
#0 0x7f9343077602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x45e3af in gmalloc(unsigned long, bool) /home/poppler/goo/gmem.h:41
#2 0x45e3af in gmallocn(int, int, bool) /home/poppler/goo/gmem.h:115
#3 0x45e3af in CairoRescaleBox::downScaleImage(unsigned int, unsigned int, int, int, unsigned short, unsigned short, unsigned short, unsigned short, _cairo_surface*) /home/poppler/poppler/CairoRescaleBox.cc:286
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/poppler/poppler/CairoRescaleBox.cc:125 downsample_row_box_filter
Shadow bytes around the buggy address:
0x0ff2e7342cd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff2e7342ce0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff2e7342cf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff2e7342d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff2e7342d10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ff2e7342d20: 00 00 00 00 00 00 00 00 00 00 00[04]fa fa fa fa
0x0ff2e7342d30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff2e7342d40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff2e7342d50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff2e7342d60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff2e7342d70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==15344==ABORTING
Looks like something is wrong with the start_coverage array. You can find the debug output for the downsample_row_box_filter function below:
Start is 0xdb7c4010
pixel_coverage = 5752, src = 0xdb7c4010
x = 1, width = 8192 box = 16770736, pixel_coverage = 5752, start_coverage = 6480, src = 1
x = 2, width = 8192 box = 16774393, pixel_coverage = 5752, start_coverage = 2823, src = 2917
<---truncated---->
x = 8191, width = 8192 box = 16767080, pixel_coverage = 5752, start_coverage = 10136, src = 23887247
x = 8192, width = 8192 box = 16778584, pixel_coverage = 5752, start_coverage = -1368, src = 23890163
The heap overrun happens at x = 8192.
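For reference, here is an added example (not poppler's code and not part of the report above) of what a row box filter has to guarantee: every source index it reads stays below the source width, including on the last destination pixel. The debug output above shows the coverage bookkeeping reaching x == width, so this version computes each source pixel's coverage from exact integer bounds rather than from an accumulated fixed-point estimate, and refuses to read if an index ever reaches src_width. The pixel format (8-bit grey), the function names and the sample widths (an 8-to-3 row, and a 24000-to-8192 row chosen only because 8192 is the width in the report) are assumptions for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not poppler's downsample_row_box_filter.
 *
 * Units: one source pixel is dest_width units wide and one destination pixel
 * is src_width units wide, so both grids meet on exact integer boundaries and
 * no rounding error can accumulate across the row.
 *
 * Returns the number of source pixels read, or -1 if the sizes are invalid or
 * a read would land at or past src_width (the invariant the report's trace
 * shows being broken at x == width).
 */
int downsample_row_box(const uint8_t *src, int src_width,
                       uint8_t *dest, int dest_width)
{
    if (src_width <= 0 || dest_width <= 0 || dest_width > src_width)
        return -1;

    int64_t last_read = -1;

    for (int x = 0; x < dest_width; x++) {
        /* Destination pixel x spans [x * src_width, (x + 1) * src_width). */
        int64_t d0 = (int64_t)x * src_width;
        int64_t d1 = d0 + src_width;
        /* First and last source pixels overlapping that span. */
        int64_t s_first = d0 / dest_width;
        int64_t s_last  = (d1 - 1) / dest_width;
        int64_t sum = 0;

        for (int64_t s = s_first; s <= s_last; s++) {
            if (s >= src_width)      /* bounds check before every source read */
                return -1;
            int64_t p0 = s * dest_width;      /* source pixel s covers [p0, p1) */
            int64_t p1 = p0 + dest_width;
            int64_t lo = p0 > d0 ? p0 : d0;   /* overlap with the dest span  */
            int64_t hi = p1 < d1 ? p1 : d1;
            sum += (hi - lo) * src[s];
            last_read = s;
        }
        /* Every destination pixel covers exactly src_width units. */
        dest[x] = (uint8_t)((sum + src_width / 2) / src_width);
    }
    return (int)(last_read + 1);
}

/* Constructed sample (not from the report): a half-black, half-white 8-pixel
   row downsampled to 3 pixels. Returns dest[x], or -1 on failure. */
int sample_downsample_8_to_3(int x)
{
    static const uint8_t src[8] = { 0, 0, 0, 0, 255, 255, 255, 255 };
    uint8_t dest[3];
    if (x < 0 || x >= 3)
        return -1;
    if (downsample_row_box(src, 8, dest, 3) != 8)
        return -1;
    return dest[x];
}

/* Constructed stress case at the destination width seen in the report: a
   constant 24000-pixel row into 8192 pixels. Returns the number of source
   pixels read, and sets *all_equal if every output equals the input value. */
int sample_wide_row(int *all_equal)
{
    static uint8_t src[24000];
    static uint8_t dest[8192];
    memset(src, 200, sizeof src);
    int n = downsample_row_box(src, 24000, dest, 8192);
    int ok = 1;
    for (int x = 0; x < 8192; x++)
        if (dest[x] != 200)
            ok = 0;
    if (all_equal)
        *all_equal = ok;
    return n;
}

int main(void)
{
    int all_equal = 0;
    int n = sample_wide_row(&all_equal);
    printf("8->3: %d %d %d\n", sample_downsample_8_to_3(0),
           sample_downsample_8_to_3(1), sample_downsample_8_to_3(2));
    printf("24000->8192: read %d source pixels, outputs constant: %d\n",
           n, all_equal);
    return 0;
}
```

The point of the exact-bounds formulation is that s_last for the final destination pixel evaluates to (dest_width * src_width - 1) / dest_width, which is src_width - 1 for any positive sizes, so the index can never reach the end of the row; an implementation that instead carries a fixed-point start_coverage from pixel to pixel has no such algebraic guarantee and needs the explicit check shown before each read.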