A heap-buffer-overflow in function PSOutputDev::checkPageSlice
poppler-0.74
version
poppler-0.74 0.74description
Nonedownload link
NonePSOutputDev::checkPageSlice@PSOutputDev.cc:3468-23___heap-buffer-overflow
description
An issue was discovered in poppler-0.74 0.74, There is a/an heap-buffer-overflow in function PSOutputDev::checkPageSlice at PSOutputDev.cc:3468-23commandline
pdftops -level1sep @@ /dev/nullsource
3464 }
3465 } else {
3466 // Gray color image
3467 for (x = 0; x < w; ++x) {
>3468 col[comp] |= p[4*x + comp];
3469 digit = p[4*x + comp] / 16;
3470 hexBuf[i++] = digit + ((digit >= 10)? 'a' - 10: '0');
3471 digit = p[4*x + comp] % 16;
3472 hexBuf[i++] = digit + ((digit >= 10)? 'a' - 10: '0');
3473 if (i >= 64) {bug report
=================================================================
==31131==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fdf3a598400 at pc 0x7fdf454415e0 bp 0x7ffe233c2770 sp 0x7ffe233c2768
READ of size 1 at 0x7fdf3a598400 thread T0
#0 0x7fdf454415df in PSOutputDev::checkPageSlice(Page*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*) /src/poppler-0.74/poppler/PSOutputDev.cc:3468:23
#1 0x7fdf4527de72 in Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /src/poppler-0.74/poppler/Page.cc:527:13
#2 0x7fdf4527dd00 in Page::display(OutputDev*, double, double, int, bool, bool, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /src/poppler-0.74/poppler/Page.cc:469:3
#3 0x7fdf4529a925 in PDFDoc::displayPage(OutputDev*, int, double, double, int, bool, bool, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /src/poppler-0.74/poppler/PDFDoc.cc:633:20
#4 0x5204ac in main /src/poppler-0.74/utils/pdftops.cc:424:12
#5 0x7fdf4390182f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#6 0x41b5b8 in _start (/src/aflbuild/installed/bin/pdftops+0x41b5b8)
0x7fdf3a598400 is located 0 bytes to the right of 519168-byte region [0x7fdf3a519800,0x7fdf3a598400)
allocated by thread T0 here:
#0 0x4df7e8 in __interceptor_malloc /work/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88
#1 0x7fdf455e1963 in gmalloc(unsigned long, bool) /src/poppler-0.74/goo/gmem.h:41:17
#2 0x7fdf455e1963 in gmallocn(int, int, bool) /src/poppler-0.74/goo/gmem.h:115
#3 0x7fdf455e1963 in gmallocn_checkoverflow(int, int) /src/poppler-0.74/goo/gmem.h:119
#4 0x7fdf455e1963 in SplashBitmap::SplashBitmap(int, int, int, SplashColorMode, bool, bool, GooList*) /src/poppler-0.74/splash/SplashBitmap.cc:113
SUMMARY: AddressSanitizer: heap-buffer-overflow /src/poppler-0.74/poppler/PSOutputDev.cc:3468:23 in PSOutputDev::checkPageSlice(Page*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*)
Shadow bytes around the buggy address:
0x0ffc674ab030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ffc674ab040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ffc674ab050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ffc674ab060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ffc674ab070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ffc674ab080:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ffc674ab090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ffc674ab0a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ffc674ab0b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ffc674ab0c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ffc674ab0d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==31131==ABORTING
others
from fuzz project pwd-poppler-pdftops-06
crash name pwd-poppler-pdftops-06-00000000-20190401.pdf
Auto-generated by pyspider at 2019-04-01 15:07:53
To upload designs, you'll need to enable LFS. More information