
Fix read-heap-buffer-overflow in Splash::blitTransparent() in splashModeMono8 case

Even Rouault requested to merge rouault/poppler:fix_ossfuzz_64471 into master

Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=64471

clusterfuzz-testcase-minimized-gdal_fuzzer-6127122829410304

$ utils/pdftoppm clusterfuzz-testcase-minimized-gdal_fuzzer-6127122829410304
[...]
=================================================================
==1758602==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000024cd5 at pc 0x7fd5850e977d bp 0x7ffe0e007430 sp 0x7ffe0e007428
READ of size 1 at 0x602000024cd5 thread T0
    #0 0x7fd5850e977c in Splash::blitTransparent(SplashBitmap*, int, int, int, int, int, int) /home/even/poppler/splash/Splash.cc:5778:24
    #1 0x7fd58505e19d in SplashOutputDev::beginTransparencyGroup(GfxState*, double const*, GfxColorSpace*, bool, bool, bool) /home/even/poppler/poppler/SplashOutputDev.cc:3998:17
    #2 0x7fd5850451c3 in SplashOutputDev::setSoftMaskFromImageMask(GfxState*, Object*, Stream*, int, int, bool, bool, double*) /home/even/poppler/poppler/SplashOutputDev.cc:2692:5
    #3 0x7fd584c3f6a7 in Gfx::doPatternImageMask(Object*, Stream*, int, int, bool, bool) /home/even/poppler/poppler/Gfx.cc:1964:10
    #4 0x7fd584c5cc26 in Gfx::doImage(Object*, Stream*, bool) /home/even/poppler/poppler/Gfx.cc:4304:17
    #5 0x7fd584c1827a in Gfx::opBeginImage(Object*, int) /home/even/poppler/poppler/Gfx.cc:4900:9
    #6 0x7fd584c32abe in Gfx::execOp(Object*, Object*, int) /home/even/poppler/poppler/Gfx.cc:811:5
    #7 0x7fd584c316ef in Gfx::go(bool) /home/even/poppler/poppler/Gfx.cc:686:13
    #8 0x7fd584c30f76 in Gfx::display(Object*, bool) /home/even/poppler/poppler/Gfx.cc:647:5
    #9 0x7fd58506713d in SplashOutputDev::tilingPatternFill(GfxState*, Gfx*, Catalog*, GfxTilingPattern*, double const*, int, int, int, int, double, double) /home/even/poppler/poppler/SplashOutputDev.cc:4424:10
    #10 0x7fd584c3b41b in Gfx::doTilingPatternFill(GfxTilingPattern*, bool, bool, bool) /home/even/poppler/poppler/Gfx.cc:2176:53
    #11 0x7fd584c36188 in Gfx::doPatternFill(bool) /home/even/poppler/poppler/Gfx.cc:1895:9
    #12 0x7fd584c16d93 in Gfx::opFillStroke(Object*, int) /home/even/poppler/poppler/Gfx.cc:1794:17
    #13 0x7fd584c32abe in Gfx::execOp(Object*, Object*, int) /home/even/poppler/poppler/Gfx.cc:811:5
    #14 0x7fd584c316ef in Gfx::go(bool) /home/even/poppler/poppler/Gfx.cc:686:13
    #15 0x7fd584c30f76 in Gfx::display(Object*, bool) /home/even/poppler/poppler/Gfx.cc:647:5
    #16 0x7fd584de61b9 in Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /home/even/poppler/poppler/Page.cc:593:14
    #17 0x7fd584dfd5fc in PDFDoc::displayPageSlice(OutputDev*, int, double, double, int, bool, bool, bool, int, int, int, int, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /home/even/poppler/poppler/PDFDoc.cc:633:24
    #18 0x4cc9c6 in savePageSlice(PDFDoc*, SplashOutputDev*, int, int, int, int, int, double, double, char*) /home/even/poppler/utils/pdftoppm.cc:293:10
    #19 0x4cb932 in main /home/even/poppler/utils/pdftoppm.cc:695:9
    #20 0x7fd5841ef082 in __libc_start_main /build/glibc-wuryBv/glibc-2.31/csu/../csu/libc-start.c:308:16
    #21 0x41d61d in _start (/home/even/poppler/build/utils/pdftoppm+0x41d61d)

0x602000024cd5 is located 1 bytes to the right of 4-byte region [0x602000024cd0,0x602000024cd4)
allocated by thread T0 here:
    #0 0x495d5d in malloc (/home/even/poppler/build/utils/pdftoppm+0x495d5d)
    #1 0x7fd5849f1d54 in gmalloc(unsigned long, bool) /home/even/poppler/goo/gmem.h:44:19
    #2 0x7fd5849f0ed0 in gmallocn(int, int, bool) /home/even/poppler/goo/gmem.h:121:12
    #3 0x7fd584c1384d in gmallocn_checkoverflow(int, int) /home/even/poppler/goo/gmem.h:126:12
    #4 0x7fd5850f7ec5 in SplashBitmap::SplashBitmap(int, int, int, SplashColorMode, bool, bool, std::vector<GfxSeparationColorSpace*, std::allocator<GfxSeparationColorSpace*> > const*) /home/even/poppler/splash/SplashBitmap.cc:111:28
    #5 0x7fd585066631 in SplashOutputDev::tilingPatternFill(GfxState*, Gfx*, Catalog*, GfxTilingPattern*, double const*, int, int, int, int, double, double) /home/even/poppler/poppler/SplashOutputDev.cc:4398:18
    #6 0x7fd584c3b41b in Gfx::doTilingPatternFill(GfxTilingPattern*, bool, bool, bool) /home/even/poppler/poppler/Gfx.cc:2176:53
    #7 0x7fd584c36188 in Gfx::doPatternFill(bool) /home/even/poppler/poppler/Gfx.cc:1895:9
    #8 0x7fd584c16d93 in Gfx::opFillStroke(Object*, int) /home/even/poppler/poppler/Gfx.cc:1794:17
    #9 0x7fd584c32abe in Gfx::execOp(Object*, Object*, int) /home/even/poppler/poppler/Gfx.cc:811:5
    #10 0x7fd584c316ef in Gfx::go(bool) /home/even/poppler/poppler/Gfx.cc:686:13
    #11 0x7fd584c30f76 in Gfx::display(Object*, bool) /home/even/poppler/poppler/Gfx.cc:647:5
    #12 0x7fd584de61b9 in Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /home/even/poppler/poppler/Page.cc:593:14
    #13 0x7fd584dfd5fc in PDFDoc::displayPageSlice(OutputDev*, int, double, double, int, bool, bool, bool, int, int, int, int, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /home/even/poppler/poppler/PDFDoc.cc:633:24
    #14 0x4cc9c6 in savePageSlice(PDFDoc*, SplashOutputDev*, int, int, int, int, int, double, double, char*) /home/even/poppler/utils/pdftoppm.cc:293:10
    #15 0x4cb932 in main /home/even/poppler/utils/pdftoppm.cc:695:9
    #16 0x7fd5841ef082 in __libc_start_main /build/glibc-wuryBv/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/even/poppler/splash/Splash.cc:5778:24 in Splash::blitTransparent(SplashBitmap*, int, int, int, int, int, int)
