# poppler issues
Feed: https://gitlab.freedesktop.org/poppler/poppler/-/issues
Updated: 2023-06-07T07:50:20Z

## SEGV in cairo_type1_font_subset_for_each_glyph
https://gitlab.freedesktop.org/poppler/poppler/-/issues/1391
2023-06-07T07:50:20Z, wenpei-z

```
=================================================================
==35563==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000012b3059 bp 0x7ffc9c063bb0 sp 0x7ffc9c063aa0 T0)
==35563==The signal is caused by a READ memory access.
==35563==Hint: address points to the zero page.
#0 0x12b3059 in cairo_type1_font_subset_for_each_glyph /src/cairo/_builddir/../src/cairo-type1-subset.c:1238:40
#1 0x12b1069 in cairo_type1_font_subset_write_private_dict /src/cairo/_builddir/../src/cairo-type1-subset.c:1383:14
#2 0x12af074 in cairo_type1_font_subset_write /src/cairo/_builddir/../src/cairo-type1-subset.c:1605:14
#3 0x12ae595 in cairo_type1_font_subset_generate /src/cairo/_builddir/../src/cairo-type1-subset.c:1677:14
#4 0x12ad85b in _cairo_type1_subset_init /src/cairo/_builddir/../src/cairo-type1-subset.c:1749:14
#5 0x11ba47c in _cairo_pdf_surface_emit_type1_font_subset /src/cairo/_builddir/../src/cairo-pdf-surface.c:6132:14
#6 0x11b8a62 in _cairo_pdf_surface_emit_unscaled_font_subset /src/cairo/_builddir/../src/cairo-pdf-surface.c:6662:14
#7 0x129e2e4 in _cairo_sub_font_collect /src/cairo/_builddir/../src/cairo-scaled-font-subsets.c:742:30
#8 0x129af2a in _cairo_scaled_font_subsets_foreach_internal /src/cairo/_builddir/../src/cairo-scaled-font-subsets.c:1064:6
#9 0x129b242 in _cairo_scaled_font_subsets_foreach_unscaled /src/cairo/_builddir/../src/cairo-scaled-font-subsets.c:1092:12
#10 0x11a18a0 in _cairo_pdf_surface_emit_font_subsets /src/cairo/_builddir/../src/cairo-pdf-surface.c:6704:14
#11 0x119c065 in _cairo_pdf_surface_finish /src/cairo/_builddir/../src/cairo-pdf-surface.c:2486:11
#12 0x1169d68 in _cairo_surface_finish /src/cairo/_builddir/../src/cairo-surface.c:1030:11
#13 0x1168fb9 in cairo_surface_finish /src/cairo/_builddir/../src/cairo-surface.c:1079:5
#14 0x122e932 in _cairo_paginated_surface_finish /src/cairo/_builddir/../src/cairo-paginated-surface.c:214:2
#15 0x1169d68 in _cairo_surface_finish /src/cairo/_builddir/../src/cairo-surface.c:1030:11
#16 0x1166a45 in cairo_surface_destroy /src/cairo/_builddir/../src/cairo-surface.c:970:2
#17 0x5ec536 in LLVMFuzzerTestOneInput /src/poppler/glib/tests/fuzzing/pdf_draw_fuzzer.cc:70:5
#18 0x4f22d3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15
#19 0x4dda42 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:323:6
#20 0x4e36e6 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:856:9
#21 0x50cbf2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#22 0x7fc49da0bb26 in __libc_start_main (/lib64/libc.so.6+0x25b26)
#23 0x4b98f9 in _start (/out/pdf_draw_fuzzer+0x4b98f9)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /src/cairo/_builddir/../src/cairo-type1-subset.c:1238:40 in cairo_type1_font_subset_for_each_glyph
==35563==ABORTING
```

## Heap-buffer-overflow in cairo_cff_parse_charstring
https://gitlab.freedesktop.org/poppler/poppler/-/issues/1389
2023-06-07T07:48:31Z, wenpei-z

```
=================================================================
==35576==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x625000015a05 at pc 0x000001292fa5 bp 0x7ffd2d0d80f0 sp 0x7ffd2d0d80e8
READ of size 1 at 0x625000015a05 thread T0
#0 0x1292fa4 in cairo_cff_parse_charstring /src/cairo/_builddir/../src/cairo-cff-subset.c:1519:13
#1 0x1292500 in cairo_cff_parse_charstring /src/cairo/_builddir/../src/cairo-cff-subset.c
#2 0x1290ee2 in cairo_cff_find_width_and_subroutines_used /src/cairo/_builddir/../src/cairo-cff-subset.c:1689:14
#3 0x128ec80 in cairo_cff_font_subset_charstrings_and_subroutines /src/cairo/_builddir/../src/cairo-cff-subset.c:1806:15
#4 0x1289feb in cairo_cff_font_subset_font /src/cairo/_builddir/../src/cairo-cff-subset.c:1987:14
#5 0x128515e in cairo_cff_font_generate /src/cairo/_builddir/../src/cairo-cff-subset.c:2600:14
#6 0x128404a in _cairo_cff_subset_init /src/cairo/_builddir/../src/cairo-cff-subset.c:2977:14
#7 0x11b91dc in _cairo_pdf_surface_emit_cff_font_subset /src/cairo/_builddir/../src/cairo-pdf-surface.c:5939:14
#8 0x11b8a22 in _cairo_pdf_surface_emit_unscaled_font_subset /src/cairo/_builddir/../src/cairo-pdf-surface.c:6654:14
#9 0x129e2e4 in _cairo_sub_font_collect /src/cairo/_builddir/../src/cairo-scaled-font-subsets.c:742:30
#10 0x129af2a in _cairo_scaled_font_subsets_foreach_internal /src/cairo/_builddir/../src/cairo-scaled-font-subsets.c:1064:6
#11 0x129b242 in _cairo_scaled_font_subsets_foreach_unscaled /src/cairo/_builddir/../src/cairo-scaled-font-subsets.c:1092:12
#12 0x11a18a0 in _cairo_pdf_surface_emit_font_subsets /src/cairo/_builddir/../src/cairo-pdf-surface.c:6704:14
#13 0x119c065 in _cairo_pdf_surface_finish /src/cairo/_builddir/../src/cairo-pdf-surface.c:2486:11
#14 0x1169d68 in _cairo_surface_finish /src/cairo/_builddir/../src/cairo-surface.c:1030:11
#15 0x1168fb9 in cairo_surface_finish /src/cairo/_builddir/../src/cairo-surface.c:1079:5
#16 0x122e932 in _cairo_paginated_surface_finish /src/cairo/_builddir/../src/cairo-paginated-surface.c:214:2
#17 0x1169d68 in _cairo_surface_finish /src/cairo/_builddir/../src/cairo-surface.c:1030:11
#18 0x1166a45 in cairo_surface_destroy /src/cairo/_builddir/../src/cairo-surface.c:970:2
#19 0x5ec536 in LLVMFuzzerTestOneInput /src/poppler/glib/tests/fuzzing/pdf_draw_fuzzer.cc:70:5
#20 0x4f22d3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15
#21 0x4dda42 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:323:6
#22 0x4e36e6 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:856:9
#23 0x50cbf2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#24 0x7f57ed443b26 in __libc_start_main (/lib64/libc.so.6+0x25b26)
#25 0x4b98f9 in _start (/out/pdf_draw_fuzzer+0x4b98f9)
Address 0x625000015a05 is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow /src/cairo/_builddir/../src/cairo-cff-subset.c:1519:13 in cairo_cff_parse_charstring
Shadow bytes around the buggy address:
0x0c4a7fffaaf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fffab00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fffab10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fffab20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fffab30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c4a7fffab40:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fffab50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fffab60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fffab70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fffab80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fffab90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==35576==ABORTING
```

## Heap-buffer-overflow in get_unaligned_be32
https://gitlab.freedesktop.org/poppler/poppler/-/issues/1388
2023-06-07T07:47:29Z, wenpei-z

```
=================================================================
==35579==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000009db2 at pc 0x00000121045c bp 0x7ffd92634240 sp 0x7ffd92634238
READ of size 1 at 0x604000009db2 thread T0
#0 0x121045b in get_unaligned_be32 /src/cairo/_builddir/../src/cairoint.h:257:48
#1 0x120ffe8 in _jpx_next_box /src/cairo/_builddir/../src/cairo-image-info.c:167:16
#2 0x1210056 in _jpx_find_box /src/cairo/_builddir/../src/cairo-image-info.c:196:6
#3 0x120fe9a in _cairo_image_info_get_jpx_info /src/cairo/_builddir/../src/cairo-image-info.c:233:9
#4 0x11b342a in _cairo_pdf_surface_emit_jpx_image /src/cairo/_builddir/../src/cairo-pdf-surface.c:3329:14
#5 0x11a3dc2 in _cairo_pdf_surface_emit_surface /src/cairo/_builddir/../src/cairo-pdf-surface.c:3753:11
#6 0x11a9665 in _cairo_pdf_surface_add_source_surface /src/cairo/_builddir/../src/cairo-pdf-surface.c:1735:14
#7 0x11a7551 in _cairo_pdf_surface_paint_surface_pattern /src/cairo/_builddir/../src/cairo-pdf-surface.c:5023:11
#8 0x11a6c18 in _cairo_pdf_surface_paint_pattern /src/cairo/_builddir/../src/cairo-pdf-surface.c:5166:9
#9 0x119cfcc in _cairo_pdf_surface_paint /src/cairo/_builddir/../src/cairo-pdf-surface.c:7988:11
#10 0x116876c in _cairo_surface_paint /src/cairo/_builddir/../src/cairo-surface.c:2199:14
#11 0x1162ad7 in _cairo_surface_wrapper_paint /src/cairo/_builddir/../src/cairo-surface-wrapper.c:162:14
#12 0x1142fde in _cairo_recording_surface_replay_internal /src/cairo/_builddir/../src/cairo-recording-surface.c:1862:15
#13 0x1144cf0 in _cairo_recording_surface_replay_region /src/cairo/_builddir/../src/cairo-recording-surface.c:2235:12
#14 0x123021c in _paint_page /src/cairo/_builddir/../src/cairo-paginated-surface.c:469:11
#15 0x122f1be in _cairo_paginated_surface_show_page /src/cairo/_builddir/../src/cairo-paginated-surface.c:583:14
#16 0x116e2df in cairo_surface_show_page /src/cairo/_builddir/../src/cairo-surface.c:2506:40
#17 0x5ec4f0 in LLVMFuzzerTestOneInput /src/poppler/glib/tests/fuzzing/pdf_draw_fuzzer.cc:66:9
#18 0x4f22d3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15
#19 0x4dda42 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:323:6
#20 0x4e36e6 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:856:9
#21 0x50cbf2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#22 0x7f1cf2b3eb26 in __libc_start_main (/lib64/libc.so.6+0x25b26)
#23 0x4b98f9 in _start (/out/pdf_draw_fuzzer+0x4b98f9)
0x604000009db2 is located 0 bytes to the right of 34-byte region [0x604000009d90,0x604000009db2)
allocated by thread T0 here:
#0 0x5b8ffd in malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
#1 0x6415cb in gmalloc(unsigned long, bool) /src/poppler/goo/gmem.h:44:19
#2 0x64c03a in CairoOutputDev::getStreamData(Stream*, char**, int*) /src/poppler/poppler/CairoOutputDev.cc:2978:25
#3 0x64bda2 in CairoOutputDev::setMimeData(GfxState*, Stream*, Object*, GfxImageColorMap*, _cairo_surface*, int) /src/poppler/poppler/CairoOutputDev.cc:3180:13
#4 0x64cef1 in CairoOutputDev::drawImage(GfxState*, Object*, Stream*, int, int, GfxImageColorMap*, bool, int const*, bool) /src/poppler/poppler/CairoOutputDev.cc:3400:13
#5 0x7aa235 in Gfx::doImage(Object*, Stream*, bool) /src/poppler/poppler/Gfx.cc:4589:22
#6 0x77f5f3 in Gfx::opXObject(Object*, int) /src/poppler/poppler/Gfx.cc:4118:13
#7 0x79067d in Gfx::execOp(Object*, Object*, int) /src/poppler/poppler/Gfx.cc:809:5
#8 0x78f93c in Gfx::go(bool) /src/poppler/poppler/Gfx.cc:684:13
#9 0x78f304 in Gfx::display(Object*, bool) /src/poppler/poppler/Gfx.cc:645:5
#10 0x87607b in Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /src/poppler/poppler/Page.cc:584:14
#11 0x60c88e in _poppler_page_render(_PopplerPage*, _cairo*, bool, PopplerPrintFlags) /src/poppler/glib/poppler-page.cc:331:17
#12 0x60cb0b in poppler_page_render_for_printing /src/poppler/glib/poppler-page.cc:420:5
#13 0x5ec4e7 in LLVMFuzzerTestOneInput /src/poppler/glib/tests/fuzzing/pdf_draw_fuzzer.cc:65:9
#14 0x4f22d3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15
#15 0x4dda42 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:323:6
#16 0x4e36e6 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:856:9
#17 0x50cbf2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#18 0x7f1cf2b3eb26 in __libc_start_main (/lib64/libc.so.6+0x25b26)
SUMMARY: AddressSanitizer: heap-buffer-overflow /src/cairo/_builddir/../src/cairoint.h:257:48 in get_unaligned_be32
Shadow bytes around the buggy address:
0x0c087fff9360: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
0x0c087fff9370: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
0x0c087fff9380: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
0x0c087fff9390: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
0x0c087fff93a0: fa fa 00 00 00 00 00 fa fa fa fd fd fd fd fd fd
=>0x0c087fff93b0: fa fa 00 00 00 00[02]fa fa fa 00 00 00 00 02 fa
0x0c087fff93c0: fa fa 00 00 00 00 00 fa fa fa fd fd fd fd fd fd
0x0c087fff93d0: fa fa 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
0x0c087fff93e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff93f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff9400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==35579==ABORTING
```

## Heap-buffer-overflow in get_unaligned_be32
https://gitlab.freedesktop.org/poppler/poppler/-/issues/1387
2023-06-07T07:46:33Z, wenpei-z

```
=================================================================
==35582==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x612000001c52 at pc 0x00000121046a bp 0x7ffc18063fa0 sp 0x7ffc18063f98
READ of size 1 at 0x612000001c52 thread T0
#0 0x1210469 in get_unaligned_be32 /src/cairo/_builddir/../src/cairoint.h:257:60
#1 0x121082a in _jbig2_get_next_segment /src/cairo/_builddir/../src/cairo-image-info.c:351:13
#2 0x12105e6 in _cairo_image_info_get_jbig2_info /src/cairo/_builddir/../src/cairo-image-info.c:412:6
#3 0x11b2ad3 in _cairo_pdf_surface_emit_jbig2_image /src/cairo/_builddir/../src/cairo-pdf-surface.c:3219:14
#4 0x11a3d72 in _cairo_pdf_surface_emit_surface /src/cairo/_builddir/../src/cairo-pdf-surface.c:3744:11
#5 0x11a9665 in _cairo_pdf_surface_add_source_surface /src/cairo/_builddir/../src/cairo-pdf-surface.c:1735:14
#6 0x11a7551 in _cairo_pdf_surface_paint_surface_pattern /src/cairo/_builddir/../src/cairo-pdf-surface.c:5023:11
#7 0x11a6c18 in _cairo_pdf_surface_paint_pattern /src/cairo/_builddir/../src/cairo-pdf-surface.c:5166:9
#8 0x119cfcc in _cairo_pdf_surface_paint /src/cairo/_builddir/../src/cairo-pdf-surface.c:7988:11
#9 0x116876c in _cairo_surface_paint /src/cairo/_builddir/../src/cairo-surface.c:2199:14
#10 0x1162ad7 in _cairo_surface_wrapper_paint /src/cairo/_builddir/../src/cairo-surface-wrapper.c:162:14
#11 0x1142fde in _cairo_recording_surface_replay_internal /src/cairo/_builddir/../src/cairo-recording-surface.c:1862:15
#12 0x1144cf0 in _cairo_recording_surface_replay_region /src/cairo/_builddir/../src/cairo-recording-surface.c:2235:12
#13 0x123021c in _paint_page /src/cairo/_builddir/../src/cairo-paginated-surface.c:469:11
#14 0x122f1be in _cairo_paginated_surface_show_page /src/cairo/_builddir/../src/cairo-paginated-surface.c:583:14
#15 0x116e2df in cairo_surface_show_page /src/cairo/_builddir/../src/cairo-surface.c:2506:40
#16 0x5ec4f0 in LLVMFuzzerTestOneInput /src/poppler/glib/tests/fuzzing/pdf_draw_fuzzer.cc:66:9
#17 0x4f22d3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15
#18 0x4dda42 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:323:6
#19 0x4e36e6 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:856:9
#20 0x50cbf2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#21 0x7f520c9b5b26 in __libc_start_main (/lib64/libc.so.6+0x25b26)
#22 0x4b98f9 in _start (/out/pdf_draw_fuzzer+0x4b98f9)
0x612000001c52 is located 0 bytes to the right of 274-byte region [0x612000001b40,0x612000001c52)
allocated by thread T0 here:
#0 0x5b8ffd in malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
#1 0x6415cb in gmalloc(unsigned long, bool) /src/poppler/goo/gmem.h:44:19
#2 0x64c03a in CairoOutputDev::getStreamData(Stream*, char**, int*) /src/poppler/poppler/CairoOutputDev.cc:2978:25
#3 0x64bda2 in CairoOutputDev::setMimeData(GfxState*, Stream*, Object*, GfxImageColorMap*, _cairo_surface*, int) /src/poppler/poppler/CairoOutputDev.cc:3180:13
#4 0x64cef1 in CairoOutputDev::drawImage(GfxState*, Object*, Stream*, int, int, GfxImageColorMap*, bool, int const*, bool) /src/poppler/poppler/CairoOutputDev.cc:3400:13
#5 0x7aa235 in Gfx::doImage(Object*, Stream*, bool) /src/poppler/poppler/Gfx.cc:4589:22
#6 0x77f5f3 in Gfx::opXObject(Object*, int) /src/poppler/poppler/Gfx.cc:4118:13
#7 0x79067d in Gfx::execOp(Object*, Object*, int) /src/poppler/poppler/Gfx.cc:809:5
#8 0x78f93c in Gfx::go(bool) /src/poppler/poppler/Gfx.cc:684:13
#9 0x78f304 in Gfx::display(Object*, bool) /src/poppler/poppler/Gfx.cc:645:5
#10 0x87607b in Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /src/poppler/poppler/Page.cc:584:14
#11 0x60c88e in _poppler_page_render(_PopplerPage*, _cairo*, bool, PopplerPrintFlags) /src/poppler/glib/poppler-page.cc:331:17
#12 0x60cb0b in poppler_page_render_for_printing /src/poppler/glib/poppler-page.cc:420:5
#13 0x5ec4e7 in LLVMFuzzerTestOneInput /src/poppler/glib/tests/fuzzing/pdf_draw_fuzzer.cc:65:9
#14 0x4f22d3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15
#15 0x4dda42 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:323:6
#16 0x4e36e6 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:856:9
#17 0x50cbf2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#18 0x7f520c9b5b26 in __libc_start_main (/lib64/libc.so.6+0x25b26)
SUMMARY: AddressSanitizer: heap-buffer-overflow /src/cairo/_builddir/../src/cairoint.h:257:60 in get_unaligned_be32
Shadow bytes around the buggy address:
0x0c247fff8330: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c247fff8340: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c247fff8350: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa
0x0c247fff8360: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c247fff8370: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c247fff8380: 00 00 00 00 00 00 00 00 00 00[02]fa fa fa fa fa
0x0c247fff8390: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c247fff83a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c247fff83b0: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa
0x0c247fff83c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c247fff83d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==35582==ABORTING
```

## Timeout in poppler_page_find_text
https://gitlab.freedesktop.org/poppler/poppler/-/issues/1386
2023-06-07T22:22:49Z, wenpei-z

```
==35538== ERROR: libFuzzer: timeout after 121 seconds
#0 0x5c0a21 in __sanitizer_print_stack_trace /src/llvm-project/compiler-rt/lib/asan/asan_stack.cpp:86:3
#1 0x50b448 in fuzzer::PrintStackTrace() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerUtil.cpp:210:5
#2 0x4efa99 in fuzzer::Fuzzer::AlarmCallback() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:301:5
#3 0x7f0e74e8068f (/lib64/libc.so.6+0x3968f)
#4 0x508a2d in AddValue /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerValueBitMap.h:39:18
#5 0x508a2d in HandleCmp<unsigned int> /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerTracePC.cpp:382:19
#6 0x508a2d in __sanitizer_cov_trace_const_cmp4 /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerTracePC.cpp:501:15
#7 0xac7201 in JBIG2Stream::readGenericBitmap(bool, int, int, int, bool, bool, JBIG2Bitmap*, int*, int*, int) /src/poppler/poppler/JBIG2Stream.cc:3194:37
#8 0xab2d44 in JBIG2Stream::readSymbolDictSeg(unsigned int, unsigned int, unsigned int*, unsigned int) /src/poppler/poppler/JBIG2Stream.cc:1777:45
#9 0xaafaaa in JBIG2Stream::readSegments() /src/poppler/poppler/JBIG2Stream.cc:1347:18
#10 0xaaed74 in JBIG2Stream::reset() /src/poppler/poppler/JBIG2Stream.cc:1184:5
#11 0x734843 in Stream::fillString(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >&) /src/poppler/poppler/Stream.h:151:9
#12 0x728f63 in Stream::fillGooString(GooString*) /src/poppler/poppler/Stream.h:157:47
#13 0x7bc097 in GfxFont::readToUnicodeCMap(Dict*, int, CharCodeToUnicode*) /src/poppler/poppler/GfxFont.cc:599:23
#14 0x7c09d5 in Gfx8BitFont::Gfx8BitFont(XRef*, char const*, Ref, std::__1::optional<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > >&&, GfxFontType, Ref, Dict*) /src/poppler/poppler/GfxFont.cc:1307:5
#15 0x7b9581 in GfxFont::makeFont(XRef*, char const*, Ref, Dict*) /src/poppler/poppler/GfxFont.cc:218:20
#16 0x7c8f94 in GfxFontDict::GfxFontDict(XRef*, Ref*, Dict*) /src/poppler/poppler/GfxFont.cc:2364:24
#17 0x789ff6 in GfxResources::GfxResources(XRef*, Dict*, GfxResources*) /src/poppler/poppler/Gfx.cc:256:25
#18 0x78bc36 in Gfx::Gfx(PDFDoc*, OutputDev*, int, Dict*, double, double, PDFRectangle const*, PDFRectangle const*, int, bool (*)(void*), void*, XRef*) /src/poppler/poppler/Gfx.cc:474:15
#19 0x8754ac in Page::createGfx(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, XRef*) /src/poppler/poppler/Page.cc:559:15
#20 0x60c417 in poppler_page_get_text_page(_PopplerPage*) /src/poppler/glib/poppler-page.cc:261:27
#21 0x60e062 in poppler_page_find_text_with_options /src/poppler/glib/poppler-page.cc:856:16
#22 0x60e902 in poppler_page_find_text /src/poppler/glib/poppler-page.cc:921:12
#23 0x5eb215 in LLVMFuzzerTestOneInput /src/poppler/glib/tests/fuzzing/find_text_fuzzer.cc:34:9
#24 0x4f12c3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15
#25 0x4dca32 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:323:6
#26 0x4e26d6 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:856:9
#27 0x50bbe2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#28 0x7f0e74e6cb26 in __libc_start_main (/lib64/libc.so.6+0x25b26)
#29 0x4b88e9 in _start (/out/find_text_fuzzer+0x4b88e9)
SUMMARY: libFuzzer: timeout
```

## SEGV in cairo_cff_font_subset_dict_string
https://gitlab.freedesktop.org/poppler/poppler/-/issues/1384
2023-06-18T22:31:49Z, wenpei-z

```
AddressSanitizer:DEADLYSIGNAL
=================================================================
==35533==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x0000012934db bp 0x7fff53aa6060 sp 0x7fff53aa5ee0 T0)
==35533==The signal is caused by a READ memory access.
==35533==Hint: address points to the zero page.
#0 0x12934db in cairo_cff_font_subset_dict_string /src/cairo/_builddir/../src/cairo-cff-subset.c:1418:70
#1 0x1293294 in cairo_cff_font_subset_dict_strings /src/cairo/_builddir/../src/cairo-cff-subset.c:1450:18
#2 0x128fb5f in cairo_cff_font_subset_strings /src/cairo/_builddir/../src/cairo-cff-subset.c:1928:14
#3 0x128a013 in cairo_cff_font_subset_font /src/cairo/_builddir/../src/cairo-cff-subset.c:2004:14
#4 0x128508e in cairo_cff_font_generate /src/cairo/_builddir/../src/cairo-cff-subset.c:2600:14
#5 0x1283f7a in _cairo_cff_subset_init /src/cairo/_builddir/../src/cairo-cff-subset.c:2977:14
#6 0x11b910c in _cairo_pdf_surface_emit_cff_font_subset /src/cairo/_builddir/../src/cairo-pdf-surface.c:5939:14
#7 0x11b8952 in _cairo_pdf_surface_emit_unscaled_font_subset /src/cairo/_builddir/../src/cairo-pdf-surface.c:6654:14
#8 0x129e214 in _cairo_sub_font_collect /src/cairo/_builddir/../src/cairo-scaled-font-subsets.c:742:30
#9 0x129ae5a in _cairo_scaled_font_subsets_foreach_internal /src/cairo/_builddir/../src/cairo-scaled-font-subsets.c:1064:6
#10 0x129b172 in _cairo_scaled_font_subsets_foreach_unscaled /src/cairo/_builddir/../src/cairo-scaled-font-subsets.c:1092:12
#11 0x11a17d0 in _cairo_pdf_surface_emit_font_subsets /src/cairo/_builddir/../src/cairo-pdf-surface.c:6704:14
#12 0x119bf95 in _cairo_pdf_surface_finish /src/cairo/_builddir/../src/cairo-pdf-surface.c:2486:11
#13 0x1169c98 in _cairo_surface_finish /src/cairo/_builddir/../src/cairo-surface.c:1030:11
#14 0x1168ee9 in cairo_surface_finish /src/cairo/_builddir/../src/cairo-surface.c:1079:5
#15 0x122e862 in _cairo_paginated_surface_finish /src/cairo/_builddir/../src/cairo-paginated-surface.c:214:2
#16 0x1169c98 in _cairo_surface_finish /src/cairo/_builddir/../src/cairo-surface.c:1030:11
#17 0x1166975 in cairo_surface_destroy /src/cairo/_builddir/../src/cairo-surface.c:970:2
#18 0x5ec48d in LLVMFuzzerTestOneInput /src/poppler/glib/tests/fuzzing/annot_fuzzer.cc:73:5
#19 0x4f22d3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15
#20 0x4dda42 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:323:6
#21 0x4e36e6 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:856:9
#22 0x50cbf2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#23 0x7fe83fcb9b26 in __libc_start_main (/lib64/libc.so.6+0x25b26)
#24 0x4b98f9 in _start (/out/annot_fuzzer+0x4b98f9)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /src/cairo/_builddir/../src/cairo-cff-subset.c:1418:70 in cairo_cff_font_subset_dict_string
==35533==ABORTING
```

## Rendering of type 1 shading with sampled function never finishes with pdftocairo
https://gitlab.freedesktop.org/poppler/poppler/-/issues/994
2022-10-07T10:20:57Z, Tilman Hausherr

[FUNSH01.pdf](/uploads/89d70862cb682402543f99682740ef87/FUNSH01.pdf)
Rendering is done in a second with pdftoppm, but never finishes (I stopped after several minutes) with pdftocairo (version 21.01.0 of cygwin).

## Denial Of Service through crafted PDF File
https://gitlab.freedesktop.org/poppler/poppler/-/issues/931
2022-12-04T00:29:56Z, Carlos Andres Ramirez

Hello Poppler team,
During an incident response procedure for a client, it was found that some malicious customers were uploading malcrafted PDF files, among other things, that are later manipulated by staff.
The goal is still unclear, but when analyzing the files, this is what I have found out:
- Malcrafted files totally crash Files (Simple file manager for GNOME) **EVEN without opening the file** - it seems the program accesses their header when you attempt to see file properties, size, etc.
- If you attempt to open them (as some staff did) they either crash **EVINCE** or consume your processing power
- By researching Evince, we isolated Poppler as the vulnerable surface
- After confirmation, we tested, and can confirm it affects the latest up-to-date Linux versions
- No evidence of privilege escalation/remote control has been found so far
**Technical DETAILS**
PDF files containing particularly crafted data trigger an infinite loop that causes stream file reads to keep failing, inside the error() in poppler/Error.cc
Here is the sequence of functions that we see:
* FileStream::getPos()
* GooString::appendfv(char const*, __va_list_tag*),
* GooString::appendfv(char const*, __va_list_tag*),
* _poppler_error_cb(ErrorCategory, long long, char const*),
...Repeats
I will attach a case file near identical to original (We had to carefully clean personal information, so it is slightly modified but seems to still work). Attachment will be in a separate confidential report to team members.
Thank you,
----
Carlos Andres Ramirez

## MacOS segmentation fault:11
https://gitlab.freedesktop.org/poppler/poppler/-/issues/893
2020-03-18T10:45:18Z, LecrisUT

With the recent release of `poppler 0.86.1`, some dependent applications have broken: `pdfpc` is the only example right now. I get `segmentation fault:11` when I try to open the program compiled with the new `poppler` version.
The compilation environment is the standard `homebrew` environment. A MWE is:
```
(install homebrew)
brew install pdfpc
pdfpc [any pdf file]
```
I am unfamiliar with how `poppler` works and don't know how to start debugging, but if there is any more information needed, I'll try to help as much as possible.

https://gitlab.freedesktop.org/poppler/poppler/-/issues/878
PDF Deflate bombs may cause crashes or resource exhaustion (Jens Mueller, 2020-02-06T19:22:08Z)

Streams in PDF files can be compressed, which may result in "deflate bombs" if not handled by the PDF processing application / library. Find attached three simple PDF compression bombs (10MB on disk to 10GB in memory). Note the compressed stream can be used multiple times in a single PDF document. The PDF files have been gzipped as a precaution mechanism, in order to prevent DoS when accidentally previewing them (gunzip them before the actual testing). Maybe resource limitations should be enforced by Poppler?
[01-dos-02-deflate-bomb.pdf.gz](/uploads/155d9cf24ba0924a1fa3584528d0d5b5/01-dos-02-deflate-bomb.pdf.gz)
[01-dos-02-deflate-bomb2.pdf.gz](/uploads/5663fe80336632c1b33ece915e06aa11/01-dos-02-deflate-bomb2.pdf.gz)
[01-dos-02-deflate-bomb3.pdf.gz](/uploads/564b066c2801d5d375aaebd74ce214c2/01-dos-02-deflate-bomb3.pdf.gz)

https://gitlab.freedesktop.org/poppler/poppler/-/issues/768
Heap buffer overflow in JPXStream (felixphew, 2019-05-22T23:02:08Z)

While fuzzing pdftotext, I located what appears to be a heap buffer overflow in JPEG / JPEG2000 handling code.
The bug was originally detected in an older version, but I have confirmed it persists on trunk.
Asan error report:
```
ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf3e06cbc at pc 0xf7d8985a bp 0xffe0c7e8 sp 0xffe0c7dc
READ of size 4 at 0xf3e06cbc thread T0
#0 0xf7d89859 in JPXStream::init() /poppler-0.64.0/poppler/JPEG2000Stream.cc:265:10
#1 0xf7d8a016 in JPXStream::getChar() /poppler-0.64.0/poppler/JPEG2000Stream.cc:120:43
#2 0xf7a0bffe in Object::streamGetChar() const /poppler-0.64.0/poppler/Object.h:405:50
#3 0xf7a0bffe in Lexer::getChar(bool) /poppler-0.64.0/poppler/Lexer.cc:124
#4 0xf7a0cba4 in Lexer::getObj(int) /poppler-0.64.0/poppler/Lexer.cc:170:14
#5 0xf7a6495e in Parser::Parser(XRef*, Lexer*, bool) /poppler-0.64.0/poppler/Parser.cc:54:17
#6 0xf7864302 in Gfx::display(Object*, bool) /poppler-0.64.0/poppler/Gfx.cc:708:16
#7 0xf7a5c4f3 in Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /poppler-0.64.0/poppler/Page.cc:560:10
#8 0xf7a5c103 in Page::display(OutputDev*, double, double, int, bool, bool, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /poppler-0.64.0/poppler/Page.cc:481:3
#9 0xf7a7410d in PDFDoc::displayPage(OutputDev*, int, double, double, int, bool, bool, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /poppler-0.64.0/poppler/PDFDoc.cc:518:20
#10 0xf7a7410d in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, bool, bool, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*) /poppler-0.64.0/poppler/PDFDoc.cc:535
#11 0x817f0eb (/home/felixf/fuzzing/bin/pdf_llvm_asan/i386-linux-gnu/ld-linux.so.2+0x817f0eb)
#12 0xf7143636 in __libc_start_main (bin/pdf_llvm_asan/i386-linux-gnu/libc.so.6+0x18636)
#13 0x8062280 (/home/felixf/fuzzing/bin/pdf_llvm_asan/i386-linux-gnu/ld-linux.so.2+0x8062280)
0xf3e06cbc is located 0 bytes to the right of 252-byte region [0xf3e06bc0,0xf3e06cbc)
allocated by thread T0 here:
#0 0x8132bcf (/home/felixf/fuzzing/bin/pdf_llvm_asan/i386-linux-gnu/ld-linux.so.2+0x8132bcf)
#1 0xf6f9d558 (bin/pdf_llvm_asan/i386-linux-gnu/libopenjp2.so.7+0x2a558)
SUMMARY: AddressSanitizer: heap-buffer-overflow /poppler-0.64.0/poppler/JPEG2000Stream.cc:265:10 in JPXStream::init()
Shadow bytes around the buggy address:
0x3e7c0d40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3e7c0d50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3e7c0d60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3e7c0d70: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x3e7c0d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x3e7c0d90: 00 00 00 00 00 00 00[04]fa fa fa fa fa fa fa fa
0x3e7c0da0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x3e7c0db0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
0x3e7c0dc0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x3e7c0dd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x3e7c0de0: fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
```
Attached is an [input file](/uploads/3a902c7b97ebff3df1b884c8271de294/id_000011_sig_06_src_000099+004407_op_splice_rep_32) that triggers the bug when run through pdftotext.
If you need / would like any additional information, please let me know.

https://gitlab.freedesktop.org/poppler/poppler/-/issues/766
pdfsig segfaults when opening a file digitally signed with portablesigner and Acrobat Reader (Ángel de Vicente, 2019-05-27T12:16:56Z)

Originally submitted as a bug to Okular (https://bugs.kde.org/show_bug.cgi?id=407338), but it seems to be an issue with poppler.
I use the code portablesigner to digitally sign a document, and pdfsig can read the signature no problem (see example sample-sig.pdf attached).
My colleague, who uses ADOBE Acrobat Reader DC Version 2019.010.20099 on a Mac, signs the same document, and pdfsig can read the signature no problem (see example sample_victor.pdf attached).
But if he signs the file previously signed by me (so as to have it signed by both of us), then pdfsig segfaults when trying to open the file (see example sample_sig_victor.pdf).
```
[angelv@bug]$ pdfsig -v
pdfsig version 0.76.1
[angelv@bug]$ pdfsig sample_sig_victor.pdf
Digital Signature Info of: sample_sig_victor.pdf
Signature #1:
- Signer Certificate Common Name: DE VICENTE GARRIDO ANGEL MANUEL - 30660835H
- Signer full Distinguished Name: CN=DE VICENTE GARRIDO ANGEL MANUEL - 30660835H,SN=DE VICENTE GARRIDO,givenName=ANGEL MANUEL,serialNumber=IDCES-30660835H,C=ES
- Signing Time: May 08 2019 12:16:59
- Signing Hash Algorithm: SHA1
- Signature Type: adbe.pkcs7.sha1
- Signed Ranges: [0 - 13426], [18278 - 24071]
- Not total document signed
- Signature Validation: Signature is Valid.
- Certificate Validation: Certificate is Trusted.
Segmentation fault (core dumped)
[angelv@bug]$
```
[samples.tgz](/uploads/e0f562d438f840493e1a4239f988ffea/samples.tgz)

https://gitlab.freedesktop.org/poppler/poppler/-/issues/752
Stack Overflow in function error (Loginsoft, 2019-04-05T14:43:13Z)

**Description** : During our research we observed a stack-overflow in function error located at Error.cc in poppler
**Command** : `./pdffonts -f 1 -l 2 -opw testing -upw testing $POC`
**POC** : [REPRODUCER](https://github.com/SegfaultMasters/covering360/blob/master/poppler/STOF?raw=true)
**Debug** :
**ASAN REPORT** :
~~~
==1713==ERROR: AddressSanitizer: stack-overflow on address 0x7fffe0597fe8 (pc 0x7fb1500b442d bp 0x7fffe0598560 sp 0x7fffe0597ff0 T0)
#0 0x7fb1500b442c in vfprintf (/lib/x86_64-linux-gnu/libc.so.6+0x5b42c)
#1 0x7fb1500b767f (/lib/x86_64-linux-gnu/libc.so.6+0x5e67f)
#2 0x7fb1500b4725 in vfprintf (/lib/x86_64-linux-gnu/libc.so.6+0x5b725)
#3 0x7fb15146ef07 in __interceptor_vfprintf (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x74f07)
#4 0x7fb15146f056 in __interceptor_fprintf (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x75056)
#5 0x7fb150bdc012 in error(ErrorCategory, long long, char const*, ...) /home/second18/Desktop/packages/poppler/poppler/Error.cc:85
#6 0x7fb150d05acd in Lexer::getObj(int) /home/second18/Desktop/packages/poppler/poppler/Lexer.cc:547
#7 0x7fb150d37407 in Parser::shift(int) /home/second18/Desktop/packages/poppler/poppler/Parser.cc:330
#8 0x7fb150d35b27 in Parser::getObj(bool, unsigned char*, CryptAlgorithm, int, int, int, int, bool) /home/second18/Desktop/packages/poppler/poppler/Parser.cc:115
#9 0x7fb150d35c2f in Parser::getObj(bool, unsigned char*, CryptAlgorithm, int, int, int, int, bool) /home/second18/Desktop/packages/poppler/poppler/Parser.cc:120
#10 0x7fb150d35c2f in Parser::getObj(bool, unsigned char*, CryptAlgorithm, int, int, int, int, bool) /home/second18/Desktop/packages/poppler/poppler/Parser.cc:120
#11 0x7fb150d35c2f in Parser::getObj(bool, unsigned char*, CryptAlgorithm, int, int, int, int, bool) /home/second18/Desktop/packages/poppler/poppler/Parser.cc:120
#12 0x7fb150dfd458 in XRef::fetch(int, int, int) /home/second18/Desktop/packages/poppler/poppler/XRef.cc:1136
#13 0x7fb150dfc82c in XRef::fetch(Ref, int) /home/second18/Desktop/packages/poppler/poppler/XRef.cc:1076
#14 0x7fb150d1aa6b in Object::fetch(XRef*, int) const /home/second18/Desktop/packages/poppler/poppler/Object.cc:92
#15 0x7fb150bd31b9 in Dict::lookup(char const*, int) const /home/second18/Desktop/packages/poppler/poppler/Dict.cc:166
#16 0x7fb150bf599b in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:147
#17 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#18 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#19 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#20 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#21 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#22 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#23 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#24 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#25 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#26 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#27 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#28 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#29 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#30 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#31 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#32 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#33 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#34 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#35 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#36 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#37 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#38 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#39 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#40 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#41 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#42 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#43 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#44 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#45 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#46 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#47 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#48 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#49 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#50 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#51 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#52 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#53 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#54 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#55 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#56 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#57 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#58 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#59 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#60 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#61 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#62 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#63 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#64 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#65 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#66 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#67 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#68 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#69 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#70 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#71 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#72 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#73 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#74 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#75 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#76 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#77 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#78 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#79 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#80 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#81 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#82 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#83 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#84 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#85 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#86 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#87 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#88 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#89 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#90 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#91 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#92 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#93 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#94 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#95 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#96 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#97 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#98 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#99 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#100 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#101 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#102 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#103 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#104 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#105 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#106 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#107 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#108 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#109 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#110 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#111 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#112 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#113 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#114 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#115 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#116 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#117 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#118 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#119 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#120 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#121 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#122 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#123 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#124 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#125 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#126 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#127 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#128 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#129 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#130 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#131 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#132 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#133 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#134 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#135 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#136 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#137 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#138 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#139 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#140 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#141 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#142 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#143 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#144 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#145 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#146 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#147 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#148 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#149 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#150 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#151 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#152 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#153 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#154 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#155 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#156 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#157 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#158 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#159 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#160 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#161 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#162 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#163 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#164 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#165 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#166 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#167 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#168 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#169 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#170 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#171 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#172 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#173 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#174 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#175 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#176 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#177 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#178 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#179 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#180 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#181 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#182 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#183 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#184 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#185 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#186 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#187 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#188 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#189 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#190 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#191 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#192 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#193 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#194 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#195 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#196 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#197 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#198 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#199 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#200 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#201 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#202 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#203 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#204 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#205 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#206 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#207 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#208 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#209 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#210 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#211 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#212 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#213 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#214 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#215 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#216 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#217 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#218 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#219 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#220 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#221 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#222 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#223 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#224 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#225 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#226 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#227 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#228 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#229 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#230 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#231 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#232 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#233 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#234 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#235 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#236 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#237 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#238 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#239 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#240 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#241 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#242 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#243 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#244 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#245 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#246 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#247 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#248 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#249 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
#250 0x7fb150bf5a02 in FontInfoScanner::scanFonts(XRef*, Dict*, std::vector<FontInfo*, std::allocator<FontInfo*> >*) /home/second18/Desktop/packages/poppler/poppler/FontInfo.cc:149
SUMMARY: AddressSanitizer: stack-overflow (/lib/x86_64-linux-gnu/libc.so.6+0x5b42c) in vfprintf
==1713==ABORTING
~~~
GDB :
~~~
Program received signal SIGSEGV, Segmentation fault.
[ Legend: Modified register | Code | Heap | Stack | String ]
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
$rax : 0x2
$rbx : 0x00007ffff69a9660 → "%s (%lld): %s"
$rcx : 0x0
$rdx : 0x00007fffff801b90 → 0x0000003000000010 → 0x0000000000000000
$rsp : 0x7fffff7feec0
$rbp : 0x00007fffff7ff430 → 0x00007fffff801b20 → 0x00007ffff69a9660 → "%s (%lld): %s"
$rsi : 0x00007ffff69a9660 → "%s (%lld): %s"
$rdi : 0x00007fffff7ff470 → 0x00007ffffbad8004
$rip : 0x00007ffff5ad43c6 → <vfprintf+54> mov DWORD PTR [rbp-0x4b8], eax
$r8 : 0x000060300699e5f0 → "Illegal character '}'"
$r9 : 0x0
$r10 : 0x000060300699e5f0 → "Illegal character '}'"
$r11 : 0x0
$r12 : 0x00007fffff801b90 → 0x0000003000000010 → 0x0000000000000000
$r13 : 0x00000ffffff00396 → 0x0000000000000000
$r14 : 0x00007fffff7ff470 → 0x00007ffffbad8004
$r15 : 0x00000000fbad2887 → 0x0000000000000000
$eflags: [ZERO carry PARITY adjust sign trap INTERRUPT direction overflow RESUME virtualx86 identification]
$cs: 0x0033 $ss: 0x002b $ds: 0x0000 $es: 0x0000 $fs: 0x0000 $gs: 0x0000
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
[!] Unmapped address
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:64 ────
0x7ffff5ad43b8 <vfprintf+40> rex.RB enter 0xc031, 0x48
0x7ffff5ad43bd <vfprintf+45> mov eax, DWORD PTR [rip+0x38faa5] # 0x7ffff5e63e68
0x7ffff5ad43c3 <vfprintf+51> mov eax, DWORD PTR fs:[rax]
→ 0x7ffff5ad43c6 <vfprintf+54> mov DWORD PTR [rbp-0x4b8], eax
0x7ffff5ad43cc <vfprintf+60> mov eax, DWORD PTR [rdi+0xc0]
0x7ffff5ad43d2 <vfprintf+66> test eax, eax
0x7ffff5ad43d4 <vfprintf+68> jne 0x7ffff5ad45b0 <_IO_vfprintf_internal+544>
0x7ffff5ad43da <vfprintf+74> mov DWORD PTR [rdi+0xc0], 0xffffffff
0x7ffff5ad43e4 <vfprintf+84> mov r15d, DWORD PTR [r14]
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "pdffonts", stopped, reason: SIGSEGV
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
[#0] 0x7ffff5ad43c6 → _IO_vfprintf_internal(s=0x7fffff7ff470, format=0x7ffff69a9660 "%s (%lld): %s\n", ap=0x7fffff801b90)
[#1] 0x7ffff5ad7680 → buffered_vfprintf(s=0x7ffff5e65680 <_IO_2_1_stderr_>, format=0x7ffff69a9660 "%s (%lld): %s\n", args=0x7fffff801b90)
[#2] 0x7ffff5ad4726 → _IO_vfprintf_internal(s=0x7ffff5e65680 <_IO_2_1_stderr_>, format=0x7ffff69a9660 "%s (%lld): %s\n", ap=0x7fffff801b90)
[#3] 0x7ffff6e8ef08 → vfprintf()
[#4] 0x7ffff6e8f057 → fprintf()
[#5] 0x7ffff65fc013 → error(category=errSyntaxError, pos=0xa7a, msg=0x7ffff6a220a0 "Illegal character '{0:c}'")
[#6] 0x7ffff6725ace → Lexer::getObj(this=0x61000064d840, objNum=0xffffffff)
[#7] 0x7ffff6757408 → Parser::shift(this=0x60600652efe0, objNum=0xffffffff)
[#8] 0x7ffff6755b28 → Parser::getObj(this=0x60600652efe0, simpleOnly=0x0, fileKey=0x0, encAlgorithm=cryptNone, keyLength=0xbebebebe, objNum=0x2, objGen=0x0, recursion=0x3, strict=0x0)
[#9] 0x7ffff6755c30 → Parser::getObj(this=0x60600652efe0, simpleOnly=0x0, fileKey=0x0, encAlgorithm=cryptNone, keyLength=0xbebebebe, objNum=0x2, objGen=0x0, recursion=0x2, strict=0x0)
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
0x00007ffff5ad43c6 in _IO_vfprintf_internal (s=0x7fffff7ff470, format=0x7ffff69a9660 "%s (%lld): %s\n", ap=0x7fffff801b90) at vfprintf.c:1275
~~~

https://gitlab.freedesktop.org/poppler/poppler/-/issues/751
A heap-buffer-overflow in function PSOutputDev::checkPageSlice
2021-11-05T11:02:44Z
pwd

# poppler-0.74
## version
poppler-0.74 0.74
## description
```txt
None
```
## download link
None
---------------------
## PSOutputDev::checkPageSlice@PSOutputDev.cc:3468-23___heap-buffer-overflow
### description
An issue was discovered in poppler-0.74 0.74. There is a heap-buffer-overflow in function PSOutputDev::checkPageSlice at PSOutputDev.cc:3468-23
### commandline
pdftops -level1sep @@ /dev/null
### source
```c
3464 }
3465 } else {
3466 // Gray color image
3467 for (x = 0; x < w; ++x) {
>3468 col[comp] |= p[4*x + comp];
3469 digit = p[4*x + comp] / 16;
3470 hexBuf[i++] = digit + ((digit >= 10)? 'a' - 10: '0');
3471 digit = p[4*x + comp] % 16;
3472 hexBuf[i++] = digit + ((digit >= 10)? 'a' - 10: '0');
3473 if (i >= 64) {
```
### bug report
```txt
=================================================================
==31131==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fdf3a598400 at pc 0x7fdf454415e0 bp 0x7ffe233c2770 sp 0x7ffe233c2768
READ of size 1 at 0x7fdf3a598400 thread T0
#0 0x7fdf454415df in PSOutputDev::checkPageSlice(Page*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*) /src/poppler-0.74/poppler/PSOutputDev.cc:3468:23
#1 0x7fdf4527de72 in Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /src/poppler-0.74/poppler/Page.cc:527:13
#2 0x7fdf4527dd00 in Page::display(OutputDev*, double, double, int, bool, bool, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /src/poppler-0.74/poppler/Page.cc:469:3
#3 0x7fdf4529a925 in PDFDoc::displayPage(OutputDev*, int, double, double, int, bool, bool, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /src/poppler-0.74/poppler/PDFDoc.cc:633:20
#4 0x5204ac in main /src/poppler-0.74/utils/pdftops.cc:424:12
#5 0x7fdf4390182f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#6 0x41b5b8 in _start (/src/aflbuild/installed/bin/pdftops+0x41b5b8)
0x7fdf3a598400 is located 0 bytes to the right of 519168-byte region [0x7fdf3a519800,0x7fdf3a598400)
allocated by thread T0 here:
#0 0x4df7e8 in __interceptor_malloc /work/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88
#1 0x7fdf455e1963 in gmalloc(unsigned long, bool) /src/poppler-0.74/goo/gmem.h:41:17
#2 0x7fdf455e1963 in gmallocn(int, int, bool) /src/poppler-0.74/goo/gmem.h:115
#3 0x7fdf455e1963 in gmallocn_checkoverflow(int, int) /src/poppler-0.74/goo/gmem.h:119
#4 0x7fdf455e1963 in SplashBitmap::SplashBitmap(int, int, int, SplashColorMode, bool, bool, GooList*) /src/poppler-0.74/splash/SplashBitmap.cc:113
SUMMARY: AddressSanitizer: heap-buffer-overflow /src/poppler-0.74/poppler/PSOutputDev.cc:3468:23 in PSOutputDev::checkPageSlice(Page*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*)
Shadow bytes around the buggy address:
0x0ffc674ab030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ffc674ab040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ffc674ab050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ffc674ab060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ffc674ab070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ffc674ab080:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ffc674ab090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ffc674ab0a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ffc674ab0b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ffc674ab0c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ffc674ab0d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==31131==ABORTING
```
### others
from fuzz project pwd-poppler-pdftops-06
crash name pwd-poppler-pdftops-06-00000000-20190401.pdf
Auto-generated by pyspider at 2019-04-01 15:07:53
[poc.tar.gz](/uploads/9b98e900fbecce72d8dcbc602a71e530/poc.tar.gz)

https://gitlab.freedesktop.org/poppler/poppler/-/issues/750
a heap-buffer-overflow in function Splash::blitTransparent
2019-05-14T06:58:00Z
pwd

# poppler-0.74
## version
poppler-0.74 0.74
## description
```txt
None
```
## download link
None
---------------------
## Splash::blitTransparent@Splash.cc:5872-6___heap-buffer-overflow
### description
An issue was discovered in poppler-0.74 0.74. There is a heap-buffer-overflow in function Splash::blitTransparent at Splash.cc:5872-6
### commandline
pdftoppm -cropbox -mono @@
### source
```c
5868 mask = 0x80 >> (xDest & 7);
5869 sp = &src->data[(ySrc + y) * src->rowSize + (xSrc >> 3)];
5870 srcMask = 0x80 >> (xSrc & 7);
5871 for (x = 0; x < w; ++x) {
>5872 if (*sp & srcMask) {
5873 *p |= mask;
5874 } else {
5875 *p &= ~mask;
5876 }
5877 if (!(mask >>= 1)) {
```
### bug report
```txt
=================================================================
==15571==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x632000014b20 at pc 0x7fac6548f951 bp 0x7fffb884dba0 sp 0x7fffb884db98
READ of size 1 at 0x632000014b20 thread T0
#0 0x7fac6548f950 in Splash::blitTransparent(SplashBitmap*, int, int, int, int, int, int) /src/poppler-0.74/splash/Splash.cc:5872:6
#1 0x7fac65422030 in SplashOutputDev::beginTransparencyGroup(GfxState*, double const*, GfxColorSpace*, bool, bool, bool) /src/poppler-0.74/poppler/SplashOutputDev.cc:4282:13
#2 0x7fac64f06096 in Gfx::drawForm(Object*, Dict*, double const*, double const*, bool, bool, GfxColorSpace*, bool, bool, bool, Function*, GfxColor*) /src/poppler-0.74/poppler/Gfx.cc:4828:10
#3 0x7fac64f373ad in Gfx::doForm(Object*) /src/poppler-0.74/poppler/Gfx.cc:4764:3
#4 0x7fac64ebe0fd in Gfx::opXObject(Object*, int) /src/poppler-0.74/poppler/Gfx.cc:4181:2
#5 0x7fac64f0066f in Gfx::execOp(Object*, Object*, int) /src/poppler-0.74/poppler/Gfx.cc:876:3
#6 0x7fac64efc707 in Gfx::go(bool) /src/poppler-0.74/poppler/Gfx.cc:752:7
#7 0x7fac64efb5b3 in Gfx::display(Object*, bool) /src/poppler-0.74/poppler/Gfx.cc:714:3
#8 0x7fac64f062f5 in Gfx::drawForm(Object*, Dict*, double const*, double const*, bool, bool, GfxColorSpace*, bool, bool, bool, Function*, GfxColor*) /src/poppler-0.74/poppler/Gfx.cc:4841:3
#9 0x7fac64f373ad in Gfx::doForm(Object*) /src/poppler-0.74/poppler/Gfx.cc:4764:3
#10 0x7fac64ebe0fd in Gfx::opXObject(Object*, int) /src/poppler-0.74/poppler/Gfx.cc:4181:2
#11 0x7fac64f0066f in Gfx::execOp(Object*, Object*, int) /src/poppler-0.74/poppler/Gfx.cc:876:3
#12 0x7fac64efc707 in Gfx::go(bool) /src/poppler-0.74/poppler/Gfx.cc:752:7
#13 0x7fac64efb5b3 in Gfx::display(Object*, bool) /src/poppler-0.74/poppler/Gfx.cc:714:3
#14 0x7fac6513614c in Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /src/poppler-0.74/poppler/Page.cc:548:10
#15 0x7fac651538b1 in PDFDoc::displayPageSlice(OutputDev*, int, double, double, int, bool, bool, bool, int, int, int, int, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /src/poppler-0.74/poppler/PDFDoc.cc:665:20
#16 0x521264 in savePageSlice(PDFDoc*, SplashOutputDev*, int, int, int, int, int, double, double, char*) /src/poppler-0.74/utils/pdftoppm.cc:287:8
#17 0x521264 in main /src/poppler-0.74/utils/pdftoppm.cc:600
#18 0x7fac637b982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#19 0x41b838 in _start (/src/aflbuild/installed/bin/pdftoppm+0x41b838)
0x632000014b20 is located 0 bytes to the right of 82720-byte region [0x632000000800,0x632000014b20)
allocated by thread T0 here:
#0 0x4dfa68 in __interceptor_malloc /work/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88
#1 0x7fac65499963 in gmalloc(unsigned long, bool) /src/poppler-0.74/goo/gmem.h:41:17
#2 0x7fac65499963 in gmallocn(int, int, bool) /src/poppler-0.74/goo/gmem.h:115
#3 0x7fac65499963 in gmallocn_checkoverflow(int, int) /src/poppler-0.74/goo/gmem.h:119
#4 0x7fac65499963 in SplashBitmap::SplashBitmap(int, int, int, SplashColorMode, bool, bool, GooList*) /src/poppler-0.74/splash/SplashBitmap.cc:113
SUMMARY: AddressSanitizer: heap-buffer-overflow /src/poppler-0.74/splash/Splash.cc:5872:6 in Splash::blitTransparent(SplashBitmap*, int, int, int, int, int, int)
Shadow bytes around the buggy address:
0x0c647fffa910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c647fffa920: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c647fffa930: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c647fffa940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c647fffa950: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c647fffa960: 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa
0x0c647fffa970: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c647fffa980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c647fffa990: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c647fffa9a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c647fffa9b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==15571==ABORTING
```
### others
from fuzz project pwd-poppler-pdftoppm-00
crash name pwd-poppler-pdftoppm-00-00000000-20190402.pdf
Auto-generated by pyspider at 2019-04-02 13:29:10
[poc.tar.gz](/uploads/c1a76b9a575ea1da523c24e5202e9c3c/poc.tar.gz)

Issue 747: pdftocairo crashes on this PDF file with _cairo_ps_surface_operation_supported failed
https://gitlab.freedesktop.org/poppler/poppler/-/issues/747
Alex K, 2019-03-29T22:12:26Z

poppler utils 0.61.1, cairo 1.16.0 on Debian Testing.
How to reproduce:
pdftocairo -ps -level3 [d96882-edited.pdf](/uploads/b3be72f3b77feeca3e2e5866581ab0ef/d96882-edited.pdf) out.ps
```
pdftocairo: ../../../../src/cairo-ps-surface.c:4986: _cairo_ps_surface_mask: Assertion `_cairo_ps_surface_operation_supported (surface, op, source, mask, &extents.bounded)' failed.
Program received signal SIGABRT, Aborted.
```
Gdb stack shows this
```
(gdb) bt
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1 0x00007ffff65013fa in __GI_abort () at abort.c:89
#2 0x00007ffff64f8e37 in __assert_fail_base (fmt=<optimized out>, assertion=assertion@entry=0x7ffff7ba9870 "_cairo_ps_surface_operation_supported (surface, op, source, mask, &extents.bounded)", file=file@entry=0x7ffff7ba7a58 "../../../../src/cairo-ps-surface.c", line=line@entry=4986, function=function@entry=0x7ffff7ba99f0 <__PRETTY_FUNCTION__.14368> "_cairo_ps_surface_mask") at assert.c:92
#3 0x00007ffff64f8ee2 in __GI___assert_fail (assertion=assertion@entry=0x7ffff7ba9870 "_cairo_ps_surface_operation_supported (surface, op, source, mask, &extents.bounded)", file=file@entry=0x7ffff7ba7a58 "../../../../src/cairo-ps-surface.c", line=line@entry=4986, function=function@entry=0x7ffff7ba99f0 <__PRETTY_FUNCTION__.14368> "_cairo_ps_surface_mask") at assert.c:101
#4 0x00007ffff7b820b1 in _cairo_ps_surface_mask (abstract_surface=0x5555557cea50, op=CAIRO_OPERATOR_OVER, source=0x555555830df8, mask=0x555555830f10, clip=<optimized out>) at ../../../../src/cairo-ps-surface.c:4986
#5 0x00007ffff7b31747 in _cairo_surface_mask (surface=0x5555557cea50, op=CAIRO_OPERATOR_OVER, source=0x555555830df8, mask=0x555555830f10, clip=0x5555558a6a90) at ../../../../src/cairo-surface.c:2247
#6 0x00007ffff7b2df40 in _cairo_surface_wrapper_mask (wrapper=wrapper@entry=0x7fffffffd200, op=CAIRO_OPERATOR_OVER, source=source@entry=0x555555830df8, mask=mask@entry=0x555555830f10, clip=<optimized out>) at ../../../../src/cairo-surface-wrapper.c:200
#7 0x00007ffff7b1afcb in _cairo_recording_surface_replay_internal (surface=surface@entry=0x5555558472b0, surface_extents=surface_extents@entry=0x0, surface_transform=surface_transform@entry=0x0, target=target@entry=0x5555557cea50, target_clip=target_clip@entry=0x0, surface_is_unbounded=surface_is_unbounded@entry=0, type=CAIRO_RECORDING_REPLAY, region=<optimized out>) at ../../../../src/cairo-recording-surface.c:1896
#8 0x00007ffff7b1c287 in _cairo_recording_surface_replay_region (surface=surface@entry=0x5555558472b0, surface_extents=surface_extents@entry=0x0, target=target@entry=0x5555557cea50, region=region@entry=CAIRO_RECORDING_REGION_NATIVE) at ../../../../src/cairo-recording-surface.c:2210
#9 0x00007ffff7b7f430 in _cairo_ps_surface_emit_recording_surface (surface=surface@entry=0x5555557cea50, recording_surface=0x5555558472b0, recording_extents=0x7fffffffd510, subsurface=subsurface@entry=0) at ../../../../src/cairo-ps-surface.c:3398
#10 0x00007ffff7b800e3 in _cairo_ps_surface_emit_surface (surface=0x5555557cea50, mode=CAIRO_EMIT_SURFACE_ANALYZE, params=0x7fffffffd580) at ../../../../src/cairo-ps-surface.c:3684
#11 0x00007ffff7b8061e in _cairo_ps_surface_emit_surface_pattern (surface=0x5555557cea50, pattern=0x5555557f2a48, extents=<optimized out>, op=CAIRO_OPERATOR_OVER) at ../../../../src/cairo-ps-surface.c:4117
#12 0x00007ffff7b81ed3 in _cairo_ps_surface_fill (abstract_surface=0x5555557cea50, op=CAIRO_OPERATOR_OVER, source=0x5555557f2a48, path=0x5555557f2b60, fill_rule=CAIRO_FILL_RULE_WINDING, tolerance=<optimized out>, antialias=<optimized out>, clip=0x5555557c20a0) at ../../../../src/cairo-ps-surface.c:5163
#13 0x00007ffff7b3196a in _cairo_surface_fill (surface=0x5555557cea50, op=CAIRO_OPERATOR_OVER, source=0x5555557f2a48, path=0x5555557f2b60, fill_rule=CAIRO_FILL_RULE_WINDING, tolerance=0.10000000000000001, antialias=CAIRO_ANTIALIAS_DEFAULT, clip=0x5555557c20a0) at ../../../../src/cairo-surface.c:2422
#14 0x00007ffff7b2e6f0 in _cairo_surface_wrapper_fill (wrapper=wrapper@entry=0x7fffffffde50, op=CAIRO_OPERATOR_OVER, source=source@entry=0x5555557f2a48, path=path@entry=0x5555557f2b60, fill_rule=CAIRO_FILL_RULE_WINDING, tolerance=0.10000000000000001, antialias=CAIRO_ANTIALIAS_DEFAULT, clip=0x5555557f0c30) at ../../../../src/cairo-surface-wrapper.c:384
#15 0x00007ffff7b1b2e6 in _cairo_recording_surface_replay_internal (surface=<optimized out>, surface_extents=surface_extents@entry=0x0, surface_transform=surface_transform@entry=0x0, target=<optimized out>, target_clip=target_clip@entry=0x0, surface_is_unbounded=surface_is_unbounded@entry=0, type=CAIRO_RECORDING_REPLAY, region=<optimized out>) at ../../../../src/cairo-recording-surface.c:1980
#16 0x00007ffff7b1c287 in _cairo_recording_surface_replay_region (surface=<optimized out>, surface_extents=surface_extents@entry=0x0, target=<optimized out>, region=region@entry=CAIRO_RECORDING_REGION_NATIVE) at ../../../../src/cairo-recording-surface.c:2210
#17 0x00007ffff7afce42 in _paint_page (surface=surface@entry=0x5555557d0bf0) at ../../../../src/cairo-paginated-surface.c:469
#18 0x00007ffff7afd313 in _cairo_paginated_surface_show_page (abstract_surface=0x5555557d0bf0) at ../../../../src/cairo-paginated-surface.c:583
#19 0x00007ffff7b31ccb in INT_cairo_surface_show_page (surface=0x5555557d0bf0) at ../../../../src/cairo-surface.c:2504
```

Issue 737: Division by zero in CairoRescaleBox::downScaleImage
https://gitlab.freedesktop.org/poppler/poppler/-/issues/737
Maksim, 2019-09-22T09:31:12Z

Hi,
There is a division by zero that happens here:
https://gitlab.freedesktop.org/poppler/poppler/blob/master/poppler/CairoRescaleBox.cc#L306
`scaled_height` might be zero in case the following code path is triggered:
https://gitlab.freedesktop.org/poppler/poppler/blob/master/poppler/CairoOutputDev.cc#L3131
[div_by_zero.pdf](/uploads/c705b241551a677942913277b7abf47e/div_by_zero.pdf)

Issue 736: heap overflow in downsample_row_box_filter
https://gitlab.freedesktop.org/poppler/poppler/-/issues/736
Maksim, 2019-03-28T11:07:33Z

Hi,
I recently found heap overflow in downsample_row_box_filter. You can find ASAN report below:
```
=================================================================
==15344==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f9339a5695c at pc 0x00000045e222 bp 0x7ffc6e79cf90 sp 0x7ffc6e79cf80
READ of size 4 at 0x7f9339a5695c thread T0
#0 0x45e221 in downsample_row_box_filter /home/poppler/poppler/CairoRescaleBox.cc:125
#1 0x45ed2d in CairoRescaleBox::downScaleImage(unsigned int, unsigned int, int, int, unsigned short, unsigned short, unsigned short, unsigned short, _cairo_surface*) /home/poppler/poppler/CairoRescaleBox.cc:339
#2 0x454545 in RescaleDrawImage::getSourceImage(Stream*, int, int, int, int, bool, GfxImageColorMap*, int*) /home/poppler/poppler/CairoOutputDev.cc:3178
#3 0x454545 in CairoOutputDev::drawImage(GfxState*, Object*, Stream*, int, int, GfxImageColorMap*, bool, int*, bool) /home/poppler/poppler/CairoOutputDev.cc:3262
#4 0x7f93420e3765 in Gfx::doImage(Object*, Stream*, bool) /home/poppler/poppler/Gfx.cc:4594
#5 0x7f93420e9c80 in Gfx::opXObject(Object*, int) /home/poppler/poppler/Gfx.cc:4163
#6 0x7f93420ca6b0 in Gfx::go(bool) /home/poppler/poppler/Gfx.cc:752
#7 0x7f93420cc4f3 in Gfx::display(Object*, bool) /home/poppler/poppler/Gfx.cc:714
#8 0x7f934228e7b2 in Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /home/poppler/poppler/Page.cc:548
#9 0x40f54a in renderPage /home/poppler/utils/pdftocairo.cc:737
#10 0x40f54a in main /home/poppler/utils/pdftocairo.cc:1257
#11 0x7f934108082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#12 0x4152d8 in _start (/home/build/utils/pdftocairo+0x4152d8)
0x7f9339a5695c is located 0 bytes to the right of 95572316-byte region [0x7f9333f31800,0x7f9339a5695c)
allocated by thread T0 here:
#0 0x7f9343077602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x45e3af in gmalloc(unsigned long, bool) /home/poppler/goo/gmem.h:41
#2 0x45e3af in gmallocn(int, int, bool) /home/poppler/goo/gmem.h:115
#3 0x45e3af in CairoRescaleBox::downScaleImage(unsigned int, unsigned int, int, int, unsigned short, unsigned short, unsigned short, unsigned short, _cairo_surface*) /home/poppler/poppler/CairoRescaleBox.cc:286
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/poppler/poppler/CairoRescaleBox.cc:125 downsample_row_box_filter
Shadow bytes around the buggy address:
0x0ff2e7342cd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff2e7342ce0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff2e7342cf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff2e7342d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff2e7342d10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ff2e7342d20: 00 00 00 00 00 00 00 00 00 00 00[04]fa fa fa fa
0x0ff2e7342d30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff2e7342d40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff2e7342d50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff2e7342d60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff2e7342d70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==15344==ABORTING
```
Looks like something is wrong with the `start_coverage` array. You can find the debug output for the `downsample_row_box_filter` function below:
```
Size of temp_buf = 0xce5, orig_widht = 0x16c9457, scaled_width = 0x2000 temp_buf = 0xcf575010
Start is 0xdb7c4010
pixel_coverage = 5752, src = 0xdb7c4010
x = 1, width = 8192 box = 16770736, pixel_coverage = 5752, start_coverage = 6480, src = 1
x = 2, width = 8192 box = 16774393, pixel_coverage = 5752, start_coverage = 2823, src = 2917
<---truncated---->
x = 8191, width = 8192 box = 16767080, pixel_coverage = 5752, start_coverage = 10136, src = 23887247
x = 8192, width = 8192 box = 16778584, pixel_coverage = 5752, start_coverage = -1368, src = 23890163
```
Heap overrun happens at x = 8192.
[radamsa_716NiagaraWineTrail_opt.pdf](/uploads/df642babbb32891fca389c8e99f0982f/radamsa_716NiagaraWineTrail_opt.pdf)

Issue 731: Recursive function call at function JBIG2Stream::readTextRegion()
https://gitlab.freedesktop.org/poppler/poppler/-/issues/731
Loginsoft, 2019-03-01T22:23:19Z

**What is vulnerability** - During our research there is a recursive function call at function JBIG2Stream::readTextRegion() in JBIG2Stream.cc in poppler 0.74.0.
**Command** - pdfimages -f 1 -l 1 -opw testing -upw testing -j -p -q $POC output
**POC** - [REPRODUCER](https://github.com/SegfaultMasters/covering360/blob/master/poppler/RFC_POC?raw=true)
**Debug** -
**GDB** -
```
[ Legend: Modified register | Code | Heap | Stack | String ]
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ registers ]────
$rax : 0x7fff8cf5c800 → 0x0000000000000000
$rbx : 0x3be980
$rcx : 0x7fff8cff5000 → 0x0000000000000000
$rdx : 0x7fff8d31b180 → 0x0000000000000000
$rsp : 0x7fffffffc158 → 0x00007ffff6e78cdf → mov rcx, QWORD PTR [rbp-0x38]
$rbp : 0x7fffffffc9e0 → 0x00007fffffffca00 → 0x00007fffffffcdb0 → 0x00007fffffffd3b0 → 0x00007fffffffd5f0 → 0x00007fffffffd620 → 0x00007fffffffd640 → 0x00007fffffffd740
$rsi : 0x0
$rdi : 0x7fff8cf5c800 → 0x0000000000000000
$rip : 0x7ffff5b58963 → <__memset_sse2_unaligned_erms+147> movdqa XMMWORD PTR [rcx], xmm0
$r8 : 0x1000719e3900 → 0x0000000000000000
$r9 : 0x100071a5b630 → 0xfafafafafafafa01
$r10 : 0x4032
$r11 : 0x202
$r12 : 0x7fff8cf5c800 → 0x0000000000000000
$r13 : 0x7fff8d31b180 → 0x0000000000000000
$r14 : 0x0
$r15 : 0x0
$eflags: [zero carry parity adjust sign trap INTERRUPT direction overflow RESUME virtualx86 identification]
$fs: 0x0000 $gs: 0x0000 $ds: 0x0000 $cs: 0x0033 $es: 0x0000 $ss: 0x002b
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ stack ]────
0x00007fffffffc158│+0x00: 0x00007ffff6e78cdf → mov rcx, QWORD PTR [rbp-0x38] ← $rsp
0x00007fffffffc160│+0x08: 0x00007ffff6726e6f → <JBIG2Stream::readTextRegion(bool,+0> mov QWORD PTR [rbp-0x2d8], r14
0x00007fffffffc168│+0x10: 0x00007ffff6722a77 → <JBIG2Stream::readSymbolDictSeg(unsigned+0> add rsp, 0xb0
0x00007fffffffc170│+0x18: 0x00007ffff671f5a2 → <JBIG2Stream::readSegments()+2546> xor eax, 0x1
0x00007fffffffc178│+0x20: 0x00007ffff671e351 → <JBIG2Stream::reset()+1633> mov rax, QWORD PTR [rbp-0x18]
0x00007fffffffc180│+0x28: 0x00007ffff6609541 → <Object::streamReset()+255> nop
0x00007fffffffc188│+0x30: 0x00007ffff673bee2 → <Lexer::Lexer(XRef*,+0> nop
0x00007fffffffc190│+0x38: 0x00007ffff66354eb → 0x00000040bfe6894d → 0x0000000000000000
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ code:i386:x86-64 ]────
0x7ffff5b5895a <__memset_sse2_unaligned_erms+138> and rdx, 0xffffffffffffffc0
0x7ffff5b5895e <__memset_sse2_unaligned_erms+142> cmp rcx, rdx
0x7ffff5b58961 <__memset_sse2_unaligned_erms+145> je 0x7ffff5b58923 <__memset_sse2_unaligned_erms+83>
→ 0x7ffff5b58963 <__memset_sse2_unaligned_erms+147> movdqa XMMWORD PTR [rcx], xmm0
0x7ffff5b58967 <__memset_sse2_unaligned_erms+151> movdqa XMMWORD PTR [rcx+0x10], xmm0
0x7ffff5b5896c <__memset_sse2_unaligned_erms+156> movdqa XMMWORD PTR [rcx+0x20], xmm0
0x7ffff5b58971 <__memset_sse2_unaligned_erms+161> movdqa XMMWORD PTR [rcx+0x30], xmm0
0x7ffff5b58976 <__memset_sse2_unaligned_erms+166> add rcx, 0x40
0x7ffff5b5897a <__memset_sse2_unaligned_erms+170> cmp rdx, rcx
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ threads ]────
[#0] Id 1, Name: "pdfimages", stopped, reason: SIGINT
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ trace ]────
[#0] 0x7ffff5b58963 → Name: __memset_sse2_unaligned_erms()
[#1] 0x7ffff6e78cdf → mov rcx, QWORD PTR [rbp-0x38]
[#2] 0x7ffff671b455 → Name: JBIG2Bitmap::clearToZero(this=0x60300001b400)
[#3] 0x7ffff6726f27 → Name: JBIG2Stream::readTextRegion(this=0x612000000f40, huff=0x0, refine=0x1, w=0x95e, h=0x3320, numInstances=0x5, logStrips=0x0, numSyms=0x3d0, symCodeTab=0x0, symCodeLen=0xe, syms=0x633000000800, defPixel=0x0, combOp=0x0, transposed=0x0, refCorner=0x1, sOffset=0x0, huffFSTable=0x7ffff6de4de0 <huffTableF>, huffDSTable=0x7ffff6de5020 <huffTableH>, huffDTTable=0x7ffff6de54c0 <huffTableK>, huffRDWTable=0x7ffff6de5840 <huffTableO>, huffRDHTable=0x7ffff6de5840 <huffTableO>, huffRDXTable=0x7ffff6de5840 <huffTableO>, huffRDYTable=0x7ffff6de5840 <huffTableO>, huffRSizeTable=0x7ffff6de4aa0 <huffTableA>, templ=0x0, atx=0x7fffffffd280, aty=0x7fffffffd2c0)
[#4] 0x7ffff6722a77 → Name: JBIG2Stream::readSymbolDictSeg(this=0x612000000f40, segNum=0x0, length=0x2e2e2e2e, refSegs=0x0, nRefSegs=0x0)
[#5] 0x7ffff671f5a2 → Name: JBIG2Stream::readSegments(this=0x612000000f40)
[#6] 0x7ffff671e351 → Name: JBIG2Stream::reset(this=0x612000000f40)
[#7] 0x7ffff6609541 → Name: Object::streamReset(this=0x610000001658)
[#8] 0x7ffff673bee2 → Name: Lexer::Lexer(this=0x610000001640, xrefA=0x6120000001c0, obj=0x7fffffffd910)
[#9] 0x7ffff66354eb → Name: Gfx::display(this=0x612000000ac0, obj=0x7fffffffd910, topLevel=0x1)
```

Issue 730: recursive function call in function JBIG2Stream::readGenericBitmap()
https://gitlab.freedesktop.org/poppler/poppler/-/issues/730
Loginsoft, 2019-09-20T22:08:03Z

**What is vulnerability** - During our research there is a recursive function call in function JBIG2Stream::readGenericBitmap() located at JBIG2Stream.cc in poppler 0.74.0.
**Command** - pdfseparate -f 1 -l 2 $POC res-%d.pdf
**POC** - [REPRODUCER](https://github.com/SegfaultMasters/covering360/blob/master/poppler/URL7_POC?raw=true)
**Debug** -
**GDB** -
```
[ Legend: Modified register | Code | Heap | Stack | String ]
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ registers ]────
$rax : 0x1
$rbx : 0x11
$rcx : 0x619000001500 → 0x004e00330038003d ("="?)
$rdx : 0x0
$rsp : 0x7fffffffb858 → 0x00007ffff6731a83 → <JBIG2Stream::readGenericBitmap(bool,+0> mov DWORD PTR [rbp-0x104], eax
$rbp : 0x7fffffffba10 → 0x00007fffffffbf90 → 0x00007fffffffc1d0 → 0x00007fffffffc200 → 0x00007fffffffc520 → 0x00007fffffffc780 → 0x00007fffffffc910 → 0x00007fffffffca20
$rsi : 0x7
$rdi : 0x2
$rip : 0x7ffff6716411 → <JArithmeticDecoder::decodeBit(unsigned+0> ret
$r8 : 0x5b
$r9 : 0x10007d307e93 → 0xfafafafafafafa02
$r10 : 0x4032
$r11 : 0x202
$r12 : 0x7fffffffb980 → 0x0000000041b58ab3
$r13 : 0xffffffff730 → 0x0000000000000000
$r14 : 0x7fffe97eb800 → 0xffffffffffffffff
$r15 : 0x7fffffffb980 → 0x0000000041b58ab3
$eflags: [zero carry PARITY adjust SIGN trap INTERRUPT direction overflow resume virtualx86 identification]
$ss: 0x002b $fs: 0x0000 $es: 0x0000 $cs: 0x0033 $gs: 0x0000 $ds: 0x0000
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ stack ]────
0x00007fffffffb858│+0x00: 0x00007ffff6731a83 → <JBIG2Stream::readGenericBitmap(bool,+0> mov DWORD PTR [rbp-0x104], eax ← $rsp
0x00007fffffffb860│+0x08: 0x0000000000000000
0x00007fffffffb868│+0x10: 0x00007fffffffbf20 → 0x00000000ffffffd8 → 0x0000000000000000
0x00007fffffffb870│+0x18: 0x00007fffffffbee0 → 0x0000000000000000
0x00007fffffffb878│+0x20: 0x0000000000000000
0x00007fffffffb880│+0x28: 0x0000000000000000
0x00007fffffffb888│+0x30: 0x0000001700000002 → 0x0000000000000000
0x00007fffffffb890│+0x38: 0x0000000000033676
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ code:i386:x86-64 ]────
0x7ffff6716408 <JArithmeticDecoder::decodeBit(unsigned+0> jmp 0x7ffff67162df <JArithmeticDecoder::decodeBit(unsigned int, JArithmeticDecoderStats*)+2579>
0x7ffff671640d <JArithmeticDecoder::decodeBit(unsigned+0> mov eax, DWORD PTR [rbp-0x10]
0x7ffff6716410 <JArithmeticDecoder::decodeBit(unsigned+0> leave
→ 0x7ffff6716411 <JArithmeticDecoder::decodeBit(unsigned+0> ret
↳ 0x7ffff6731a83 <JBIG2Stream::readGenericBitmap(bool,+0> mov DWORD PTR [rbp-0x104], eax
0x7ffff6731a89 <JBIG2Stream::readGenericBitmap(bool,+0> cmp DWORD PTR [rbp-0x104], 0x0
0x7ffff6731a90 <JBIG2Stream::readGenericBitmap(bool,+0> setne al
0x7ffff6731a93 <JBIG2Stream::readGenericBitmap(bool,+0> test al, al
0x7ffff6731a95 <JBIG2Stream::readGenericBitmap(bool,+0> je 0x7ffff6731b48 <JBIG2Stream::readGenericBitmap(bool, int, int, int, bool, bool, JBIG2Bitmap*, int*, int*, int)+21084>
0x7ffff6731a9b <JBIG2Stream::readGenericBitmap(bool,+0> mov rax, QWORD PTR [rbp-0xd0]
──────────────────────────────────────────────────────────────────────────────────────────────────────────────[ source:/home/aceteam/Desktop/packages/poppler-master/poppler/JArithmeticDecoder.cc+230 ]────
225 c <<= 1;
226 --ct;
227 } while (!(a & 0x80000000));
228 }
229 return bit;
→ 230 }
231
232 int JArithmeticDecoder::decodeByte(unsigned int context,
233 JArithmeticDecoderStats *stats) {
234 int byte;
235 int i;
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ threads ]────
[#0] Id 1, Name: "pdfseparate", stopped, reason: SIGINT
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ trace ]────
[#0] 0x7ffff6716411 → Name: JArithmeticDecoder::decodeBit(this=0x604000001a50, context=0xaa, stats=0x602000024bb0)
[#1] 0x7ffff6731a83 → Name: JBIG2Stream::readGenericBitmap(this=0x612000000340, mmr=0x0, w=0x33676, h=0x17, templ=0x2, tpgdOn=0x0, useSkip=0x0, skip=0x0, atx=0x7fffffffbee0, aty=0x7fffffffbf20, mmrDataLength=0x0)
[#2] 0x7ffff6722b0f → Name: JBIG2Stream::readSymbolDictSeg(this=0x612000000340, segNum=0x686c73ac, length=0x7f41d7d0, refSegs=0x0, nRefSegs=0x0)
[#3] 0x7ffff671f5a2 → Name: JBIG2Stream::readSegments(this=0x612000000340)
[#4] 0x7ffff671e351 → Name: JBIG2Stream::reset(this=0x612000000340)
[#5] 0x7ffff68295a5 → Name: XRef::readXRefStream(this=0x6120000001c0, xrefStr=0x612000000340, pos=0x612000000278)
[#6] 0x7ffff68273d3 → Name: XRef::readXRef(this=0x6120000001c0, pos=0x612000000278, followedXRefStm=0x7fffffffc8a0, xrefStreamObjsNum=0x0)
[#7] 0x7ffff6824ab8 → Name: XRef::XRef(this=0x6120000001c0, strA=0x613000000040, pos=0x74, mainXRefEntriesOffsetA=0x0, wasReconstructed=0x7fffffffc970, reconstruct=0x0)
[#8] 0x7ffff676aba3 → Name: PDFDoc::setup(this=0x610000000040, ownerPassword=0x0, userPassword=0x0)
[#9] 0x7ffff676a492 → Name: PDFDoc::PDFDoc(this=0x610000000040, fileNameA=0x60300000e020, ownerPassword=0x0, userPassword=0x0, guiDataA=0x0)
```