heap buffer overflow in ArthurOutputDev::drawChar
Rendering the second page of this file, bug-poppler51369.pdf, triggers a heap buffer overflow on an ASan build of poppler master.
==8318==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200107259c at pc 0x7f01ee52866a bp 0x7ffd485f7090 sp 0x7ffd485f7088
READ of size 4 at 0x60200107259c thread T0
#0 0x7f01ee528669 in ArthurOutputDev::drawChar(GfxState*, double, double, double, double, double, double, unsigned int, int, unsigned int*, int) /home/tsdgeos/devel/poppler/qt5/src/ArthurOutputDev.cc:943:42
#1 0x7f01ecc3ef78 in Gfx::doShowText(GooString const*) /home/tsdgeos/devel/poppler/poppler/Gfx.cc:4041:14
#2 0x7f01ecbea4df in Gfx::opShowSpaceText(Object*, int) /home/tsdgeos/devel/poppler/poppler/Gfx.cc:3859:7
#3 0x7f01ecc02de8 in Gfx::execOp(Object*, Object*, int) /home/tsdgeos/devel/poppler/poppler/Gfx.cc:876:3
#4 0x7f01ecc01b15 in Gfx::go(bool) /home/tsdgeos/devel/poppler/poppler/Gfx.cc:752:7
#5 0x7f01ecc01289 in Gfx::display(Object*, bool) /home/tsdgeos/devel/poppler/poppler/Gfx.cc:714:3
#6 0x7f01ece3112a in Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /home/tsdgeos/devel/poppler/poppler/Page.cc:548:10
#7 0x7f01ece445a5 in PDFDoc::displayPageSlice(OutputDev*, int, double, double, int, bool, bool, bool, int, int, int, int, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /home/tsdgeos/devel/poppler/poppler/PDFDoc.cc:664:20
#8 0x7f01ee4df03b in Poppler::renderToArthur(Poppler::QImageDumpingArthurOutputDev*, QPainter*, Poppler::PageData*, double, double, int, int, int, int, Poppler::Page::Rotation, QFlags<Poppler::Page::PainterFlag>) /home/tsdgeos/devel/poppler/qt5/src/poppler-page.cc:491:25
#9 0x7f01ee4dd8c6 in Poppler::Page::renderToImage(double, double, int, int, int, int, Poppler::Page::Rotation, void (*)(QImage const&, QVariant const&), bool (*)(QVariant const&), bool (*)(QVariant const&), QVariant const&) const /home/tsdgeos/devel/poppler/qt5/src/poppler-page.cc:622:7
#10 0x7f01ee4dc351 in Poppler::Page::renderToImage(double, double, int, int, int, int, Poppler::Page::Rotation, void (*)(QImage const&, QVariant const&), bool (*)(QVariant const&), QVariant const&) const /home/tsdgeos/devel/poppler/qt5/src/poppler-page.cc:519:10
#11 0x7f01ee4dc1c7 in Poppler::Page::renderToImage(double, double, int, int, int, int, Poppler::Page::Rotation) const /home/tsdgeos/devel/poppler/qt5/src/poppler-page.cc:514:10
0x60200107259c is located 5 bytes to the right of 7-byte region [0x602001072590,0x602001072597)
freed by thread T0 here:
#0 0x55e0328c1fe1 in free (/home/tsdgeos/devel/poppler/build-asan-ubsan/qt5/tests/test-render-to-file-qt5+0xf4fe1)
#1 0x7f01ece131eb in gfree(void*) /home/tsdgeos/devel/poppler/goo/gmem.h:61:5
#2 0x7f01ece131eb in Object::free() /home/tsdgeos/devel/poppler/poppler/Object.cc:102
#3 0x7f01ece38b91 in Object::~Object() /home/tsdgeos/devel/poppler/poppler/Object.h:153:15
#4 0x7f01ece38b91 in Parser::~Parser() /home/tsdgeos/devel/poppler/poppler/Parser.cc:58
#5 0x7f01ecf8045d in XRef::fetch(int, int, int) /home/tsdgeos/devel/poppler/poppler/XRef.cc:1133:5
#6 0x7f01ece12fc1 in Object::fetch(XRef*, int) const /home/tsdgeos/devel/poppler/poppler/Object.cc:92:16
#7 0x7f01ecc6f76e in GfxFont::readEmbFontFile(XRef*, int*) /home/tsdgeos/devel/poppler/poppler/GfxFont.cc:822:22
#8 0x7f01ee51ea16 in ArthurOutputDev::updateFont(GfxState*) /home/tsdgeos/devel/poppler/qt5/src/ArthurOutputDev.cc:551:29
#9 0x7f01ecbea116 in Gfx::opShowSpaceText(Object*, int) /home/tsdgeos/devel/poppler/poppler/Gfx.cc:3838:10
#10 0x7f01ecc02de8 in Gfx::execOp(Object*, Object*, int) /home/tsdgeos/devel/poppler/poppler/Gfx.cc:876:3
#11 0x7f01ecc01b15 in Gfx::go(bool) /home/tsdgeos/devel/poppler/poppler/Gfx.cc:752:7
#12 0x7f01ecc01289 in Gfx::display(Object*, bool) /home/tsdgeos/devel/poppler/poppler/Gfx.cc:714:3
#13 0x7f01ece3112a in Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /home/tsdgeos/devel/poppler/poppler/Page.cc:548:10
#14 0x7f01ece445a5 in PDFDoc::displayPageSlice(OutputDev*, int, double, double, int, bool, bool, bool, int, int, int, int, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /home/tsdgeos/devel/poppler/poppler/PDFDoc.cc:664:20
#15 0x7f01ee4df03b in Poppler::renderToArthur(Poppler::QImageDumpingArthurOutputDev*, QPainter*, Poppler::PageData*, double, double, int, int, int, int, Poppler::Page::Rotation, QFlags<Poppler::Page::PainterFlag>) /home/tsdgeos/devel/poppler/qt5/src/poppler-page.cc:491:25
#16 0x7f01ee4dd8c6 in Poppler::Page::renderToImage(double, double, int, int, int, int, Poppler::Page::Rotation, void (*)(QImage const&, QVariant const&), bool (*)(QVariant const&), bool (*)(QVariant const&), QVariant const&) const /home/tsdgeos/devel/poppler/qt5/src/poppler-page.cc:622:7
#17 0x7f01ee4dc351 in Poppler::Page::renderToImage(double, double, int, int, int, int, Poppler::Page::Rotation, void (*)(QImage const&, QVariant const&), bool (*)(QVariant const&), QVariant const&) const /home/tsdgeos/devel/poppler/qt5/src/poppler-page.cc:519:10
#18 0x7f01ee4dc1c7 in Poppler::Page::renderToImage(double, double, int, int, int, int, Poppler::Page::Rotation) const /home/tsdgeos/devel/poppler/qt5/src/poppler-page.cc:514:10
previously allocated by thread T0 here:
#0 0x55e0328c23c9 in __interceptor_malloc (/home/tsdgeos/devel/poppler/build-asan-ubsan/qt5/tests/test-render-to-file-qt5+0xf53c9)
#1 0x7f01eca33ffc in gmalloc(unsigned long, bool) /home/tsdgeos/devel/poppler/goo/gmem.h:41:17
#2 0x7f01eca33ffc in copyString(char const*) /home/tsdgeos/devel/poppler/goo/gmem.h:169
#3 0x7f01ecad9b57 in Object::Object(ObjType, char const*) /home/tsdgeos/devel/poppler/poppler/Object.h:166:93
#4 0x7f01ecdf386f in Lexer::getObj(int) /home/tsdgeos/devel/poppler/poppler/Lexer.cc
#5 0x7f01ece3be85 in Parser::shift(char const*, int) /home/tsdgeos/devel/poppler/poppler/Parser.cc:348:19
#6 0x7f01ece3b012 in Parser::makeStream(Object&&, unsigned char*, CryptAlgorithm, int, int, int, int, bool) /home/tsdgeos/devel/poppler/poppler/Parser.cc:264:3
#7 0x7f01ece39b7d in Parser::getObj(bool, unsigned char*, CryptAlgorithm, int, int, int, int, bool) /home/tsdgeos/devel/poppler/poppler/Parser.cc:134:34
#8 0x7f01ecf80447 in XRef::fetch(int, int, int) /home/tsdgeos/devel/poppler/poppler/XRef.cc:1131:26
#9 0x7f01ece12fc1 in Object::fetch(XRef*, int) const /home/tsdgeos/devel/poppler/poppler/Object.cc:92:16
#10 0x7f01ecc6f76e in GfxFont::readEmbFontFile(XRef*, int*) /home/tsdgeos/devel/poppler/poppler/GfxFont.cc:822:22
#11 0x7f01ee51ea16 in ArthurOutputDev::updateFont(GfxState*) /home/tsdgeos/devel/poppler/qt5/src/ArthurOutputDev.cc:551:29
#12 0x7f01ecbea116 in Gfx::opShowSpaceText(Object*, int) /home/tsdgeos/devel/poppler/poppler/Gfx.cc:3838:10
#13 0x7f01ecc02de8 in Gfx::execOp(Object*, Object*, int) /home/tsdgeos/devel/poppler/poppler/Gfx.cc:876:3
#14 0x7f01ecc01b15 in Gfx::go(bool) /home/tsdgeos/devel/poppler/poppler/Gfx.cc:752:7
#15 0x7f01ecc01289 in Gfx::display(Object*, bool) /home/tsdgeos/devel/poppler/poppler/Gfx.cc:714:3
#16 0x7f01ece3112a in Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /home/tsdgeos/devel/poppler/poppler/Page.cc:548:10
#17 0x7f01ece445a5 in PDFDoc::displayPageSlice(OutputDev*, int, double, double, int, bool, bool, bool, int, int, int, int, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /home/tsdgeos/devel/poppler/poppler/PDFDoc.cc:664:20
#18 0x7f01ee4df03b in Poppler::renderToArthur(Poppler::QImageDumpingArthurOutputDev*, QPainter*, Poppler::PageData*, double, double, int, int, int, int, Poppler::Page::Rotation, QFlags<Poppler::Page::PainterFlag>) /home/tsdgeos/devel/poppler/qt5/src/poppler-page.cc:491:25
#19 0x7f01ee4dd8c6 in Poppler::Page::renderToImage(double, double, int, int, int, int, Poppler::Page::Rotation, void (*)(QImage const&, QVariant const&), bool (*)(QVariant const&), bool (*)(QVariant const&), QVariant const&) const /home/tsdgeos/devel/poppler/qt5/src/poppler-page.cc:622:7
#20 0x7f01ee4dc351 in Poppler::Page::renderToImage(double, double, int, int, int, int, Poppler::Page::Rotation, void (*)(QImage const&, QVariant const&), bool (*)(QVariant const&), QVariant const&) const /home/tsdgeos/devel/poppler/qt5/src/poppler-page.cc:519:10
#21 0x7f01ee4dc1c7 in Poppler::Page::renderToImage(double, double, int, int, int, int, Poppler::Page::Rotation) const /home/tsdgeos/devel/poppler/qt5/src/poppler-page.cc:514:10