Integer overflow causes OOB in PostScript module
Hi, I wrote a fuzzer to fuzz the PostScript module. Here is the crash:
Running: ./new-crash/crash-ae468b455a5742af1c43149288b28cce88994594
Syntax Error: Type mismatch in PostScript function
Syntax Error: Type mismatch in PostScript function
Syntax Error: Type mismatch in PostScript function
Syntax Error: Type mismatch in PostScript function
Syntax Error: Type mismatch in PostScript function
Syntax Error: Type mismatch in PostScript function
Syntax Error: Type mismatch in PostScript function
Syntax Error: Type mismatch in PostScript function
Syntax Error: Type mismatch in PostScript function
Thread 1 "genPdfFile" received signal SIGSEGV, Segmentation fault.
0x00007ffff766ab4a in PSStack::topTwoAreInts (this=0x7fffffffc9c0) at /home/hauly/SourceCode/poppler/current_poppler/poppler/Function.cc:1013
1013 stack[sp].type == psInt &&
(gdb) p sp
$1 = -2147483574
ASan output:
AddressSanitizer:DEADLYSIGNAL
=================================================================
==4217==ERROR: AddressSanitizer: SEGV on unknown address 0x7ff504b9c9f0 (pc 0x7f2228030603 bp 0x7ffd04b9c9b0 sp 0x7ffd04b9c880 T0)
==4217==The signal is caused by a READ memory access.
#0 0x7f2228030602 in PSStack::topTwoAreInts() /home/hauly/SourceCode/poppler/current_poppler/poppler/Function.cc
#1 0x7f2228030602 in PostScriptFunction::exec(PSStack*, int) const /home/hauly/SourceCode/poppler/current_poppler/poppler/Function.cc:1570:13
#2 0x7f222802db93 in PostScriptFunction::transform(double const*, double*) const /home/hauly/SourceCode/poppler/current_poppler/poppler/Function.cc:1230:3
#3 0x7f222802a050 in PostScriptFunction::PostScriptFunction(Object*, Dict*) /home/hauly/SourceCode/poppler/current_poppler/poppler/Function.cc:1180:3
#4 0x7f222801b865 in Function::parse(Object*, std::set<int, std::less<int>, std::allocator<int> >*) /home/hauly/SourceCode/poppler/current_poppler/poppler/Function.cc:92:16
#5 0x7f222801b46a in Function::parse(Object*) /home/hauly/SourceCode/poppler/current_poppler/poppler/Function.cc:59:10
#6 0x55511d in fuzz(char*, unsigned long) /home/hauly/Jetbrains-Project/clion-project/PopplerFuzz/simpleFuzzer/FuzzFunctionObject/writePdfFile.cpp:189:22
#7 0x555732 in LLVMFuzzerTestOneInput /home/hauly/Jetbrains-Project/clion-project/PopplerFuzz/simpleFuzzer/FuzzFunctionObject/writePdfFile.cpp:201:12
#8 0x45afb1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /home/nnelson/Documents/llvm-project/llvm/utils/release/final/llvm.src/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:553:15
#9 0x4458d1 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /home/nnelson/Documents/llvm-project/llvm/utils/release/final/llvm.src/projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:292:6
#10 0x44b49e in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /home/nnelson/Documents/llvm-project/llvm/utils/release/final/llvm.src/projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:775:9
#11 0x4749e2 in main /home/nnelson/Documents/llvm-project/llvm/utils/release/final/llvm.src/projects/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
#12 0x7f222782fb6a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x26b6a)
#13 0x41f729 in _start (/home/hauly/Jetbrains-Project/clion-project/PopplerFuzz/cmake-build-debug/simpleFuzzer/FuzzFunctionObject/genPdfFile+0x41f729)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/hauly/SourceCode/poppler/current_poppler/poppler/Function.cc in PSStack::topTwoAreInts()
==4217==ABORTING
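As an added illustration of the failure mode in the trace above (a stack index that has gone negative being used to read stack[sp] in topTwoAreInts), here is a constructed, simplified operand-stack model with the checks that prevent it. This is example code written for this report, not poppler's PSStack; the struct, field and function names, and the stack size, are assumptions chosen to mirror the trace.

```c
#include <limits.h>
#include <stdbool.h>

/* Constructed, simplified model of a PostScript operand stack (not poppler's code). */
#define PS_STACK_SIZE 100

typedef enum { psBool, psInt, psReal } PSObjectType;

typedef struct {
    PSObjectType type;
    double value;
} PSObject;

typedef struct {
    PSObject stack[PS_STACK_SIZE];
    int sp;   /* index of the top element; grows downward, PS_STACK_SIZE == empty */
} PSStack;

void ps_init(PSStack *s) { s->sp = PS_STACK_SIZE; }

/* Push refuses when full instead of writing through a negative index. */
bool ps_push_int(PSStack *s, int v) {
    if (s->sp <= 0) return false;          /* no room left */
    s->sp--;
    s->stack[s->sp].type = psInt;
    s->stack[s->sp].value = v;
    return true;
}

/* Hardened form of the check that faulted in the report: sp is range-checked
 * before stack[sp] and stack[sp + 1] are touched, so a wrapped/negative sp
 * (the trace shows sp == -2147483574) yields false instead of an OOB read. */
bool ps_top_two_are_ints(const PSStack *s) {
    if (s->sp < 0 || s->sp >= PS_STACK_SIZE - 1) return false;  /* need two valid slots */
    return s->stack[s->sp].type == psInt && s->stack[s->sp + 1].type == psInt;
}

/* Moving sp by an operand count read from the file (index/roll/pop-n style ops):
 * reject signed overflow of the addition and any result outside the array,
 * rather than letting sp silently wrap to a huge negative value. */
bool ps_adjust_sp(PSStack *s, int n) {
    int new_sp;
    if (__builtin_add_overflow(s->sp, n, &new_sp)) return false;  /* int wrap-around */
    if (new_sp < 0 || new_sp > PS_STACK_SIZE) return false;       /* leaves the stack */
    s->sp = new_sp;
    return true;
}
```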