jhcloos / xpdf
License: GNU General Public License v2.0
Xpdf
====

version 3.04
2014-may-28

The Xpdf software and documentation are
copyright 1996-2014 Glyph & Cog, LLC.

Email: [email protected]
WWW: http://www.foolabs.com/xpdf/

The PDF data structures, operators, and specification are
copyright 1985-2006 Adobe Systems Inc.

What is Xpdf?
-------------

Xpdf is an open source viewer for Portable Document Format (PDF) files. (These are sometimes also called 'Acrobat' files, from the name of Adobe's PDF software.) The Xpdf project also includes a PDF text extractor, PDF-to-PostScript converter, and various other utilities.

Xpdf runs under the X Window System on UNIX and OS/2. The non-X components (pdftops, pdftotext, etc.) also run on Windows and Mac OSX systems and should run on pretty much any system with a decent C++ compiler.

Xpdf will run on 32-bit and 64-bit machines.

License & Distribution
----------------------

Xpdf is licensed under the GNU General Public License (GPL), version 2 or 3. This means that you can distribute derivatives of Xpdf under any of the following:

  - GPL v2 only
  - GPL v3 only
  - GPL v2 or v3

The Xpdf source package includes the text of both GPL versions: COPYING for GPL v2, COPYING3 for GPL v3.

Please note that Xpdf is NOT licensed under "any later version" of the GPL, as I have no idea what those versions will look like.

If you are redistributing unmodified copies of Xpdf (or any of the Xpdf tools) in binary form, you need to include all of the documentation: README, man pages (or help files), COPYING, and COPYING3.

If you want to incorporate the Xpdf source code into another program (or create a modified version of Xpdf), and you are distributing that program, you have two options: release your program under the GPL (v2 and/or v3), or purchase a commercial Xpdf source license. If you're interested in commercial licensing, please see the Glyph & Cog web site:

    http://www.glyphandcog.com/

Compatibility
-------------

Xpdf is developed and tested on Linux.
In addition, it has been compiled by others on Solaris, AIX, HP-UX, Digital Unix, Irix, and numerous other Unix implementations, as well as OS/2. It should work on pretty much any system which runs X11 and has Unix-like libraries.

You'll need ANSI C++ and C compilers to compile it.

The non-X components of Xpdf (pdftops, pdftotext, pdfinfo, pdffonts, pdfdetach, pdftoppm, and pdfimages) can also be compiled on Windows and Mac OSX systems. See the Xpdf web page for details.

If you compile Xpdf for a system not listed on the web page, please let me know. If you're willing to make your binary available by ftp or on the web, I'll be happy to add a link from the Xpdf web page. I have decided not to host any binaries I didn't compile myself (for disk space and support reasons).

If you can't get Xpdf to compile on your system, send me email and I'll try to help.

Xpdf has been ported to the Acorn, Amiga, BeOS, and EPOC. See the Xpdf web page for links.

Getting Xpdf
------------

The latest version is available from:

    http://www.foolabs.com/xpdf/

or:

    ftp://ftp.foolabs.com/pub/xpdf/

Source code and several precompiled executables are available.

Announcements of new versions are posted to comp.text.pdf and emailed to a list of people. If you'd like to receive email notification of new versions, just let me know.
Running Xpdf
------------

To run xpdf, simply type:

    xpdf file.pdf

To generate a PostScript file, hit the "print" button in xpdf, or run pdftops:

    pdftops file.pdf

To generate a plain text file, run pdftotext:

    pdftotext file.pdf

There are five additional utilities (which are fully described in their man pages):

    pdfinfo -- dumps a PDF file's Info dictionary (plus some other useful information)
    pdffonts -- lists the fonts used in a PDF file along with various information for each font
    pdfdetach -- lists or extracts embedded files (attachments) from a PDF file
    pdftoppm -- converts a PDF file to a series of PPM/PGM/PBM-format bitmaps
    pdfimages -- extracts the images from a PDF file

Command line options and many other details are described in the man pages: xpdf(1), etc.

All of these utilities read an optional configuration file: see the xpdfrc(5) man page.

Upgrading from Xpdf 3.02 (and earlier)
--------------------------------------

The font configuration system has been changed. Previous versions used mostly separate commands to configure fonts for display and for PostScript output. As of 3.03, configuration options that make sense for both display and PS output have been unified.

The following xpdfrc commands have been removed:

  * displayFontT1, displayFontTT: replaced with fontFile
  * displayNamedCIDFontT1, displayNamedCIDFontTT: replaced with fontFile
  * displayCIDFontT1, displayCIDFontTT: replaced with fontFileCC
  * psFont: replaced with psResidentFont
  * psNamedFont16: replaced with psResidentFont16
  * psFont16: replaced with psResidentFontCC

See the xpdfrc(5) man page for more information on the new commands.

Pdftops will now embed external 16-bit fonts (configured with the fontFileCC command) when the PDF file refers to a non-embedded font. It does not do any subsetting (yet), so the resulting PS files will be large.

Compiling Xpdf
--------------

See the separate file, INSTALL.
Bugs
----

If you find a bug in Xpdf, i.e., if it prints an error message, crashes, or incorrectly displays a document, and you don't see that bug listed here, please send me email, with a pointer (URL, ftp site, etc.) to the PDF file.

Third-Party Libraries
---------------------

Xpdf uses the following libraries:

  * FreeType [http://www.freetype.org/]
  * libpng [http://www.libpng.com/pub/png/libpng.html] (used by pdftohtml)
  * zlib [http://zlib.net/] (used by pdftohtml)

Acknowledgments
---------------

Thanks to:

  * Patrick Voigt for help with the remote server code.
  * Patrick Moreau, Martin P.J. Zinser, and David Mathog for the VMS port.
  * David Boldt and Rick Rodgers for sample man pages.
  * Brendan Miller for the icon idea.
  * Olly Betts for help testing pdftotext.
  * Peter Ganten for the OS/2 port.
  * Michael Richmond for the Win32 port of pdftops and pdftotext and the xpdf/cygwin/XFree86 build instructions.
  * Frank M. Siegert for improvements in the PostScript code.
  * Leo Smiers for the decryption patches.
  * Rainer Menzner for creating t1lib, and for helping me adapt it to xpdf.
  * Pine Tree Systems A/S for funding the OPI and EPS support in pdftops.
  * Easy Software Products for funding several improvements to the PostScript output code.
  * Tom Kacvinsky for help with FreeType and for being my interface to the FreeType team.
  * Theppitak Karoonboonyanan for help with Thai support.
  * Leonard Rosenthol for help and contributions on a bunch of things.
  * Alexandros Diamantidis and Maria Adaloglou for help with Greek support.
  * Lawrence Lai for help with the CJK Unicode maps.

Various people have contributed modifications made for use by the pdftex project:

  * Han The Thanh
  * Martin Schröder of ArtCom GmbH

References
----------

Adobe Systems Inc., _PDF Reference, sixth edition: Adobe Portable Document Format version 1.7_.
http://www.adobe.com/devnet/pdf/pdf_reference.html
[The manual for PDF version 1.7.]
Adobe Systems Inc., "Errata for the PDF Reference, sixth edition, version 1.7", October 16, 2006.
http://www.adobe.com/devnet/pdf/pdf_reference.html
[The errata for the PDF 1.7 spec.]

Adobe Systems Inc., _PostScript Language Reference_, 3rd ed. Addison-Wesley, 1999, ISBN 0-201-37922-8.
[The official PostScript manual.]

Adobe Systems, Inc., _The Type 42 Font Format Specification_, Adobe Developer Support Technical Specification #5012. 1998.
http://partners.adobe.com/asn/developer/pdfs/tn/5012.Type42_Spec.pdf
[Type 42 is the format used to embed TrueType fonts in PostScript files.]

Adobe Systems, Inc., _Adobe CMap and CIDFont Files Specification_, Adobe Developer Support Technical Specification #5014. 1995.
http://www.adobe.com/supportservice/devrelations/PDFS/TN/5014.CIDFont_Spec.pdf
[CMap file format needed for Japanese and Chinese font support.]

Adobe Systems, Inc., _Adobe-Japan1-4 Character Collection for CID-Keyed Fonts_, Adobe Developer Support Technical Note #5078. 2000.
http://partners.adobe.com/asn/developer/PDFS/TN/5078.CID_Glyph.pdf
[The Adobe Japanese character set.]

Adobe Systems, Inc., _Adobe-GB1-4 Character Collection for CID-Keyed Fonts_, Adobe Developer Support Technical Note #5079. 2000.
http://partners.adobe.com/asn/developer/pdfs/tn/5079.Adobe-GB1-4.pdf
[The Adobe Chinese GB (simplified) character set.]

Adobe Systems, Inc., _Adobe-CNS1-3 Character Collection for CID-Keyed Fonts_, Adobe Developer Support Technical Note #5080. 2000.
http://partners.adobe.com/asn/developer/PDFS/TN/5080.CNS_CharColl.pdf
[The Adobe Chinese CNS (traditional) character set.]

Adobe Systems Inc., _Supporting the DCT Filters in PostScript Level 2_, Adobe Developer Support Technical Note #5116. 1992.
http://www.adobe.com/supportservice/devrelations/PDFS/TN/5116.PS2_DCT.PDF
[Description of the DCTDecode filter parameters.]

Adobe Systems Inc., _Open Prepress Interface (OPI) Specification - Version 2.0_, Adobe Developer Support Technical Note #5660. 2000.
http://partners.adobe.com/asn/developer/PDFS/TN/5660.OPI_2.0.pdf

Adobe Systems Inc., CMap files.
ftp://ftp.oreilly.com/pub/examples/nutshell/cjkv/adobe/
[The actual CMap files for the 16-bit CJK encodings.]

Adobe Systems Inc., Unicode glyph lists.
http://partners.adobe.com/asn/developer/type/unicodegn.html
http://partners.adobe.com/asn/developer/type/glyphlist.txt
http://partners.adobe.com/asn/developer/type/corporateuse.txt
http://partners.adobe.com/asn/developer/type/zapfdingbats.txt
[Mappings from character names to Unicode.]

Adobe Systems Inc., OpenType Specification v. 1.4.
http://partners.adobe.com/public/developer/opentype/index_spec.html
[The OpenType font format spec.]

Aldus Corp., _OPI: Open Prepress Interface Specification 1.3_. 1993.
http://partners.adobe.com/asn/developer/PDFS/TN/OPI_13.pdf

Anonymous, RC4 source code.
ftp://ftp.ox.ac.uk/pub/crypto/misc/rc4.tar.gz
ftp://idea.sec.dsi.unimi.it/pub/crypt/code/rc4.tar.gz
[This is the algorithm used to encrypt PDF files (AES is also used from PDF 1.6 onwards; see below).]

T. Boutell, et al., "PNG (Portable Network Graphics) Specification, Version 1.0". RFC 2083.
[PDF uses the PNG filter algorithms.]

CCITT, "Information Technology - Digital Compression and Coding of Continuous-tone Still Images - Requirements and Guidelines", CCITT Recommendation T.81.
http://www.w3.org/Graphics/JPEG/
[The official JPEG spec.]

A. Chernov, "Registration of a Cyrillic Character Set". RFC 1489.
[Documentation for the KOI8-R Cyrillic encoding.]

Roman Czyborra, "The ISO 8859 Alphabet Soup".
http://czyborra.com/charsets/iso8859.html
[Documentation on the various ISO 8859 encodings.]

L. Peter Deutsch, "ZLIB Compressed Data Format Specification version 3.3". RFC 1950.
[Information on the general format used in FlateDecode streams.]

L. Peter Deutsch, "DEFLATE Compressed Data Format Specification version 1.3". RFC 1951.
[The definition of the compression algorithm used in FlateDecode streams.]

Morris Dworkin, "Recommendation for Block Cipher Modes of Operation", National Institute of Standards, NIST Special Publication 800-38A, 2001.
[The cipher block chaining (CBC) mode used with AES in PDF files.]

Federal Information Processing Standards Publication 197 (FIPS PUBS 197), "Advanced Encryption Standard (AES)", November 26, 2001.
[AES encryption, used in PDF 1.6.]

Jim Flowers, "X Logical Font Description Conventions", Version 1.5, X Consortium Standard, X Version 11, Release 6.1.
ftp://ftp.x.org/pub/R6.1/xc/doc/hardcopy/XLFD/xlfd.PS.Z
[The official specification of X font descriptors, including font transformation matrices.]

Foley, van Dam, Feiner, and Hughes, _Computer Graphics: Principles and Practice_, 2nd ed. Addison-Wesley, 1990, ISBN 0-201-12110-7.
[Colorspace conversion functions, Bezier spline math.]

Robert L. Hummel, _Programmer's Technical Reference: Data and Fax Communications_. Ziff-Davis Press, 1993, ISBN 1-56276-077-7.
[CCITT Group 3 and 4 fax decoding.]

ISO/IEC, _Information technology -- Lossy/lossless coding of bi-level images_. ISO/IEC 14492, First edition (2001-12-15).
http://webstore.ansi.org/
[The official JBIG2 standard. The final draft of this spec is available from http://www.jpeg.org/jbighomepage.html.]

ISO/IEC, _Information technology -- JPEG 2000 image coding system -- Part 1: Core coding system_. ISO/IEC 15444-1, First edition (2000-12-15).
http://webstore.ansi.org/
[The official JPEG 2000 standard. The final committee draft of this spec is available from http://www.jpeg.org/JPEG2000.html, but there were changes made to the bitstream format between that draft and the published spec.]

ITU, "Standardization of Group 3 facsimile terminals for document transmission", ITU-T Recommendation T.4, 1999.

ITU, "Facsimile coding schemes and coding control functions for Group 4 facsimile apparatus", ITU-T Recommendation T.6, 1993.
http://www.itu.int/
[The official Group 3 and 4 fax standards - used by the CCITTFaxDecode stream, as well as the JBIG2Decode stream.]

B. Kaliski, "PKCS #5: Password-Based Cryptography Specification, Version 2.0". RFC 2898.
[Defines the padding scheme used with AES encryption in PDF files.]

Christoph Loeffler, Adriaan Ligtenberg, George S. Moschytz, "Practical Fast 1-D DCT Algorithms with 11 Multiplications". IEEE Intl. Conf. on Acoustics, Speech & Signal Processing, 1989, 988-991.
[The fast IDCT algorithm used in the DCTDecode filter.]

Microsoft, _TrueType 1.0 Font Files_, rev. 1.66. 1995.
http://www.microsoft.com/typography/tt/tt.htm
[The TrueType font spec (in MS Word format, naturally).]

V. Ostromoukhov, R.D. Hersch, "Stochastic Clustered-Dot Dithering", Conf. Color Imaging: Device-Independent Color, Color Hardcopy, and Graphic Arts IV, 1999, SPIE Vol. 3648, 496-505.
http://diwww.epfl.ch/w3lsp/publications/colour/scd.html
[The stochastic dithering algorithm used in Xpdf.]

P. Peterlin, "ISO 8859-2 (Latin 2) Resources".
http://sizif.mf.uni-lj.si/linux/cee/iso8859-2.html
[This is a web page with all sorts of useful Latin-2 character set and font information.]

Charles Poynton, "Color FAQ".
http://www.inforamp.net/~poynton/ColorFAQ.html
[The mapping from the CIE 1931 (XYZ) color space to RGB.]

R. Rivest, "The MD5 Message-Digest Algorithm". RFC 1321.
[MD5 is used in PDF document encryption.]

Thai Industrial Standard, "Standard for Thai Character Codes for Computers", TIS-620-2533 (1990).
http://www.nectec.or.th/it-standards/std620/std620.htm
[The TIS-620 Thai encoding.]

Unicode Consortium, "Unicode Home Page".
http://www.unicode.org/
[Online copy of the Unicode spec.]

W3C Recommendation, "PNG (Portable Network Graphics) Specification Version 1.0".
http://www.w3.org/Graphics/PNG/
[Defines the PNG image predictor.]

Gregory K. Wallace, "The JPEG Still Picture Compression Standard".
ftp://ftp.uu.net/graphics/jpeg/wallace.ps.gz
[Good description of the JPEG standard. Also published in CACM, April 1991, and submitted to IEEE Transactions on Consumer Electronics.]

F. Yergeau, "UTF-8, a transformation format of ISO 10646". RFC 2279.
[A commonly used Unicode encoding.]
8id103_heap_buffer_overflow_in_readScan.zip
./pdftops -q [crash sample] /dev/null
=================================================================
==115797==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fcb48dd5800 at pc 0x00000074635f bp 0x7ffcc31156f0 sp 0x7ffcc31156e8
READ of size 4 at 0x7fcb48dd5800 thread T0
#0 0x74635e in DCTStream::readScan() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2549:18
#1 0x7401e0 in DCTStream::reset() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2257:7
#2 0x68912e in Object::streamReset() /home/bupt/Desktop/xpdf/xpdf/./Object.h:282:13
#3 0x68912e in Lexer::Lexer(XRef*, Object*) /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:74:12
#4 0x581714 in Gfx::display(Object*, int) /home/bupt/Desktop/xpdf/xpdf/Gfx.cc:641:33
#5 0x6a76a1 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:360:10
#6 0x6d5f6e in PSOutputDev::checkPageSlice(Page*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PSOutputDev.cc:3276:11
#7 0x6a7172 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:328:13
#8 0x6a6f81 in Page::display(OutputDev*, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:308:3
#9 0x6af9b4 in PDFDoc::displayPage(OutputDev*, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:384:27
#10 0x6af9b4 in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:397:5
#11 0x796d81 in main /home/bupt/Desktop/xpdf/xpdf/pdftops.cc:342:10
#12 0x7fcb4b949c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
#13 0x41d5d9 in _start (/home/bupt/Desktop/xpdf/xpdf/pdftops+0x41d5d9)
0x7fcb48dd5800 is located 0 bytes to the right of 131072-byte region [0x7fcb48db5800,0x7fcb48dd5800)
allocated by thread T0 here:
#0 0x4afba0 in malloc /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
#1 0x7aa7fa in gmalloc /home/bupt/Desktop/xpdf/goo/gmem.cc:102:13
#2 0x7aa7fa in gmallocn /home/bupt/Desktop/xpdf/goo/gmem.cc:168:10
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2549:18 in DCTStream::readScan()
Shadow bytes around the buggy address:
0x0ff9e91b2ab0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff9e91b2ac0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff9e91b2ad0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff9e91b2ae0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff9e91b2af0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ff9e91b2b00:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff9e91b2b10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff9e91b2b20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff9e91b2b30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff9e91b2b40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff9e91b2b50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==115797==ABORTING
Hi, in the latest version of this code [ps: commit id ffaf11c] I found something unusual.
./pdftops -q [crash sample] /dev/null
AddressSanitizer:DEADLYSIGNAL
=================================================================
==115909==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000751cdd bp 0x7fffab2f8a10 sp 0x7fffab2f8640 T0)
==115909==The signal is caused by a WRITE memory access.
==115909==Hint: address points to the zero page.
#0 0x751cdd in DCTStream::readMCURow() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2403:23
#1 0x750d6e in DCTStream::getChar() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2316:12
#2 0x6899e3 in Object::streamGetChar() /home/bupt/Desktop/xpdf/xpdf/./Object.h:288:20
#3 0x6899e3 in Lexer::getChar() /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:92:42
#4 0x6899e3 in Lexer::getObj(Object*) /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:124:14
#5 0x6a8fc5 in Parser::Parser(XRef*, Lexer*, int) /home/bupt/Desktop/xpdf/xpdf/Parser.cc:33:10
#6 0x581742 in Gfx::display(Object*, int) /home/bupt/Desktop/xpdf/xpdf/Gfx.cc:641:16
#7 0x6a76a1 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:360:10
#8 0x6d5f6e in PSOutputDev::checkPageSlice(Page*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PSOutputDev.cc:3276:11
#9 0x6a7172 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:328:13
#10 0x6a6f81 in Page::display(OutputDev*, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:308:3
#11 0x6af9b4 in PDFDoc::displayPage(OutputDev*, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:384:27
#12 0x6af9b4 in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:397:5
#13 0x796d81 in main /home/bupt/Desktop/xpdf/xpdf/pdftops.cc:342:10
#14 0x7fabd9c46c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
#15 0x41d5d9 in _start (/home/bupt/Desktop/xpdf/xpdf/pdftops+0x41d5d9)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2403:23 in DCTStream::readMCURow()
==115909==ABORTING
Hi there, I use my fuzzer for fuzzing the binary pdfimages, and this binary crashes with the following:
Syntax Error (2227): Unexpected end of file in flate stream
=================================================================
==2226711==ERROR: AddressSanitizer: global-buffer-overflow on address 0x55e91fe296ef at pc 0x55e91fa2428c bp 0x7ffdd3190680 sp 0x7ffdd3190670
READ of size 1 at 0x55e91fe296ef thread T0
#0 0x55e91fa2428b in PSTokenizer::getToken(char*, int, int*) /xpdf-master/xpdf/PSTokenizer.cc:72
#1 0x55e91f8fecec in CharCodeToUnicode::parseCMap1(int (*)(void*), void*, int) /xpdf-master/xpdf/CharCodeToUnicode.cc:264
#2 0x55e91f8fe97a in CharCodeToUnicode::parseCMap(GString*, int) /xpdf-master/xpdf/CharCodeToUnicode.cc:241
#3 0x55e91f95a1be in GfxFont::readToUnicodeCMap(Dict*, int, CharCodeToUnicode*) /xpdf-master/xpdf/GfxFont.cc:512
#4 0x55e91f9635f8 in GfxCIDFont::GfxCIDFont(XRef*, char*, Ref, GString*, GfxFontType, Ref, Dict*) /xpdf-master/xpdf/GfxFont.cc:1618
#5 0x55e91f95846f in GfxFont::makeFont(XRef*, char*, Ref, Dict*) /xpdf-master/xpdf/GfxFont.cc:194
#6 0x55e91f9674cd in GfxFontDict::GfxFontDict(XRef*, Ref*, Dict*) /xpdf-master/xpdf/GfxFont.cc:2001
#7 0x55e91f925d5c in GfxResources::GfxResources(XRef*, Dict*, GfxResources*) /xpdf-master/xpdf/Gfx.cc:291
#8 0x55e91f926dcc in Gfx::Gfx(PDFDoc*, OutputDev*, int, Dict*, double, double, PDFRectangle*, PDFRectangle*, int, int (*)(void*), void*) /xpdf-master/xpdf/Gfx.cc:508
#9 0x55e91fa1cc4f in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /xpdf-master/xpdf/Page.cc:356
#10 0x55e91fa1c53c in Page::display(OutputDev*, double, double, int, int, int, int, int (*)(void*), void*) /xpdf-master/xpdf/Page.cc:308
#11 0x55e91fa225fb in PDFDoc::displayPage(OutputDev*, int, double, double, int, int, int, int, int (*)(void*), void*) /xpdf-master/xpdf/PDFDoc.cc:384
#12 0x55e91fa22684 in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /xpdf-master/xpdf/PDFDoc.cc:397
#13 0x55e91fa70d19 in main /xpdf-master/xpdf/pdfimages.cc:138
#14 0x7f48c0353c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
#15 0x55e91f8e1739 in _start (/xpdf-master/xpdf/pdfimages+0xe1739)
0x55e91fe296ef is located 15 bytes to the right of global variable 'pdfDocEncoding' defined in 'PDFDocEncoding.cc:11:9' (0x55e91fe292e0) of size 1024
SUMMARY: AddressSanitizer: global-buffer-overflow /xpdf-master/xpdf/PSTokenizer.cc:72 in PSTokenizer::getToken(char*, int, int*)
Shadow bytes around the buggy address:
0x0abda3fbd280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0abda3fbd290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0abda3fbd2a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0abda3fbd2b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0abda3fbd2c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0abda3fbd2d0: 00 00 00 00 00 00 00 00 00 00 00 00 f9[f9]f9 f9
0x0abda3fbd2e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0abda3fbd2f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0abda3fbd300: 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9
0x0abda3fbd310: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0abda3fbd320: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==2226711==ABORTING
Ubuntu 18.04 (docker)
clang/clang++ 12.0.1
version: commit ffaf11c
export CC=gcc
export CXX=g++
export CFLAGS="-fsanitize=address -g"
export CXXFLAGS="-fsanitize=address -g"
./configure --disable-shared
make
Zhao Jiayu (NCNIPC)
Han Zheng (NCNIPC, Hexhive)
Yin Li, Xiaotong Jiao (NCNIPC of China)
Thanks for your time!
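The reports in this thread are raw AddressSanitizer dumps from the same ASan build, and the first thing a triager needs from them is a stable crash signature, so that the hundreds of samples a fuzzing run produces collapse to a handful of distinct bugs. The Python script below is an added example for this page; it is not xpdf code and not something the reporters posted. It parses the report lines shown above (the ERROR verdict, the READ/WRITE line, the frames, the "is located N bytes to the right of" region line and the allocation stack) and buckets reports by (verdict, top user frame, file:line). The SAMPLES are excerpts of three reports on this page with their stacks cut to a few frames; the function names, the RUNTIME_FUNCS filter and the dict layout are this example's own choices.

```python
# Added triage helper: not xpdf code and not from the reporters. It parses the
# kind of AddressSanitizer text quoted above into a crash signature and buckets
# duplicate reports; function and field names are this example's own choices.
import os
import re
from collections import defaultdict

ERROR_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+)")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at")
SIGNAL_RE = re.compile(r"signal is caused by a (?P<op>READ|WRITE) memory access")
FRAME_RE = re.compile(r"^\s*#\d+\s+0x[0-9a-fA-F]+\s+in\s+(?P<func>.*?)\s+(?P<loc>\S+)\s*$")
LOC_RE = re.compile(r"^(?P<file>.*?):(?P<line>\d+)(?::\d+)?$")
REGION_RE = re.compile(r"is located (?P<off>\d+) bytes to the (?P<side>left|right) of "
                       r"(?P<what>\d+-byte region|global variable '[^']+')")
# Runtime/libc frames never identify the bug, so the signature skips them.
RUNTIME_FUNCS = {"malloc", "calloc", "realloc", "free", "__libc_start_main", "_start"}


def parse_frame(line):
    """Turn one '#N 0x... in func file:line:col' line into a dict, or None."""
    m = FRAME_RE.match(line)
    if not m:
        return None
    loc = LOC_RE.match(m.group("loc"))  # frames without debug info carry no file:line
    return {"func": m.group("func"),
            "file": loc.group("file") if loc else None,
            "line": int(loc.group("line")) if loc else None}


def parse_asan_report(text):
    """Extract verdict, access type, region info, crash stack and allocation stack."""
    rep = {"kind": None, "op": None, "size": None, "null_deref": False,
           "region": None, "stack": [], "alloc_stack": []}
    frames = rep["stack"]
    for line in text.splitlines():
        if (m := ERROR_RE.search(line)):
            rep["kind"] = m.group("kind")  # heap-buffer-overflow, SEGV, ...
        elif (m := ACCESS_RE.match(line.strip())):
            rep["op"], rep["size"] = m.group("op"), int(m.group("size"))
        elif (m := SIGNAL_RE.search(line)):
            rep["op"] = m.group("op")  # SEGV reports name the access but not its size
        elif "points to the zero page" in line:
            rep["null_deref"] = True
        elif (m := REGION_RE.search(line)):
            rep["region"] = {"offset": int(m.group("off")), "side": m.group("side"),
                             "what": m.group("what")}
        elif "allocated by thread" in line or "freed by thread" in line:
            frames = rep["alloc_stack"]  # frames from here on describe the allocation
        elif (f := parse_frame(line)):
            frames.append(f)
    return rep


def top_user_frame(stack):
    """First frame with source info that is not sanitizer or libc plumbing."""
    for f in stack:
        if f["file"] and f["func"] not in RUNTIME_FUNCS:
            return f
    return None


def signature(rep, by_site_only=False):
    """Bucket key: (verdict, function, file:line), or file:line alone."""
    f = top_user_frame(rep["stack"])
    site = f"{os.path.basename(f['file'])}:{f['line']}" if f else "?"
    return (site,) if by_site_only else (rep["kind"], f["func"] if f else "?", site)


def bucket_reports(reports, by_site_only=False):
    buckets = defaultdict(list)
    for rep in reports:
        buckets[signature(rep, by_site_only)].append(rep)
    return dict(buckets)


# Constructed excerpts of three reports from this thread, stacks cut to a few frames.
SAMPLES = [
    """\
==115797==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fcb48dd5800 at pc 0x00000074635f
READ of size 4 at 0x7fcb48dd5800 thread T0
    #0 0x74635e in DCTStream::readScan() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2549:18
    #13 0x41d5d9 in _start (/home/bupt/Desktop/xpdf/xpdf/pdftops+0x41d5d9)
0x7fcb48dd5800 is located 0 bytes to the right of 131072-byte region [0x7fcb48db5800,0x7fcb48dd5800)
allocated by thread T0 here:
    #0 0x4afba0 in malloc /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
    #2 0x7aa7fa in gmallocn /home/bupt/Desktop/xpdf/goo/gmem.cc:168:10
""",
    """\
==115845==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000750afe bp 0x0c40000003cc sp 0x7ffd6a600d80 T0)
==115845==The signal is caused by a READ memory access.
==115845==Hint: address points to the zero page.
    #0 0x750afe in DCTStream::getChar() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2302:9
    #1 0x6899e3 in Object::streamGetChar() /home/bupt/Desktop/xpdf/xpdf/./Object.h:288:20
""",
    """\
==115941==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f54608ff800 at pc 0x000000750e7c
READ of size 4 at 0x7f54608ff800 thread T0
    #0 0x750e7b in DCTStream::getChar() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2302:9
    #4 0x6ab867 in Parser::getObj(Object*, int, unsigned char*, CryptAlgorithm, int, int, int, int) /home/bupt/Desktop/xpdf/xpdf/Parser.cc
0x7f54608ff800 is located 0 bytes to the right of 131072-byte region [0x7f54608df800,0x7f54608ff800)
""",
]

if __name__ == "__main__":
    for key, reps in bucket_reports([parse_asan_report(s) for s in SAMPLES]).items():
        print(len(reps), "x", *key)
```

Bucketing on (verdict, function, file:line) yields three buckets for the three samples. Bucketing on file:line alone merges the getChar() SEGV and the getChar() heap overflow, both at Stream.cc:2302, which is usually the right view when one source line produces different sanitizer verdicts depending on how far out of range the computed offset lands. The region line is worth keeping in the record: all three heap overflows in this thread are 4-byte reads exactly 0 bytes past the end of a gmallocn() buffer, which narrows the search to an index or size computation in the DCT decoder rather than a wild pointer.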
Hi, in the latest version of this code [ps: commit id ffaf11c] I found something unusual.
./pdftops -q [crash sample] /dev/null
AddressSanitizer:DEADLYSIGNAL
=================================================================
==115845==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000750afe bp 0x0c40000003cc sp 0x7ffd6a600d80 T0)
==115845==The signal is caused by a READ memory access.
==115845==Hint: address points to the zero page.
#0 0x750afe in DCTStream::getChar() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2302:9
#1 0x6899e3 in Object::streamGetChar() /home/bupt/Desktop/xpdf/xpdf/./Object.h:288:20
#2 0x6899e3 in Lexer::getChar() /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:92:42
#3 0x6899e3 in Lexer::getObj(Object*) /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:124:14
#4 0x6a8fc5 in Parser::Parser(XRef*, Lexer*, int) /home/bupt/Desktop/xpdf/xpdf/Parser.cc:33:10
#5 0x581742 in Gfx::display(Object*, int) /home/bupt/Desktop/xpdf/xpdf/Gfx.cc:641:16
#6 0x6a76a1 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:360:10
#7 0x6d5f6e in PSOutputDev::checkPageSlice(Page*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PSOutputDev.cc:3276:11
#8 0x6a7172 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:328:13
#9 0x6a6f81 in Page::display(OutputDev*, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:308:3
#10 0x6af9b4 in PDFDoc::displayPage(OutputDev*, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:384:27
#11 0x6af9b4 in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:397:5
#12 0x796d81 in main /home/bupt/Desktop/xpdf/xpdf/pdftops.cc:342:10
#13 0x7f558fd59c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
#14 0x41d5d9 in _start (/home/bupt/Desktop/xpdf/xpdf/pdftops+0x41d5d9)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2302:9 in DCTStream::getChar()
==115845==ABORTING
Hi, in the latest version of this code [ps: commit id ffaf11c] I found something unusual.
8id77_heap_buffer_overflow_in_decodeImage.zip
./pdftops -q [crash sample] /dev/null
=================================================================
==115925==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7ff6d61be800 at pc 0x0000007501b0 bp 0x7fff7ae393d0 sp 0x7fff7ae393c8
READ of size 4 at 0x7ff6d61be800 thread T0
#0 0x7501af in DCTStream::decodeImage() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2827:22
#1 0x7402bb in DCTStream::reset() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2261:5
#2 0x68912e in Object::streamReset() /home/bupt/Desktop/xpdf/xpdf/./Object.h:282:13
#3 0x68912e in Lexer::Lexer(XRef*, Object*) /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:74:12
#4 0x581714 in Gfx::display(Object*, int) /home/bupt/Desktop/xpdf/xpdf/Gfx.cc:641:33
#5 0x6a76a1 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:360:10
#6 0x6d5f6e in PSOutputDev::checkPageSlice(Page*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PSOutputDev.cc:3276:11
#7 0x6a7172 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:328:13
#8 0x6a6f81 in Page::display(OutputDev*, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:308:3
#9 0x6af9b4 in PDFDoc::displayPage(OutputDev*, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:384:27
#10 0x6af9b4 in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:397:5
#11 0x796d81 in main /home/bupt/Desktop/xpdf/xpdf/pdftops.cc:342:10
#12 0x7ff6d8d70c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
#13 0x41d5d9 in _start (/home/bupt/Desktop/xpdf/xpdf/pdftops+0x41d5d9)
0x7ff6d61be800 is located 0 bytes to the right of 245760-byte region [0x7ff6d6182800,0x7ff6d61be800)
allocated by thread T0 here:
#0 0x4afba0 in malloc /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
#1 0x7aa7fa in gmalloc /home/bupt/Desktop/xpdf/goo/gmem.cc:102:13
#2 0x7aa7fa in gmallocn /home/bupt/Desktop/xpdf/goo/gmem.cc:168:10
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2827:22 in DCTStream::decodeImage()
Shadow bytes around the buggy address:
0x0fff5ac2fcb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fff5ac2fcc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fff5ac2fcd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fff5ac2fce0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fff5ac2fcf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fff5ac2fd00:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fff5ac2fd10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fff5ac2fd20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fff5ac2fd30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fff5ac2fd40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fff5ac2fd50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==115925==ABORTING
Hi, in the latest version of this code [ps: commit id ffaf11c] I found something unusual.
8id93_heap_buffer_overflow_in_getChar.zip
./pdftops -q [crash sample] /dev/null
=================================================================
==115941==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f54608ff800 at pc 0x000000750e7c bp 0x7ffdad0d6050 sp 0x7ffdad0d6048
READ of size 4 at 0x7f54608ff800 thread T0
#0 0x750e7b in DCTStream::getChar() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2302:9
#1 0x6899e3 in Object::streamGetChar() /home/bupt/Desktop/xpdf/xpdf/./Object.h:288:20
#2 0x6899e3 in Lexer::getChar() /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:92:42
#3 0x6899e3 in Lexer::getObj(Object*) /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:124:14
#4 0x6ab867 in Parser::getObj(Object*, int, unsigned char*, CryptAlgorithm, int, int, int, int) /home/bupt/Desktop/xpdf/xpdf/Parser.cc
#5 0x582f60 in Gfx::go(int) /home/bupt/Desktop/xpdf/xpdf/Gfx.cc:757:13
#6 0x581775 in Gfx::display(Object*, int) /home/bupt/Desktop/xpdf/xpdf/Gfx.cc:642:3
#7 0x6a76a1 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:360:10
#8 0x6d5f6e in PSOutputDev::checkPageSlice(Page*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PSOutputDev.cc:3276:11
#9 0x6a7172 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:328:13
#10 0x6a6f81 in Page::display(OutputDev*, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:308:3
#11 0x6af9b4 in PDFDoc::displayPage(OutputDev*, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:384:27
#12 0x6af9b4 in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:397:5
#13 0x796d81 in main /home/bupt/Desktop/xpdf/xpdf/pdftops.cc:342:10
#14 0x7f5463589c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
#15 0x41d5d9 in _start (/home/bupt/Desktop/xpdf/xpdf/pdftops+0x41d5d9)
0x7f54608ff800 is located 0 bytes to the right of 131072-byte region [0x7f54608df800,0x7f54608ff800)
allocated by thread T0 here:
#0 0x4afba0 in malloc /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
#1 0x7aa7fa in gmalloc /home/bupt/Desktop/xpdf/goo/gmem.cc:102:13
#2 0x7aa7fa in gmallocn /home/bupt/Desktop/xpdf/goo/gmem.cc:168:10
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2302:9 in DCTStream::getChar()
Shadow bytes around the buggy address:
0x0feb0c117eb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0feb0c117ec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0feb0c117ed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0feb0c117ee0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0feb0c117ef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0feb0c117f00:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0feb0c117f10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0feb0c117f20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0feb0c117f30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0feb0c117f40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0feb0c117f50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==115941==ABORTING
ytl #1.0
A command injection vulnerability was discovered in the Xpdf-4.04 PDF viewer software. The vulnerability exists within the PSOutputDev::PSOutputDev() function located in the xpdf-4.04/xpdf/PSOutputDev.cc file.
The affected function is responsible for initializing the PostScript output device with user-defined parameters, including a file name and custom code callback function. An attacker can exploit this vulnerability by injecting arbitrary commands into the fileName parameter with prefix |, which can be executed in the following popen function.
This vulnerability presents an impact for other projects utilizing Xpdf-4.04 as their PDF parser and using user-supplied inputs as <PS-file>. When executing Xpdf, an attacker can inject arbitrary commands into the filename parameter, leading to command execution with the privileges of the user running the application. As a result, sensitive data could be compromised, files could be modified, or further attacks on the system could be launched.
There is a command injection vulnerability present in the code when the | operator is combined with a subsequent command. This occurs within a conditional branch of the following C++ code:
```cpp
if (argc == 3) {
  psFileName = new GString(argv[2]);
```
Subsequently, within the constructor for PSOutputDev, if the first character of fileName is |, the program enters the popen function, resulting in a command injection vulnerability:
```cpp
} else if (fileName[0] == '|') {
  fileTypeA = psPipe;
  ······
  if (!(f = popen(fileName + 1, "w"))) {
    error(errIO, -1, "Couldn't run print command '{0:s}'", fileName);
    ok = gFalse;
    return;
  }
```
./build/xpdf/pdftops ./in/helloworld.pdf '|`cat /etc/passwd > ./txt`'
The command injection vulnerability discovered in Xpdf-4.04 could allow an attacker to execute arbitrary code with the privileges of the user running the application.
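The report above quotes the branch in PSOutputDev::PSOutputDev() that treats a leading `|` in the output name as a print command for popen(). The block below is an added example, not xpdf's own code: it models that classification as a pure function (the `"-"` for stdout case is an assumption about the branch elided before the quoted `else if`; the `|` case is the one the report shows) and pairs it with a pre-check, `isSafeOutputFileName`, that a program embedding xpdf can apply to a user-supplied `<PS-file>` argument before constructing the output device. Both function names are hypothetical, and nothing here calls popen().

```cpp
// Added example (not xpdf code): a minimal model of how the PSOutputDev
// constructor classifies its output name, beside a hardened pre-check that a
// program embedding xpdf can run on a user-supplied <PS-file> before passing
// it on. Function names are hypothetical.
#include <cstring>
#include <iostream>
#include <string>

// Mirrors the output kinds the constructor distinguishes. psStdout for "-"
// is an assumption about the elided branch; psPipe for a leading '|' is the
// branch quoted in the report (popen(fileName + 1, "w")).
enum PSFileType { psFile, psStdout, psPipe };

// Pure classification: what the constructor would decide for this name.
// The decision is modelled here; no process is started.
PSFileType classifyOutputName(const char *fileName) {
  if (std::strcmp(fileName, "-") == 0) return psStdout; // assumed branch
  if (fileName[0] == '|') return psPipe;                 // quoted branch
  return psFile;                                         // ordinary fopen() path
}

// Hardened check for callers that obtain the output name from an untrusted
// source. Only a plain file name passes: no pipe prefix, no stdout alias,
// no embedded NUL (which would truncate the C string the constructor sees),
// and no ".." so the file stays inside the directory the caller intends.
bool isSafeOutputFileName(const std::string &name) {
  if (name.empty()) return false;
  if (name[0] == '|' || name == "-") return false;        // would select popen / stdout
  if (name.find('\0') != std::string::npos) return false;  // C-string truncation
  if (name.find("..") != std::string::npos) return false;  // directory traversal
  return classifyOutputName(name.c_str()) == psFile;
}

// Stand-alone demonstration over constructed sample names.
int main() {
  const char *samples[] = {"out.ps", "reports/out.ps", "-", "|some-command", "../out.ps"};
  for (const char *s : samples) {
    std::cout << '"' << s << "\" -> type " << classifyOutputName(s)
              << ", accepted: " << (isSafeOutputFileName(s) ? "yes" : "no") << '\n';
  }
  return 0;
}
```

A call-site check like this is the mitigation available to downstream users of the library; inside xpdf itself the more robust fix is to make pipe and stdout output an explicit caller option rather than inferring them from a magic prefix on a string that may have come from outside the program.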
Hi, in the latest version of this code [ ps: commit id ffaf11c] I found something unusual.
./pdftops -q [crash sample] /dev/null
AddressSanitizer:DEADLYSIGNAL
=================================================================
==115957==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x000000689bd4 bp 0x0000957f8ba1 sp 0x7ffd52912760 T0)
==115957==The signal is caused by a READ memory access.
==115957==Hint: this fault was caused by a dereference of a high value address (see register values below). Disassemble the provided pc to learn which register was used.
#0 0x689bd4 in Lexer::getObj(Object*) /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:132:16
#1 0x6a8fc5 in Parser::Parser(XRef*, Lexer*, int) /home/bupt/Desktop/xpdf/xpdf/Parser.cc:33:10
#2 0x581742 in Gfx::display(Object*, int) /home/bupt/Desktop/xpdf/xpdf/Gfx.cc:641:16
#3 0x6a76a1 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:360:10
#4 0x6d5f6e in PSOutputDev::checkPageSlice(Page*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PSOutputDev.cc:3276:11
#5 0x6a7172 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:328:13
#6 0x6a6f81 in Page::display(OutputDev*, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:308:3
#7 0x6af9b4 in PDFDoc::displayPage(OutputDev*, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:384:27
#8 0x6af9b4 in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:397:5
#9 0x796d81 in main /home/bupt/Desktop/xpdf/xpdf/pdftops.cc:342:10
#10 0x7f84f066ac86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
#11 0x41d5d9 in _start (/home/bupt/Desktop/xpdf/xpdf/pdftops+0x41d5d9)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:132:16 in Lexer::getObj(Object*)
==115957==ABORTING
Hi, in the latest version of this code [ ps: commit id ffaf11c] I found something unusual.
./pdftops -q [crash sample] /dev/null
AddressSanitizer:DEADLYSIGNAL
=================================================================
==115861==ERROR: AddressSanitizer: FPE on unknown address 0x0000007476d3 (pc 0x0000007476d3 bp 0x7fff22d95b40 sp 0x7fff22d952c0 T0)
#0 0x7476d3 in DCTStream::decodeImage() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2813:19
#1 0x7402bb in DCTStream::reset() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2261:5
#2 0x68912e in Object::streamReset() /home/bupt/Desktop/xpdf/xpdf/./Object.h:282:13
#3 0x68912e in Lexer::Lexer(XRef*, Object*) /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:74:12
#4 0x581714 in Gfx::display(Object*, int) /home/bupt/Desktop/xpdf/xpdf/Gfx.cc:641:33
#5 0x6a76a1 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:360:10
#6 0x6d5f6e in PSOutputDev::checkPageSlice(Page*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PSOutputDev.cc:3276:11
#7 0x6a7172 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:328:13
#8 0x6a6f81 in Page::display(OutputDev*, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:308:3
#9 0x6af9b4 in PDFDoc::displayPage(OutputDev*, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:384:27
#10 0x6af9b4 in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:397:5
#11 0x796d81 in main /home/bupt/Desktop/xpdf/xpdf/pdftops.cc:342:10
#12 0x7ffb8625dc86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
#13 0x41d5d9 in _start (/home/bupt/Desktop/xpdf/xpdf/pdftops+0x41d5d9)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2813:19 in DCTStream::decodeImage()
==115861==ABORTING
Hi, in the latest version of this code [ ps: commit id ffaf11c] I found something unusual.
8id65_global_buffer_overflow_in_getObj.zip
./pdftops -q [crash sample] /dev/null
==115893==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000093aadc at pc 0x000000689c9a bp 0x7ffe79eed770 sp 0x7ffe79eed768
READ of size 1 at 0x00000093aadc thread T0
#0 0x689c99 in Lexer::getObj(Object*) /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:132:16
#1 0x6a8fc5 in Parser::Parser(XRef*, Lexer*, int) /home/bupt/Desktop/xpdf/xpdf/Parser.cc:33:10
#2 0x581742 in Gfx::display(Object*, int) /home/bupt/Desktop/xpdf/xpdf/Gfx.cc:641:16
#3 0x6a76a1 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:360:10
#4 0x6d5f6e in PSOutputDev::checkPageSlice(Page*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PSOutputDev.cc:3276:11
#5 0x6a7172 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:328:13
#6 0x6a6f81 in Page::display(OutputDev*, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:308:3
#7 0x6af9b4 in PDFDoc::displayPage(OutputDev*, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:384:27
#8 0x6af9b4 in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:397:5
#9 0x796d81 in main /home/bupt/Desktop/xpdf/xpdf/pdftops.cc:342:10
#10 0x7f2de419dc86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
#11 0x41d5d9 in _start (/home/bupt/Desktop/xpdf/xpdf/pdftops+0x41d5d9)
0x00000093aadc is located 4 bytes to the left of global variable 'specialChars' defined in 'Lexer.cc:26:13' (0x93aae0) of size 256
0x00000093aadc is located 55 bytes to the right of global variable '<string literal>' defined in 'Lexer.cc:471:52' (0x93aaa0) of size 5
'<string literal>' is ascii string 'null'
SUMMARY: AddressSanitizer: global-buffer-overflow /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:132:16 in Lexer::getObj(Object*)
Shadow bytes around the buggy address:
0x00008011f500: f9 f9 f9 f9 00 00 04 f9 f9 f9 f9 f9 00 00 00 00
0x00008011f510: 02 f9 f9 f9 f9 f9 f9 f9 00 00 00 f9 f9 f9 f9 f9
0x00008011f520: 00 00 00 00 00 02 f9 f9 f9 f9 f9 f9 00 00 06 f9
0x00008011f530: f9 f9 f9 f9 00 00 00 02 f9 f9 f9 f9 00 00 07 f9
0x00008011f540: f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9 06 f9 f9 f9
=>0x00008011f550: f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9[f9]00 00 00 00
0x00008011f560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00008011f570: 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9
0x00008011f580: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
0x00008011f590: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00008011f5a0: 00 00 00 00 00 00 06 f9 f9 f9 f9 f9 02 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==115893==ABORTING
Hi, in the latest version of this code [ ps: commit id ffaf11c] I found something unusual.
./pdftops -q [crash sample] /dev/null
AddressSanitizer:DEADLYSIGNAL
=================================================================
==115829==ERROR: AddressSanitizer: stack-overflow on address 0x7ffc9aa21f18 (pc 0x0000004ae77a bp 0x7ffc9aa22780 sp 0x7ffc9aa21f20 T0)
#0 0x4ae77a in __asan_memcpy /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22
#1 0x6a0d5b in Object::copy(Object*) /home/bupt/Desktop/xpdf/xpdf/Object.cc:75:8
#2 0x7804e8 in XRef::fetch(int, int, Object*, int) /home/bupt/Desktop/xpdf/xpdf/XRef.cc:991:25
#3 0x51e08c in Object::arrayGet(int, Object*) /home/bupt/Desktop/xpdf/xpdf/./Object.h:231:19
#4 0x51e08c in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:441:12
#5 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#6 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#7 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#8 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#9 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#10 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#11 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#12 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#13 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#14 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#15 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#16 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#17 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#18 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#19 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#20 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#21 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#22 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#23 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#24 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#25 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#26 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#27 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#28 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#29 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#30 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#31 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#32 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#33 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#34 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#35 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#36 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#37 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#38 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#39 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#40 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#41 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#42 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#43 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#44 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#45 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#46 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#47 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#48 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#49 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#50 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#51 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#52 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#53 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#54 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#55 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#56 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#57 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#58 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#59 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#60 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#61 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#62 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#63 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#64 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#65 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#66 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#67 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#68 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#69 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#70 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#71 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#72 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#73 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#74 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#75 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#76 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#77 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#78 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#79 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#80 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#81 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#82 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#83 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#84 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#85 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#86 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#87 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#88 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#89 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#90 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#91 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#92 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#93 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#94 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#95 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#96 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#97 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#98 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#99 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#100 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#101 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#102 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#103 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#104 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#105 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#106 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#107 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#108 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#109 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#110 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#111 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#112 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#113 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#114 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#115 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#116 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#117 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#118 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#119 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#120 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#121 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#122 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#123 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#124 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#125 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#126 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#127 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#128 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#129 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#130 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#131 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#132 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#133 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#134 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#135 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#136 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#137 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#138 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#139 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#140 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#141 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#142 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#143 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#144 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#145 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#146 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#147 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#148 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#149 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#150 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#151 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#152 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#153 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#154 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#155 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#156 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#157 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#158 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#159 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#160 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#161 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#162 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#163 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#164 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#165 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#166 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#167 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#168 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#169 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#170 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#171 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#172 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#173 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#174 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#175 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#176 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#177 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#178 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#179 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#180 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#181 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#182 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#183 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#184 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#185 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#186 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#187 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#188 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#189 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#190 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#191 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#192 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#193 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#194 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#195 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#196 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#197 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#198 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#199 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#200 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#201 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#202 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#203 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#204 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#205 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#206 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#207 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#208 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#209 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#210 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#211 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#212 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#213 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#214 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#215 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#216 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#217 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#218 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#219 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#220 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#221 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#222 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#223 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#224 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#225 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#226 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#227 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#228 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#229 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#230 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#231 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#232 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#233 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#234 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#235 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#236 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#237 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#238 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#239 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#240 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#241 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#242 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#243 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#244 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#245 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#246 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#247 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#248 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#249 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
#250 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
SUMMARY: AddressSanitizer: stack-overflow /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22 in __asan_memcpy
==115829==ABORTING
Hi, in the latest version of this code [ ps: commit id ffaf11c] I found something unusual.
8id0_heap-buffer-overflow_in_readHuffSym.zip
./pdftops -q [crash sample] /dev/null
=================================================================
==108391==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x620000001782 at pc 0x000000759029 bp 0x7ffd51edc550 sp 0x7ffd51edc548
READ of size 2 at 0x620000001782 thread T0
#0 0x759028 in DCTStream::readHuffSym(DCTHuffTable*) /home/bupt/Desktop/xpdf/xpdf/Stream.cc:3119:16
#1 0x7548ba in DCTStream::readDataUnit(DCTHuffTable*, DCTHuffTable*, int*, int*) /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2624:17
#2 0x751b27 in DCTStream::readMCURow() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2392:9
#3 0x750d6e in DCTStream::getChar() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2316:12
#4 0x6899e3 in Object::streamGetChar() /home/bupt/Desktop/xpdf/xpdf/./Object.h:288:20
#5 0x6899e3 in Lexer::getChar() /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:92:42
#6 0x6899e3 in Lexer::getObj(Object*) /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:124:14
#7 0x6a8fc5 in Parser::Parser(XRef*, Lexer*, int) /home/bupt/Desktop/xpdf/xpdf/Parser.cc:33:10
#8 0x581742 in Gfx::display(Object*, int) /home/bupt/Desktop/xpdf/xpdf/Gfx.cc:641:16
#9 0x6a76a1 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:360:10
#10 0x6d5f6e in PSOutputDev::checkPageSlice(Page*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PSOutputDev.cc:3276:11
#11 0x6a7172 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:328:13
#12 0x6a6f81 in Page::display(OutputDev*, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:308:3
#13 0x6af9b4 in PDFDoc::displayPage(OutputDev*, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:384:27
#14 0x6af9b4 in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:397:5
#15 0x796d81 in main /home/bupt/Desktop/xpdf/xpdf/pdftops.cc:342:10
#16 0x7f3b180d3c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
#17 0x41d5d9 in _start (/home/bupt/Desktop/xpdf/xpdf/pdftops+0x41d5d9)
0x620000001782 is located 2314 bytes to the right of 3576-byte region [0x620000000080,0x620000000e78)
allocated by thread T0 here:
#0 0x4f5768 in operator new(unsigned long) /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_new_delete.cpp:99
#1 0x7259bc in Stream::makeFilter(char*, Stream*, Object*, int) /home/bupt/Desktop/xpdf/xpdf/Stream.cc:269:11
#2 0x72459a in Stream::addFilters(Object*, int) /home/bupt/Desktop/xpdf/xpdf/Stream.cc:141:11
#3 0x6ad41e in Parser::makeStream(Object*, unsigned char*, CryptAlgorithm, int, int, int, int) /home/bupt/Desktop/xpdf/xpdf/Parser.cc:214:14
#4 0x6ab6f6 in Parser::getObj(Object*, int, unsigned char*, CryptAlgorithm, int, int, int, int) /home/bupt/Desktop/xpdf/xpdf/Parser.cc:101:18
#5 0x781a3a in XRef::fetch(int, int, Object*, int) /home/bupt/Desktop/xpdf/xpdf/XRef.cc:1028:13
#6 0x6a7611 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:357:12
#7 0x6d5f6e in PSOutputDev::checkPageSlice(Page*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PSOutputDev.cc:3276:11
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/bupt/Desktop/xpdf/xpdf/Stream.cc:3119:16 in DCTStream::readHuffSym(DCTHuffTable*)
Shadow bytes around the buggy address:
0x0c407fff82a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c407fff82b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c407fff82c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c407fff82d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c407fff82e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c407fff82f0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c407fff8300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c407fff8310: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c407fff8320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c407fff8330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c407fff8340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==108391==ABORTING
Hi, in the latest version of this code [ ps: commit id ffaf11c] I found something unusual.
8id148_heap_buffer_overflow_in_lookChar.zip
./pdftops -q [crash sample] /dev/null
=================================================================
==115813==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x631000038800 at pc 0x000000754566 bp 0x7ffe27e56210 sp 0x7ffe27e56208
READ of size 4 at 0x631000038800 thread T0
#0 0x754565 in DCTStream::lookChar() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2331:12
#1 0x68a82a in Object::streamLookChar() /home/bupt/Desktop/xpdf/xpdf/./Object.h:291:20
#2 0x68a82a in Lexer::lookChar() /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:108:17
#3 0x68a82a in Lexer::getObj(Object*) /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:458:17
#4 0x6ab867 in Parser::getObj(Object*, int, unsigned char*, CryptAlgorithm, int, int, int, int) /home/bupt/Desktop/xpdf/xpdf/Parser.cc
#5 0x6aa214 in Parser::getObj(Object*, int, unsigned char*, CryptAlgorithm, int, int, int, int) /home/bupt/Desktop/xpdf/xpdf/Parser.cc:69:21
#6 0x582f60 in Gfx::go(int) /home/bupt/Desktop/xpdf/xpdf/Gfx.cc:757:13
#7 0x581775 in Gfx::display(Object*, int) /home/bupt/Desktop/xpdf/xpdf/Gfx.cc:642:3
#8 0x6a76a1 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:360:10
#9 0x6d5f6e in PSOutputDev::checkPageSlice(Page*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PSOutputDev.cc:3276:11
#10 0x6a7172 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:328:13
#11 0x6a6f81 in Page::display(OutputDev*, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:308:3
#12 0x6af9b4 in PDFDoc::displayPage(OutputDev*, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:384:27
#13 0x6af9b4 in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:397:5
#14 0x796d81 in main /home/bupt/Desktop/xpdf/xpdf/pdftops.cc:342:10
#15 0x7f3e6975dc86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
#16 0x41d5d9 in _start (/home/bupt/Desktop/xpdf/xpdf/pdftops+0x41d5d9)
0x631000038800 is located 0 bytes to the right of 65536-byte region [0x631000028800,0x631000038800)
allocated by thread T0 here:
#0 0x4afba0 in malloc /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
#1 0x7aa7fa in gmalloc /home/bupt/Desktop/xpdf/goo/gmem.cc:102:13
#2 0x7aa7fa in gmallocn /home/bupt/Desktop/xpdf/goo/gmem.cc:168:10
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2331:12 in DCTStream::lookChar()
Shadow bytes around the buggy address:
0x0c627ffff0b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c627ffff0c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c627ffff0d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c627ffff0e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c627ffff0f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c627ffff100:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c627ffff110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c627ffff120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c627ffff130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c627ffff140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c627ffff150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==115813==ABORTING
Hi, in the latest version of this code [ ps: commit id ffaf11c] I found something unusual.
8id103_heap_buffer_overflow_in_readScan.zip
./pdftops -q [crash sample] /dev/null
=================================================================
==115797==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fcb48dd5800 at pc 0x00000074635f bp 0x7ffcc31156f0 sp 0x7ffcc31156e8
READ of size 4 at 0x7fcb48dd5800 thread T0
#0 0x74635e in DCTStream::readScan() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2549:18
#1 0x7401e0 in DCTStream::reset() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2257:7
#2 0x68912e in Object::streamReset() /home/bupt/Desktop/xpdf/xpdf/./Object.h:282:13
#3 0x68912e in Lexer::Lexer(XRef*, Object*) /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:74:12
#4 0x581714 in Gfx::display(Object*, int) /home/bupt/Desktop/xpdf/xpdf/Gfx.cc:641:33
#5 0x6a76a1 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:360:10
#6 0x6d5f6e in PSOutputDev::checkPageSlice(Page*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PSOutputDev.cc:3276:11
#7 0x6a7172 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:328:13
#8 0x6a6f81 in Page::display(OutputDev*, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:308:3
#9 0x6af9b4 in PDFDoc::displayPage(OutputDev*, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:384:27
#10 0x6af9b4 in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:397:5
#11 0x796d81 in main /home/bupt/Desktop/xpdf/xpdf/pdftops.cc:342:10
#12 0x7fcb4b949c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
#13 0x41d5d9 in _start (/home/bupt/Desktop/xpdf/xpdf/pdftops+0x41d5d9)
0x7fcb48dd5800 is located 0 bytes to the right of 131072-byte region [0x7fcb48db5800,0x7fcb48dd5800)
allocated by thread T0 here:
#0 0x4afba0 in malloc /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
#1 0x7aa7fa in gmalloc /home/bupt/Desktop/xpdf/goo/gmem.cc:102:13
#2 0x7aa7fa in gmallocn /home/bupt/Desktop/xpdf/goo/gmem.cc:168:10
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2549:18 in DCTStream::readScan()
Shadow bytes around the buggy address:
0x0ff9e91b2ab0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff9e91b2ac0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff9e91b2ad0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff9e91b2ae0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff9e91b2af0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ff9e91b2b00:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff9e91b2b10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff9e91b2b20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff9e91b2b30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff9e91b2b40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff9e91b2b50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==115797==ABORTING
ubuntu20.04
gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.1)
XPDF commit ffaf11c
CFLAGS="-g -fsanitize=address" CXXFLAGS="-g -fsanitize=address" LDFLAGS="-g -fsanitize=address" ./configure
make
./pdftotext poc
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3166724==ERROR: AddressSanitizer: SEGV on unknown address 0x61a8d2d2d54c (pc 0x55b73eee93da bp 0x7ffde628f900 sp 0x7ffde628f8e0 T0)
==3166724==The signal is caused by a READ memory access.
#0 0x55b73eee93d9 in DCTStream::readHuffSym(DCTHuffTable*) /mnt/hgfs/ubuntu/cve/xpdf/xpdf-master/xpdf/Stream.cc:3119
#1 0x55b73eee35e8 in DCTStream::readDataUnit(DCTHuffTable*, DCTHuffTable*, int*, int*) /mnt/hgfs/ubuntu/cve/xpdf/xpdf-master/xpdf/Stream.cc:2607
#2 0x55b73eedf36c in DCTStream::readMCURow() /mnt/hgfs/ubuntu/cve/xpdf/xpdf-master/xpdf/Stream.cc:2392
#3 0x55b73eede3a2 in DCTStream::getChar() /mnt/hgfs/ubuntu/cve/xpdf/xpdf-master/xpdf/Stream.cc:2316
#4 0x55b73eeb6869 in Object::streamGetChar() /mnt/hgfs/ubuntu/cve/xpdf/xpdf-master/xpdf/Object.h:288
#5 0x55b73eeaacf5 in Lexer::getChar() /mnt/hgfs/ubuntu/cve/xpdf/xpdf-master/xpdf/Lexer.cc:92
#6 0x55b73eeaaebf in Lexer::getObj(Object*) /mnt/hgfs/ubuntu/cve/xpdf/xpdf-master/xpdf/Lexer.cc:124
#7 0x55b73eec21e9 in Parser::Parser(XRef*, Lexer*, int) /mnt/hgfs/ubuntu/cve/xpdf/xpdf-master/xpdf/Parser.cc:33
#8 0x55b73edce0d1 in Gfx::display(Object*, int) /mnt/hgfs/ubuntu/cve/xpdf/xpdf-master/xpdf/Gfx.cc:641
#9 0x55b73eebfe4a in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /mnt/hgfs/ubuntu/cve/xpdf/xpdf-master/xpdf/Page.cc:360
#10 0x55b73eebf6ce in Page::display(OutputDev*, double, double, int, int, int, int, int (*)(void*), void*) /mnt/hgfs/ubuntu/cve/xpdf/xpdf-master/xpdf/Page.cc:308
#11 0x55b73eec5806 in PDFDoc::displayPage(OutputDev*, int, double, double, int, int, int, int, int (*)(void*), void*) /mnt/hgfs/ubuntu/cve/xpdf/xpdf-master/xpdf/PDFDoc.cc:384
#12 0x55b73eec588e in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /mnt/hgfs/ubuntu/cve/xpdf/xpdf-master/xpdf/PDFDoc.cc:397
#13 0x55b73ef38671 in main /mnt/hgfs/ubuntu/cve/xpdf/xpdf-master/xpdf/pdftotext.cc:241
#14 0x7fb136de7082 in __libc_start_main ../csu/libc-start.c:308
#15 0x55b73ed87ecd in _start (/mnt/hgfs/ubuntu/cve/xpdf/xpdf-master/xpdf/pdftotext+0xe4ecd)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /mnt/hgfs/ubuntu/cve/xpdf/xpdf-master/xpdf/Stream.cc:3119 in DCTStream::readHuffSym(DCTHuffTable*)
==3166724==ABORTING
Hi, in the latest version of this code [ ps: commit id ffaf11c] I found something unusual.
8id64_heap_buffer_overflow_in_transformDataUnit.zip
./pdftops -q [crash sample] /dev/null
=================================================================
==115877==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6200000080e0 at pc 0x000000756136 bp 0x7fff10b0da30 sp 0x7fff10b0da28
READ of size 2 at 0x6200000080e0 thread T0
#0 0x756135 in DCTStream::transformDataUnit(unsigned short*, int*, unsigned char*) /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2968:17
#1 0x748741 in DCTStream::decodeImage() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2835:6
#2 0x7402bb in DCTStream::reset() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2261:5
#3 0x68912e in Object::streamReset() /home/bupt/Desktop/xpdf/xpdf/./Object.h:282:13
#4 0x68912e in Lexer::Lexer(XRef*, Object*) /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:74:12
#5 0x581714 in Gfx::display(Object*, int) /home/bupt/Desktop/xpdf/xpdf/Gfx.cc:641:33
#6 0x6a76a1 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:360:10
#7 0x6d5f6e in PSOutputDev::checkPageSlice(Page*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PSOutputDev.cc:3276:11
#8 0x6a7172 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:328:13
#9 0x6a6f81 in Page::display(OutputDev*, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:308:3
#10 0x6af9b4 in PDFDoc::displayPage(OutputDev*, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:384:27
#11 0x6af9b4 in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:397:5
#12 0x796d81 in main /home/bupt/Desktop/xpdf/xpdf/pdftops.cc:342:10
#13 0x7f57efb1ec86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
#14 0x41d5d9 in _start (/home/bupt/Desktop/xpdf/xpdf/pdftops+0x41d5d9)
Address 0x6200000080e0 is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2968:17 in DCTStream::transformDataUnit(unsigned short*, int*, unsigned char*)
Shadow bytes around the buggy address:
0x0c407fff8fc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c407fff8fd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c407fff8fe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c407fff8ff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c407fff9000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c407fff9010: fa fa fa fa fa fa fa fa fa fa fa fa[fa]fa fa fa
0x0c407fff9020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c407fff9030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c407fff9040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c407fff9050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c407fff9060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==115877==ABORTING