Giter Club home page Giter Club logo

xpdf's People

Contributors

jhcloos avatar

Stargazers

 avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar

Watchers

 avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar

xpdf's Issues

FPE_in_decodeImage

Hi, in the lastest version of this code [ ps: commit id ffaf11c] I found something unusual.

crash sample

8id63_FPE_in_decodeImage.zip

command to reproduce

./pdftops -q [crash sample] /dev/null

crash detail

AddressSanitizer:DEADLYSIGNAL
=================================================================
==115861==ERROR: AddressSanitizer: FPE on unknown address 0x0000007476d3 (pc 0x0000007476d3 bp 0x7fff22d95b40 sp 0x7fff22d952c0 T0)
    #0 0x7476d3 in DCTStream::decodeImage() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2813:19
    #1 0x7402bb in DCTStream::reset() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2261:5
    #2 0x68912e in Object::streamReset() /home/bupt/Desktop/xpdf/xpdf/./Object.h:282:13
    #3 0x68912e in Lexer::Lexer(XRef*, Object*) /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:74:12
    #4 0x581714 in Gfx::display(Object*, int) /home/bupt/Desktop/xpdf/xpdf/Gfx.cc:641:33
    #5 0x6a76a1 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:360:10
    #6 0x6d5f6e in PSOutputDev::checkPageSlice(Page*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PSOutputDev.cc:3276:11
    #7 0x6a7172 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:328:13
    #8 0x6a6f81 in Page::display(OutputDev*, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:308:3
    #9 0x6af9b4 in PDFDoc::displayPage(OutputDev*, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:384:27
    #10 0x6af9b4 in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:397:5
    #11 0x796d81 in main /home/bupt/Desktop/xpdf/xpdf/pdftops.cc:342:10
    #12 0x7ffb8625dc86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    #13 0x41d5d9 in _start (/home/bupt/Desktop/xpdf/xpdf/pdftops+0x41d5d9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2813:19 in DCTStream::decodeImage()
==115861==ABORTING

Command Injection in Xpdf-4.04

Overview

A command injection vulnerability was discovered in the Xpdf-4.04 PDF viewer software. The vulnerability exists within the PSOutputDev::PSOutputDev() function located in the xpdf-4.04/xpdf/PSOutputDev.cc file.

The affected function is responsible for initializing the PostScript output device with user-defined parameters, including a file name and custom code callback function. An attacker can exploit this vulnerability by injecting arbitrary commands into the fileName parameter with prefix |, which can be executed in following popen function.

Impact

This vulnerability presents a impact for other projects utilizing Xpdf-4.04 as their PDF parser and using user-supplied inputs as <PS-file>. When executing Xpdf, an attacker can inject arbitrary commands into the filename parameter, leading to command execution with the privileges of the user running the application. As a result, sensitive data could be compromised, files could be modified, or further attacks on the system could be launched.

Exploit Details

There is a command injection vulnerability present in the code when the | operator is combined with a subsequent command. This occurs within a conditional branch of the following C++ code:

cppCopy Code  if (argc == 3) {
    psFileName = new GString(argv[2]);

Subsequently, within the constructor for PSOutputDev, if the first character of fileName is |, the program enters the popen function, resulting in a command injection vulnerability:

cppCopy Code  } else if (fileName[0] == '|') {
    fileTypeA = psPipe;
······
    if (!(f = popen(fileName + 1, "w"))) {
      error(errIO, -1, "Couldn't run print command '{0:s}'", fileName);
      ok = gFalse;
      return;
    }

Poc

./build/xpdf/pdftops ./in/helloworld.pdf '|`cat /etc/passwd > ./txt`'

Conclusion

The command injection vulnerability discovered in Xpdf-4.04 could allow an attacker to execute arbitrary code with the privileges of the user running the application.

global_buffer_overflow_in_getObj

Hi, in the lastest version of this code [ ps: commit id ffaf11c] I found something unusual.

crash sample

8id65_global_buffer_overflow_in_getObj.zip

command to reproduce

./pdftops -q [crash sample] /dev/null

crash detail

==115893==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000093aadc at pc 0x000000689c9a bp 0x7ffe79eed770 sp 0x7ffe79eed768
READ of size 1 at 0x00000093aadc thread T0
    #0 0x689c99 in Lexer::getObj(Object*) /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:132:16
    #1 0x6a8fc5 in Parser::Parser(XRef*, Lexer*, int) /home/bupt/Desktop/xpdf/xpdf/Parser.cc:33:10
    #2 0x581742 in Gfx::display(Object*, int) /home/bupt/Desktop/xpdf/xpdf/Gfx.cc:641:16
    #3 0x6a76a1 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:360:10
    #4 0x6d5f6e in PSOutputDev::checkPageSlice(Page*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PSOutputDev.cc:3276:11
    #5 0x6a7172 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:328:13
    #6 0x6a6f81 in Page::display(OutputDev*, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:308:3
    #7 0x6af9b4 in PDFDoc::displayPage(OutputDev*, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:384:27
    #8 0x6af9b4 in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:397:5
    #9 0x796d81 in main /home/bupt/Desktop/xpdf/xpdf/pdftops.cc:342:10
    #10 0x7f2de419dc86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    #11 0x41d5d9 in _start (/home/bupt/Desktop/xpdf/xpdf/pdftops+0x41d5d9)

0x00000093aadc is located 4 bytes to the left of global variable 'specialChars' defined in 'Lexer.cc:26:13' (0x93aae0) of size 256
0x00000093aadc is located 55 bytes to the right of global variable '<string literal>' defined in 'Lexer.cc:471:52' (0x93aaa0) of size 5
  '<string literal>' is ascii string 'null'
SUMMARY: AddressSanitizer: global-buffer-overflow /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:132:16 in Lexer::getObj(Object*)
Shadow bytes around the buggy address:
  0x00008011f500: f9 f9 f9 f9 00 00 04 f9 f9 f9 f9 f9 00 00 00 00
  0x00008011f510: 02 f9 f9 f9 f9 f9 f9 f9 00 00 00 f9 f9 f9 f9 f9
  0x00008011f520: 00 00 00 00 00 02 f9 f9 f9 f9 f9 f9 00 00 06 f9
  0x00008011f530: f9 f9 f9 f9 00 00 00 02 f9 f9 f9 f9 00 00 07 f9
  0x00008011f540: f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9 06 f9 f9 f9
=>0x00008011f550: f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9[f9]00 00 00 00
  0x00008011f560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00008011f570: 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9
  0x00008011f580: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
  0x00008011f590: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00008011f5a0: 00 00 00 00 00 00 06 f9 f9 f9 f9 f9 02 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==115893==ABORTING

stack overflow

Hi, in the lastest version of this code [ ps: commit id ffaf11c] I found something unusual.

crash sample

8id2-stack-overflow.zip

command to reproduce

./pdftops -q [crash sample] /dev/null

crash detail

AddressSanitizer:DEADLYSIGNAL
=================================================================
==115829==ERROR: AddressSanitizer: stack-overflow on address 0x7ffc9aa21f18 (pc 0x0000004ae77a bp 0x7ffc9aa22780 sp 0x7ffc9aa21f20 T0)
    #0 0x4ae77a in __asan_memcpy /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22
    #1 0x6a0d5b in Object::copy(Object*) /home/bupt/Desktop/xpdf/xpdf/Object.cc:75:8
    #2 0x7804e8 in XRef::fetch(int, int, Object*, int) /home/bupt/Desktop/xpdf/xpdf/XRef.cc:991:25
    #3 0x51e08c in Object::arrayGet(int, Object*) /home/bupt/Desktop/xpdf/xpdf/./Object.h:231:19
    #4 0x51e08c in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:441:12
    #5 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #6 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #7 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #8 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #9 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #10 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #11 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #12 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #13 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #14 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #15 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #16 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #17 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #18 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #19 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #20 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #21 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #22 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #23 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #24 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #25 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #26 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #27 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #28 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #29 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #30 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #31 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #32 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #33 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #34 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #35 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #36 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #37 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #38 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #39 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #40 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #41 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #42 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #43 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #44 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #45 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #46 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #47 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #48 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #49 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #50 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #51 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #52 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #53 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #54 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #55 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #56 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #57 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #58 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #59 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #60 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #61 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #62 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #63 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #64 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #65 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #66 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #67 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #68 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #69 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #70 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #71 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #72 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #73 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #74 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #75 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #76 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #77 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #78 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #79 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #80 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #81 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #82 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #83 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #84 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #85 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #86 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #87 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #88 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #89 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #90 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #91 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #92 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #93 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #94 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #95 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #96 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #97 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #98 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #99 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #100 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #101 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #102 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #103 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #104 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #105 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #106 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #107 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #108 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #109 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #110 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #111 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #112 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #113 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #114 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #115 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #116 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #117 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #118 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #119 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #120 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #121 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #122 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #123 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #124 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #125 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #126 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #127 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #128 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #129 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #130 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #131 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #132 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #133 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #134 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #135 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #136 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #137 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #138 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #139 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #140 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #141 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #142 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #143 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #144 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #145 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #146 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #147 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #148 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #149 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #150 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #151 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #152 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #153 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #154 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #155 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #156 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #157 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #158 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #159 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #160 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #161 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #162 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #163 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #164 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #165 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #166 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #167 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #168 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #169 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #170 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #171 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #172 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #173 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #174 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #175 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #176 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #177 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #178 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #179 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #180 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #181 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #182 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #183 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #184 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #185 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #186 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #187 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #188 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #189 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #190 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #191 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #192 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #193 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #194 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #195 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #196 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #197 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #198 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #199 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #200 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #201 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #202 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #203 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #204 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #205 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #206 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #207 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #208 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #209 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #210 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #211 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #212 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #213 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #214 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #215 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #216 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #217 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #218 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #219 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #220 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #221 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #222 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #223 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #224 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #225 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #226 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #227 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #228 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #229 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #230 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #231 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #232 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #233 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #234 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #235 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #236 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #237 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #238 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #239 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #240 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #241 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #242 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #243 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #244 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #245 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #246 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #247 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #248 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #249 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #250 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12

SUMMARY: AddressSanitizer: stack-overflow /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22 in __asan_memcpy
==115829==ABORTING

heap_buffer_overflow_in_transformDataUnit

Hi, in the lastest version of this code [ ps: commit id ffaf11c] I found something unusual.

crash sample

8id64_heap_buffer_overflow_in_transformDataUnit.zip

command to reproduce

./pdftops -q [crash sample] /dev/null

crash detail

=================================================================
==115877==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6200000080e0 at pc 0x000000756136 bp 0x7fff10b0da30 sp 0x7fff10b0da28
READ of size 2 at 0x6200000080e0 thread T0
    #0 0x756135 in DCTStream::transformDataUnit(unsigned short*, int*, unsigned char*) /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2968:17
    #1 0x748741 in DCTStream::decodeImage() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2835:6
    #2 0x7402bb in DCTStream::reset() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2261:5
    #3 0x68912e in Object::streamReset() /home/bupt/Desktop/xpdf/xpdf/./Object.h:282:13
    #4 0x68912e in Lexer::Lexer(XRef*, Object*) /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:74:12
    #5 0x581714 in Gfx::display(Object*, int) /home/bupt/Desktop/xpdf/xpdf/Gfx.cc:641:33
    #6 0x6a76a1 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:360:10
    #7 0x6d5f6e in PSOutputDev::checkPageSlice(Page*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PSOutputDev.cc:3276:11
    #8 0x6a7172 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:328:13
    #9 0x6a6f81 in Page::display(OutputDev*, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:308:3
    #10 0x6af9b4 in PDFDoc::displayPage(OutputDev*, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:384:27
    #11 0x6af9b4 in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:397:5
    #12 0x796d81 in main /home/bupt/Desktop/xpdf/xpdf/pdftops.cc:342:10
    #13 0x7f57efb1ec86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    #14 0x41d5d9 in _start (/home/bupt/Desktop/xpdf/xpdf/pdftops+0x41d5d9)

Address 0x6200000080e0 is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2968:17 in DCTStream::transformDataUnit(unsigned short*, int*, unsigned char*)
Shadow bytes around the buggy address:
  0x0c407fff8fc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c407fff8fd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c407fff8fe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c407fff8ff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c407fff9000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c407fff9010: fa fa fa fa fa fa fa fa fa fa fa fa[fa]fa fa fa
  0x0c407fff9020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c407fff9030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c407fff9040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c407fff9050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c407fff9060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==115877==ABORTING

SEGV_in_getChar

Hi, in the lastest version of this code [ ps: commit id ffaf11c] I found something unusual.

crash sample

8id46_SEGV_in_getChar.zip

command to reproduce

./pdftops -q [crash sample] /dev/null

crash detail

AddressSanitizer:DEADLYSIGNAL
=================================================================
==115845==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000750afe bp 0x0c40000003cc sp 0x7ffd6a600d80 T0)
==115845==The signal is caused by a READ memory access.
==115845==Hint: address points to the zero page.
    #0 0x750afe in DCTStream::getChar() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2302:9
    #1 0x6899e3 in Object::streamGetChar() /home/bupt/Desktop/xpdf/xpdf/./Object.h:288:20
    #2 0x6899e3 in Lexer::getChar() /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:92:42
    #3 0x6899e3 in Lexer::getObj(Object*) /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:124:14
    #4 0x6a8fc5 in Parser::Parser(XRef*, Lexer*, int) /home/bupt/Desktop/xpdf/xpdf/Parser.cc:33:10
    #5 0x581742 in Gfx::display(Object*, int) /home/bupt/Desktop/xpdf/xpdf/Gfx.cc:641:16
    #6 0x6a76a1 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:360:10
    #7 0x6d5f6e in PSOutputDev::checkPageSlice(Page*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PSOutputDev.cc:3276:11
    #8 0x6a7172 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:328:13
    #9 0x6a6f81 in Page::display(OutputDev*, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:308:3
    #10 0x6af9b4 in PDFDoc::displayPage(OutputDev*, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:384:27
    #11 0x6af9b4 in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:397:5
    #12 0x796d81 in main /home/bupt/Desktop/xpdf/xpdf/pdftops.cc:342:10
    #13 0x7f558fd59c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    #14 0x41d5d9 in _start (/home/bupt/Desktop/xpdf/xpdf/pdftops+0x41d5d9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2302:9 in DCTStream::getChar()
==115845==ABORTING

heap_buffer_overflow_in_readScan

crash sample

8id103_heap_buffer_overflow_in_readScan.zip

command to reproduce

./pdftops -q [crash sample] /dev/null

crash detail

=================================================================
==115797==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fcb48dd5800 at pc 0x00000074635f bp 0x7ffcc31156f0 sp 0x7ffcc31156e8
READ of size 4 at 0x7fcb48dd5800 thread T0
    #0 0x74635e in DCTStream::readScan() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2549:18
    #1 0x7401e0 in DCTStream::reset() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2257:7
    #2 0x68912e in Object::streamReset() /home/bupt/Desktop/xpdf/xpdf/./Object.h:282:13
    #3 0x68912e in Lexer::Lexer(XRef*, Object*) /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:74:12
    #4 0x581714 in Gfx::display(Object*, int) /home/bupt/Desktop/xpdf/xpdf/Gfx.cc:641:33
    #5 0x6a76a1 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:360:10
    #6 0x6d5f6e in PSOutputDev::checkPageSlice(Page*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PSOutputDev.cc:3276:11
    #7 0x6a7172 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:328:13
    #8 0x6a6f81 in Page::display(OutputDev*, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:308:3
    #9 0x6af9b4 in PDFDoc::displayPage(OutputDev*, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:384:27
    #10 0x6af9b4 in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:397:5
    #11 0x796d81 in main /home/bupt/Desktop/xpdf/xpdf/pdftops.cc:342:10
    #12 0x7fcb4b949c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    #13 0x41d5d9 in _start (/home/bupt/Desktop/xpdf/xpdf/pdftops+0x41d5d9)

0x7fcb48dd5800 is located 0 bytes to the right of 131072-byte region [0x7fcb48db5800,0x7fcb48dd5800)
allocated by thread T0 here:
    #0 0x4afba0 in malloc /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
    #1 0x7aa7fa in gmalloc /home/bupt/Desktop/xpdf/goo/gmem.cc:102:13
    #2 0x7aa7fa in gmallocn /home/bupt/Desktop/xpdf/goo/gmem.cc:168:10

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2549:18 in DCTStream::readScan()
Shadow bytes around the buggy address:
  0x0ff9e91b2ab0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff9e91b2ac0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff9e91b2ad0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff9e91b2ae0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff9e91b2af0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ff9e91b2b00:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff9e91b2b10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff9e91b2b20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff9e91b2b30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff9e91b2b40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff9e91b2b50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==115797==ABORTING

SEGV in DCTStream::readHuffSym

SEGV

env

ubuntu20.04
gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.1)
XPDF commit ffaf11c

sample

id189.zip

reproduce

CFLAGS="-g -fsanitize=address" CXXFLAGS="-g -fsanitize=address" LDFLAGS="-g -fsanitize=address" ./configure
make
./pdftotext poc

crash

AddressSanitizer:DEADLYSIGNAL
=================================================================
==3166724==ERROR: AddressSanitizer: SEGV on unknown address 0x61a8d2d2d54c (pc 0x55b73eee93da bp 0x7ffde628f900 sp 0x7ffde628f8e0 T0)
==3166724==The signal is caused by a READ memory access.
    #0 0x55b73eee93d9 in DCTStream::readHuffSym(DCTHuffTable*) /mnt/hgfs/ubuntu/cve/xpdf/xpdf-master/xpdf/Stream.cc:3119
    #1 0x55b73eee35e8 in DCTStream::readDataUnit(DCTHuffTable*, DCTHuffTable*, int*, int*) /mnt/hgfs/ubuntu/cve/xpdf/xpdf-master/xpdf/Stream.cc:2607
    #2 0x55b73eedf36c in DCTStream::readMCURow() /mnt/hgfs/ubuntu/cve/xpdf/xpdf-master/xpdf/Stream.cc:2392
    #3 0x55b73eede3a2 in DCTStream::getChar() /mnt/hgfs/ubuntu/cve/xpdf/xpdf-master/xpdf/Stream.cc:2316
    #4 0x55b73eeb6869 in Object::streamGetChar() /mnt/hgfs/ubuntu/cve/xpdf/xpdf-master/xpdf/Object.h:288
    #5 0x55b73eeaacf5 in Lexer::getChar() /mnt/hgfs/ubuntu/cve/xpdf/xpdf-master/xpdf/Lexer.cc:92
    #6 0x55b73eeaaebf in Lexer::getObj(Object*) /mnt/hgfs/ubuntu/cve/xpdf/xpdf-master/xpdf/Lexer.cc:124
    #7 0x55b73eec21e9 in Parser::Parser(XRef*, Lexer*, int) /mnt/hgfs/ubuntu/cve/xpdf/xpdf-master/xpdf/Parser.cc:33
    #8 0x55b73edce0d1 in Gfx::display(Object*, int) /mnt/hgfs/ubuntu/cve/xpdf/xpdf-master/xpdf/Gfx.cc:641
    #9 0x55b73eebfe4a in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /mnt/hgfs/ubuntu/cve/xpdf/xpdf-master/xpdf/Page.cc:360
    #10 0x55b73eebf6ce in Page::display(OutputDev*, double, double, int, int, int, int, int (*)(void*), void*) /mnt/hgfs/ubuntu/cve/xpdf/xpdf-master/xpdf/Page.cc:308
    #11 0x55b73eec5806 in PDFDoc::displayPage(OutputDev*, int, double, double, int, int, int, int, int (*)(void*), void*) /mnt/hgfs/ubuntu/cve/xpdf/xpdf-master/xpdf/PDFDoc.cc:384
    #12 0x55b73eec588e in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /mnt/hgfs/ubuntu/cve/xpdf/xpdf-master/xpdf/PDFDoc.cc:397
    #13 0x55b73ef38671 in main /mnt/hgfs/ubuntu/cve/xpdf/xpdf-master/xpdf/pdftotext.cc:241
    #14 0x7fb136de7082 in __libc_start_main ../csu/libc-start.c:308
    #15 0x55b73ed87ecd in _start (/mnt/hgfs/ubuntu/cve/xpdf/xpdf-master/xpdf/pdftotext+0xe4ecd)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /mnt/hgfs/ubuntu/cve/xpdf/xpdf-master/xpdf/Stream.cc:3119 in DCTStream::readHuffSym(DCTHuffTable*)
==3166724==ABORTING

global-buffer-overflow on binary pdfimages

SUMMARY

Hi there, I use my fuzzer for fuzzing the binary pdfIamges, and this binary crashes with the following:

Syntax Error (2227): Unexpected end of file in flate stream
=================================================================
==2226711==ERROR: AddressSanitizer: global-buffer-overflow on address 0x55e91fe296ef at pc 0x55e91fa2428c bp 0x7ffdd3190680 sp 0x7ffdd3190670
READ of size 1 at 0x55e91fe296ef thread T0
    #0 0x55e91fa2428b in PSTokenizer::getToken(char*, int, int*) /xpdf-master/xpdf/PSTokenizer.cc:72
    #1 0x55e91f8fecec in CharCodeToUnicode::parseCMap1(int (*)(void*), void*, int) /xpdf-master/xpdf/CharCodeToUnicode.cc:264
    #2 0x55e91f8fe97a in CharCodeToUnicode::parseCMap(GString*, int) /xpdf-master/xpdf/CharCodeToUnicode.cc:241
    #3 0x55e91f95a1be in GfxFont::readToUnicodeCMap(Dict*, int, CharCodeToUnicode*) /xpdf-master/xpdf/GfxFont.cc:512
    #4 0x55e91f9635f8 in GfxCIDFont::GfxCIDFont(XRef*, char*, Ref, GString*, GfxFontType, Ref, Dict*) /xpdf-master/xpdf/GfxFont.cc:1618
    #5 0x55e91f95846f in GfxFont::makeFont(XRef*, char*, Ref, Dict*) /xpdf-master/xpdf/GfxFont.cc:194
    #6 0x55e91f9674cd in GfxFontDict::GfxFontDict(XRef*, Ref*, Dict*) /xpdf-master/xpdf/GfxFont.cc:2001
    #7 0x55e91f925d5c in GfxResources::GfxResources(XRef*, Dict*, GfxResources*) /xpdf-master/xpdf/Gfx.cc:291
    #8 0x55e91f926dcc in Gfx::Gfx(PDFDoc*, OutputDev*, int, Dict*, double, double, PDFRectangle*, PDFRectangle*, int, int (*)(void*), void*) /xpdf-master/xpdf/Gfx.cc:508
    #9 0x55e91fa1cc4f in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /xpdf-master/xpdf/Page.cc:356
    #10 0x55e91fa1c53c in Page::display(OutputDev*, double, double, int, int, int, int, int (*)(void*), void*) /xpdf-master/xpdf/Page.cc:308
    #11 0x55e91fa225fb in PDFDoc::displayPage(OutputDev*, int, double, double, int, int, int, int, int (*)(void*), void*) /xpdf-master/xpdf/PDFDoc.cc:384
    #12 0x55e91fa22684 in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /xpdf-master/xpdf/PDFDoc.cc:397
    #13 0x55e91fa70d19 in main /xpdf-master/xpdf/pdfimages.cc:138
    #14 0x7f48c0353c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    #15 0x55e91f8e1739 in _start (/xpdf-master/xpdf/pdfimages+0xe1739)

0x55e91fe296ef is located 15 bytes to the right of global variable 'pdfDocEncoding' defined in 'PDFDocEncoding.cc:11:9' (0x55e91fe292e0) of size 1024
SUMMARY: AddressSanitizer: global-buffer-overflow /xpdf-master/xpdf/PSTokenizer.cc:72 in PSTokenizer::getToken(char*, int, int*)
Shadow bytes around the buggy address:
  0x0abda3fbd280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0abda3fbd290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0abda3fbd2a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0abda3fbd2b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0abda3fbd2c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0abda3fbd2d0: 00 00 00 00 00 00 00 00 00 00 00 00 f9[f9]f9 f9
  0x0abda3fbd2e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0abda3fbd2f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0abda3fbd300: 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9
  0x0abda3fbd310: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0abda3fbd320: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==2226711==ABORTING

poc

poc_pdfimages.zip

Environment

Ubuntu 18.04(docker)
clang/clang++ 12.0.1
version:commit ffaf11c

COMPILE

export CC = gcc
export CXX=g++
export CFLAGS="-fsanitize=address -g"
export CXXFLAGS="-fsanitize=address -g"
./configure --disable-shared
make

Credit

Zhao Jiayu (NCNIPC)
Han Zheng (NCNIPC, Hexhive)
Yin Li, Xiaotong Jiao (NCNIPC of China)

Thanks for your time!

heap-buffer-overflow_in_readHuffSym

Hi, in the lastest version of this code [ ps: commit id ffaf11c] I found something unusual.

crash sample

8id0_heap-buffer-overflow_in_readHuffSym.zip

command to reproduce

./pdftops -q [crash sample] /dev/null

crash detail

=================================================================
==108391==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x620000001782 at pc 0x000000759029 bp 0x7ffd51edc550 sp 0x7ffd51edc548
READ of size 2 at 0x620000001782 thread T0
    #0 0x759028 in DCTStream::readHuffSym(DCTHuffTable*) /home/bupt/Desktop/xpdf/xpdf/Stream.cc:3119:16
    #1 0x7548ba in DCTStream::readDataUnit(DCTHuffTable*, DCTHuffTable*, int*, int*) /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2624:17
    #2 0x751b27 in DCTStream::readMCURow() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2392:9
    #3 0x750d6e in DCTStream::getChar() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2316:12
    #4 0x6899e3 in Object::streamGetChar() /home/bupt/Desktop/xpdf/xpdf/./Object.h:288:20
    #5 0x6899e3 in Lexer::getChar() /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:92:42
    #6 0x6899e3 in Lexer::getObj(Object*) /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:124:14
    #7 0x6a8fc5 in Parser::Parser(XRef*, Lexer*, int) /home/bupt/Desktop/xpdf/xpdf/Parser.cc:33:10
    #8 0x581742 in Gfx::display(Object*, int) /home/bupt/Desktop/xpdf/xpdf/Gfx.cc:641:16
    #9 0x6a76a1 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:360:10
    #10 0x6d5f6e in PSOutputDev::checkPageSlice(Page*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PSOutputDev.cc:3276:11
    #11 0x6a7172 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:328:13
    #12 0x6a6f81 in Page::display(OutputDev*, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:308:3
    #13 0x6af9b4 in PDFDoc::displayPage(OutputDev*, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:384:27
    #14 0x6af9b4 in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:397:5
    #15 0x796d81 in main /home/bupt/Desktop/xpdf/xpdf/pdftops.cc:342:10
    #16 0x7f3b180d3c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    #17 0x41d5d9 in _start (/home/bupt/Desktop/xpdf/xpdf/pdftops+0x41d5d9)

0x620000001782 is located 2314 bytes to the right of 3576-byte region [0x620000000080,0x620000000e78)
allocated by thread T0 here:
    #0 0x4f5768 in operator new(unsigned long) /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_new_delete.cpp:99
    #1 0x7259bc in Stream::makeFilter(char*, Stream*, Object*, int) /home/bupt/Desktop/xpdf/xpdf/Stream.cc:269:11
    #2 0x72459a in Stream::addFilters(Object*, int) /home/bupt/Desktop/xpdf/xpdf/Stream.cc:141:11
    #3 0x6ad41e in Parser::makeStream(Object*, unsigned char*, CryptAlgorithm, int, int, int, int) /home/bupt/Desktop/xpdf/xpdf/Parser.cc:214:14
    #4 0x6ab6f6 in Parser::getObj(Object*, int, unsigned char*, CryptAlgorithm, int, int, int, int) /home/bupt/Desktop/xpdf/xpdf/Parser.cc:101:18
    #5 0x781a3a in XRef::fetch(int, int, Object*, int) /home/bupt/Desktop/xpdf/xpdf/XRef.cc:1028:13
    #6 0x6a7611 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:357:12
    #7 0x6d5f6e in PSOutputDev::checkPageSlice(Page*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PSOutputDev.cc:3276:11

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/bupt/Desktop/xpdf/xpdf/Stream.cc:3119:16 in DCTStream::readHuffSym(DCTHuffTable*)
Shadow bytes around the buggy address:
  0x0c407fff82a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c407fff82b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c407fff82c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c407fff82d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c407fff82e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c407fff82f0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c407fff8300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c407fff8310: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c407fff8320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c407fff8330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c407fff8340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==108391==ABORTING

heap_buffer_overflow_in_decodeImage

Hi, in the lastest version of this code [ ps: commit id ffaf11c] I found something unusual.

crash sample

8id77_heap_buffer_overflow_in_decodeImage.zip

command to reproduce

./pdftops -q [crash sample] /dev/null

crash detail

=================================================================
==115925==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7ff6d61be800 at pc 0x0000007501b0 bp 0x7fff7ae393d0 sp 0x7fff7ae393c8
READ of size 4 at 0x7ff6d61be800 thread T0
    #0 0x7501af in DCTStream::decodeImage() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2827:22
    #1 0x7402bb in DCTStream::reset() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2261:5
    #2 0x68912e in Object::streamReset() /home/bupt/Desktop/xpdf/xpdf/./Object.h:282:13
    #3 0x68912e in Lexer::Lexer(XRef*, Object*) /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:74:12
    #4 0x581714 in Gfx::display(Object*, int) /home/bupt/Desktop/xpdf/xpdf/Gfx.cc:641:33
    #5 0x6a76a1 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:360:10
    #6 0x6d5f6e in PSOutputDev::checkPageSlice(Page*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PSOutputDev.cc:3276:11
    #7 0x6a7172 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:328:13
    #8 0x6a6f81 in Page::display(OutputDev*, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:308:3
    #9 0x6af9b4 in PDFDoc::displayPage(OutputDev*, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:384:27
    #10 0x6af9b4 in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:397:5
    #11 0x796d81 in main /home/bupt/Desktop/xpdf/xpdf/pdftops.cc:342:10
    #12 0x7ff6d8d70c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    #13 0x41d5d9 in _start (/home/bupt/Desktop/xpdf/xpdf/pdftops+0x41d5d9)

0x7ff6d61be800 is located 0 bytes to the right of 245760-byte region [0x7ff6d6182800,0x7ff6d61be800)
allocated by thread T0 here:
    #0 0x4afba0 in malloc /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
    #1 0x7aa7fa in gmalloc /home/bupt/Desktop/xpdf/goo/gmem.cc:102:13
    #2 0x7aa7fa in gmallocn /home/bupt/Desktop/xpdf/goo/gmem.cc:168:10

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2827:22 in DCTStream::decodeImage()
Shadow bytes around the buggy address:
  0x0fff5ac2fcb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fff5ac2fcc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fff5ac2fcd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fff5ac2fce0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fff5ac2fcf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fff5ac2fd00:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fff5ac2fd10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fff5ac2fd20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fff5ac2fd30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fff5ac2fd40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fff5ac2fd50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==115925==ABORTING

SEGV_in_readMCURow

Hi, in the lastest version of this code [ ps: commit id ffaf11c] I found something unusual.

crash sample

8id69_SEGV_in_readMCURow.zip

command to reproduce

./pdftops -q [crash sample] /dev/null

crash detail

AddressSanitizer:DEADLYSIGNAL
=================================================================
==115909==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000751cdd bp 0x7fffab2f8a10 sp 0x7fffab2f8640 T0)
==115909==The signal is caused by a WRITE memory access.
==115909==Hint: address points to the zero page.
    #0 0x751cdd in DCTStream::readMCURow() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2403:23
    #1 0x750d6e in DCTStream::getChar() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2316:12
    #2 0x6899e3 in Object::streamGetChar() /home/bupt/Desktop/xpdf/xpdf/./Object.h:288:20
    #3 0x6899e3 in Lexer::getChar() /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:92:42
    #4 0x6899e3 in Lexer::getObj(Object*) /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:124:14
    #5 0x6a8fc5 in Parser::Parser(XRef*, Lexer*, int) /home/bupt/Desktop/xpdf/xpdf/Parser.cc:33:10
    #6 0x581742 in Gfx::display(Object*, int) /home/bupt/Desktop/xpdf/xpdf/Gfx.cc:641:16
    #7 0x6a76a1 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:360:10
    #8 0x6d5f6e in PSOutputDev::checkPageSlice(Page*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PSOutputDev.cc:3276:11
    #9 0x6a7172 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:328:13
    #10 0x6a6f81 in Page::display(OutputDev*, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:308:3
    #11 0x6af9b4 in PDFDoc::displayPage(OutputDev*, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:384:27
    #12 0x6af9b4 in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:397:5
    #13 0x796d81 in main /home/bupt/Desktop/xpdf/xpdf/pdftops.cc:342:10
    #14 0x7fabd9c46c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    #15 0x41d5d9 in _start (/home/bupt/Desktop/xpdf/xpdf/pdftops+0x41d5d9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2403:23 in DCTStream::readMCURow()
==115909==ABORTING

heap_buffer_overflow_in_readScan

Hi, in the lastest version of this code [ ps: commit id ffaf11c] I found something unusual.

crash sample

8id103_heap_buffer_overflow_in_readScan.zip

command to reproduce

./pdftops -q [crash sample] /dev/null

crash detail

=================================================================
==115797==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fcb48dd5800 at pc 0x00000074635f bp 0x7ffcc31156f0 sp 0x7ffcc31156e8
READ of size 4 at 0x7fcb48dd5800 thread T0
    #0 0x74635e in DCTStream::readScan() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2549:18
    #1 0x7401e0 in DCTStream::reset() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2257:7
    #2 0x68912e in Object::streamReset() /home/bupt/Desktop/xpdf/xpdf/./Object.h:282:13
    #3 0x68912e in Lexer::Lexer(XRef*, Object*) /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:74:12
    #4 0x581714 in Gfx::display(Object*, int) /home/bupt/Desktop/xpdf/xpdf/Gfx.cc:641:33
    #5 0x6a76a1 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:360:10
    #6 0x6d5f6e in PSOutputDev::checkPageSlice(Page*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PSOutputDev.cc:3276:11
    #7 0x6a7172 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:328:13
    #8 0x6a6f81 in Page::display(OutputDev*, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:308:3
    #9 0x6af9b4 in PDFDoc::displayPage(OutputDev*, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:384:27
    #10 0x6af9b4 in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:397:5
    #11 0x796d81 in main /home/bupt/Desktop/xpdf/xpdf/pdftops.cc:342:10
    #12 0x7fcb4b949c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    #13 0x41d5d9 in _start (/home/bupt/Desktop/xpdf/xpdf/pdftops+0x41d5d9)

0x7fcb48dd5800 is located 0 bytes to the right of 131072-byte region [0x7fcb48db5800,0x7fcb48dd5800)
allocated by thread T0 here:
    #0 0x4afba0 in malloc /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
    #1 0x7aa7fa in gmalloc /home/bupt/Desktop/xpdf/goo/gmem.cc:102:13
    #2 0x7aa7fa in gmallocn /home/bupt/Desktop/xpdf/goo/gmem.cc:168:10

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2549:18 in DCTStream::readScan()
Shadow bytes around the buggy address:
  0x0ff9e91b2ab0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff9e91b2ac0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff9e91b2ad0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff9e91b2ae0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff9e91b2af0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ff9e91b2b00:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff9e91b2b10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff9e91b2b20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff9e91b2b30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff9e91b2b40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff9e91b2b50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==115797==ABORTING

heap_buffer_overflow_in_lookChar

Hi, in the lastest version of this code [ ps: commit id ffaf11c] I found something unusual.

crash sample

8id148_heap_buffer_overflow_in_lookChar.zip

command to reproduce

./pdftops -q [crash sample] /dev/null

crash detail

=================================================================
==115813==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x631000038800 at pc 0x000000754566 bp 0x7ffe27e56210 sp 0x7ffe27e56208
READ of size 4 at 0x631000038800 thread T0
    #0 0x754565 in DCTStream::lookChar() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2331:12
    #1 0x68a82a in Object::streamLookChar() /home/bupt/Desktop/xpdf/xpdf/./Object.h:291:20
    #2 0x68a82a in Lexer::lookChar() /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:108:17
    #3 0x68a82a in Lexer::getObj(Object*) /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:458:17
    #4 0x6ab867 in Parser::getObj(Object*, int, unsigned char*, CryptAlgorithm, int, int, int, int) /home/bupt/Desktop/xpdf/xpdf/Parser.cc
    #5 0x6aa214 in Parser::getObj(Object*, int, unsigned char*, CryptAlgorithm, int, int, int, int) /home/bupt/Desktop/xpdf/xpdf/Parser.cc:69:21
    #6 0x582f60 in Gfx::go(int) /home/bupt/Desktop/xpdf/xpdf/Gfx.cc:757:13
    #7 0x581775 in Gfx::display(Object*, int) /home/bupt/Desktop/xpdf/xpdf/Gfx.cc:642:3
    #8 0x6a76a1 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:360:10
    #9 0x6d5f6e in PSOutputDev::checkPageSlice(Page*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PSOutputDev.cc:3276:11
    #10 0x6a7172 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:328:13
    #11 0x6a6f81 in Page::display(OutputDev*, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:308:3
    #12 0x6af9b4 in PDFDoc::displayPage(OutputDev*, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:384:27
    #13 0x6af9b4 in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:397:5
    #14 0x796d81 in main /home/bupt/Desktop/xpdf/xpdf/pdftops.cc:342:10
    #15 0x7f3e6975dc86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    #16 0x41d5d9 in _start (/home/bupt/Desktop/xpdf/xpdf/pdftops+0x41d5d9)

0x631000038800 is located 0 bytes to the right of 65536-byte region [0x631000028800,0x631000038800)
allocated by thread T0 here:
    #0 0x4afba0 in malloc /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
    #1 0x7aa7fa in gmalloc /home/bupt/Desktop/xpdf/goo/gmem.cc:102:13
    #2 0x7aa7fa in gmallocn /home/bupt/Desktop/xpdf/goo/gmem.cc:168:10

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2331:12 in DCTStream::lookChar()
Shadow bytes around the buggy address:
  0x0c627ffff0b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c627ffff0c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c627ffff0d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c627ffff0e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c627ffff0f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c627ffff100:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c627ffff110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c627ffff120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c627ffff130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c627ffff140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c627ffff150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==115813==ABORTING

SEGV_in_getObj

Hi, in the lastest version of this code [ ps: commit id ffaf11c] I found something unusual.

crash sample

8id95_SEGV_in_getObj.zip

command to reproduce

./pdftops -q [crash sample] /dev/null

crash detail

AddressSanitizer:DEADLYSIGNAL
=================================================================
==115957==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x000000689bd4 bp 0x0000957f8ba1 sp 0x7ffd52912760 T0)
==115957==The signal is caused by a READ memory access.
==115957==Hint: this fault was caused by a dereference of a high value address (see register values below).  Disassemble the provided pc to learn which register was used.
    #0 0x689bd4 in Lexer::getObj(Object*) /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:132:16
    #1 0x6a8fc5 in Parser::Parser(XRef*, Lexer*, int) /home/bupt/Desktop/xpdf/xpdf/Parser.cc:33:10
    #2 0x581742 in Gfx::display(Object*, int) /home/bupt/Desktop/xpdf/xpdf/Gfx.cc:641:16
    #3 0x6a76a1 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:360:10
    #4 0x6d5f6e in PSOutputDev::checkPageSlice(Page*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PSOutputDev.cc:3276:11
    #5 0x6a7172 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:328:13
    #6 0x6a6f81 in Page::display(OutputDev*, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:308:3
    #7 0x6af9b4 in PDFDoc::displayPage(OutputDev*, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:384:27
    #8 0x6af9b4 in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:397:5
    #9 0x796d81 in main /home/bupt/Desktop/xpdf/xpdf/pdftops.cc:342:10
    #10 0x7f84f066ac86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    #11 0x41d5d9 in _start (/home/bupt/Desktop/xpdf/xpdf/pdftops+0x41d5d9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:132:16 in Lexer::getObj(Object*)
==115957==ABORTING

heap_buffer_overflow_in_getChar

Hi, in the lastest version of this code [ ps: commit id ffaf11c] I found something unusual.

crash sample

8id93_heap_buffer_overflow_in_getChar.zip

command to reproduce

./pdftops -q [crash sample] /dev/null

crash detail

=================================================================
==115941==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f54608ff800 at pc 0x000000750e7c bp 0x7ffdad0d6050 sp 0x7ffdad0d6048
READ of size 4 at 0x7f54608ff800 thread T0
    #0 0x750e7b in DCTStream::getChar() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2302:9
    #1 0x6899e3 in Object::streamGetChar() /home/bupt/Desktop/xpdf/xpdf/./Object.h:288:20
    #2 0x6899e3 in Lexer::getChar() /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:92:42
    #3 0x6899e3 in Lexer::getObj(Object*) /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:124:14
    #4 0x6ab867 in Parser::getObj(Object*, int, unsigned char*, CryptAlgorithm, int, int, int, int) /home/bupt/Desktop/xpdf/xpdf/Parser.cc
    #5 0x582f60 in Gfx::go(int) /home/bupt/Desktop/xpdf/xpdf/Gfx.cc:757:13
    #6 0x581775 in Gfx::display(Object*, int) /home/bupt/Desktop/xpdf/xpdf/Gfx.cc:642:3
    #7 0x6a76a1 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:360:10
    #8 0x6d5f6e in PSOutputDev::checkPageSlice(Page*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PSOutputDev.cc:3276:11
    #9 0x6a7172 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:328:13
    #10 0x6a6f81 in Page::display(OutputDev*, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:308:3
    #11 0x6af9b4 in PDFDoc::displayPage(OutputDev*, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:384:27
    #12 0x6af9b4 in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:397:5
    #13 0x796d81 in main /home/bupt/Desktop/xpdf/xpdf/pdftops.cc:342:10
    #14 0x7f5463589c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    #15 0x41d5d9 in _start (/home/bupt/Desktop/xpdf/xpdf/pdftops+0x41d5d9)

0x7f54608ff800 is located 0 bytes to the right of 131072-byte region [0x7f54608df800,0x7f54608ff800)
allocated by thread T0 here:
    #0 0x4afba0 in malloc /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
    #1 0x7aa7fa in gmalloc /home/bupt/Desktop/xpdf/goo/gmem.cc:102:13
    #2 0x7aa7fa in gmallocn /home/bupt/Desktop/xpdf/goo/gmem.cc:168:10

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2302:9 in DCTStream::getChar()
Shadow bytes around the buggy address:
  0x0feb0c117eb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0feb0c117ec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0feb0c117ed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0feb0c117ee0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0feb0c117ef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0feb0c117f00:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0feb0c117f10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0feb0c117f20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0feb0c117f30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0feb0c117f40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0feb0c117f50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==115941==ABORTING

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.