SEGV in TextPage::createPath

Open strongcourage opened this issue 6 years ago • 1 comment

Hi,

I found a crash in pdfalto (the latest commit 8296a3d on master).

PoC: https://github.com/strongcourage/PoCs/blob/master/pdfalto_8296a3d/PoC_segv_TextPage::createPath
Command: pdfalto $PoC /dev/null

ASAN says:

==17560==ERROR: AddressSanitizer: SEGV on unknown address 0x02007f614fef (pc 0x00000073e2e2 bp 0x7fffd873fa80 sp 0x7fffd873fa70 T0)
    #0 0x73e2e1 in GString::~GString() /home/dungnguyen/gueb-testing/pdfalto-asan/xpdf-4.00/goo/GString.cc:209
    #1 0x439fec in TextPage::createPath(GfxPath*, GfxState*, _xmlNode*) /home/dungnguyen/gueb-testing/pdfalto-asan/src/XmlAltoOutputDev.cc:6457
    #2 0x43889d in TextPage::doPathForClip(GfxPath*, GfxState*, _xmlNode*) /home/dungnguyen/gueb-testing/pdfalto-asan/src/XmlAltoOutputDev.cc:6256
    #3 0x43a51b in TextPage::clip(GfxState*) /home/dungnguyen/gueb-testing/pdfalto-asan/src/XmlAltoOutputDev.cc:6489
    #4 0x446eac in XmlAltoOutputDev::clip(GfxState*) /home/dungnguyen/gueb-testing/pdfalto-asan/src/XmlAltoOutputDev.cc:8609
    #5 0x6d90aa in Gfx::doEndPath() /home/dungnguyen/gueb-testing/pdfalto-asan/xpdf-4.00/xpdf/Gfx.cc:3436
    #6 0x6c5a55 in Gfx::opFill(Object*, int) /home/dungnguyen/gueb-testing/pdfalto-asan/xpdf-4.00/xpdf/Gfx.cc:1691
    #7 0x6bd454 in Gfx::execOp(Object*, Object*, int) /home/dungnguyen/gueb-testing/pdfalto-asan/xpdf-4.00/xpdf/Gfx.cc:826
    #8 0x6bca6f in Gfx::go(int) /home/dungnguyen/gueb-testing/pdfalto-asan/xpdf-4.00/xpdf/Gfx.cc:719
    #9 0x6bc057 in Gfx::display(Object*, int) /home/dungnguyen/gueb-testing/pdfalto-asan/xpdf-4.00/xpdf/Gfx.cc:641
    #10 0x61da5c in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/dungnguyen/gueb-testing/pdfalto-asan/xpdf-4.00/xpdf/Page.cc:373
    #11 0x61d2a4 in Page::display(OutputDev*, double, double, int, int, int, int, int (*)(void*), void*) /home/dungnguyen/gueb-testing/pdfalto-asan/xpdf-4.00/xpdf/Page.cc:323
    #12 0x621b51 in PDFDoc::displayPage(OutputDev*, int, double, double, int, int, int, int, int (*)(void*), void*) /home/dungnguyen/gueb-testing/pdfalto-asan/xpdf-4.00/xpdf/PDFDoc.cc:388
    #13 0x621bda in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /home/dungnguyen/gueb-testing/pdfalto-asan/xpdf-4.00/xpdf/PDFDoc.cc:400
    #14 0x40a6be in PDFDocXrce::displayPages(OutputDev*, _xmlNode*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /home/dungnguyen/gueb-testing/pdfalto-asan/src/PDFDocXrce.cc:22
    #15 0x40be58 in main /home/dungnguyen/gueb-testing/pdfalto-asan/src/pdfalto.cc:390
    #16 0x7f24cf72582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #17 0x4062c8 in _start (/home/dungnguyen/PoCs/pdfalto_8296a3d/pdfalto-asan+0x4062c8)

Thanks, Manh Dung

strongcourage avatar Jul 25 '19 16:07 strongcourage

Thank you! Normally the corresponding delete at the end of TextPage::createPath should not be present, and could lead to a crash when applying xmlFreeDoc() later. Fixed with 2d1bafa25091c1f7ea34d89ea8510273b36af455

kermitt2 avatar Apr 07 '21 11:04 kermitt2
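The maintainer's diagnosis is an ownership mistake: once a string is attached to the output tree, the tree owns it and frees it when the whole document is torn down, so an extra delete in the function that created it becomes a double free at teardown. The following C++ program is an added illustration of that pattern, not pdfalto's code: the `Doc`, `attach`, `freeDoc` and `createPath*` names are hypothetical stand-ins for the libxml2 tree and the `TextPage::createPath` logic, and a small allocation ledger stands in for AddressSanitizer so the defect is reported as a count instead of crashing the process.

```cpp
// Added example (not from pdfalto). Models the bug described in the issue:
// a string attached to an output tree is owned by that tree and released when
// the document is freed (as xmlFreeDoc does for a libxml2 tree). Deleting it
// again in the function that created it is a double free.
#include <cstdio>
#include <set>
#include <string>
#include <vector>

namespace {
std::set<std::string*> g_live;   // every string handed out and not yet freed
int g_double_frees = 0;          // how many times a dead pointer was freed again

std::string* make_string(const std::string& s) {
    std::string* p = new std::string(s);
    g_live.insert(p);
    return p;
}

// The only way storage is released. A second release of the same pointer is
// recorded instead of calling delete on freed memory (ASan would abort here).
void free_string(std::string* p) {
    if (g_live.erase(p) == 1) {
        delete p;
    } else {
        ++g_double_frees;
    }
}
}  // namespace

// Hypothetical stand-in for an XML document: it owns every string attached to
// it, and freeDoc() releases all of them in one pass.
struct Doc {
    std::vector<std::string*> owned;
    void attach(std::string* s) { owned.push_back(s); }  // ownership moves here
};

void freeDoc(Doc& d) {
    for (std::string* s : d.owned) free_string(s);
    d.owned.clear();
}

// Buggy shape: build the path data, hand it to the tree, then delete it locally
// even though the tree now owns it. The second free happens later, in freeDoc().
void createPathBuggy(Doc& d, const std::string& pathData) {
    std::string* s = make_string(pathData);
    d.attach(s);
    free_string(s);   // wrong: freeDoc() will release this pointer again
}

// Fixed shape: the local delete is gone; the document releases the string.
void createPathFixed(Doc& d, const std::string& pathData) {
    std::string* s = make_string(pathData);
    d.attach(s);
}

// Runs one variant to completion (path creation plus document teardown) on two
// constructed path strings and returns the number of double frees observed.
int runScenario(bool fixed) {
    g_double_frees = 0;
    Doc d;
    for (const char* p : {"M 0 0 L 10 10", "M 5 5 L 20 20 Z"}) {
        if (fixed) createPathFixed(d, p);
        else       createPathBuggy(d, p);
    }
    freeDoc(d);
    return g_double_frees;
}

int main() {
    std::printf("buggy: %d double free(s)\n", runScenario(false));
    std::printf("fixed: %d double free(s)\n", runScenario(true));
    return 0;
}
```

The ledger is only there to keep the demonstration from crashing; in the real program the same sequence (attach, delete, then xmlFreeDoc) is exactly what AddressSanitizer reports as a double free or a use after free, which is why a fuzzed PDF that exercises the clip path code could bring down the process.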