=================================================================
==115925==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7ff6d61be800 at pc 0x0000007501b0 bp 0x7fff7ae393d0 sp 0x7fff7ae393c8
READ of size 4 at 0x7ff6d61be800 thread T0
#0 0x7501af in DCTStream::decodeImage() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2827:22
#1 0x7402bb in DCTStream::reset() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2261:5
#2 0x68912e in Object::streamReset() /home/bupt/Desktop/xpdf/xpdf/./Object.h:282:13
#3 0x68912e in Lexer::Lexer(XRef*, Object*) /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:74:12
#4 0x581714 in Gfx::display(Object*, int) /home/bupt/Desktop/xpdf/xpdf/Gfx.cc:641:33
#5 0x6a76a1 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:360:10
#6 0x6d5f6e in PSOutputDev::checkPageSlice(Page*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PSOutputDev.cc:3276:11
#7 0x6a7172 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:328:13
#8 0x6a6f81 in Page::display(OutputDev*, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:308:3
#9 0x6af9b4 in PDFDoc::displayPage(OutputDev*, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:384:27
#10 0x6af9b4 in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:397:5
#11 0x796d81 in main /home/bupt/Desktop/xpdf/xpdf/pdftops.cc:342:10
#12 0x7ff6d8d70c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
#13 0x41d5d9 in _start (/home/bupt/Desktop/xpdf/xpdf/pdftops+0x41d5d9)
0x7ff6d61be800 is located 0 bytes to the right of 245760-byte region [0x7ff6d6182800,0x7ff6d61be800)
allocated by thread T0 here:
#0 0x4afba0 in malloc /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
#1 0x7aa7fa in gmalloc /home/bupt/Desktop/xpdf/goo/gmem.cc:102:13
#2 0x7aa7fa in gmallocn /home/bupt/Desktop/xpdf/goo/gmem.cc:168:10
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2827:22 in DCTStream::decodeImage()
Shadow bytes around the buggy address:
0x0fff5ac2fcb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fff5ac2fcc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fff5ac2fcd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fff5ac2fce0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fff5ac2fcf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fff5ac2fd00:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fff5ac2fd10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fff5ac2fd20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fff5ac2fd30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fff5ac2fd40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fff5ac2fd50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==115925==ABORTING
Hi, in the lastest version of this code [ ps: commit id ffaf11c] I found something unusual.
crash sample
8id77_heap_buffer_overflow_in_decodeImage.zip
command to reproduce
./pdftops -q [crash sample] /dev/nullcrash detail