In pdf_write_contents(), in ps-pdf.cxx, there is a heap buffer overflow at line 2982:
    i = heading_pages[*heading];
In this case, the variable num_headings = 36, while *heading can be larger than num_headings, the size of the heading_pages array.
I've attached poc.zip that can trigger the heap overflow.
Steps to reproduce
$ unzip poc.zip
$ # Compiling htmldoc with -fsanitize=address,bounds
$ htmldoc -f output.pdf poc
=================================================================
==164645==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x611000000388 at pc 0x55e9c7443313 bp 0x7ffdee44e1b0 sp 0x7ffdee44e1a0
READ of size 4 at 0x611000000388 thread T0
#0 0x55e9c7443312 in pdf_write_contents /home/fuzz/fuzzing/htmldoc/htmldoc/ps-pdf.cxx:2982
#1 0x55e9c7443754 in pdf_write_contents /home/fuzz/fuzzing/htmldoc/htmldoc/ps-pdf.cxx:3002
#2 0x55e9c743f8f8 in pdf_write_document /home/fuzz/fuzzing/htmldoc/htmldoc/ps-pdf.cxx:2331
#3 0x55e9c743619b in pspdf_export /home/fuzz/fuzzing/htmldoc/htmldoc/ps-pdf.cxx:910
#4 0x55e9c7417caf in main /home/fuzz/fuzzing/htmldoc/htmldoc/htmldoc.cxx:1291
#5 0x7fdffa9830b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
#6 0x55e9c7405bed in _start (/home/fuzz/fuzzing/htmldoc/fuzzing/analysis/htmldoc_asan+0x57bed)
0x611000000388 is located 0 bytes to the right of 200-byte region [0x6110000002c0,0x611000000388)
allocated by thread T0 here:
#0 0x7fdffb9c8bc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
#1 0x55e9c7452724 in parse_heading /home/fuzz/fuzzing/htmldoc/htmldoc/ps-pdf.cxx:4640
#2 0x55e9c744d04f in parse_doc /home/fuzz/fuzzing/htmldoc/htmldoc/ps-pdf.cxx:4206
#3 0x55e9c744b852 in parse_doc /home/fuzz/fuzzing/htmldoc/htmldoc/ps-pdf.cxx:4092
#4 0x55e9c744b852 in parse_doc /home/fuzz/fuzzing/htmldoc/htmldoc/ps-pdf.cxx:4092
#5 0x55e9c7434e7c in pspdf_export /home/fuzz/fuzzing/htmldoc/htmldoc/ps-pdf.cxx:803
#6 0x55e9c7417caf in main /home/fuzz/fuzzing/htmldoc/htmldoc/htmldoc.cxx:1291
#7 0x7fdffa9830b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/fuzz/fuzzing/htmldoc/htmldoc/ps-pdf.cxx:2982 in pdf_write_contents
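The fix for this class of bug is a bounds check on the index before the array read. The following is an added example, not htmldoc's code: the table type, the checked lookup and the contents walk are hypothetical stand-ins for the real structures, and the input is constructed to match the report (36 headings, an index beyond the table).

```c
#include <stdio.h>
/* Hypothetical model of the heading_pages table (added example, not
 * htmldoc's code): one page number per heading, num_headings entries. */
typedef struct {
    int *heading_pages;
    int  num_headings;
} heading_table_t;

/* The reported line does i = heading_pages[*heading] with no check, so a
 * *heading >= num_headings reads past the allocation. This lookup rejects
 * any index outside [0, num_headings) and returns -1 instead. */
static int lookup_page_checked(const heading_table_t *t, int heading)
{
    if (heading < 0 || heading >= t->num_headings)
        return -1;
    return t->heading_pages[heading];
}

/* Walk a list of heading indices the way a contents writer would, keeping
 * valid pages and skipping rejected ones; returns the number rejected. */
static int write_contents_checked(const heading_table_t *t,
                                  const int *headings, int n, int *pages_out)
{
    int rejected = 0;
    for (int k = 0; k < n; k++) {
        int page = lookup_page_checked(t, headings[k]);
        if (page < 0) { rejected++; continue; }
        pages_out[k - rejected] = page;
    }
    return rejected;
}

/* Constructed input mirroring the report: 36 headings, and a contents list
 * whose last two indices (36 and 100) lie beyond the table. */
static int run_demo(void)
{
    int hp[36];
    heading_table_t t = { hp, 36 };
    for (int k = 0; k < 36; k++) hp[k] = k + 1;
    int headings[] = { 0, 35, 36, 100 };
    int pages[4];
    return write_contents_checked(&t, headings, 4, pages);
}

int main(void)
{
    printf("rejected %d malformed entries\n", run_demo());  /* prints 2 */
    return 0;
}
```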