XPDF commit ffaf11c was discovered to contain a global-buffer overflow via Lexer::getObj(Object*) at /xpdf/Lexer.cc.

Hi, in the lastest version of this code \[ ps: commit id ffaf11c\] I found something unusual.

**crash sample**

8id65\_global\_buffer\_overflow\_in\_getObj.zip

**command to reproduce**

./pdftops -q [crash sample] /dev/null

**crash detail**

    ==115893==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000093aadc at pc 0x000000689c9a bp 0x7ffe79eed770 sp 0x7ffe79eed768
    READ of size 1 at 0x00000093aadc thread T0
        #0 0x689c99 in Lexer::getObj(Object*) /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:132:16
        #1 0x6a8fc5 in Parser::Parser(XRef*, Lexer*, int) /home/bupt/Desktop/xpdf/xpdf/Parser.cc:33:10
        #2 0x581742 in Gfx::display(Object*, int) /home/bupt/Desktop/xpdf/xpdf/Gfx.cc:641:16
        #3 0x6a76a1 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:360:10
        #4 0x6d5f6e in PSOutputDev::checkPageSlice(Page*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PSOutputDev.cc:3276:11
        #5 0x6a7172 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:328:13
        #6 0x6a6f81 in Page::display(OutputDev*, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:308:3
        #7 0x6af9b4 in PDFDoc::displayPage(OutputDev*, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:384:27
        #8 0x6af9b4 in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:397:5
        #9 0x796d81 in main /home/bupt/Desktop/xpdf/xpdf/pdftops.cc:342:10
        #10 0x7f2de419dc86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #11 0x41d5d9 in _start (/home/bupt/Desktop/xpdf/xpdf/pdftops+0x41d5d9)
    
    0x00000093aadc is located 4 bytes to the left of global variable 'specialChars' defined in 'Lexer.cc:26:13' (0x93aae0) of size 256
    0x00000093aadc is located 55 bytes to the right of global variable '<string literal>' defined in 'Lexer.cc:471:52' (0x93aaa0) of size 5
      '<string literal>' is ascii string 'null'
    SUMMARY: AddressSanitizer: global-buffer-overflow /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:132:16 in Lexer::getObj(Object*)
    Shadow bytes around the buggy address:
      0x00008011f500: f9 f9 f9 f9 00 00 04 f9 f9 f9 f9 f9 00 00 00 00
      0x00008011f510: 02 f9 f9 f9 f9 f9 f9 f9 00 00 00 f9 f9 f9 f9 f9
      0x00008011f520: 00 00 00 00 00 02 f9 f9 f9 f9 f9 f9 00 00 06 f9
      0x00008011f530: f9 f9 f9 f9 00 00 00 02 f9 f9 f9 f9 00 00 07 f9
      0x00008011f540: f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9 06 f9 f9 f9
    =>0x00008011f550: f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9[f9]00 00 00 00
      0x00008011f560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x00008011f570: 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9
      0x00008011f580: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
      0x00008011f590: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x00008011f5a0: 00 00 00 00 00 00 06 f9 f9 f9 f9 f9 02 f9 f9 f9
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==115893==ABORTING

CVE-2022-38236: global_buffer_overflow_in_getObj · Issue #8 · jhcloos/xpdf

XPDF commit ffaf11c was discovered to contain a floating point exception (FPE) via DCTStream::decodeImage() at /xpdf/Stream.cc.

Hi, in the lastest version of this code \[ ps: commit id ffaf11c\] I found something unusual.

**crash sample**

8id63\_FPE\_in\_decodeImage.zip

**command to reproduce**

./pdftops -q [crash sample] /dev/null

**crash detail**

    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==115861==ERROR: AddressSanitizer: FPE on unknown address 0x0000007476d3 (pc 0x0000007476d3 bp 0x7fff22d95b40 sp 0x7fff22d952c0 T0)
        #0 0x7476d3 in DCTStream::decodeImage() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2813:19
        #1 0x7402bb in DCTStream::reset() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2261:5
        #2 0x68912e in Object::streamReset() /home/bupt/Desktop/xpdf/xpdf/./Object.h:282:13
        #3 0x68912e in Lexer::Lexer(XRef*, Object*) /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:74:12
        #4 0x581714 in Gfx::display(Object*, int) /home/bupt/Desktop/xpdf/xpdf/Gfx.cc:641:33
        #5 0x6a76a1 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:360:10
        #6 0x6d5f6e in PSOutputDev::checkPageSlice(Page*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PSOutputDev.cc:3276:11
        #7 0x6a7172 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:328:13
        #8 0x6a6f81 in Page::display(OutputDev*, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:308:3
        #9 0x6af9b4 in PDFDoc::displayPage(OutputDev*, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:384:27
        #10 0x6af9b4 in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:397:5
        #11 0x796d81 in main /home/bupt/Desktop/xpdf/xpdf/pdftops.cc:342:10
        #12 0x7ffb8625dc86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #13 0x41d5d9 in _start (/home/bupt/Desktop/xpdf/xpdf/pdftops+0x41d5d9)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: FPE /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2813:19 in DCTStream::decodeImage()
    ==115861==ABORTING

CVE-2022-38230: FPE_in_decodeImage · Issue #6 · jhcloos/xpdf

XPDF commit ffaf11c was discovered to contain a heap-buffer overflow via DCTStream::readHuffSym(DCTHuffTable*) at /xpdf/Stream.cc.

Hi, in the lastest version of this code \[ ps: commit id ffaf11c\] I found something unusual.

**crash sample**

8id0\_heap-buffer-overflow\_in\_readHuffSym.zip

**command to reproduce**

./pdftops -q [crash sample] /dev/null

**crash detail**

    =================================================================
    ==108391==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x620000001782 at pc 0x000000759029 bp 0x7ffd51edc550 sp 0x7ffd51edc548
    READ of size 2 at 0x620000001782 thread T0
        #0 0x759028 in DCTStream::readHuffSym(DCTHuffTable*) /home/bupt/Desktop/xpdf/xpdf/Stream.cc:3119:16
        #1 0x7548ba in DCTStream::readDataUnit(DCTHuffTable*, DCTHuffTable*, int*, int*) /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2624:17
        #2 0x751b27 in DCTStream::readMCURow() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2392:9
        #3 0x750d6e in DCTStream::getChar() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2316:12
        #4 0x6899e3 in Object::streamGetChar() /home/bupt/Desktop/xpdf/xpdf/./Object.h:288:20
        #5 0x6899e3 in Lexer::getChar() /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:92:42
        #6 0x6899e3 in Lexer::getObj(Object*) /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:124:14
        #7 0x6a8fc5 in Parser::Parser(XRef*, Lexer*, int) /home/bupt/Desktop/xpdf/xpdf/Parser.cc:33:10
        #8 0x581742 in Gfx::display(Object*, int) /home/bupt/Desktop/xpdf/xpdf/Gfx.cc:641:16
        #9 0x6a76a1 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:360:10
        #10 0x6d5f6e in PSOutputDev::checkPageSlice(Page*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PSOutputDev.cc:3276:11
        #11 0x6a7172 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:328:13
        #12 0x6a6f81 in Page::display(OutputDev*, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:308:3
        #13 0x6af9b4 in PDFDoc::displayPage(OutputDev*, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:384:27
        #14 0x6af9b4 in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:397:5
        #15 0x796d81 in main /home/bupt/Desktop/xpdf/xpdf/pdftops.cc:342:10
        #16 0x7f3b180d3c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #17 0x41d5d9 in _start (/home/bupt/Desktop/xpdf/xpdf/pdftops+0x41d5d9)
    
    0x620000001782 is located 2314 bytes to the right of 3576-byte region [0x620000000080,0x620000000e78)
    allocated by thread T0 here:
        #0 0x4f5768 in operator new(unsigned long) /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_new_delete.cpp:99
        #1 0x7259bc in Stream::makeFilter(char*, Stream*, Object*, int) /home/bupt/Desktop/xpdf/xpdf/Stream.cc:269:11
        #2 0x72459a in Stream::addFilters(Object*, int) /home/bupt/Desktop/xpdf/xpdf/Stream.cc:141:11
        #3 0x6ad41e in Parser::makeStream(Object*, unsigned char*, CryptAlgorithm, int, int, int, int) /home/bupt/Desktop/xpdf/xpdf/Parser.cc:214:14
        #4 0x6ab6f6 in Parser::getObj(Object*, int, unsigned char*, CryptAlgorithm, int, int, int, int) /home/bupt/Desktop/xpdf/xpdf/Parser.cc:101:18
        #5 0x781a3a in XRef::fetch(int, int, Object*, int) /home/bupt/Desktop/xpdf/xpdf/XRef.cc:1028:13
        #6 0x6a7611 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:357:12
        #7 0x6d5f6e in PSOutputDev::checkPageSlice(Page*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PSOutputDev.cc:3276:11
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/bupt/Desktop/xpdf/xpdf/Stream.cc:3119:16 in DCTStream::readHuffSym(DCTHuffTable*)
    Shadow bytes around the buggy address:
      0x0c407fff82a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c407fff82b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c407fff82c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c407fff82d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c407fff82e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    =>0x0c407fff82f0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c407fff8300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c407fff8310: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c407fff8320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c407fff8330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c407fff8340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==108391==ABORTING

CVE-2022-38229: heap-buffer-overflow_in_readHuffSym · Issue #3 · jhcloos/xpdf

XPDF commit ffaf11c was discovered to contain a segmentation violation via Lexer::getObj(Object*) at /xpdf/Lexer.cc.

Hi, in the lastest version of this code \[ ps: commit id ffaf11c\] I found something unusual.

**crash sample**

8id95\_SEGV\_in\_getObj.zip

**command to reproduce**

./pdftops -q [crash sample] /dev/null

**crash detail**

    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==115957==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x000000689bd4 bp 0x0000957f8ba1 sp 0x7ffd52912760 T0)
    ==115957==The signal is caused by a READ memory access.
    ==115957==Hint: this fault was caused by a dereference of a high value address (see register values below).  Disassemble the provided pc to learn which register was used.
        #0 0x689bd4 in Lexer::getObj(Object*) /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:132:16
        #1 0x6a8fc5 in Parser::Parser(XRef*, Lexer*, int) /home/bupt/Desktop/xpdf/xpdf/Parser.cc:33:10
        #2 0x581742 in Gfx::display(Object*, int) /home/bupt/Desktop/xpdf/xpdf/Gfx.cc:641:16
        #3 0x6a76a1 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:360:10
        #4 0x6d5f6e in PSOutputDev::checkPageSlice(Page*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PSOutputDev.cc:3276:11
        #5 0x6a7172 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:328:13
        #6 0x6a6f81 in Page::display(OutputDev*, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:308:3
        #7 0x6af9b4 in PDFDoc::displayPage(OutputDev*, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:384:27
        #8 0x6af9b4 in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:397:5
        #9 0x796d81 in main /home/bupt/Desktop/xpdf/xpdf/pdftops.cc:342:10
        #10 0x7f84f066ac86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #11 0x41d5d9 in _start (/home/bupt/Desktop/xpdf/xpdf/pdftops+0x41d5d9)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:132:16 in Lexer::getObj(Object*)
    ==115957==ABORTING

CVE-2022-38234: SEGV_in_getObj · Issue #12 · jhcloos/xpdf

XPDF commit ffaf11c was discovered to contain a segmentation violation via DCTStream::readMCURow() at /xpdf/Stream.cc.

Hi, in the lastest version of this code \[ ps: commit id ffaf11c\] I found something unusual.

**crash sample**

8id69\_SEGV\_in\_readMCURow.zip

**command to reproduce**

./pdftops -q [crash sample] /dev/null

**crash detail**

    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==115909==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000751cdd bp 0x7fffab2f8a10 sp 0x7fffab2f8640 T0)
    ==115909==The signal is caused by a WRITE memory access.
    ==115909==Hint: address points to the zero page.
        #0 0x751cdd in DCTStream::readMCURow() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2403:23
        #1 0x750d6e in DCTStream::getChar() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2316:12
        #2 0x6899e3 in Object::streamGetChar() /home/bupt/Desktop/xpdf/xpdf/./Object.h:288:20
        #3 0x6899e3 in Lexer::getChar() /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:92:42
        #4 0x6899e3 in Lexer::getObj(Object*) /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:124:14
        #5 0x6a8fc5 in Parser::Parser(XRef*, Lexer*, int) /home/bupt/Desktop/xpdf/xpdf/Parser.cc:33:10
        #6 0x581742 in Gfx::display(Object*, int) /home/bupt/Desktop/xpdf/xpdf/Gfx.cc:641:16
        #7 0x6a76a1 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:360:10
        #8 0x6d5f6e in PSOutputDev::checkPageSlice(Page*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PSOutputDev.cc:3276:11
        #9 0x6a7172 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:328:13
        #10 0x6a6f81 in Page::display(OutputDev*, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:308:3
        #11 0x6af9b4 in PDFDoc::displayPage(OutputDev*, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:384:27
        #12 0x6af9b4 in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:397:5
        #13 0x796d81 in main /home/bupt/Desktop/xpdf/xpdf/pdftops.cc:342:10
        #14 0x7fabd9c46c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #15 0x41d5d9 in _start (/home/bupt/Desktop/xpdf/xpdf/pdftops+0x41d5d9)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2403:23 in DCTStream::readMCURow()
    ==115909==ABORTING

CVE-2022-38233: SEGV_in_readMCURow · Issue #9 · jhcloos/xpdf

XPDF commit ffaf11c was discovered to contain a heap-buffer overflow via DCTStream::lookChar() at /xpdf/Stream.cc.

Hi, in the lastest version of this code \[ ps: commit id ffaf11c\] I found something unusual.

**crash sample**

8id148\_heap\_buffer\_overflow\_in\_lookChar.zip

**command to reproduce**

./pdftops -q [crash sample] /dev/null

**crash detail**

    =================================================================
    ==115813==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x631000038800 at pc 0x000000754566 bp 0x7ffe27e56210 sp 0x7ffe27e56208
    READ of size 4 at 0x631000038800 thread T0
        #0 0x754565 in DCTStream::lookChar() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2331:12
        #1 0x68a82a in Object::streamLookChar() /home/bupt/Desktop/xpdf/xpdf/./Object.h:291:20
        #2 0x68a82a in Lexer::lookChar() /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:108:17
        #3 0x68a82a in Lexer::getObj(Object*) /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:458:17
        #4 0x6ab867 in Parser::getObj(Object*, int, unsigned char*, CryptAlgorithm, int, int, int, int) /home/bupt/Desktop/xpdf/xpdf/Parser.cc
        #5 0x6aa214 in Parser::getObj(Object*, int, unsigned char*, CryptAlgorithm, int, int, int, int) /home/bupt/Desktop/xpdf/xpdf/Parser.cc:69:21
        #6 0x582f60 in Gfx::go(int) /home/bupt/Desktop/xpdf/xpdf/Gfx.cc:757:13
        #7 0x581775 in Gfx::display(Object*, int) /home/bupt/Desktop/xpdf/xpdf/Gfx.cc:642:3
        #8 0x6a76a1 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:360:10
        #9 0x6d5f6e in PSOutputDev::checkPageSlice(Page*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PSOutputDev.cc:3276:11
        #10 0x6a7172 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:328:13
        #11 0x6a6f81 in Page::display(OutputDev*, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:308:3
        #12 0x6af9b4 in PDFDoc::displayPage(OutputDev*, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:384:27
        #13 0x6af9b4 in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:397:5
        #14 0x796d81 in main /home/bupt/Desktop/xpdf/xpdf/pdftops.cc:342:10
        #15 0x7f3e6975dc86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #16 0x41d5d9 in _start (/home/bupt/Desktop/xpdf/xpdf/pdftops+0x41d5d9)
    
    0x631000038800 is located 0 bytes to the right of 65536-byte region [0x631000028800,0x631000038800)
    allocated by thread T0 here:
        #0 0x4afba0 in malloc /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
        #1 0x7aa7fa in gmalloc /home/bupt/Desktop/xpdf/goo/gmem.cc:102:13
        #2 0x7aa7fa in gmallocn /home/bupt/Desktop/xpdf/goo/gmem.cc:168:10
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2331:12 in DCTStream::lookChar()
    Shadow bytes around the buggy address:
      0x0c627ffff0b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c627ffff0c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c627ffff0d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c627ffff0e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c627ffff0f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c627ffff100:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c627ffff110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c627ffff120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c627ffff130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c627ffff140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c627ffff150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==115813==ABORTING

CVE-2022-38238: heap_buffer_overflow_in_lookChar · Issue #15 · jhcloos/xpdf

XPDF commit ffaf11c was discovered to contain a heap-buffer overflow via DCTStream::getChar() at /xpdf/Stream.cc.

Hi, in the lastest version of this code \[ ps: commit id ffaf11c\] I found something unusual.

**crash sample**

8id93\_heap\_buffer\_overflow\_in\_getChar.zip

**command to reproduce**

./pdftops -q [crash sample] /dev/null

**crash detail**

    =================================================================
    ==115941==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f54608ff800 at pc 0x000000750e7c bp 0x7ffdad0d6050 sp 0x7ffdad0d6048
    READ of size 4 at 0x7f54608ff800 thread T0
        #0 0x750e7b in DCTStream::getChar() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2302:9
        #1 0x6899e3 in Object::streamGetChar() /home/bupt/Desktop/xpdf/xpdf/./Object.h:288:20
        #2 0x6899e3 in Lexer::getChar() /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:92:42
        #3 0x6899e3 in Lexer::getObj(Object*) /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:124:14
        #4 0x6ab867 in Parser::getObj(Object*, int, unsigned char*, CryptAlgorithm, int, int, int, int) /home/bupt/Desktop/xpdf/xpdf/Parser.cc
        #5 0x582f60 in Gfx::go(int) /home/bupt/Desktop/xpdf/xpdf/Gfx.cc:757:13
        #6 0x581775 in Gfx::display(Object*, int) /home/bupt/Desktop/xpdf/xpdf/Gfx.cc:642:3
        #7 0x6a76a1 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:360:10
        #8 0x6d5f6e in PSOutputDev::checkPageSlice(Page*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PSOutputDev.cc:3276:11
        #9 0x6a7172 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:328:13
        #10 0x6a6f81 in Page::display(OutputDev*, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:308:3
        #11 0x6af9b4 in PDFDoc::displayPage(OutputDev*, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:384:27
        #12 0x6af9b4 in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:397:5
        #13 0x796d81 in main /home/bupt/Desktop/xpdf/xpdf/pdftops.cc:342:10
        #14 0x7f5463589c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #15 0x41d5d9 in _start (/home/bupt/Desktop/xpdf/xpdf/pdftops+0x41d5d9)
    
    0x7f54608ff800 is located 0 bytes to the right of 131072-byte region [0x7f54608df800,0x7f54608ff800)
    allocated by thread T0 here:
        #0 0x4afba0 in malloc /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
        #1 0x7aa7fa in gmalloc /home/bupt/Desktop/xpdf/goo/gmem.cc:102:13
        #2 0x7aa7fa in gmallocn /home/bupt/Desktop/xpdf/goo/gmem.cc:168:10
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2302:9 in DCTStream::getChar()
    Shadow bytes around the buggy address:
      0x0feb0c117eb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0feb0c117ec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0feb0c117ed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0feb0c117ee0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0feb0c117ef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0feb0c117f00:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0feb0c117f10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0feb0c117f20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0feb0c117f30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0feb0c117f40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0feb0c117f50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==115941==ABORTING

CVE-2022-38231: heap_buffer_overflow_in_getChar · Issue #11 · jhcloos/xpdf

XPDF commit ffaf11c was discovered to contain a heap-buffer overflow via DCTStream::transformDataUnit at /xpdf/Stream.cc.

Hi, in the lastest version of this code \[ ps: commit id ffaf11c\] I found something unusual.

**crash sample**

8id64\_heap\_buffer\_overflow\_in\_transformDataUnit.zip

**command to reproduce**

./pdftops -q [crash sample] /dev/null

**crash detail**

    =================================================================
    ==115877==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6200000080e0 at pc 0x000000756136 bp 0x7fff10b0da30 sp 0x7fff10b0da28
    READ of size 2 at 0x6200000080e0 thread T0
        #0 0x756135 in DCTStream::transformDataUnit(unsigned short*, int*, unsigned char*) /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2968:17
        #1 0x748741 in DCTStream::decodeImage() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2835:6
        #2 0x7402bb in DCTStream::reset() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2261:5
        #3 0x68912e in Object::streamReset() /home/bupt/Desktop/xpdf/xpdf/./Object.h:282:13
        #4 0x68912e in Lexer::Lexer(XRef*, Object*) /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:74:12
        #5 0x581714 in Gfx::display(Object*, int) /home/bupt/Desktop/xpdf/xpdf/Gfx.cc:641:33
        #6 0x6a76a1 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:360:10
        #7 0x6d5f6e in PSOutputDev::checkPageSlice(Page*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PSOutputDev.cc:3276:11
        #8 0x6a7172 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:328:13
        #9 0x6a6f81 in Page::display(OutputDev*, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:308:3
        #10 0x6af9b4 in PDFDoc::displayPage(OutputDev*, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:384:27
        #11 0x6af9b4 in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:397:5
        #12 0x796d81 in main /home/bupt/Desktop/xpdf/xpdf/pdftops.cc:342:10
        #13 0x7f57efb1ec86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #14 0x41d5d9 in _start (/home/bupt/Desktop/xpdf/xpdf/pdftops+0x41d5d9)
    
    Address 0x6200000080e0 is a wild pointer.
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2968:17 in DCTStream::transformDataUnit(unsigned short*, int*, unsigned char*)
    Shadow bytes around the buggy address:
      0x0c407fff8fc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c407fff8fd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c407fff8fe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c407fff8ff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c407fff9000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    =>0x0c407fff9010: fa fa fa fa fa fa fa fa fa fa fa fa[fa]fa fa fa
      0x0c407fff9020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c407fff9030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c407fff9040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c407fff9050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c407fff9060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==115877==ABORTING

CVE-2022-38228: heap_buffer_overflow_in_transformDataUnit · Issue #7 · jhcloos/xpdf

XPDF commit ffaf11c was discovered to contain a segmentation violation via DCTStream::getChar() at /xpdf/Stream.cc.

Hi, in the lastest version of this code \[ ps: commit id ffaf11c\] I found something unusual.

**crash sample**

8id46\_SEGV\_in\_getChar.zip

**command to reproduce**

./pdftops -q [crash sample] /dev/null

**crash detail**

    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==115845==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000750afe bp 0x0c40000003cc sp 0x7ffd6a600d80 T0)
    ==115845==The signal is caused by a READ memory access.
    ==115845==Hint: address points to the zero page.
        #0 0x750afe in DCTStream::getChar() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2302:9
        #1 0x6899e3 in Object::streamGetChar() /home/bupt/Desktop/xpdf/xpdf/./Object.h:288:20
        #2 0x6899e3 in Lexer::getChar() /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:92:42
        #3 0x6899e3 in Lexer::getObj(Object*) /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:124:14
        #4 0x6a8fc5 in Parser::Parser(XRef*, Lexer*, int) /home/bupt/Desktop/xpdf/xpdf/Parser.cc:33:10
        #5 0x581742 in Gfx::display(Object*, int) /home/bupt/Desktop/xpdf/xpdf/Gfx.cc:641:16
        #6 0x6a76a1 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:360:10
        #7 0x6d5f6e in PSOutputDev::checkPageSlice(Page*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PSOutputDev.cc:3276:11
        #8 0x6a7172 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:328:13
        #9 0x6a6f81 in Page::display(OutputDev*, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:308:3
        #10 0x6af9b4 in PDFDoc::displayPage(OutputDev*, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:384:27
        #11 0x6af9b4 in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:397:5
        #12 0x796d81 in main /home/bupt/Desktop/xpdf/xpdf/pdftops.cc:342:10
        #13 0x7f558fd59c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #14 0x41d5d9 in _start (/home/bupt/Desktop/xpdf/xpdf/pdftops+0x41d5d9)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2302:9 in DCTStream::getChar()
    ==115845==ABORTING

CVE-2022-38235: SEGV_in_getChar · Issue #5 · jhcloos/xpdf

XPDF commit ffaf11c was discovered to contain a stack overflow via __asan_memcpy at asan_interceptors_memintrinsics.cpp.

Tag

#pdf