authorEven Rouault <even.rouault@spatialys.com>2024-02-20 21:14:50 +0100
committerEven Rouault <even.rouault@spatialys.com>2024-02-20 21:14:53 +0100
commit1c7c2bae76d684bc4c8cd27f203b76009f49a848 (patch)
tree42eda86f6fb5b7555edd7f1b8fb2b0f4cf919547
parenta938d58fb5b7ab43447f972ce238618fe2534ccd (diff)
Fix read-heap-buffer-overflow in Splash::blitTransparent() in splashModeMono8 case
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=64471 ``` $ utils/pdftoppm clusterfuzz-testcase-minimized-gdal_fuzzer-6127122829410304 [...] ================================================================= ==1758602==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000024cd5 at pc 0x7fd5850e977d bp 0x7ffe0e007430 sp 0x7ffe0e007428 READ of size 1 at 0x602000024cd5 thread T0 #0 0x7fd5850e977c in Splash::blitTransparent(SplashBitmap*, int, int, int, int, int, int) /home/even/poppler/splash/Splash.cc:5778:24 #1 0x7fd58505e19d in SplashOutputDev::beginTransparencyGroup(GfxState*, double const*, GfxColorSpace*, bool, bool, bool) /home/even/poppler/poppler/SplashOutputDev.cc:3998:17 #2 0x7fd5850451c3 in SplashOutputDev::setSoftMaskFromImageMask(GfxState*, Object*, Stream*, int, int, bool, bool, double*) /home/even/poppler/poppler/SplashOutputDev.cc:2692:5 #3 0x7fd584c3f6a7 in Gfx::doPatternImageMask(Object*, Stream*, int, int, bool, bool) /home/even/poppler/poppler/Gfx.cc:1964:10 #4 0x7fd584c5cc26 in Gfx::doImage(Object*, Stream*, bool) /home/even/poppler/poppler/Gfx.cc:4304:17 #5 0x7fd584c1827a in Gfx::opBeginImage(Object*, int) /home/even/poppler/poppler/Gfx.cc:4900:9 #6 0x7fd584c32abe in Gfx::execOp(Object*, Object*, int) /home/even/poppler/poppler/Gfx.cc:811:5 #7 0x7fd584c316ef in Gfx::go(bool) /home/even/poppler/poppler/Gfx.cc:686:13 #8 0x7fd584c30f76 in Gfx::display(Object*, bool) /home/even/poppler/poppler/Gfx.cc:647:5 #9 0x7fd58506713d in SplashOutputDev::tilingPatternFill(GfxState*, Gfx*, Catalog*, GfxTilingPattern*, double const*, int, int, int, int, double, double) /home/even/poppler/poppler/SplashOutputDev.cc:4424:10 #10 0x7fd584c3b41b in Gfx::doTilingPatternFill(GfxTilingPattern*, bool, bool, bool) /home/even/poppler/poppler/Gfx.cc:2176:53 #11 0x7fd584c36188 in Gfx::doPatternFill(bool) /home/even/poppler/poppler/Gfx.cc:1895:9 #12 0x7fd584c16d93 in Gfx::opFillStroke(Object*, int) /home/even/poppler/poppler/Gfx.cc:1794:17 #13 
0x7fd584c32abe in Gfx::execOp(Object*, Object*, int) /home/even/poppler/poppler/Gfx.cc:811:5 #14 0x7fd584c316ef in Gfx::go(bool) /home/even/poppler/poppler/Gfx.cc:686:13 #15 0x7fd584c30f76 in Gfx::display(Object*, bool) /home/even/poppler/poppler/Gfx.cc:647:5 #16 0x7fd584de61b9 in Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /home/even/poppler/poppler/Page.cc:593:14 #17 0x7fd584dfd5fc in PDFDoc::displayPageSlice(OutputDev*, int, double, double, int, bool, bool, bool, int, int, int, int, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /home/even/poppler/poppler/PDFDoc.cc:633:24 #18 0x4cc9c6 in savePageSlice(PDFDoc*, SplashOutputDev*, int, int, int, int, int, double, double, char*) /home/even/poppler/utils/pdftoppm.cc:293:10 #19 0x4cb932 in main /home/even/poppler/utils/pdftoppm.cc:695:9 #20 0x7fd5841ef082 in __libc_start_main /build/glibc-wuryBv/glibc-2.31/csu/../csu/libc-start.c:308:16 #21 0x41d61d in _start (/home/even/poppler/build/utils/pdftoppm+0x41d61d) 0x602000024cd5 is located 1 bytes to the right of 4-byte region [0x602000024cd0,0x602000024cd4) allocated by thread T0 here: #0 0x495d5d in malloc (/home/even/poppler/build/utils/pdftoppm+0x495d5d) #1 0x7fd5849f1d54 in gmalloc(unsigned long, bool) /home/even/poppler/goo/gmem.h:44:19 #2 0x7fd5849f0ed0 in gmallocn(int, int, bool) /home/even/poppler/goo/gmem.h:121:12 #3 0x7fd584c1384d in gmallocn_checkoverflow(int, int) /home/even/poppler/goo/gmem.h:126:12 #4 0x7fd5850f7ec5 in SplashBitmap::SplashBitmap(int, int, int, SplashColorMode, bool, bool, std::vector<GfxSeparationColorSpace*, std::allocator<GfxSeparationColorSpace*> > const*) /home/even/poppler/splash/SplashBitmap.cc:111:28 #5 0x7fd585066631 in SplashOutputDev::tilingPatternFill(GfxState*, Gfx*, Catalog*, GfxTilingPattern*, double const*, int, int, int, int, double, double) /home/even/poppler/poppler/SplashOutputDev.cc:4398:18 #6 
0x7fd584c3b41b in Gfx::doTilingPatternFill(GfxTilingPattern*, bool, bool, bool) /home/even/poppler/poppler/Gfx.cc:2176:53 #7 0x7fd584c36188 in Gfx::doPatternFill(bool) /home/even/poppler/poppler/Gfx.cc:1895:9 #8 0x7fd584c16d93 in Gfx::opFillStroke(Object*, int) /home/even/poppler/poppler/Gfx.cc:1794:17 #9 0x7fd584c32abe in Gfx::execOp(Object*, Object*, int) /home/even/poppler/poppler/Gfx.cc:811:5 #10 0x7fd584c316ef in Gfx::go(bool) /home/even/poppler/poppler/Gfx.cc:686:13 #11 0x7fd584c30f76 in Gfx::display(Object*, bool) /home/even/poppler/poppler/Gfx.cc:647:5 #12 0x7fd584de61b9 in Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /home/even/poppler/poppler/Page.cc:593:14 #13 0x7fd584dfd5fc in PDFDoc::displayPageSlice(OutputDev*, int, double, double, int, bool, bool, bool, int, int, int, int, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /home/even/poppler/poppler/PDFDoc.cc:633:24 #14 0x4cc9c6 in savePageSlice(PDFDoc*, SplashOutputDev*, int, int, int, int, int, double, double, char*) /home/even/poppler/utils/pdftoppm.cc:293:10 #15 0x4cb932 in main /home/even/poppler/utils/pdftoppm.cc:695:9 #16 0x7fd5841ef082 in __libc_start_main /build/glibc-wuryBv/glibc-2.31/csu/../csu/libc-start.c:308:16 SUMMARY: AddressSanitizer: heap-buffer-overflow /home/even/poppler/splash/Splash.cc:5778:24 in Splash::blitTransparent(SplashBitmap*, int, int, int, int, int, int) ```
-rw-r--r--splash/Splash.cc2
1 files changed, 1 insertions, 1 deletions
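--- a/splash/Splash.cc
+++ b/splash/Splash.cc
@@ -5773,7 +5773,7 @@ SplashError Splash::blitTransparent(SplashBitmap *src, int xSrc, int ySrc, int x
 case splashModeMono8:
 for (y = 0; y < height; ++y) {
 p = &bitmap->data[(yDest + y) * bitmap->rowSize + xDest];
-sp = &src->data[(ySrc + y) * bitmap->rowSize + xSrc];
+sp = &src->data[(ySrc + y) * src->rowSize + xSrc];
 for (x = 0; x < width; ++x) {
 *p++ = *sp++;
 }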
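Review bot: The corrected stride removes the over-read ASan reported, but the Mono8 loop still derives its `src->data` and `bitmap->data` offsets purely from `xSrc`/`ySrc`/`xDest`/`yDest` and `width`/`height`, and nothing in the hunk shows those being validated against either bitmap's dimensions; blitTransparent's body begins above the hunk, so such a guard may already exist there. If it does not, a range check at entry would turn a malformed caller into a clean error rather than another out-of-bounds access, e.g. `if (xSrc < 0 || ySrc < 0 || xSrc + width > src->getWidth() || ySrc + height > src->getHeight()) return splashErrBadArg;` with the mirror check against `bitmap` for the destination coordinates. The other SplashColorMode cases of this switch compute `sp` the same way and are not in view; it is worth confirming they already multiply by `src->rowSize` rather than `bitmap->rowSize`. Since the fix came from an OSS-Fuzz reproducer, adding the minimized testcase to the regression suite would keep this path covered against a future stride mix-up.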