# poppler-0.74

## version
poppler-0.74 0.74

## description
```txt
None
```

## download link
None

---------------------

## SplashClip::clipAALine@SplashClip.cc:382-18___out-of-bounds-read

### description
An issue was discovered in poppler-0.74 0.74: there is an out-of-bounds read in function SplashClip::clipAALine at SplashClip.cc:382-18. Note that AddressSanitizer did not flag this as a heap-buffer-overflow; the report below is a SEGV on the near-null address 0x000000000008 during a READ, with the innermost frame (#0) in SplashXPathScanner::clipAALine (inside stl_vector.h) and SplashClip::clipAALine at SplashClip.cc:382:18 only as the caller (frame #1). Together with the empty `p line` output in the debugger session this suggests the `line` reference in the loop at SplashXPathScanner.cc:458 refers to invalid memory, so triage should start in SplashXPathScanner::clipAALine rather than at the SplashClip.cc call site.

### commandline
pdftoppm -cropbox -jpeg -freetype yes @@ tmp

### source
```c
None
```

### debug
```cpp
In file: /home/pwd/fuzz/fuzz-poppler/poppler-0.74.0/splash/SplashXPathScanner.cc
453 xx = *x0 * splashAASize;
454 if (yy >= yyMin && yy <= yyMax) {
455 const auto& line = allIntersections[splashAASize * y + yy - yMin];
456 interIdx = 0;
457 interCount = 0;
► 458 while (interIdx < line.size() && xx < (*x1 + 1) * splashAASize) {
459 xx0 = line[interIdx].x0;
460 xx1 = line[interIdx].x1;
461 interCount += line[interIdx].count;
462 ++interIdx;
463 while (interIdx < line.size() &&
pwndbg> p line
$9 =
```

### bug report
```txt
AddressSanitizer:DEADLYSIGNAL
=================================================================
==5850==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x7fef9780428e bp 0x00000075f720 sp 0x7fffa84784c0 T0)
==5850==The signal is caused by a READ memory access.
==5850==Hint: address points to the zero page.
#0 0x7fef9780428d in SplashXPathScanner::clipAALine(SplashBitmap*, int*, int*, int) /usr/lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/c++/5.4.0/bits/stl_vector.h #1 0x7fef977cdc54 in SplashClip::clipAALine(SplashBitmap*, int*, int*, int, bool) /src/poppler-0.74/splash/SplashClip.cc:382:18 #2 0x7fef977b6c73 in Splash::shadedFill(SplashPath*, bool, SplashPattern*) /src/poppler-0.74/splash/Splash.cc:6439:24 #3 0x7fef9774fb50 in SplashOutputDev::univariateShadedFill(GfxState*, SplashUnivariatePattern*, double, double) /src/poppler-0.74/poppler/SplashOutputDev.cc:4820:21 #4 0x7fef9775119a in SplashOutputDev::axialShadedFill(GfxState*, GfxAxialShading*, double, double) /src/poppler-0.74/poppler/SplashOutputDev.cc:4894:17 #5 0x7fef97235292 in Gfx::doAxialShFill(GfxAxialShading*) /src/poppler-0.74/poppler/Gfx.cc:2648:12 #6 0x7fef972329f6 in Gfx::doShadingPatternFill(GfxShadingPattern*, bool, bool, bool) /src/poppler-0.74/poppler/Gfx.cc:2364:5 #7 0x7fef9722daeb in Gfx::doPatternFill(bool) /src/poppler-0.74/poppler/Gfx.cc:1943:5 #8 0x7fef971e6906 in Gfx::opFill(Object*, int) /src/poppler-0.74/poppler/Gfx.cc:1809:2 #9 0x7fef9722666f in Gfx::execOp(Object*, Object*, int) /src/poppler-0.74/poppler/Gfx.cc:876:3 #10 0x7fef97222707 in Gfx::go(bool) /src/poppler-0.74/poppler/Gfx.cc:752:7 #11 0x7fef972215b3 in Gfx::display(Object*, bool) /src/poppler-0.74/poppler/Gfx.cc:714:3 #12 0x7fef9722c2f5 in Gfx::drawForm(Object*, Dict*, double const*, double const*, bool, bool, GfxColorSpace*, bool, bool, bool, Function*, GfxColor*) /src/poppler-0.74/poppler/Gfx.cc:4841:3 #13 0x7fef9725d3ad in Gfx::doForm(Object*) /src/poppler-0.74/poppler/Gfx.cc:4764:3 #14 0x7fef971e40fd in Gfx::opXObject(Object*, int) /src/poppler-0.74/poppler/Gfx.cc:4181:2 #15 0x7fef9722666f in Gfx::execOp(Object*, Object*, int) /src/poppler-0.74/poppler/Gfx.cc:876:3 #16 0x7fef97222707 in Gfx::go(bool) /src/poppler-0.74/poppler/Gfx.cc:752:7 #17 0x7fef972215b3 in Gfx::display(Object*, bool) 
/src/poppler-0.74/poppler/Gfx.cc:714:3 #18 0x7fef9745c14c in Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /src/poppler-0.74/poppler/Page.cc:548:10 #19 0x7fef974798b1 in PDFDoc::displayPageSlice(OutputDev*, int, double, double, int, bool, bool, bool, int, int, int, int, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /src/poppler-0.74/poppler/PDFDoc.cc:665:20 #20 0x521264 in savePageSlice(PDFDoc*, SplashOutputDev*, int, int, int, int, int, double, double, char*) /src/poppler-0.74/utils/pdftoppm.cc:287:8 #21 0x521264 in main /src/poppler-0.74/utils/pdftoppm.cc:600 #22 0x7fef95adf82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) #23 0x41b838 in _start (/src/aflbuild/installed/bin/pdftoppm+0x41b838) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV /usr/lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/c++/5.4.0/bits/stl_vector.h in SplashXPathScanner::clipAALine(SplashBitmap*, int*, int*, int) ==5850==ABORTING ``` ### others from fuzz project pwd-poppler-pdftoppm-03 crash name pwd-poppler-pdftoppm-03-00000000-20190331.pdf Auto-generated by pyspider at 2019-03-31 04:07:31