
xpdf's Introduction

Xpdf
====

version 3.04
2014-may-28

The Xpdf software and documentation are
copyright 1996-2014 Glyph & Cog, LLC.

Email: [email protected]
WWW: http://www.foolabs.com/xpdf/

The PDF data structures, operators, and specification are
copyright 1985-2006 Adobe Systems Inc.


What is Xpdf?
-------------

Xpdf is an open source viewer for Portable Document Format (PDF)
files.  (These are also sometimes called 'Acrobat' files, from
the name of Adobe's PDF software.)  The Xpdf project also includes a
PDF text extractor, PDF-to-PostScript converter, and various other
utilities.

Xpdf runs under the X Window System on UNIX and OS/2.  The non-X
components (pdftops, pdftotext, etc.) also run on Windows and Mac OSX
systems and should run on pretty much any system with a decent C++
compiler.  Xpdf will run on 32-bit and 64-bit machines.


License & Distribution
----------------------

Xpdf is licensed under the GNU General Public License (GPL), version 2
or 3.  This means that you can distribute derivatives of Xpdf under
any of the following:
  - GPL v2 only
  - GPL v3 only
  - GPL v2 or v3

The Xpdf source package includes the text of both GPL versions:
COPYING for GPL v2, COPYING3 for GPL v3.

Please note that Xpdf is NOT licensed under "any later version" of the
GPL, as I have no idea what those versions will look like.

If you are redistributing unmodified copies of Xpdf (or any of the
Xpdf tools) in binary form, you need to include all of the
documentation: README, man pages (or help files), COPYING, and
COPYING3.

If you want to incorporate the Xpdf source code into another program
(or create a modified version of Xpdf), and you are distributing that
program, you have two options: release your program under the GPL (v2
and/or v3), or purchase a commercial Xpdf source license.

If you're interested in commercial licensing, please see the Glyph &
Cog web site:

    http://www.glyphandcog.com/


Compatibility
-------------

Xpdf is developed and tested on Linux.

In addition, it has been compiled by others on Solaris, AIX, HP-UX,
Digital Unix, Irix, and numerous other Unix implementations, as well
as OS/2.  It should work on pretty much any system which runs X11 and
has Unix-like libraries.  You'll need ANSI C++ and C compilers to
compile it.

The non-X components of Xpdf (pdftops, pdftotext, pdfinfo, pdffonts,
pdfdetach, pdftoppm, and pdfimages) can also be compiled on Windows
and Mac OSX systems.  See the Xpdf web page for details.

If you compile Xpdf for a system not listed on the web page, please
let me know.  If you're willing to make your binary available by ftp
or on the web, I'll be happy to add a link from the Xpdf web page.  I
have decided not to host any binaries I didn't compile myself (for
disk space and support reasons).

If you can't get Xpdf to compile on your system, send me email and
I'll try to help.

Xpdf has been ported to the Acorn, Amiga, BeOS, and EPOC.  See the
Xpdf web page for links.


Getting Xpdf
------------

The latest version is available from:

  http://www.foolabs.com/xpdf/

or:

  ftp://ftp.foolabs.com/pub/xpdf/

Source code and several precompiled executables are available.

Announcements of new versions are posted to comp.text.pdf and emailed
to a list of people.  If you'd like to receive email notification of
new versions, just let me know.


Running Xpdf
------------

To run xpdf, simply type:

  xpdf file.pdf

To generate a PostScript file, hit the "print" button in xpdf, or run
pdftops:

  pdftops file.pdf

To generate a plain text file, run pdftotext:

  pdftotext file.pdf

There are five additional utilities (which are fully described in
their man pages):

  pdfinfo -- dumps a PDF file's Info dictionary (plus some other
             useful information)
  pdffonts -- lists the fonts used in a PDF file along with various
              information for each font
  pdfdetach -- lists or extracts embedded files (attachments) from a
               PDF file
  pdftoppm -- converts a PDF file to a series of PPM/PGM/PBM-format
              bitmaps
  pdfimages -- extracts the images from a PDF file

Command line options and many other details are described in the man
pages: xpdf(1), etc.

All of these utilities read an optional configuration file: see the
xpdfrc(5) man page.


Upgrading from Xpdf 3.02 (and earlier)
--------------------------------------

The font configuration system has been changed.  Previous versions
used mostly separate commands to configure fonts for display and for
PostScript output.  As of 3.03, configuration options that make sense
for both display and PS output have been unified.

The following xpdfrc commands have been removed:
* displayFontT1, displayFontTT: replaced with fontFile
* displayNamedCIDFontT1, displayNamedCIDFontTT: replaced with fontFile
* displayCIDFontT1, displayCIDFontTT: replaced with fontFileCC
* psFont: replaced with psResidentFont
* psNamedFont16: replaced with psResidentFont16
* psFont16: replaced with psResidentFontCC

See the xpdfrc(5) man page for more information on the new commands.

Pdftops will now embed external 16-bit fonts (configured with the
fontFileCC command) when the PDF file refers to a non-embedded font.
It does not do any subsetting (yet), so the resulting PS files will be
large.


Compiling Xpdf
--------------

See the separate file, INSTALL.


Bugs
----

If you find a bug in Xpdf, i.e., if it prints an error message,
crashes, or incorrectly displays a document, and you don't see that
bug listed here, please send me email, with a pointer (URL, ftp site,
etc.) to the PDF file.


Third-Party Libraries
---------------------

Xpdf uses the following libraries:
* FreeType [http://www.freetype.org/]
* libpng [http://www.libpng.com/pub/png/libpng.html] (used by pdftohtml)
* zlib [http://zlib.net/] (used by pdftohtml)


Acknowledgments
---------------

Thanks to:

* Patrick Voigt for help with the remote server code.
* Patrick Moreau, Martin P.J. Zinser, and David Mathog for the VMS
  port.
* David Boldt and Rick Rodgers for sample man pages.
* Brendan Miller for the icon idea.
* Olly Betts for help testing pdftotext.
* Peter Ganten for the OS/2 port.
* Michael Richmond for the Win32 port of pdftops and pdftotext and the
  xpdf/cygwin/XFree86 build instructions.
* Frank M. Siegert for improvements in the PostScript code.
* Leo Smiers for the decryption patches.
* Rainer Menzner for creating t1lib, and for helping me adapt it to
  xpdf.
* Pine Tree Systems A/S for funding the OPI and EPS support in
  pdftops.
* Easy Software Products for funding several improvements to the
  PostScript output code.
* Tom Kacvinsky for help with FreeType and for being my interface to
  the FreeType team.
* Theppitak Karoonboonyanan for help with Thai support.
* Leonard Rosenthol for help and contributions on a bunch of things.
* Alexandros Diamantidis and Maria Adaloglou for help with Greek
  support.
* Lawrence Lai for help with the CJK Unicode maps.

Various people have contributed modifications made for use by the
pdftex project:

* Han The Thanh
* Martin Schröder of ArtCom GmbH


References
----------

Adobe Systems Inc., _PDF Reference, sixth edition: Adobe Portable
Document Format version 1.7_.
http://www.adobe.com/devnet/pdf/pdf_reference.html
[The manual for PDF version 1.7.]

Adobe Systems Inc., "Errata for the PDF Reference, sixth edition,
version 1.7", October 16, 2006.
http://www.adobe.com/devnet/pdf/pdf_reference.html
[The errata for the PDF 1.7 spec.]

Adobe Systems Inc., _PostScript Language Reference_, 3rd ed.
Addison-Wesley, 1999, ISBN 0-201-37922-8.
[The official PostScript manual.]

Adobe Systems, Inc., _The Type 42 Font Format Specification_,
Adobe Developer Support Technical Specification #5012.  1998.
http://partners.adobe.com/asn/developer/pdfs/tn/5012.Type42_Spec.pdf
[Type 42 is the format used to embed TrueType fonts in PostScript
files.]

Adobe Systems, Inc., _Adobe CMap and CIDFont Files Specification_,
Adobe Developer Support Technical Specification #5014.  1995.
http://www.adobe.com/supportservice/devrelations/PDFS/TN/5014.CIDFont_Spec.pdf
[CMap file format needed for Japanese and Chinese font support.]

Adobe Systems, Inc., _Adobe-Japan1-4 Character Collection for
CID-Keyed Fonts_, Adobe Developer Support Technical Note #5078.
2000.
http://partners.adobe.com/asn/developer/PDFS/TN/5078.CID_Glyph.pdf
[The Adobe Japanese character set.]

Adobe Systems, Inc., _Adobe-GB1-4 Character Collection for
CID-Keyed Fonts_, Adobe Developer Support Technical Note #5079.
2000.
http://partners.adobe.com/asn/developer/pdfs/tn/5079.Adobe-GB1-4.pdf
[The Adobe Chinese GB (simplified) character set.]

Adobe Systems, Inc., _Adobe-CNS1-3 Character Collection for
CID-Keyed Fonts_, Adobe Developer Support Technical Note #5080.
2000.
http://partners.adobe.com/asn/developer/PDFS/TN/5080.CNS_CharColl.pdf
[The Adobe Chinese CNS (traditional) character set.]

Adobe Systems Inc., _Supporting the DCT Filters in PostScript Level
2_, Adobe Developer Support Technical Note #5116.  1992.
http://www.adobe.com/supportservice/devrelations/PDFS/TN/5116.PS2_DCT.PDF
[Description of the DCTDecode filter parameters.]

Adobe Systems Inc., _Open Prepress Interface (OPI) Specification -
Version 2.0_, Adobe Developer Support Technical Note #5660.  2000.
http://partners.adobe.com/asn/developer/PDFS/TN/5660.OPI_2.0.pdf

Adobe Systems Inc., CMap files.
ftp://ftp.oreilly.com/pub/examples/nutshell/cjkv/adobe/
[The actual CMap files for the 16-bit CJK encodings.]

Adobe Systems Inc., Unicode glyph lists.
http://partners.adobe.com/asn/developer/type/unicodegn.html
http://partners.adobe.com/asn/developer/type/glyphlist.txt
http://partners.adobe.com/asn/developer/type/corporateuse.txt
http://partners.adobe.com/asn/developer/type/zapfdingbats.txt
[Mappings from character names to Unicode.]

Adobe Systems Inc., OpenType Specification v. 1.4.
http://partners.adobe.com/public/developer/opentype/index_spec.html
[The OpenType font format spec.]

Aldus Corp., _OPI: Open Prepress Interface Specification 1.3_.  1993.
http://partners.adobe.com/asn/developer/PDFS/TN/OPI_13.pdf

Anonymous, RC4 source code.
ftp://ftp.ox.ac.uk/pub/crypto/misc/rc4.tar.gz
ftp://idea.sec.dsi.unimi.it/pub/crypt/code/rc4.tar.gz
[This is the algorithm used to encrypt PDF files.]

T. Boutell, et al., "PNG (Portable Network Graphics) Specification,
Version 1.0".  RFC 2083.
[PDF uses the PNG filter algorithms.]

CCITT, "Information Technology - Digital Compression and Coding of
Continuous-tone Still Images - Requirements and Guidelines", CCITT
Recommendation T.81.
http://www.w3.org/Graphics/JPEG/
[The official JPEG spec.]

A. Chernov, "Registration of a Cyrillic Character Set".  RFC 1489.
[Documentation for the KOI8-R Cyrillic encoding.]

Roman Czyborra, "The ISO 8859 Alphabet Soup".
http://czyborra.com/charsets/iso8859.html
[Documentation on the various ISO 8859 encodings.]

L. Peter Deutsch, "ZLIB Compressed Data Format Specification version
3.3".  RFC 1950.
[Information on the general format used in FlateDecode streams.]

L. Peter Deutsch, "DEFLATE Compressed Data Format Specification
version 1.3".  RFC 1951.
[The definition of the compression algorithm used in FlateDecode
streams.]

Morris Dworkin, "Recommendation for Block Cipher Modes of Operation",
National Institute of Standards, NIST Special Publication 800-38A,
2001.
[The cipher block chaining (CBC) mode used with AES in PDF files.]

Federal Information Processing Standards Publication 197 (FIPS PUBS
197), "Advanced Encryption Standard (AES)", November 26, 2001.
[AES encryption, used in PDF 1.6.]

Jim Flowers, "X Logical Font Description Conventions", Version 1.5, X
Consortium Standard, X Version 11, Release 6.1.
ftp://ftp.x.org/pub/R6.1/xc/doc/hardcopy/XLFD/xlfd.PS.Z
[The official specification of X font descriptors, including font
transformation matrices.]

Foley, van Dam, Feiner, and Hughes, _Computer Graphics: Principles and
Practice_, 2nd ed.  Addison-Wesley, 1990, ISBN 0-201-12110-7.
[Colorspace conversion functions, Bezier spline math.]

Robert L. Hummel, _Programmer's Technical Reference: Data and Fax
Communications_.  Ziff-Davis Press, 1993, ISBN 1-56276-077-7.
[CCITT Group 3 and 4 fax decoding.]

ISO/IEC, _Information technology -- Lossy/lossless coding of bi-level
images_.  ISO/IEC 14492, First edition (2001-12-15).
http://webstore.ansi.org/
[The official JBIG2 standard.  The final draft of this spec is
available from http://www.jpeg.org/jbighomepage.html.]

ISO/IEC, _Information technology -- JPEG 2000 image coding system --
Part 1: Core coding system_.  ISO/IEC 15444-1, First edition
(2000-12-15).
http://webstore.ansi.org/
[The official JPEG 2000 standard.  The final committee draft of this
spec is available from http://www.jpeg.org/JPEG2000.html, but there
were changes made to the bitstream format between that draft and the
published spec.]

ITU, "Standardization of Group 3 facsimile terminals for document
transmission", ITU-T Recommendation T.4, 1999.
ITU, "Facsimile coding schemes and coding control functions for Group 4
facsimile apparatus", ITU-T Recommendation T.6, 1993.
http://www.itu.int/
[The official Group 3 and 4 fax standards - used by the CCITTFaxDecode
stream, as well as the JBIG2Decode stream.]

B. Kaliski, "PKCS #5: Password-Based Cryptography Specification,
Version 2.0".  RFC 2898.
[Defines the padding scheme used with AES encryption in PDF files.]

Christoph Loeffler, Adriaan Ligtenberg, George S. Moschytz, "Practical
Fast 1-D DCT Algorithms with 11 Multiplications".  IEEE Intl. Conf. on
Acoustics, Speech & Signal Processing, 1989, 988-991.
[The fast IDCT algorithm used in the DCTDecode filter.]

Microsoft, _TrueType 1.0 Font Files_, rev. 1.66.  1995.
http://www.microsoft.com/typography/tt/tt.htm
[The TrueType font spec (in MS Word format, naturally).]

V. Ostromoukhov, R.D. Hersch, "Stochastic Clustered-Dot Dithering",
Conf. Color Imaging: Device-Independent Color, Color Hardcopy, and
Graphic Arts IV, 1999, SPIE Vol. 3648, 496-505.
http://diwww.epfl.ch/w3lsp/publications/colour/scd.html
[The stochastic dithering algorithm used in Xpdf.]

P. Peterlin, "ISO 8859-2 (Latin 2) Resources".
http://sizif.mf.uni-lj.si/linux/cee/iso8859-2.html
[This is a web page with all sorts of useful Latin-2 character set and
font information.]

Charles Poynton, "Color FAQ".
http://www.inforamp.net/~poynton/ColorFAQ.html
[The mapping from the CIE 1931 (XYZ) color space to RGB.]

R. Rivest, "The MD5 Message-Digest Algorithm".  RFC 1321.
[MD5 is used in PDF document encryption.]

Thai Industrial Standard, "Standard for Thai Character Codes for
Computers", TIS-620-2533 (1990).
http://www.nectec.or.th/it-standards/std620/std620.htm
[The TIS-620 Thai encoding.]

Unicode Consortium, "Unicode Home Page".
http://www.unicode.org/
[Online copy of the Unicode spec.]

W3C Recommendation, "PNG (Portable Network Graphics) Specification
Version 1.0".
http://www.w3.org/Graphics/PNG/
[Defines the PNG image predictor.]

Gregory K. Wallace, "The JPEG Still Picture Compression Standard".
ftp://ftp.uu.net/graphics/jpeg/wallace.ps.gz
[Good description of the JPEG standard.  Also published in CACM, April
1991, and submitted to IEEE Transactions on Consumer Electronics.]

F. Yergeau, "UTF-8, a transformation format of ISO 10646".  RFC 2279.
[A commonly used Unicode encoding.]

xpdf's People

Contributors

jhcloos


xpdf's Issues

heap_buffer_overflow_in_readScan

Hi, in the latest version of this code [ps: commit id ffaf11c] I found something unusual.

crash sample

8id103_heap_buffer_overflow_in_readScan.zip

command to reproduce

./pdftops -q [crash sample] /dev/null

crash detail

=================================================================
==115797==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fcb48dd5800 at pc 0x00000074635f bp 0x7ffcc31156f0 sp 0x7ffcc31156e8
READ of size 4 at 0x7fcb48dd5800 thread T0
    #0 0x74635e in DCTStream::readScan() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2549:18
    #1 0x7401e0 in DCTStream::reset() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2257:7
    #2 0x68912e in Object::streamReset() /home/bupt/Desktop/xpdf/xpdf/./Object.h:282:13
    #3 0x68912e in Lexer::Lexer(XRef*, Object*) /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:74:12
    #4 0x581714 in Gfx::display(Object*, int) /home/bupt/Desktop/xpdf/xpdf/Gfx.cc:641:33
    #5 0x6a76a1 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:360:10
    #6 0x6d5f6e in PSOutputDev::checkPageSlice(Page*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PSOutputDev.cc:3276:11
    #7 0x6a7172 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:328:13
    #8 0x6a6f81 in Page::display(OutputDev*, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:308:3
    #9 0x6af9b4 in PDFDoc::displayPage(OutputDev*, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:384:27
    #10 0x6af9b4 in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:397:5
    #11 0x796d81 in main /home/bupt/Desktop/xpdf/xpdf/pdftops.cc:342:10
    #12 0x7fcb4b949c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    #13 0x41d5d9 in _start (/home/bupt/Desktop/xpdf/xpdf/pdftops+0x41d5d9)

0x7fcb48dd5800 is located 0 bytes to the right of 131072-byte region [0x7fcb48db5800,0x7fcb48dd5800)
allocated by thread T0 here:
    #0 0x4afba0 in malloc /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
    #1 0x7aa7fa in gmalloc /home/bupt/Desktop/xpdf/goo/gmem.cc:102:13
    #2 0x7aa7fa in gmallocn /home/bupt/Desktop/xpdf/goo/gmem.cc:168:10

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2549:18 in DCTStream::readScan()
==115797==ABORTING

FPE_in_decodeImage

Hi, in the latest version of this code [ps: commit id ffaf11c] I found something unusual.

crash sample

8id63_FPE_in_decodeImage.zip

command to reproduce

./pdftops -q [crash sample] /dev/null

crash detail

AddressSanitizer:DEADLYSIGNAL
=================================================================
==115861==ERROR: AddressSanitizer: FPE on unknown address 0x0000007476d3 (pc 0x0000007476d3 bp 0x7fff22d95b40 sp 0x7fff22d952c0 T0)
    #0 0x7476d3 in DCTStream::decodeImage() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2813:19
    #1 0x7402bb in DCTStream::reset() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2261:5
    #2 0x68912e in Object::streamReset() /home/bupt/Desktop/xpdf/xpdf/./Object.h:282:13
    #3 0x68912e in Lexer::Lexer(XRef*, Object*) /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:74:12
    #4 0x581714 in Gfx::display(Object*, int) /home/bupt/Desktop/xpdf/xpdf/Gfx.cc:641:33
    #5 0x6a76a1 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:360:10
    #6 0x6d5f6e in PSOutputDev::checkPageSlice(Page*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PSOutputDev.cc:3276:11
    #7 0x6a7172 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:328:13
    #8 0x6a6f81 in Page::display(OutputDev*, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:308:3
    #9 0x6af9b4 in PDFDoc::displayPage(OutputDev*, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:384:27
    #10 0x6af9b4 in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:397:5
    #11 0x796d81 in main /home/bupt/Desktop/xpdf/xpdf/pdftops.cc:342:10
    #12 0x7ffb8625dc86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    #13 0x41d5d9 in _start (/home/bupt/Desktop/xpdf/xpdf/pdftops+0x41d5d9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2813:19 in DCTStream::decodeImage()
==115861==ABORTING

SEGV_in_getChar

Hi, in the latest version of this code [ps: commit id ffaf11c] I found something unusual.

crash sample

8id46_SEGV_in_getChar.zip

command to reproduce

./pdftops -q [crash sample] /dev/null

crash detail

AddressSanitizer:DEADLYSIGNAL
=================================================================
==115845==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000750afe bp 0x0c40000003cc sp 0x7ffd6a600d80 T0)
==115845==The signal is caused by a READ memory access.
==115845==Hint: address points to the zero page.
    #0 0x750afe in DCTStream::getChar() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2302:9
    #1 0x6899e3 in Object::streamGetChar() /home/bupt/Desktop/xpdf/xpdf/./Object.h:288:20
    #2 0x6899e3 in Lexer::getChar() /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:92:42
    #3 0x6899e3 in Lexer::getObj(Object*) /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:124:14
    #4 0x6a8fc5 in Parser::Parser(XRef*, Lexer*, int) /home/bupt/Desktop/xpdf/xpdf/Parser.cc:33:10
    #5 0x581742 in Gfx::display(Object*, int) /home/bupt/Desktop/xpdf/xpdf/Gfx.cc:641:16
    #6 0x6a76a1 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:360:10
    #7 0x6d5f6e in PSOutputDev::checkPageSlice(Page*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PSOutputDev.cc:3276:11
    #8 0x6a7172 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:328:13
    #9 0x6a6f81 in Page::display(OutputDev*, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:308:3
    #10 0x6af9b4 in PDFDoc::displayPage(OutputDev*, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:384:27
    #11 0x6af9b4 in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:397:5
    #12 0x796d81 in main /home/bupt/Desktop/xpdf/xpdf/pdftops.cc:342:10
    #13 0x7f558fd59c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    #14 0x41d5d9 in _start (/home/bupt/Desktop/xpdf/xpdf/pdftops+0x41d5d9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2302:9 in DCTStream::getChar()
==115845==ABORTING

global-buffer-overflow on binary pdfimages

SUMMARY

Hi there, I use my fuzzer for fuzzing the binary pdfimages, and this binary crashes with the following:

Syntax Error (2227): Unexpected end of file in flate stream
=================================================================
==2226711==ERROR: AddressSanitizer: global-buffer-overflow on address 0x55e91fe296ef at pc 0x55e91fa2428c bp 0x7ffdd3190680 sp 0x7ffdd3190670
READ of size 1 at 0x55e91fe296ef thread T0
    #0 0x55e91fa2428b in PSTokenizer::getToken(char*, int, int*) /xpdf-master/xpdf/PSTokenizer.cc:72
    #1 0x55e91f8fecec in CharCodeToUnicode::parseCMap1(int (*)(void*), void*, int) /xpdf-master/xpdf/CharCodeToUnicode.cc:264
    #2 0x55e91f8fe97a in CharCodeToUnicode::parseCMap(GString*, int) /xpdf-master/xpdf/CharCodeToUnicode.cc:241
    #3 0x55e91f95a1be in GfxFont::readToUnicodeCMap(Dict*, int, CharCodeToUnicode*) /xpdf-master/xpdf/GfxFont.cc:512
    #4 0x55e91f9635f8 in GfxCIDFont::GfxCIDFont(XRef*, char*, Ref, GString*, GfxFontType, Ref, Dict*) /xpdf-master/xpdf/GfxFont.cc:1618
    #5 0x55e91f95846f in GfxFont::makeFont(XRef*, char*, Ref, Dict*) /xpdf-master/xpdf/GfxFont.cc:194
    #6 0x55e91f9674cd in GfxFontDict::GfxFontDict(XRef*, Ref*, Dict*) /xpdf-master/xpdf/GfxFont.cc:2001
    #7 0x55e91f925d5c in GfxResources::GfxResources(XRef*, Dict*, GfxResources*) /xpdf-master/xpdf/Gfx.cc:291
    #8 0x55e91f926dcc in Gfx::Gfx(PDFDoc*, OutputDev*, int, Dict*, double, double, PDFRectangle*, PDFRectangle*, int, int (*)(void*), void*) /xpdf-master/xpdf/Gfx.cc:508
    #9 0x55e91fa1cc4f in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /xpdf-master/xpdf/Page.cc:356
    #10 0x55e91fa1c53c in Page::display(OutputDev*, double, double, int, int, int, int, int (*)(void*), void*) /xpdf-master/xpdf/Page.cc:308
    #11 0x55e91fa225fb in PDFDoc::displayPage(OutputDev*, int, double, double, int, int, int, int, int (*)(void*), void*) /xpdf-master/xpdf/PDFDoc.cc:384
    #12 0x55e91fa22684 in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /xpdf-master/xpdf/PDFDoc.cc:397
    #13 0x55e91fa70d19 in main /xpdf-master/xpdf/pdfimages.cc:138
    #14 0x7f48c0353c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    #15 0x55e91f8e1739 in _start (/xpdf-master/xpdf/pdfimages+0xe1739)

0x55e91fe296ef is located 15 bytes to the right of global variable 'pdfDocEncoding' defined in 'PDFDocEncoding.cc:11:9' (0x55e91fe292e0) of size 1024
SUMMARY: AddressSanitizer: global-buffer-overflow /xpdf-master/xpdf/PSTokenizer.cc:72 in PSTokenizer::getToken(char*, int, int*)
==2226711==ABORTING

poc

poc_pdfimages.zip

Environment

Ubuntu 18.04 (docker)
clang/clang++ 12.0.1
version: commit ffaf11c

COMPILE

export CC=gcc
export CXX=g++
export CFLAGS="-fsanitize=address -g"
export CXXFLAGS="-fsanitize=address -g"
./configure --disable-shared
make

Credit

Zhao Jiayu (NCNIPC)
Han Zheng (NCNIPC, Hexhive)
Yin Li, Xiaotong Jiao (NCNIPC of China)

Thanks for your time!

global_buffer_overflow_in_getObj

Hi, in the latest version of this code [ps: commit id ffaf11c] I found something unusual.

crash sample

8id65_global_buffer_overflow_in_getObj.zip

command to reproduce

./pdftops -q [crash sample] /dev/null

crash detail

==115893==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000093aadc at pc 0x000000689c9a bp 0x7ffe79eed770 sp 0x7ffe79eed768
READ of size 1 at 0x00000093aadc thread T0
    #0 0x689c99 in Lexer::getObj(Object*) /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:132:16
    #1 0x6a8fc5 in Parser::Parser(XRef*, Lexer*, int) /home/bupt/Desktop/xpdf/xpdf/Parser.cc:33:10
    #2 0x581742 in Gfx::display(Object*, int) /home/bupt/Desktop/xpdf/xpdf/Gfx.cc:641:16
    #3 0x6a76a1 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:360:10
    #4 0x6d5f6e in PSOutputDev::checkPageSlice(Page*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PSOutputDev.cc:3276:11
    #5 0x6a7172 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:328:13
    #6 0x6a6f81 in Page::display(OutputDev*, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:308:3
    #7 0x6af9b4 in PDFDoc::displayPage(OutputDev*, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:384:27
    #8 0x6af9b4 in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:397:5
    #9 0x796d81 in main /home/bupt/Desktop/xpdf/xpdf/pdftops.cc:342:10
    #10 0x7f2de419dc86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    #11 0x41d5d9 in _start (/home/bupt/Desktop/xpdf/xpdf/pdftops+0x41d5d9)

0x00000093aadc is located 4 bytes to the left of global variable 'specialChars' defined in 'Lexer.cc:26:13' (0x93aae0) of size 256
0x00000093aadc is located 55 bytes to the right of global variable '<string literal>' defined in 'Lexer.cc:471:52' (0x93aaa0) of size 5
  '<string literal>' is ascii string 'null'
SUMMARY: AddressSanitizer: global-buffer-overflow /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:132:16 in Lexer::getObj(Object*)
Shadow bytes around the buggy address:
  0x00008011f500: f9 f9 f9 f9 00 00 04 f9 f9 f9 f9 f9 00 00 00 00
  0x00008011f510: 02 f9 f9 f9 f9 f9 f9 f9 00 00 00 f9 f9 f9 f9 f9
  0x00008011f520: 00 00 00 00 00 02 f9 f9 f9 f9 f9 f9 00 00 06 f9
  0x00008011f530: f9 f9 f9 f9 00 00 00 02 f9 f9 f9 f9 00 00 07 f9
  0x00008011f540: f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9 06 f9 f9 f9
=>0x00008011f550: f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9[f9]00 00 00 00
  0x00008011f560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00008011f570: 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9
  0x00008011f580: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
  0x00008011f590: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00008011f5a0: 00 00 00 00 00 00 06 f9 f9 f9 f9 f9 02 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==115893==ABORTING

heap_buffer_overflow_in_transformDataUnit

Hi, in the latest version of this code [ps: commit id ffaf11c] I found something unusual.

crash sample

8id64_heap_buffer_overflow_in_transformDataUnit.zip

command to reproduce

./pdftops -q [crash sample] /dev/null

crash detail

=================================================================
==115877==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6200000080e0 at pc 0x000000756136 bp 0x7fff10b0da30 sp 0x7fff10b0da28
READ of size 2 at 0x6200000080e0 thread T0
    #0 0x756135 in DCTStream::transformDataUnit(unsigned short*, int*, unsigned char*) /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2968:17
    #1 0x748741 in DCTStream::decodeImage() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2835:6
    #2 0x7402bb in DCTStream::reset() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2261:5
    #3 0x68912e in Object::streamReset() /home/bupt/Desktop/xpdf/xpdf/./Object.h:282:13
    #4 0x68912e in Lexer::Lexer(XRef*, Object*) /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:74:12
    #5 0x581714 in Gfx::display(Object*, int) /home/bupt/Desktop/xpdf/xpdf/Gfx.cc:641:33
    #6 0x6a76a1 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:360:10
    #7 0x6d5f6e in PSOutputDev::checkPageSlice(Page*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PSOutputDev.cc:3276:11
    #8 0x6a7172 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:328:13
    #9 0x6a6f81 in Page::display(OutputDev*, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:308:3
    #10 0x6af9b4 in PDFDoc::displayPage(OutputDev*, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:384:27
    #11 0x6af9b4 in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:397:5
    #12 0x796d81 in main /home/bupt/Desktop/xpdf/xpdf/pdftops.cc:342:10
    #13 0x7f57efb1ec86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    #14 0x41d5d9 in _start (/home/bupt/Desktop/xpdf/xpdf/pdftops+0x41d5d9)

Address 0x6200000080e0 is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2968:17 in DCTStream::transformDataUnit(unsigned short*, int*, unsigned char*)
Shadow bytes around the buggy address:
  0x0c407fff8fc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c407fff8fd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c407fff8fe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c407fff8ff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c407fff9000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c407fff9010: fa fa fa fa fa fa fa fa fa fa fa fa[fa]fa fa fa
  0x0c407fff9020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c407fff9030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c407fff9040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c407fff9050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c407fff9060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
==115877==ABORTING

heap_buffer_overflow_in_lookChar

Hi, in the latest version of this code [ps: commit id ffaf11c] I found something unusual.

crash sample

8id148_heap_buffer_overflow_in_lookChar.zip

command to reproduce

./pdftops -q [crash sample] /dev/null

crash detail

=================================================================
==115813==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x631000038800 at pc 0x000000754566 bp 0x7ffe27e56210 sp 0x7ffe27e56208
READ of size 4 at 0x631000038800 thread T0
    #0 0x754565 in DCTStream::lookChar() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2331:12
    #1 0x68a82a in Object::streamLookChar() /home/bupt/Desktop/xpdf/xpdf/./Object.h:291:20
    #2 0x68a82a in Lexer::lookChar() /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:108:17
    #3 0x68a82a in Lexer::getObj(Object*) /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:458:17
    #4 0x6ab867 in Parser::getObj(Object*, int, unsigned char*, CryptAlgorithm, int, int, int, int) /home/bupt/Desktop/xpdf/xpdf/Parser.cc
    #5 0x6aa214 in Parser::getObj(Object*, int, unsigned char*, CryptAlgorithm, int, int, int, int) /home/bupt/Desktop/xpdf/xpdf/Parser.cc:69:21
    #6 0x582f60 in Gfx::go(int) /home/bupt/Desktop/xpdf/xpdf/Gfx.cc:757:13
    #7 0x581775 in Gfx::display(Object*, int) /home/bupt/Desktop/xpdf/xpdf/Gfx.cc:642:3
    #8 0x6a76a1 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:360:10
    #9 0x6d5f6e in PSOutputDev::checkPageSlice(Page*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PSOutputDev.cc:3276:11
    #10 0x6a7172 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:328:13
    #11 0x6a6f81 in Page::display(OutputDev*, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:308:3
    #12 0x6af9b4 in PDFDoc::displayPage(OutputDev*, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:384:27
    #13 0x6af9b4 in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:397:5
    #14 0x796d81 in main /home/bupt/Desktop/xpdf/xpdf/pdftops.cc:342:10
    #15 0x7f3e6975dc86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    #16 0x41d5d9 in _start (/home/bupt/Desktop/xpdf/xpdf/pdftops+0x41d5d9)

0x631000038800 is located 0 bytes to the right of 65536-byte region [0x631000028800,0x631000038800)
allocated by thread T0 here:
    #0 0x4afba0 in malloc /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
    #1 0x7aa7fa in gmalloc /home/bupt/Desktop/xpdf/goo/gmem.cc:102:13
    #2 0x7aa7fa in gmallocn /home/bupt/Desktop/xpdf/goo/gmem.cc:168:10

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2331:12 in DCTStream::lookChar()
Shadow bytes around the buggy address:
  0x0c627ffff0b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c627ffff0c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c627ffff0d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c627ffff0e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c627ffff0f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c627ffff100:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c627ffff110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c627ffff120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c627ffff130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c627ffff140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c627ffff150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
==115813==ABORTING

SEGV_in_readMCURow

Hi, in the latest version of this code [ps: commit id ffaf11c] I found something unusual.

crash sample

8id69_SEGV_in_readMCURow.zip

command to reproduce

./pdftops -q [crash sample] /dev/null

crash detail

AddressSanitizer:DEADLYSIGNAL
=================================================================
==115909==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000751cdd bp 0x7fffab2f8a10 sp 0x7fffab2f8640 T0)
==115909==The signal is caused by a WRITE memory access.
==115909==Hint: address points to the zero page.
    #0 0x751cdd in DCTStream::readMCURow() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2403:23
    #1 0x750d6e in DCTStream::getChar() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2316:12
    #2 0x6899e3 in Object::streamGetChar() /home/bupt/Desktop/xpdf/xpdf/./Object.h:288:20
    #3 0x6899e3 in Lexer::getChar() /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:92:42
    #4 0x6899e3 in Lexer::getObj(Object*) /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:124:14
    #5 0x6a8fc5 in Parser::Parser(XRef*, Lexer*, int) /home/bupt/Desktop/xpdf/xpdf/Parser.cc:33:10
    #6 0x581742 in Gfx::display(Object*, int) /home/bupt/Desktop/xpdf/xpdf/Gfx.cc:641:16
    #7 0x6a76a1 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:360:10
    #8 0x6d5f6e in PSOutputDev::checkPageSlice(Page*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PSOutputDev.cc:3276:11
    #9 0x6a7172 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:328:13
    #10 0x6a6f81 in Page::display(OutputDev*, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:308:3
    #11 0x6af9b4 in PDFDoc::displayPage(OutputDev*, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:384:27
    #12 0x6af9b4 in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:397:5
    #13 0x796d81 in main /home/bupt/Desktop/xpdf/xpdf/pdftops.cc:342:10
    #14 0x7fabd9c46c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    #15 0x41d5d9 in _start (/home/bupt/Desktop/xpdf/xpdf/pdftops+0x41d5d9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2403:23 in DCTStream::readMCURow()
==115909==ABORTING

heap_buffer_overflow_in_decodeImage

Hi, in the latest version of this code [ps: commit id ffaf11c] I found something unusual.

crash sample

8id77_heap_buffer_overflow_in_decodeImage.zip

command to reproduce

./pdftops -q [crash sample] /dev/null

crash detail

=================================================================
==115925==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7ff6d61be800 at pc 0x0000007501b0 bp 0x7fff7ae393d0 sp 0x7fff7ae393c8
READ of size 4 at 0x7ff6d61be800 thread T0
    #0 0x7501af in DCTStream::decodeImage() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2827:22
    #1 0x7402bb in DCTStream::reset() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2261:5
    #2 0x68912e in Object::streamReset() /home/bupt/Desktop/xpdf/xpdf/./Object.h:282:13
    #3 0x68912e in Lexer::Lexer(XRef*, Object*) /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:74:12
    #4 0x581714 in Gfx::display(Object*, int) /home/bupt/Desktop/xpdf/xpdf/Gfx.cc:641:33
    #5 0x6a76a1 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:360:10
    #6 0x6d5f6e in PSOutputDev::checkPageSlice(Page*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PSOutputDev.cc:3276:11
    #7 0x6a7172 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:328:13
    #8 0x6a6f81 in Page::display(OutputDev*, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:308:3
    #9 0x6af9b4 in PDFDoc::displayPage(OutputDev*, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:384:27
    #10 0x6af9b4 in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:397:5
    #11 0x796d81 in main /home/bupt/Desktop/xpdf/xpdf/pdftops.cc:342:10
    #12 0x7ff6d8d70c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    #13 0x41d5d9 in _start (/home/bupt/Desktop/xpdf/xpdf/pdftops+0x41d5d9)

0x7ff6d61be800 is located 0 bytes to the right of 245760-byte region [0x7ff6d6182800,0x7ff6d61be800)
allocated by thread T0 here:
    #0 0x4afba0 in malloc /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
    #1 0x7aa7fa in gmalloc /home/bupt/Desktop/xpdf/goo/gmem.cc:102:13
    #2 0x7aa7fa in gmallocn /home/bupt/Desktop/xpdf/goo/gmem.cc:168:10

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2827:22 in DCTStream::decodeImage()
Shadow bytes around the buggy address:
  0x0fff5ac2fcb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fff5ac2fcc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fff5ac2fcd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fff5ac2fce0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fff5ac2fcf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fff5ac2fd00:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fff5ac2fd10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fff5ac2fd20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fff5ac2fd30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fff5ac2fd40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fff5ac2fd50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
==115925==ABORTING

heap_buffer_overflow_in_readScan

crash sample

8id103_heap_buffer_overflow_in_readScan.zip

command to reproduce

./pdftops -q [crash sample] /dev/null

crash detail

=================================================================
==115797==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fcb48dd5800 at pc 0x00000074635f bp 0x7ffcc31156f0 sp 0x7ffcc31156e8
READ of size 4 at 0x7fcb48dd5800 thread T0
    #0 0x74635e in DCTStream::readScan() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2549:18
    #1 0x7401e0 in DCTStream::reset() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2257:7
    #2 0x68912e in Object::streamReset() /home/bupt/Desktop/xpdf/xpdf/./Object.h:282:13
    #3 0x68912e in Lexer::Lexer(XRef*, Object*) /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:74:12
    #4 0x581714 in Gfx::display(Object*, int) /home/bupt/Desktop/xpdf/xpdf/Gfx.cc:641:33
    #5 0x6a76a1 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:360:10
    #6 0x6d5f6e in PSOutputDev::checkPageSlice(Page*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PSOutputDev.cc:3276:11
    #7 0x6a7172 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:328:13
    #8 0x6a6f81 in Page::display(OutputDev*, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:308:3
    #9 0x6af9b4 in PDFDoc::displayPage(OutputDev*, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:384:27
    #10 0x6af9b4 in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:397:5
    #11 0x796d81 in main /home/bupt/Desktop/xpdf/xpdf/pdftops.cc:342:10
    #12 0x7fcb4b949c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    #13 0x41d5d9 in _start (/home/bupt/Desktop/xpdf/xpdf/pdftops+0x41d5d9)

0x7fcb48dd5800 is located 0 bytes to the right of 131072-byte region [0x7fcb48db5800,0x7fcb48dd5800)
allocated by thread T0 here:
    #0 0x4afba0 in malloc /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
    #1 0x7aa7fa in gmalloc /home/bupt/Desktop/xpdf/goo/gmem.cc:102:13
    #2 0x7aa7fa in gmallocn /home/bupt/Desktop/xpdf/goo/gmem.cc:168:10

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2549:18 in DCTStream::readScan()
Shadow bytes around the buggy address:
  0x0ff9e91b2ab0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff9e91b2ac0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff9e91b2ad0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff9e91b2ae0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff9e91b2af0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ff9e91b2b00:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff9e91b2b10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff9e91b2b20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff9e91b2b30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff9e91b2b40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff9e91b2b50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
==115797==ABORTING

SEGV_in_getObj

Hi, in the latest version of this code [ps: commit id ffaf11c] I found something unusual.

crash sample

8id95_SEGV_in_getObj.zip

command to reproduce

./pdftops -q [crash sample] /dev/null

crash detail

AddressSanitizer:DEADLYSIGNAL
=================================================================
==115957==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x000000689bd4 bp 0x0000957f8ba1 sp 0x7ffd52912760 T0)
==115957==The signal is caused by a READ memory access.
==115957==Hint: this fault was caused by a dereference of a high value address (see register values below).  Disassemble the provided pc to learn which register was used.
    #0 0x689bd4 in Lexer::getObj(Object*) /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:132:16
    #1 0x6a8fc5 in Parser::Parser(XRef*, Lexer*, int) /home/bupt/Desktop/xpdf/xpdf/Parser.cc:33:10
    #2 0x581742 in Gfx::display(Object*, int) /home/bupt/Desktop/xpdf/xpdf/Gfx.cc:641:16
    #3 0x6a76a1 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:360:10
    #4 0x6d5f6e in PSOutputDev::checkPageSlice(Page*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PSOutputDev.cc:3276:11
    #5 0x6a7172 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:328:13
    #6 0x6a6f81 in Page::display(OutputDev*, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:308:3
    #7 0x6af9b4 in PDFDoc::displayPage(OutputDev*, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:384:27
    #8 0x6af9b4 in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:397:5
    #9 0x796d81 in main /home/bupt/Desktop/xpdf/xpdf/pdftops.cc:342:10
    #10 0x7f84f066ac86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    #11 0x41d5d9 in _start (/home/bupt/Desktop/xpdf/xpdf/pdftops+0x41d5d9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:132:16 in Lexer::getObj(Object*)
==115957==ABORTING

Command Injection in Xpdf-4.04

Overview

A command injection vulnerability was discovered in the Xpdf-4.04 PDF viewer software. The vulnerability exists within the PSOutputDev::PSOutputDev() function located in the xpdf-4.04/xpdf/PSOutputDev.cc file.

The affected function is responsible for initializing the PostScript output device with user-defined parameters, including a file name and a custom code callback function. An attacker can exploit this vulnerability by injecting arbitrary commands into the fileName parameter with the prefix |, which can be executed in the following popen function.

Impact

This vulnerability presents an impact for other projects utilizing Xpdf-4.04 as their PDF parser and using user-supplied inputs as <PS-file>. When executing Xpdf, an attacker can inject arbitrary commands into the filename parameter, leading to command execution with the privileges of the user running the application. As a result, sensitive data could be compromised, files could be modified, or further attacks on the system could be launched.

Exploit Details

There is a command injection vulnerability present in the code when the | operator is combined with a subsequent command. This occurs within a conditional branch of the following C++ code:

  if (argc == 3) {
    // argv[2] is the <PS-file> argument
    psFileName = new GString(argv[2]);

Subsequently, within the constructor for PSOutputDev, if the first character of fileName is |, the program enters the popen function, resulting in a command injection vulnerability:

  } else if (fileName[0] == '|') {
    fileTypeA = psPipe;
    // ...
    // everything after the leading '|' is handed to popen as a command
    if (!(f = popen(fileName + 1, "w"))) {
      error(errIO, -1, "Couldn't run print command '{0:s}'", fileName);
      ok = gFalse;
      return;
    }

PoC

./build/xpdf/pdftops ./in/helloworld.pdf '|`cat /etc/passwd > ./txt`'

Conclusion

The command injection vulnerability discovered in Xpdf-4.04 could allow an attacker to execute arbitrary code with the privileges of the user running the application.
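For a program that passes untrusted names to pdftops as <PS-file>, the check quoted in this report can be mirrored on the caller's side. This is an added example, not Xpdf code and not part of the original report; the function names, the control-character rule and the "./" anchoring policy are assumptions of the example.

```cpp
#include <cstdio>
#include <string>
#include <vector>

// Where a <PS-file> name would be sent by the check quoted in the report.
// Only the pipe branch is taken from the report; every other name is
// treated as a regular file here.
enum class PsTarget { RegularFile, Pipe };

PsTarget classifyPsTarget(const std::string &fileName) {
  // Same test as `fileName[0] == '|'` in the quoted constructor code.
  if (!fileName.empty() && fileName[0] == '|') {
    return PsTarget::Pipe;
  }
  return PsTarget::RegularFile;
}

enum class Verdict { Ok, Empty, PipeToCommand, ControlChar };

// Policy for names that come from an untrusted source (hypothetical helper).
Verdict checkUntrustedPsName(const std::string &name) {
  if (name.empty()) {
    return Verdict::Empty;
  }
  if (classifyPsTarget(name) == PsTarget::Pipe) {
    return Verdict::PipeToCommand;  // would reach popen(fileName + 1, "w")
  }
  for (unsigned char c : name) {
    if (c < 0x20 || c == 0x7f) {
      return Verdict::ControlChar;  // keep newlines etc. out of paths and logs
    }
  }
  return Verdict::Ok;
}

// Defence in depth: make relative names start with "./" so the first byte
// handed to the tool can never be '|' (or '-', which could be read as an
// option).
std::string anchorPath(const std::string &name) {
  if (!name.empty() && name[0] == '/') {
    return name;
  }
  return "./" + name;
}

// Build the argument vector for an exec-style launch (no shell involved).
// Returns an empty vector when the output name is rejected.
std::vector<std::string> buildPdftopsArgv(const std::string &pdfFile,
                                          const std::string &psFile) {
  if (pdfFile.empty() || checkUntrustedPsName(psFile) != Verdict::Ok) {
    return {};
  }
  return {"pdftops", anchorPath(pdfFile), anchorPath(psFile)};
}

int main() {
  // Constructed sample inputs; "|lpr" is a pipe-to-printer style name.
  const char *samples[] = {"out.ps", "|lpr", "-level1.ps",
                           "/tmp/spool/job1.ps"};
  for (const char *s : samples) {
    std::vector<std::string> argv = buildPdftopsArgv("in.pdf", s);
    std::printf("%-20s -> %s\n", s,
                argv.empty() ? "rejected" : argv[2].c_str());
  }
  return 0;
}
```

Launching the tool without a shell is not enough on its own, because the popen call sits inside pdftops; the name has to be rejected or anchored before it is passed.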

stack overflow

Hi, in the latest version of this code [ps: commit id ffaf11c] I found something unusual.

crash sample

8id2-stack-overflow.zip

command to reproduce

./pdftops -q [crash sample] /dev/null

crash detail

AddressSanitizer:DEADLYSIGNAL
=================================================================
==115829==ERROR: AddressSanitizer: stack-overflow on address 0x7ffc9aa21f18 (pc 0x0000004ae77a bp 0x7ffc9aa22780 sp 0x7ffc9aa21f20 T0)
    #0 0x4ae77a in __asan_memcpy /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22
    #1 0x6a0d5b in Object::copy(Object*) /home/bupt/Desktop/xpdf/xpdf/Object.cc:75:8
    #2 0x7804e8 in XRef::fetch(int, int, Object*, int) /home/bupt/Desktop/xpdf/xpdf/XRef.cc:991:25
    #3 0x51e08c in Object::arrayGet(int, Object*) /home/bupt/Desktop/xpdf/xpdf/./Object.h:231:19
    #4 0x51e08c in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:441:12
    #5 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #6 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #7 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #8 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #9 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #10 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #11 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #12 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #13 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #14 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #15 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #16 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #17 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #18 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #19 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #20 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #21 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #22 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #23 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #24 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #25 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #26 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #27 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #28 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #29 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #30 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #31 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #32 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #33 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #34 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #35 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #36 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #37 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #38 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #39 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #40 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #41 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #42 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #43 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #44 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #45 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #46 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #47 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #48 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #49 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #50 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #51 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #52 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #53 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #54 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #55 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #56 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #57 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #58 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #59 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #60 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #61 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #62 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #63 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #64 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #65 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #66 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #67 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #68 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #69 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #70 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #71 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #72 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #73 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #74 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #75 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #76 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #77 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #78 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #79 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #80 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #81 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #82 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #83 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #84 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #85 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #86 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #87 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #88 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #89 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #90 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #91 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #92 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #93 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #94 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #95 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #96 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #97 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #98 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #99 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #100 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #101 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #102 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #103 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #104 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #105 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #106 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #107 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #108 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #109 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #110 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #111 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #112 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #113 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #114 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #115 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #116 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #117 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #118 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #119 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #120 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #121 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #122 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #123 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #124 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #125 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #126 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #127 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #128 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #129 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #130 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #131 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #132 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #133 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #134 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #135 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #136 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #137 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #138 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #139 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #140 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #141 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #142 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #143 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #144 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #145 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #146 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #147 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #148 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #149 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #150 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #151 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #152 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #153 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #154 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #155 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #156 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #157 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #158 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #159 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #160 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #161 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #162 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #163 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #164 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #165 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #166 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #167 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #168 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #169 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #170 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #171 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #172 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #173 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #174 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #175 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #176 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #177 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #178 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #179 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #180 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #181 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #182 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #183 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #184 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #185 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #186 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #187 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #188 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #189 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #190 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #191 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #192 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #193 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #194 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #195 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #196 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #197 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #198 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #199 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #200 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #201 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #202 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #203 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #204 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #205 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #206 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #207 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #208 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #209 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #210 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #211 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #212 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #213 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #214 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #215 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #216 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #217 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #218 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #219 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #220 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #221 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #222 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #223 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #224 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #225 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #226 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #227 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #228 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #229 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #230 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #231 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #232 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #233 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #234 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #235 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #236 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #237 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #238 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #239 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #240 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #241 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #242 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #243 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #244 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #245 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #246 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #247 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #248 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #249 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12
    #250 0x51e098 in Catalog::countPageTree(Object*) /home/bupt/Desktop/xpdf/xpdf/Catalog.cc:442:12

SUMMARY: AddressSanitizer: stack-overflow /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22 in __asan_memcpy
==115829==ABORTING

heap_buffer_overflow_in_getChar

Hi, in the latest version of this code [ps: commit id ffaf11c] I found something unusual.

crash sample

8id93_heap_buffer_overflow_in_getChar.zip

command to reproduce

./pdftops -q [crash sample] /dev/null

crash detail

=================================================================
==115941==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f54608ff800 at pc 0x000000750e7c bp 0x7ffdad0d6050 sp 0x7ffdad0d6048
READ of size 4 at 0x7f54608ff800 thread T0
    #0 0x750e7b in DCTStream::getChar() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2302:9
    #1 0x6899e3 in Object::streamGetChar() /home/bupt/Desktop/xpdf/xpdf/./Object.h:288:20
    #2 0x6899e3 in Lexer::getChar() /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:92:42
    #3 0x6899e3 in Lexer::getObj(Object*) /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:124:14
    #4 0x6ab867 in Parser::getObj(Object*, int, unsigned char*, CryptAlgorithm, int, int, int, int) /home/bupt/Desktop/xpdf/xpdf/Parser.cc
    #5 0x582f60 in Gfx::go(int) /home/bupt/Desktop/xpdf/xpdf/Gfx.cc:757:13
    #6 0x581775 in Gfx::display(Object*, int) /home/bupt/Desktop/xpdf/xpdf/Gfx.cc:642:3
    #7 0x6a76a1 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:360:10
    #8 0x6d5f6e in PSOutputDev::checkPageSlice(Page*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PSOutputDev.cc:3276:11
    #9 0x6a7172 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:328:13
    #10 0x6a6f81 in Page::display(OutputDev*, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:308:3
    #11 0x6af9b4 in PDFDoc::displayPage(OutputDev*, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:384:27
    #12 0x6af9b4 in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:397:5
    #13 0x796d81 in main /home/bupt/Desktop/xpdf/xpdf/pdftops.cc:342:10
    #14 0x7f5463589c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    #15 0x41d5d9 in _start (/home/bupt/Desktop/xpdf/xpdf/pdftops+0x41d5d9)

0x7f54608ff800 is located 0 bytes to the right of 131072-byte region [0x7f54608df800,0x7f54608ff800)
allocated by thread T0 here:
    #0 0x4afba0 in malloc /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
    #1 0x7aa7fa in gmalloc /home/bupt/Desktop/xpdf/goo/gmem.cc:102:13
    #2 0x7aa7fa in gmallocn /home/bupt/Desktop/xpdf/goo/gmem.cc:168:10

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2302:9 in DCTStream::getChar()
Shadow bytes around the buggy address:
  0x0feb0c117eb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0feb0c117ec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0feb0c117ed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0feb0c117ee0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0feb0c117ef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0feb0c117f00:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0feb0c117f10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0feb0c117f20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0feb0c117f30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0feb0c117f40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0feb0c117f50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==115941==ABORTING

SEGV in DCTStream::readHuffSym

SEGV

env

ubuntu20.04
gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.1)
XPDF commit ffaf11c

sample

id189.zip

reproduce

CFLAGS="-g -fsanitize=address" CXXFLAGS="-g -fsanitize=address" LDFLAGS="-g -fsanitize=address" ./configure
make
./pdftotext poc

crash

AddressSanitizer:DEADLYSIGNAL
=================================================================
==3166724==ERROR: AddressSanitizer: SEGV on unknown address 0x61a8d2d2d54c (pc 0x55b73eee93da bp 0x7ffde628f900 sp 0x7ffde628f8e0 T0)
==3166724==The signal is caused by a READ memory access.
    #0 0x55b73eee93d9 in DCTStream::readHuffSym(DCTHuffTable*) /mnt/hgfs/ubuntu/cve/xpdf/xpdf-master/xpdf/Stream.cc:3119
    #1 0x55b73eee35e8 in DCTStream::readDataUnit(DCTHuffTable*, DCTHuffTable*, int*, int*) /mnt/hgfs/ubuntu/cve/xpdf/xpdf-master/xpdf/Stream.cc:2607
    #2 0x55b73eedf36c in DCTStream::readMCURow() /mnt/hgfs/ubuntu/cve/xpdf/xpdf-master/xpdf/Stream.cc:2392
    #3 0x55b73eede3a2 in DCTStream::getChar() /mnt/hgfs/ubuntu/cve/xpdf/xpdf-master/xpdf/Stream.cc:2316
    #4 0x55b73eeb6869 in Object::streamGetChar() /mnt/hgfs/ubuntu/cve/xpdf/xpdf-master/xpdf/Object.h:288
    #5 0x55b73eeaacf5 in Lexer::getChar() /mnt/hgfs/ubuntu/cve/xpdf/xpdf-master/xpdf/Lexer.cc:92
    #6 0x55b73eeaaebf in Lexer::getObj(Object*) /mnt/hgfs/ubuntu/cve/xpdf/xpdf-master/xpdf/Lexer.cc:124
    #7 0x55b73eec21e9 in Parser::Parser(XRef*, Lexer*, int) /mnt/hgfs/ubuntu/cve/xpdf/xpdf-master/xpdf/Parser.cc:33
    #8 0x55b73edce0d1 in Gfx::display(Object*, int) /mnt/hgfs/ubuntu/cve/xpdf/xpdf-master/xpdf/Gfx.cc:641
    #9 0x55b73eebfe4a in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /mnt/hgfs/ubuntu/cve/xpdf/xpdf-master/xpdf/Page.cc:360
    #10 0x55b73eebf6ce in Page::display(OutputDev*, double, double, int, int, int, int, int (*)(void*), void*) /mnt/hgfs/ubuntu/cve/xpdf/xpdf-master/xpdf/Page.cc:308
    #11 0x55b73eec5806 in PDFDoc::displayPage(OutputDev*, int, double, double, int, int, int, int, int (*)(void*), void*) /mnt/hgfs/ubuntu/cve/xpdf/xpdf-master/xpdf/PDFDoc.cc:384
    #12 0x55b73eec588e in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /mnt/hgfs/ubuntu/cve/xpdf/xpdf-master/xpdf/PDFDoc.cc:397
    #13 0x55b73ef38671 in main /mnt/hgfs/ubuntu/cve/xpdf/xpdf-master/xpdf/pdftotext.cc:241
    #14 0x7fb136de7082 in __libc_start_main ../csu/libc-start.c:308
    #15 0x55b73ed87ecd in _start (/mnt/hgfs/ubuntu/cve/xpdf/xpdf-master/xpdf/pdftotext+0xe4ecd)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /mnt/hgfs/ubuntu/cve/xpdf/xpdf-master/xpdf/Stream.cc:3119 in DCTStream::readHuffSym(DCTHuffTable*)
==3166724==ABORTING

heap-buffer-overflow_in_readHuffSym

Hi, in the latest version of this code [ps: commit id ffaf11c] I found something unusual.

crash sample

8id0_heap-buffer-overflow_in_readHuffSym.zip

command to reproduce

./pdftops -q [crash sample] /dev/null

crash detail

=================================================================
==108391==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x620000001782 at pc 0x000000759029 bp 0x7ffd51edc550 sp 0x7ffd51edc548
READ of size 2 at 0x620000001782 thread T0
    #0 0x759028 in DCTStream::readHuffSym(DCTHuffTable*) /home/bupt/Desktop/xpdf/xpdf/Stream.cc:3119:16
    #1 0x7548ba in DCTStream::readDataUnit(DCTHuffTable*, DCTHuffTable*, int*, int*) /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2624:17
    #2 0x751b27 in DCTStream::readMCURow() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2392:9
    #3 0x750d6e in DCTStream::getChar() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2316:12
    #4 0x6899e3 in Object::streamGetChar() /home/bupt/Desktop/xpdf/xpdf/./Object.h:288:20
    #5 0x6899e3 in Lexer::getChar() /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:92:42
    #6 0x6899e3 in Lexer::getObj(Object*) /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:124:14
    #7 0x6a8fc5 in Parser::Parser(XRef*, Lexer*, int) /home/bupt/Desktop/xpdf/xpdf/Parser.cc:33:10
    #8 0x581742 in Gfx::display(Object*, int) /home/bupt/Desktop/xpdf/xpdf/Gfx.cc:641:16
    #9 0x6a76a1 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:360:10
    #10 0x6d5f6e in PSOutputDev::checkPageSlice(Page*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PSOutputDev.cc:3276:11
    #11 0x6a7172 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:328:13
    #12 0x6a6f81 in Page::display(OutputDev*, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:308:3
    #13 0x6af9b4 in PDFDoc::displayPage(OutputDev*, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:384:27
    #14 0x6af9b4 in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:397:5
    #15 0x796d81 in main /home/bupt/Desktop/xpdf/xpdf/pdftops.cc:342:10
    #16 0x7f3b180d3c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    #17 0x41d5d9 in _start (/home/bupt/Desktop/xpdf/xpdf/pdftops+0x41d5d9)

0x620000001782 is located 2314 bytes to the right of 3576-byte region [0x620000000080,0x620000000e78)
allocated by thread T0 here:
    #0 0x4f5768 in operator new(unsigned long) /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_new_delete.cpp:99
    #1 0x7259bc in Stream::makeFilter(char*, Stream*, Object*, int) /home/bupt/Desktop/xpdf/xpdf/Stream.cc:269:11
    #2 0x72459a in Stream::addFilters(Object*, int) /home/bupt/Desktop/xpdf/xpdf/Stream.cc:141:11
    #3 0x6ad41e in Parser::makeStream(Object*, unsigned char*, CryptAlgorithm, int, int, int, int) /home/bupt/Desktop/xpdf/xpdf/Parser.cc:214:14
    #4 0x6ab6f6 in Parser::getObj(Object*, int, unsigned char*, CryptAlgorithm, int, int, int, int) /home/bupt/Desktop/xpdf/xpdf/Parser.cc:101:18
    #5 0x781a3a in XRef::fetch(int, int, Object*, int) /home/bupt/Desktop/xpdf/xpdf/XRef.cc:1028:13
    #6 0x6a7611 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:357:12
    #7 0x6d5f6e in PSOutputDev::checkPageSlice(Page*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PSOutputDev.cc:3276:11

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/bupt/Desktop/xpdf/xpdf/Stream.cc:3119:16 in DCTStream::readHuffSym(DCTHuffTable*)
Shadow bytes around the buggy address:
  0x0c407fff82a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c407fff82b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c407fff82c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c407fff82d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c407fff82e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c407fff82f0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c407fff8300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c407fff8310: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c407fff8320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c407fff8330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c407fff8340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==108391==ABORTING
