
Double free in function pspdf_export() in ps-pdf.cxx at line 945 #429

Closed
chibataiki opened this issue May 17, 2021 · 2 comments
Labels: bug (Something isn't working), duplicate (This issue or pull request already exists), priority-high

Comments

@chibataiki

Hi,

A double free was found in function pspdf_export() in ps-pdf.cxx at line 945.

    941    for (i = 0; i < (int)num_pages; i ++)
    942    {
    943      if ((i == 0 || pages[i].chapter != pages[i - 1].chapter) &&
    944          pages[i].chapter)
                        // i=0x1
→  945        free(pages[i].chapter);

Version:
1.9.12 commit [ee77825]

Env:
Ubuntu 20.04 x86_64
clang version 11.0.0

Reproduce:
./configure
make
./htmldoc -f ./check.ps [poc]
double_free_945.zip

More info:

=================================================================
==2347838==ERROR: AddressSanitizer: attempting double-free on 0x617000000e80 in thread T0:
    #0 0x49764d in free (/home/chiba/htmldoc/check-sani/bin/htmldoc+0x49764d)
    #1 0x50b90d in pspdf_export /home/chiba/htmldoc/htmldoc/ps-pdf.cxx:945:7
    #2 0x4e03e3 in main /home/chiba/htmldoc/htmldoc/htmldoc.cxx:1291:3
    #3 0x7fa4e656f0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #4 0x41d85d in _start (/home/chiba/htmldoc/check-sani/bin/htmldoc+0x41d85d)

0x617000000e80 is located 0 bytes inside of 766-byte region [0x617000000e80,0x61700000117e)
freed by thread T0 here:
    #0 0x49764d in free (/home/chiba/htmldoc/check-sani/bin/htmldoc+0x49764d)
    #1 0x50b90d in pspdf_export /home/chiba/htmldoc/htmldoc/ps-pdf.cxx:945:7
    #2 0x4e03e3 in main /home/chiba/htmldoc/htmldoc/htmldoc.cxx:1291:3
    #3 0x7fa4e656f0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16

previously allocated by thread T0 here:
    #0 0x4978cd in malloc (/home/chiba/htmldoc/check-sani/bin/htmldoc+0x4978cd)
    #1 0x5d4981 in htmlGetText /home/chiba/htmldoc/htmldoc/htmllib.cxx:2125:23
    #2 0x586427 in parse_heading(tree_str*, float, float, float, float, float*, float*, int*, int) /home/chiba/htmldoc/htmldoc/ps-pdf.cxx:4599:28
    #3 0x511582 in parse_doc(tree_str*, float*, float*, float*, float*, float*, float*, int*, tree_str*, int*) /home/chiba/htmldoc/htmldoc/ps-pdf.cxx:4197:11
    #4 0x593fd1 in render_table_row(hdtable_t&, tree_str***, int, unsigned char*, float, float, float, float, float*, float*, int*) /home/chiba/htmldoc/htmldoc/ps-pdf.cxx:5829:9
    #5 0x584778 in parse_table(tree_str*, float, float, float, float, float*, float*, int*, int) /home/chiba/htmldoc/htmldoc/ps-pdf.cxx:7111:5
    #6 0x510e9d in parse_doc(tree_str*, float*, float*, float*, float*, float*, float*, int*, tree_str*, int*) /home/chiba/htmldoc/htmldoc/ps-pdf.cxx:4169:11
    #7 0x50e351 in parse_doc(tree_str*, float*, float*, float*, float*, float*, float*, int*, tree_str*, int*) /home/chiba/htmldoc/htmldoc/ps-pdf.cxx:4083:9
    #8 0x50e351 in parse_doc(tree_str*, float*, float*, float*, float*, float*, float*, int*, tree_str*, int*) /home/chiba/htmldoc/htmldoc/ps-pdf.cxx:4083:9
    #9 0x50e351 in parse_doc(tree_str*, float*, float*, float*, float*, float*, float*, int*, tree_str*, int*) /home/chiba/htmldoc/htmldoc/ps-pdf.cxx:4083:9
    #10 0x5098a4 in pspdf_export /home/chiba/htmldoc/htmldoc/ps-pdf.cxx:803:3
    #11 0x4e03e3 in main /home/chiba/htmldoc/htmldoc/htmldoc.cxx:1291:3
    #12 0x7fa4e656f0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: double-free (/home/chiba/htmldoc/check-sani/bin/htmldoc+0x49764d) in free
==2347838==ABORTING
@chibataiki chibataiki changed the title Double free in function pspdf_export() in ps-pdf.cxx Double free in function pspdf_export() in ps-pdf.cxx at line 945 May 17, 2021
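Added example (not htmldoc's code, and not written by the reporter or the maintainer): the loop quoted above releases pages[i].chapter whenever it differs from pages[i-1].chapter, which only frees each shared string once if every alias of that string sits in one contiguous run of pages. The model below constructs a page table where a chapter string appears in two separate runs (A,B,A) and shows, by counting rather than actually freeing, that the adjacency rule would issue free() twice for it; a hardened release routine then frees each distinct string once and nulls every alias so nothing dangles. The page_t struct, the A,B,A layout and the function names are assumptions for illustration; the report does not state the exact pointer layout that triggered the crash.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Each page references a chapter title on the heap; several pages may point
 * at the same allocation, mirroring the shared `chapter` pointers in the
 * reported loop. (Constructed model, not htmldoc's page structure.) */
typedef struct {
    char *chapter;
} page_t;

typedef struct {
    int naive_frees_of_a;  /* free() calls the adjacency rule would issue for string A */
    int hardened_frees;    /* free() calls made by release_chapters() */
    int dangling;          /* non-NULL chapter pointers left behind after release */
} demo_result_t;

static char *xstrdup(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (!p) { perror("malloc"); exit(EXIT_FAILURE); }
    memcpy(p, s, n);
    return p;
}

/* Simulate the rule at ps-pdf.cxx lines 941-945: free pages[i].chapter whenever
 * it differs from pages[i-1].chapter. Only counts; nothing is freed here. */
static int count_adjacency_frees(const page_t *pages, size_t num_pages,
                                 const char *target)
{
    int frees = 0;
    for (size_t i = 0; i < num_pages; i++) {
        if ((i == 0 || pages[i].chapter != pages[i - 1].chapter) &&
            pages[i].chapter && pages[i].chapter == target)
            frees++;
    }
    return frees;
}

/* Hardened release: free each distinct chapter string exactly once, and
 * clear every alias first so no later code can free or read it again.
 * Quadratic in the page count, which is acceptable for a page table. */
static int release_chapters(page_t *pages, size_t num_pages)
{
    int frees = 0;
    for (size_t i = 0; i < num_pages; i++) {
        char *p = pages[i].chapter;
        if (!p)
            continue;
        for (size_t j = i; j < num_pages; j++)
            if (pages[j].chapter == p)
                pages[j].chapter = NULL;
        free(p);
        frees++;
    }
    return frees;
}

/* Build a three-page table sharing two strings and run both strategies.
 * interleaved=1 gives the layout A,B,A (string A appears in two separate runs);
 * interleaved=0 gives A,A,B (each string in one contiguous run). */
demo_result_t run_demo(int interleaved)
{
    char *a = xstrdup("Chapter 1");
    char *b = xstrdup("Chapter 2");
    page_t pages[3];
    pages[0].chapter = a;
    pages[1].chapter = interleaved ? b : a;
    pages[2].chapter = interleaved ? a : b;

    demo_result_t r;
    r.naive_frees_of_a = count_adjacency_frees(pages, 3, a);
    r.hardened_frees = release_chapters(pages, 3);
    r.dangling = 0;
    for (size_t i = 0; i < 3; i++)
        if (pages[i].chapter)
            r.dangling++;
    return r;
}

int main(void)
{
    demo_result_t bad = run_demo(1), ok = run_demo(0);
    printf("interleaved A,B,A: adjacency rule frees A %d time(s); hardened release made %d free(s), %d dangling\n",
           bad.naive_frees_of_a, bad.hardened_frees, bad.dangling);
    printf("contiguous A,A,B:  adjacency rule frees A %d time(s); hardened release made %d free(s), %d dangling\n",
           ok.naive_frees_of_a, ok.hardened_frees, ok.dangling);
    return 0;
}
```

Compiled with -fsanitize=address, the counting version stays clean because it never calls free() on a shared pointer twice; the same A,B,A layout fed to the original loop is what the ASan report above corresponds to. Nulling every alias before free() is the cheap structural fix: ownership no longer depends on the order in which pages happen to be laid out.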
@michaelrsweet
Owner

Tracking this with Issue #430 - same issue.

@michaelrsweet michaelrsweet self-assigned this May 17, 2021
@michaelrsweet michaelrsweet added bug Something isn't working duplicate This issue or pull request already exists priority-high labels May 17, 2021
@michaelrsweet michaelrsweet added this to the Stable milestone May 17, 2021
@michaelrsweet
Owner

[master 3f9893f] Fix more crash bugs due to double-frees (Issue #429, Issue #430)
