Double free in function pspdf_export() in ps-pdf.cxx at line 949
Closed this issue · 2 comments
chibataiki commented
Hi,
A double free was found in function pspdf_export() in ps-pdf.cxx at line 949.
947 if ((i == 0 || pages[i].heading != pages[i - 1].heading) &&
948 pages[i].heading)
// i=0x1, heading=0x8
→ 949 free(pages[i].heading);
Version:
1.9.12 commit [ee77825]
Env:
ubuntu 20.04 x86_64
clang version 11.0.0
Reproduce:
./configure
make
./htmldoc -f ./check.ps [poc]
double_free_949.zip
More info:
==3791852==ERROR: AddressSanitizer: attempting double-free on 0x60e000000580 in thread T0:
#0 0x49764d in free (/home/chiba/htmldoc/check-sani/bin/htmldoc+0x49764d)
#1 0x50ba80 in pspdf_export /home/chiba/htmldoc/htmldoc/ps-pdf.cxx:949:7
#2 0x4e03e3 in main /home/chiba/htmldoc/htmldoc/htmldoc.cxx:1291:3
#3 0x7ff225d0e0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#4 0x41d85d in _start (/home/chiba/htmldoc/check-sani/bin/htmldoc+0x41d85d)
0x60e000000580 is located 0 bytes inside of 147-byte region [0x60e000000580,0x60e000000613)
freed by thread T0 here:
#0 0x49764d in free (/home/chiba/htmldoc/check-sani/bin/htmldoc+0x49764d)
#1 0x50ba80 in pspdf_export /home/chiba/htmldoc/htmldoc/ps-pdf.cxx:949:7
#2 0x4e03e3 in main /home/chiba/htmldoc/htmldoc/htmldoc.cxx:1291:3
#3 0x7ff225d0e0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
previously allocated by thread T0 here:
#0 0x4978cd in malloc (/home/chiba/htmldoc/check-sani/bin/htmldoc+0x4978cd)
#1 0x5d4981 in htmlGetText /home/chiba/htmldoc/htmldoc/htmllib.cxx:2125:23
#2 0x51a5ec in check_pages(int) /home/chiba/htmldoc/htmldoc/ps-pdf.cxx:8889:21
#3 0x51a78c in new_render(int, int, double, double, double, double, void*, render_str*) /home/chiba/htmldoc/htmldoc/ps-pdf.cxx:8715:3
#4 0x563690 in parse_paragraph(tree_str*, float, float, float, float, float*, float*, int*, int) /home/chiba/htmldoc/htmldoc/ps-pdf.cxx:5369:11
#5 0x519804 in parse_doc(tree_str*, float*, float*, float*, float*, float*, float*, int*, tree_str*, int*) /home/chiba/htmldoc/htmldoc/ps-pdf.cxx:4550:5
#6 0x593fd1 in render_table_row(hdtable_t&, tree_str***, int, unsigned char*, float, float, float, float, float*, float*, int*) /home/chiba/htmldoc/htmldoc/ps-pdf.cxx:5829:9
#7 0x584778 in parse_table(tree_str*, float, float, float, float, float*, float*, int*, int) /home/chiba/htmldoc/htmldoc/ps-pdf.cxx:7111:5
#8 0x510e9d in parse_doc(tree_str*, float*, float*, float*, float*, float*, float*, int*, tree_str*, int*) /home/chiba/htmldoc/htmldoc/ps-pdf.cxx:4169:11
#9 0x518f08 in parse_doc(tree_str*, float*, float*, float*, float*, float*, float*, int*, tree_str*, int*) /home/chiba/htmldoc/htmldoc/ps-pdf.cxx:4515:13
#10 0x50e351 in parse_doc(tree_str*, float*, float*, float*, float*, float*, float*, int*, tree_str*, int*) /home/chiba/htmldoc/htmldoc/ps-pdf.cxx:4083:9
#11 0x50e351 in parse_doc(tree_str*, float*, float*, float*, float*, float*, float*, int*, tree_str*, int*) /home/chiba/htmldoc/htmldoc/ps-pdf.cxx:4083:9
#12 0x5098a4 in pspdf_export /home/chiba/htmldoc/htmldoc/ps-pdf.cxx:803:3
#13 0x4e03e3 in main /home/chiba/htmldoc/htmldoc/htmldoc.cxx:1291:3
#14 0x7ff225d0e0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
SUMMARY: AddressSanitizer: double-free (/home/chiba/htmldoc/check-sani/bin/htmldoc+0x49764d) in free
==3791852==ABORTING
michaelrsweet commented
Confirmed, but this appears to be a deeper problem - pages 8 and 10 have the same heading value while page 9 (an intervening page) has a different current heading. Investigating...
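The aliasing the maintainer describes, modelled as an added example in C. This is not htmldoc's code: `page_t`, `free_log_t`, `log_free`, `cleanup_adjacent_only`, `cleanup_unique` and the "Chapter" heading strings are constructed stand-ins. The cleanup loop from the report frees a heading whenever it differs from the previous page's heading, which is only safe if equal pointers are always adjacent. Instead of calling `free()` twice (which is what ASan aborts on in the report), the stand-in records each pointer handed to the cleanup loop so the duplicate can be counted, and contrasts it with a loop that frees each distinct pointer once.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the page record: only the heading pointer
 * matters here. Several pages may point at the same malloc'd string. */
typedef struct {
    char *heading;
} page_t;

#define MAX_FREES 64

/* Records pointers a cleanup loop would pass to free() instead of freeing
 * them, so a would-be double free is counted rather than aborting. */
typedef struct {
    void *ptrs[MAX_FREES];
    int n;
} free_log_t;

/* Returns how many times p has now been "freed" (1 on the first call). */
static int log_free(free_log_t *log, void *p)
{
    int count = 0;
    for (int i = 0; i < log->n; i++)
        if (log->ptrs[i] == p) count++;
    if (log->n < MAX_FREES) log->ptrs[log->n++] = p;
    return count + 1;
}

/* Same condition as the loop in the report: free when the heading differs
 * from the previous page's. Returns how many frees hit an already-freed
 * pointer; non-zero when a heading reappears after an intervening page. */
static int cleanup_adjacent_only(page_t *pages, int num_pages, free_log_t *log)
{
    int double_frees = 0;
    for (int i = 0; i < num_pages; i++) {
        if ((i == 0 || pages[i].heading != pages[i - 1].heading) && pages[i].heading) {
            if (log_free(log, pages[i].heading) > 1)
                double_frees++;
        }
    }
    return double_frees;
}

/* Hardened variant: free a pointer only the first time it appears anywhere
 * in the array, not merely relative to the previous page. */
static int cleanup_unique(page_t *pages, int num_pages, free_log_t *log)
{
    int double_frees = 0;
    for (int i = 0; i < num_pages; i++) {
        char *h = pages[i].heading;
        if (!h) continue;
        int seen = 0;
        for (int j = 0; j < i; j++)
            if (pages[j].heading == h) { seen = 1; break; }
        if (seen) continue;
        if (log_free(log, h) > 1) double_frees++;
    }
    return double_frees;
}

static char *dup_str(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

/* Constructed layout from the maintainer's comment: pages 8 and 10 share a
 * heading, page 9 has a different one (0-based indices, 11 pages). */
static int count_double_frees(int hardened)
{
    page_t pages[11];
    char *a = dup_str("Chapter 1");   /* constructed sample heading */
    char *b = dup_str("Chapter 2");
    if (!a || !b) { free(a); free(b); return -1; }
    for (int i = 0; i < 11; i++) pages[i].heading = a;
    pages[9].heading = b;             /* the intervening page */

    free_log_t log = {{0}, 0};
    int dbl = hardened ? cleanup_unique(pages, 11, &log)
                       : cleanup_adjacent_only(pages, 11, &log);
    free(a);                          /* real release, once each */
    free(b);
    return dbl;
}

int main(void)
{
    printf("adjacent-only cleanup: %d double free(s)\n", count_double_frees(0));
    printf("unique-pointer cleanup: %d double free(s)\n", count_double_frees(1));
    return 0;
}
```

The adjacent-only loop frees the shared heading at page 0, frees the other heading at page 9, and then frees the shared heading again at page 10. The O(n^2) scan in `cleanup_unique` is enough to show the point; in a real code base the cleaner fix is to give each heading string a single owner (or a reference count) at the point where it is allocated, so the export loop never has to infer ownership from pointer equality.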
michaelrsweet commented