Out-of-bounds sequence access in lookup_xref (assertion failure in h_carray_index).
Seen with instigator specimen 20220308/fffcce1a759f0d7a869280470996490d8c95db175f32ca1ebb61461daa93f3fd.
Does not occur when the parser is run in strict mode (-s).
Cause, as far as the gdb context below shows it: the bounds check at pdf.c:2681 compares `nr - base` against `n`, the entry count read from the parsed subsection header (`H_INDEX_UINT(ss, 0, 1)`, i.e. a value that originates in the file), but the subsection's parsed entry sequence (`ss->seq->elements[1]->seq`) holds only 2229 elements (`used = 2229`) while `nr - base` is 2238 (`nr = 2238`, `base = 0`). Since the check passed, `n` must exceed 2238, so the declared count disagrees with the number of entries actually present, and `H_INDEX(XREntry, ss, 1, nr - base)` indexes past the end of the sequence; in a debug build this trips the assert in h_carray_index, in a build without the assert it would be a real out-of-bounds read. The lookup should bound `nr - base` by the actual length of the entry sequence (something like `H_INDEX_SEQ(ss, 1)->used` or `h_seq_len(H_INDEX_TOKEN(ss, 1))`) instead of trusting `n` alone, and a header count that does not match the parsed entries should be reported as malformed input (a candidate for the p_viol mentioned in the TODO at pdf.c:2683) rather than silently accepted.
Backtrace:
#0 thrkill () at /tmp/-:3
#1 0xaf21515fecd8ca9e in ?? ()
#2 0x00000d99cd8bd2ae in _libc_abort () at /usr/src/lib/libc/stdlib/abort.c:51
#3 0x00000d99cd8d7712 in _libc___assert2 (file=Variable "file" is not available.
)
at /usr/src/lib/libc/gen/assert.c:52
#4 0x00000d9a95f9c950 in h_carray_index (a=0xd9aaffb8e20, i=2238)
at build/debug/src/glue.c:141
#5 0x00000d9a95f9cab3 in h_seq_index (p=0xd9a72862b78, i=2238)
at build/debug/src/glue.c:163
#6 0x00000d9a95f9cbd9 in h_seq_index_vpath (p=0xd9a72862bf8, i=1,
va=0x7f7ffffea490) at build/debug/src/glue.c:183
#7 0x00000d9a95f9cb6b in h_seq_index_path (p=0xd9a72862bf8, i=1)
at build/debug/src/glue.c:171
#8 0x00000d97b97cacd6 in lookup_xref (aux=0x7f7ffffeb568, nr=2238, gen=0)
at pdf.c:2682
#9 0x00000d97b97cb556 in resolve (aux=0x7f7ffffeb568, v=0xd9a1000aab8)
at pdf.c:2834
#10 0x00000d97b97ca60b in kstream (mm__=0x7f7ffffea6e0, x=0xd99bb308b80,
env=0x7f7ffffeb568) at pdf.c:4494
#11 0x00000d9a95f7b9bc in parse_bind (be_=0xd9a4ac25580, state=0xd9a5298e018)
at build/debug/src/parsers/bind.c:43
#12 0x00000d9a95f8b5f7 in perform_lowlevel_parse (state=0xd9a5298e018,
parser=0xd9a4abf5300) at build/debug/src/backends/packrat.c:49
#13 0x00000d9a95f8be33 in h_do_parse (parser=0xd9a4abf5300,
state=0xd9a5298e018) at build/debug/src/backends/packrat.c:230
#14 0x00000d9a95f81fb9 in parse_ignoreseq (env=0xd9a4ac151c0,
state=0xd9a5298e018) at build/debug/src/parsers/ignoreseq.c:24
#15 0x00000d9a95f8b5f7 in perform_lowlevel_parse (state=0xd9a5298e018,
parser=0xd9a4ac07440) at build/debug/src/backends/packrat.c:49
#16 0x00000d9a95f8be33 in h_do_parse (parser=0xd9a4ac07440,
state=0xd9a5298e018) at build/debug/src/backends/packrat.c:230
#17 0x00000d9a95f7ef88 in parse_choice (env=0xd9a4ac173e0, state=0xd9a5298e018)
at build/debug/src/parsers/choice.c:30
#18 0x00000d9a95f8b5f7 in perform_lowlevel_parse (state=0xd9a5298e018,
parser=0xd9a4ac14f00) at build/debug/src/backends/packrat.c:49
#19 0x00000d9a95f8be33 in h_do_parse (parser=0xd9a4ac14f00,
state=0xd9a5298e018) at build/debug/src/backends/packrat.c:230
#20 0x00000d9a95f879d9 in parse_sequence (env=0xd9a4ac17d70,
state=0xd9a5298e018) at build/debug/src/parsers/sequence.c:14
#21 0x00000d9a95f8b5f7 in perform_lowlevel_parse (state=0xd9a5298e018,
parser=0xd9a4abfb2c0) at build/debug/src/backends/packrat.c:49
#22 0x00000d9a95f8be33 in h_do_parse (parser=0xd9a4abfb2c0,
state=0xd9a5298e018) at build/debug/src/backends/packrat.c:230
#23 0x00000d9a95f81fb9 in parse_ignoreseq (env=0xd99d06c96c0,
state=0xd9a5298e018) at build/debug/src/parsers/ignoreseq.c:24
#24 0x00000d9a95f8b5f7 in perform_lowlevel_parse (state=0xd9a5298e018,
parser=0xd9a40e3c740) at build/debug/src/backends/packrat.c:49
#25 0x00000d9a95f8be33 in h_do_parse (parser=0xd9a40e3c740,
state=0xd9a5298e018) at build/debug/src/backends/packrat.c:230
#26 0x00000d9a95f8c22d in h_packrat_parse (mm__=0xd9a95fa5ec0,
parser=0xd9a40e3c740, input_stream=0x7f7ffffeada0)
at build/debug/src/backends/packrat.c:330
#27 0x00000d9a95f9e6fe in h_parse__m (mm__=0xd9a95fa5ec0,
parser=0xd9a40e3c740,
input=0xd9a4b352000 <Address 0xd9a4b352000 out of bounds>, length=978356)
at build/debug/src/hammer.c:588
#28 0x00000d9a95f9e67a in h_parse (parser=0xd9a40e3c740,
input=0xd9a4b352000 <Address 0xd9a4b352000 out of bounds>, length=978356)
at build/debug/src/hammer.c:573
#29 0x00000d97b97cae6f in parse_obj (aux=0x7f7ffffeb568, nr=2181, gen=0,
offset=759879) at pdf.c:2704
#30 0x00000d97b97cb623 in resolve (aux=0x7f7ffffeb568, v=0xd9a393f4228)
at pdf.c:2848
#31 0x00000d97b97ce790 in parse_xobject (dict_t=0xd9a47ac7890,
parent=0xd9a88c63018, pgRsrc=0xd99c25612c8, aux=0x7f7ffffeb568)
at pdf.c:3806
#32 0x00000d97b97cebca in parse_rsrcdict (arena=0xd9a4abf46c0,
dict_t=0xd9a47ac7890, pgNode=0xd9a88c63018, aux=0x7f7ffffeb568)
at pdf.c:3886
#33 0x00000d97b97cf4f4 in parse_pagenode (aux=0x7f7ffffeb568,
myNode=0xd9a88c63018, myRef=0xd99d11d9db0, myDict=0xd9a9fee0568,
parent_t=0xd9a906d7db0, parent_n=0xd99bedae4d0, arena=0xd9a4ac23340)
at pdf.c:4028
#34 0x00000d97b97d02b8 in parse_pagetree (aux=0x7f7ffffeb568,
myNode=0xd99bedae4d0, myRef=0xd9a906d7db0, myDict=0xd9a8667a568,
parent_t=0xd9a2616f6c8, parent_n=0x7f7ffffeb5c0) at pdf.c:4255
#35 0x00000d97b97d0206 in parse_pagetree (aux=0x7f7ffffeb568,
myNode=0x7f7ffffeb5c0, myRef=0xd9a2616f6c8, myDict=0xd9a68290568,
parent_t=0x0, parent_n=0x0) at pdf.c:4249
#36 0x00000d97b97d055d in parse_catalog (aux=0x7f7ffffeb568,
root=0xd9a1196c698) at pdf.c:4326
#37 0x00000d97b97d1c1f in parse_xrefs (aux=0x7f7ffffeb568) at pdf.c:4947
#38 0x00000d97b97d2531 in main (argc=1, argv=0x7f7ffffeb740) at pdf.c:5128
Context:
#8 0x00000d97b97cacd6 in lookup_xref (aux=0x7f7ffffeb568, nr=2238, gen=0)
at pdf.c:2682
2682 return H_INDEX(XREntry, ss, 1, nr - base);
Current language: auto; currently minimal
(gdb) list
2677 ss = subs->elements[j];
2678 base = H_INDEX_UINT(ss, 0, 0);
2679 n = H_INDEX_UINT(ss, 0, 1);
2680
2681 if (nr >= base && nr - base < n)
2682 return H_INDEX(XREntry, ss, 1, nr - base);
2683 // TODO: Generate a more meaningful error message -- p_viol, error ontology category
2684 }
2685 }
2686
(gdb) print *ss
$1 = {token_type = TT_SEQUENCE, {bytes = {token = 0xd9aa83b50e8 "\002",
len = 0}, sint = 14957898584296, uint = 14957898584296,
dbl = 7.3901838244780706e-311, flt = -1.0398129e-14, seq = 0xd9aa83b50e8,
user = 0xd9aa83b50e8}, index = 0, bit_length = 0, bit_offset = 0 '\0'}
(gdb) print *ss->seq
$2 = {capacity = 2, used = 2, arena = 0xd9a4abf4340, elements = 0xd9aa83b5108}
(gdb) print *ss->seq->elements[1]
$3 = {token_type = TT_SEQUENCE, {bytes = {token = 0xd9aaffb8e20 "", len = 0},
sint = 14958028623392, uint = 14958028623392,
dbl = 7.3902480723280205e-311, flt = -4.57576199e-10, seq = 0xd9aaffb8e20,
user = 0xd9aaffb8e20}, index = 0, bit_length = 0, bit_offset = 0 '\0'}
(gdb) print *ss->seq->elements[1]->seq
$4 = {capacity = 4096, used = 2229, arena = 0xd9a4abf4340,
elements = 0xd99c92e6018}
(gdb) print nr
$5 = 2238
(gdb) print base
$6 = 0
Edited by Sven M. Hallberg