Heap overflow in pspdf_transform_coords()

In `pspdf_transform_coords()`, in [ps-pdf.cxx](https://github.com/michaelrsweet/htmldoc/blob/master/htmldoc/ps-pdf.cxx), there is a heap buffer overflow:

```C
static void
pspdf_transform_coords(page_t *p,	// I - Page
                       float  &x,	// IO - X coordinate
		       float  &y)	// IO - Y coordinate
{
  float tx, ty;				// Temporary X and Y


  tx = x;
  ty = y;
  x  = tx * p->outmatrix[0][0] + ty * p->outmatrix[0][1] + p->outmatrix[0][2];
  y  = tx * p->outmatrix[1][0] + ty * p->outmatrix[1][1] + p->outmatrix[1][2];
}
```

The vulnerability is triggered in `pspdf_transform_coords()`, when accessing `page_t *p`, since it points to arbitrary memory. `page_t *p` is fetched from an array of `pages`, in the following code:

```C
2850    pspdf_transform_coords(pages + chapter_starts[0], x, y);
```

In this situation, the variable `num_pages = 10`, and `chapter_starts[0] = 10`, so `page_t *p` points to arbitrary memory, resulting in a heap overflow in `p->outmatrix[0][0]`.






I've attached [poc.zip](https://github.com/michaelrsweet/htmldoc/files/7871800/poc.zip) that can trigger the heap overflow.

## Steps to reproduce

```
$ unzip poc.zip
$ # Compiling htmldoc with -fsanitize=address,bounds
$ htmldoc -f output.pdf poc

=================================================================
==154271==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000003a6c at pc 0x55f5e8fc61a3 bp 0x7ffe27311790 sp 0x7ffe27311780
READ of size 4 at 0x621000003a6c thread T0
    #0 0x55f5e8fc61a2 in pspdf_transform_coords /home/fuzz/fuzzing/htmldoc/htmldoc/ps-pdf.cxx:1071
    #1 0x55f5e8fd13f9 in pdf_write_contents /home/fuzz/fuzzing/htmldoc/htmldoc/ps-pdf.cxx:2850
    #2 0x55f5e8fd2754 in pdf_write_contents /home/fuzz/fuzzing/htmldoc/htmldoc/ps-pdf.cxx:3002
    #3 0x55f5e8fce8f8 in pdf_write_document /home/fuzz/fuzzing/htmldoc/htmldoc/ps-pdf.cxx:2331
    #4 0x55f5e8fc519b in pspdf_export /home/fuzz/fuzzing/htmldoc/htmldoc/ps-pdf.cxx:910
    #5 0x55f5e8fa6caf in main /home/fuzz/fuzzing/htmldoc/htmldoc/htmldoc.cxx:1291
    #6 0x7f61ac24e0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #7 0x55f5e8f94bed in _start (/home/fuzz/fuzzing/htmldoc/fuzzing/analysis/htmldoc+0x57bed)

0x621000003a6c is located 380 bytes to the right of 4080-byte region [0x621000002900,0x6210000038f0)
allocated by thread T0 here:
    #0 0x7f61ad293bc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
    #1 0x55f5e900eec0 in check_pages /home/fuzz/fuzzing/htmldoc/htmldoc/ps-pdf.cxx:8850
    #2 0x55f5e8fc1ce8 in pspdf_export /home/fuzz/fuzzing/htmldoc/htmldoc/ps-pdf.cxx:636
    #3 0x55f5e8fa6caf in main /home/fuzz/fuzzing/htmldoc/htmldoc/htmldoc.cxx:1291
    #4 0x7f61ac24e0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/fuzz/fuzzing/htmldoc/htmldoc/ps-pdf.cxx:1071 in pspdf_transform_coords
```



Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Heap overflow in pspdf_transform_coords() #467

Steps to reproduce

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Uh oh!

Heap overflow in pspdf_transform_coords() #467

Description

Steps to reproduce

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions