[PATCH] Fix segmentation fault in dvipdfmx's pdfparse.c when handling object streams
Shuqiao Zhang
stevenjoezhang at gmail.com
Thu Apr 3 08:03:46 CEST 2025
Dear TeX Live team,
I encountered a segmentation fault while compiling a TeX document using
`latexmk`. The issue occurred during the conversion from `.xdv` to `.pdf`
by `xdvipdfmx`.
```
$ xdvipdfmx -q -E -o "build/main.pdf" "build/main.xdv"
[1] 1747013 segmentation fault (core dumped) xdvipdfmx -q -E -o
"build/main.pdf" "build/main.xdv"
```
After pulling the latest TeX Live source and building in debug mode, I
traced the fault to an out-of-bounds read in the `skip_white` function in
`texk/dvipdfm-x/pdfparse.c`. This function attempts to skip whitespace
characters in the address range between `start` and `end`, but in this case the
`end` pointer was invalid and pointed outside of the actual stream buffer.
As the `start` pointer incremented, it eventually dereferenced an invalid
address, causing the crash.
Looking at the caller, the faulty `end` pointer originates from the
`pdf_get_object` function in `texlive/texk/dvipdfm-x/pdfobj.c`.
Specifically, the expression on line 3648:
```c
q = p + (index == n-1 ? length : first + data[2*index+3]);
```
It calculates q relative to the start of the stream buffer (p), rather than
the base pointer returned by pdf_stream_dataptr(objstm). This results in a
pointer that may exceed the stream's actual bounds.
I propose the following fix:
```c
q = (const char *) pdf_stream_dataptr(objstm) + (index == n-1 ? length :
first + data[2*index+3]);
```
This correction ensures that q stays within the valid memory range of the
object stream. After applying this fix, I rebuilt and re-ran
xdvipdfmx with latexmk, and the segmentation fault no longer occurs.
Please find the patch attached. Let me know if any further changes or tests
are needed.
Best regards,
Shuqiao Zhang
<stevenjoezhang at gmail.com>
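The bounds problem described in the report, as an added example that is not the reporter's patch or dvipdfmx code: the end offset of an object inside an object stream computed relative to the object's own start (the buggy shape) beside the same computation relative to the stream base, and a slicing routine that rejects any range the header points outside the buffer. The header layout (`hdr[0]` = N, `hdr[1]` = First, then N objnum/offset pairs) and the sample buffer are assumptions for illustration, not the layout of `pdfobj.c`.

```c
/* Added example (not dvipdfmx's code): slicing one object out of a PDF object
 * stream with the end computed from the buffer base, plus a bounds check.
 * Assumed header layout (modelled on the report, not taken from pdfobj.c):
 * hdr[0] = N, hdr[1] = First, then N (objnum, offset-from-First) pairs. */
#include <stddef.h>
#include <string.h>

typedef struct { const char *start; const char *end; } obj_slice;

static long obj_offset(const long *hdr, long i) { return hdr[2*i + 3]; }

/* Buggy shape from the report: the end is added to the object's own start,
 * so First+offset is counted twice. Returned as an offset from base so the
 * overshoot can be compared safely without forming a wild pointer. */
long end_off_relative_to_start(size_t length, const long *hdr, long index)
{
    long n = hdr[0], first = hdr[1];
    long p = first + obj_offset(hdr, index);
    return p + (index == n - 1 ? (long) length : first + obj_offset(hdr, index + 1));
}

/* Fixed shape: the end is an offset from the stream base. */
long end_off_relative_to_base(size_t length, const long *hdr, long index)
{
    long n = hdr[0], first = hdr[1];
    return index == n - 1 ? (long) length : first + obj_offset(hdr, index + 1);
}

/* Returns 1 and fills *out only if object `index` lies inside [base, base+length]
 * and start <= end; a header that points outside the buffer is rejected
 * before any parser walks the range. */
int objstm_slice(const char *base, size_t length, const long *hdr, long index,
                 obj_slice *out)
{
    long n = hdr[0], first = hdr[1];
    if (n <= 0 || first < 0 || index < 0 || index >= n) return 0;
    long p = first + obj_offset(hdr, index);
    long q = end_off_relative_to_base(length, hdr, index);
    if (p < 0 || q < p || (size_t) q > length) return 0;
    out->start = base + p;
    out->end   = base + q;
    return 1;
}

/* Constructed sample: parsed header for a 2-object stream whose data area
 * starts at byte 8 ("<<>>" at offset 0, "[1 2]" at offset 4). */
static const char SAMPLE_BUF[] = "1 0 2 4 <<>>[1 2]";
#define SAMPLE_LEN (sizeof SAMPLE_BUF - 1)
static const long SAMPLE_HDR[] = { 2, 8, 1, 0, 2, 4 };
```

On the sample, the buggy form places the end of object 0 at offset 20 of a 17-byte buffer, which is exactly the kind of pointer `skip_white` would then walk past.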
A non-text attachment was scrubbed...
Name: fix_pdf_get_object_overflow.patch
Type: application/octet-stream
Size: 529 bytes
Desc: not available
URL: <https://tug.org/pipermail/tex-live/attachments/20250403/bdca8bdf/attachment-0001.obj>