[PATCH] Fix segmentation fault in dvipdfmx's pdfparse.c when handling object streams
Shuqiao Zhang
stevenjoezhang at gmail.com
Fri Apr 4 05:24:07 CEST 2025
Hi Karl,
Thank you for the response, and apologies — this was my first time reaching
out via mailing list, and I’ll make sure to use the correct mailing list in
the future.
The issue I encountered happened when using `\includegraphics` in TeX to
import another PDF file. I’ve attached the related `.xdv` file and the PDF
being included. (Note that the `.xdv` file may contain references to fonts
included in the TeX Live 2025 environment, so it might require a full
installation to reproduce the issue.)
The segmentation fault occurs during the following command executed by
latexmk:
xdvipdfmx -q -E -o "build/main.pdf" "build/main.xdv"
Here is the version information:
$ latexmk --version
Latexmk, John Collins, 27 Dec. 2024. Version 4.86a
$ xdvipdfmx --version
This is xdvipdfmx Version 20250205 by the DVIPDFMx project team,
modified for TeX Live,
an extended version of DVIPDFMx, which in turn was
an extended version of dvipdfm-0.13.2c developed by Mark A. Wicks.
Copyright (C) 2002-2025 the DVIPDFMx project team
Copyright (C) 2006-2025 SIL International.
This is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
$ uname -a
Linux epyc 6.8.0-56-generic #58-Ubuntu SMP PREEMPT_DYNAMIC Fri Feb 14 15:33:28 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 24.04.2 LTS
Release: 24.04
Codename: noble
I hope this helps in reproducing the issue. For the functions related to
the bug I discovered during debugging, please refer to the previous email.
Additionally, it seems that this problem is also influenced by heap memory
layout, which means there's a chance that xdvipdfmx doesn't crash if the
out-of-bounds pointer happens to fall on a valid memory page. I repeated
the command 10 times (on Ubuntu 24.04), and in 8 of them, xdvipdfmx
crashed. I also ran tests on other systems, using freshly installed TeX Live
2025: the crash also happens on macOS with Intel x86-64 architecture (macOS
13.6.6 22G630), but on macOS with Apple Silicon (macOS 15.3.2 24D81),
xdvipdfmx works fine.
Best regards,
Shuqiao Zhang
Karl Berry <karl at freefriends.org> wrote on Fri, Apr 4, 2025 at 05:12:
> Hi Shuqiao - thanks much for the report and patch. Please, please,
> provide the .xdv file that causes the crash. Otherwise we cannot verify
> it or make a test case.
>
> Also, for the future, (x)dvipdfm(x) reports are best sent to
> dvipdfmx at tug.org, not the general tex-live list. There's no need to
> resend this one, though.
>
> Thanks,
> Karl
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: main.xdv
Type: application/octet-stream
Size: 54824 bytes
Desc: not available
URL: <https://tug.org/pipermail/tex-live/attachments/20250404/c103cbc1/attachment-0001.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rpki-ecosystem.drawio.pdf
Type: application/pdf
Size: 247372 bytes
Desc: not available
URL: <https://tug.org/pipermail/tex-live/attachments/20250404/c103cbc1/attachment-0001.pdf>