<html>
    <head>
      <base href="https://bugs.freedesktop.org/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - Memory Corruption while processing Blend Mode"
   href="https://bugs.freedesktop.org/show_bug.cgi?id=93476">93476</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>Memory Corruption while processing Blend Mode
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>poppler
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>unspecified
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>x86 (IA32)
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>other
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>major
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>medium
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>general
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>poppler-bugs@lists.freedesktop.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>Hanafie.Nuruddin@f13-labs.net
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Created <span class=""><a href="attachment.cgi?id=120651" name="attach_120651" title="Test case (PoC, crashdump, stack trace)">attachment 120651</a> <a href="attachment.cgi?id=120651&action=edit" title="Test case (PoC, crashdump, stack trace)">[details]</a></span>
Test case (PoC, crashdump, stack trace)

Hi,

We found a memory corruption during fuzzing in a different type of PDF reader /
viewer. Upon analysis, we found that the bug leads to the libpoppler library. The issue
happened when "ExtGState" is not a valid blend mode. We noticed this is related
to a security issue. We have attached all the information needed for your
testing.

Our lab test: Ubuntu 14.04.3 LTS (trusty)
PDF viewer / reader: diffpdf, evince, gpdftext, pdf-presenter-console, xpdf,
zathura_viewer, qpdfview


Example testing:

labs@autobot:~/warez/pdf$ qpdfview crash.pdf 
"Error (10431): Invalid blend mode in ExtGState" 
*** Error in `qpdfview': malloc(): memory corruption: 0xb217ca10 ***
Aborted

Code:

GBool Gfx::checkTransparencyGroup(Dict *resDict) {
  // check the effect of compositing objects as a group:
  // look for ExtGState entries with ca != 1 or CA != 1 or BM != normal
  Object extGStates;
  GBool transpGroup = gFalse;
  double opac;

  if (resDict == NULL)
    return gFalse;
  pushResources(resDict);
  resDict->lookup("ExtGState", &extGStates);
  if (extGStates.isDict()) {
    Dict *dict = extGStates.getDict();
    for (int i = 0; i < dict->getLength() && !transpGroup; i++) {
      Object obj1, obj2;
      GfxBlendMode mode;

      if (res->lookupGState(dict->getKey(i), &obj1) && obj1.isDict()) {
        if (!obj1.dictLookup("BM", &obj2)->isNull()) { 
          if (state->parseBlendMode(&obj2, &mode)) { // failed processing blend mode
            if (mode != gfxBlendNormal)        // true
              transpGroup = gTrue;
          } else {    // 
            error(errSyntaxError, getPos(), "Invalid blend mode in ExtGState");
          }
        }


Thanks!</pre>
        </div>
      </p>
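<p>Added example, not part of the report and not poppler code: a small Python triage script that scans uncompressed PDF objects for <code>/BM</code> entries whose names fall outside the blend modes defined by the PDF specification, the kind of check used to sort a fuzz corpus before files are opened in a viewer. The sample PDF fragment (<code>SAMPLE_PDF</code>) and the function names are constructed for this example; objects inside compressed streams are not handled.</p>

```python
import re

# Blend mode names defined by the PDF specification (ISO 32000-1, standard blend modes).
STANDARD_BLEND_MODES = {
    "Normal", "Compatible", "Multiply", "Screen", "Overlay", "Darken", "Lighten",
    "ColorDodge", "ColorBurn", "HardLight", "SoftLight", "Difference",
    "Exclusion", "Hue", "Saturation", "Color", "Luminosity",
}

# /BM may be a single name or an array of names; capture the raw value, either a
# bracketed array or one name token. Only uncompressed objects are visible this way.
BM_RE = re.compile(rb"/BM\s*(\[[^\]]*\]|/[^\s/>\[\]]+)")
NAME_RE = re.compile(rb"/([^\s/>\[\]]+)")


def find_blend_modes(pdf_bytes: bytes):
    """Return a list of (raw_value, names) for every /BM entry found."""
    results = []
    for m in BM_RE.finditer(pdf_bytes):
        raw = m.group(1)
        names = [n.decode("latin-1") for n in NAME_RE.findall(raw)]
        results.append((raw.decode("latin-1"), names))
    return results


def invalid_blend_modes(pdf_bytes: bytes):
    """Return raw /BM values containing a name outside the standard set.
    An empty array is reported too, since it carries no usable mode."""
    bad = []
    for raw, names in find_blend_modes(pdf_bytes):
        if not names or any(n not in STANDARD_BLEND_MODES for n in names):
            bad.append(raw)
    return bad


# Constructed sample: a minimal uncompressed PDF fragment with three ExtGState
# entries; /GS2 carries a bogus blend mode name and /GS3 an array containing one.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /ExtGState /BM /Multiply /ca 0.5 >> endobj
2 0 obj << /Type /ExtGState /BM /NotABlendMode >> endobj
3 0 obj << /Type /ExtGState /BM [ /Normal /Bogus ] /CA 1 >> endobj
%%EOF
"""

if __name__ == "__main__":
    for raw in invalid_blend_modes(SAMPLE_PDF):
        print("suspicious /BM value:", raw)
```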
    </body>
</html>