[Poppler-bugs] [Bug 23074] New: buffer overflow in the Abiword backend
bugzilla-daemon at freedesktop.org
Sat Aug 1 06:27:59 PDT 2009
http://bugs.freedesktop.org/show_bug.cgi?id=23074
Summary: buffer overflow in the Abiword backend
Product: poppler
Version: unspecified
Platform: x86 (IA32)
OS/Version: Linux (All)
Status: NEW
Severity: normal
Priority: medium
Component: general
AssignedTo: poppler-bugs at lists.freedesktop.org
ReportedBy: ubanus at users.sf.net
(Tested with poppler 0.10.6)
The Abiword backend is susceptible to buffer overflows.
Proof of concept:
$ gdb pdftoabw
[snip]
(gdb) break ABWOutputDev::endWord()
Function "ABWOutputDev::endWord()" not defined.
Make breakpoint pending on future shared library load? (y or [n]) y
Breakpoint 1 (ABWOutputDev::endWord()) pending.
(gdb) run test.pdf /tmp/tmp
[snip]
Breakpoint 1, ABWOutputDev::endWord (this=0x97a12d0) at ABWOutputDev.cc:424
424 if (N_word) {
(gdb) cont
Continuing.
Breakpoint 1, ABWOutputDev::endWord (this=0x97a12d0) at ABWOutputDev.cc:424
424 if (N_word) {
(gdb) n
425 sprintf(buf, "%f", X2); xmlNewProp(N_word, BAD_CAST "X2", BAD_CAST buf);
(gdb) n
426 sprintf(buf, "%f", Y2); xmlNewProp(N_word, BAD_CAST "Y2", BAD_CAST buf);
(gdb) print sizeof buf
$1 = 20
(gdb) print strlen(buf)
$2 = 20
--
Configure bugmail: http://bugs.freedesktop.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
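
Added example, not part of the original report and not poppler's code: it measures how many bytes a "%f" conversion needs for a given coordinate and shows a bounded snprintf replacement that rejects values too long for the 20-byte buffer seen in the gdb session. The helper names, ABW_BUF_SIZE and the sample values are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <float.h>

#define ABW_BUF_SIZE 20  /* sizeof buf as printed in the gdb session */

/* Bytes that sprintf(buf, "%f", v) would write, including the NUL. */
static int f_bytes_needed(double v)
{
    int n = snprintf(NULL, 0, "%f", v);  /* C99: length only, writes nothing */
    return n < 0 ? -1 : n + 1;
}

/* Bounded formatter (hypothetical helper): returns 0 on success, -1 if the
 * text did not fit. On -1 dst holds a truncated string and must not be used. */
static int format_coord(char *dst, size_t dst_size, double v)
{
    int n = snprintf(dst, dst_size, "%f", v);
    return (n < 0 || (size_t)n >= dst_size) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample coordinates, not values taken from test.pdf.
     * 1e12 and -1e11 format to exactly 20 characters, the same strlen the
     * gdb session shows, so they need 21 bytes including the terminator. */
    const double samples[] = { 612.0, 1e12, -1e11, 1e13, DBL_MAX };
    char buf[ABW_BUF_SIZE];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int need = f_bytes_needed(samples[i]);
        int rc = format_coord(buf, sizeof buf, samples[i]);
        printf("%-14g needs %3d bytes, buffer is %d: %s\n",
               samples[i], need, ABW_BUF_SIZE,
               rc == 0 ? buf : "rejected (does not fit)");
    }
    return 0;
}
```

"%f" prints every integer digit of the value, so the required size depends on the magnitude of the coordinate and is not bounded by any small constant.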