[Poppler-bugs] [Bug 69434] New: segmentation fault (and probable stack smashing) in pdfseparate

bugzilla-daemon at freedesktop.org
Mon Sep 16 11:25:49 PDT 2013


https://bugs.freedesktop.org/show_bug.cgi?id=69434

          Priority: medium
            Bug ID: 69434
          Assignee: poppler-bugs at lists.freedesktop.org
           Summary: segmentation fault (and probable stack smashing) in
                    pdfseparate
          Severity: normal
    Classification: Unclassified
                OS: All
          Reporter: dkg at fifthhorseman.net
          Hardware: Other
            Status: NEW
           Version: unspecified
         Component: utils
           Product: poppler

originally reported at http://bugs.debian.org/723124 --

utils/pdfseparate.cc appears to invoke sprintf directly on user-passed
data without cleaning or verifying it.

bool extractPages (const char *srcFileName, const char *destFileName) {
  char pathName[1024];
  /* ... */
  /* destFileName comes straight from argv and is used as the format string */
  sprintf (pathName, destFileName, pageNo);

This means that an attacker able to control the arguments passed to
pdfseparate, and who can make one of the arguments a multipage pdf,
can probably smash the stack.

A) they could provide a srcFileName long enough to overflow pathName.
   this will write to arbitrary memory.

B) they could provide a destFileName with other sprintf placeholders
   besides %d, which would effectively be invoked while pointing to
   uninitialized memory.

easy segfault:

 pdfseparate multipage.pdf test-%s-%d.pdf

I haven't tried to turn this into an exploit, but I'm sure someone
with more time, patience, and cleverness than me could do so.

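The two scenarios in the report (an over-long result overflowing pathName[1024], and extra conversions such as %s or %n in destFileName being fed to sprintf) both come from the same root cause: user input is used as the format string. The following is an added example, written for this page and not poppler's own code or its eventual fix; the function names (build_page_path, expands_to, pattern_status), the 32-byte demo buffer and the accepted pattern grammar (exactly one %d, optionally zero-padded to a width of at most 9, with %% as a literal percent) are assumptions. It expands the user's pattern itself instead of handing it to sprintf, rejects every other conversion, and bounds-checks each write, so a pattern like the reporter's test-%s-%d.pdf is refused rather than interpreted.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not poppler's code.  Safe replacement for
 *     sprintf(pathName, destFileName, pageNo);
 * where destFileName is attacker-controlled.  The user's string is never
 * used as a format: exactly one "%d" (optionally "%0Nd", N <= 9) is
 * expanded to pageNo, "%%" becomes '%', any other '%' sequence is rejected,
 * and every write is checked against outlen.  Returns 0 on success,
 * -1 for a rejected pattern, -2 if the result (plus NUL) would not fit.
 */
int build_page_path(char *out, size_t outlen, const char *pattern, int pageNo)
{
    size_t pos = 0;
    int seen_d = 0;

    if (out == NULL || outlen == 0 || pattern == NULL)
        return -1;

    for (const char *p = pattern; *p != '\0'; p++) {
        if (*p != '%') {                       /* literal character */
            if (pos + 1 >= outlen)
                return -2;                     /* keep room for the NUL */
            out[pos++] = *p;
            continue;
        }
        p++;                                   /* look past the '%' */
        if (*p == '%') {                       /* "%%" -> literal '%' */
            if (pos + 1 >= outlen)
                return -2;
            out[pos++] = '%';
            continue;
        }
        /* Optional '0' flag and width digits, then a mandatory 'd'. */
        int zero = 0, width = 0;
        if (*p == '0') {
            zero = 1;
            p++;
        }
        while (*p >= '0' && *p <= '9') {
            width = width * 10 + (*p - '0');
            if (width > 9)
                return -1;                     /* cap padding width */
            p++;
        }
        if (*p != 'd' || seen_d)
            return -1;                         /* %s, %n, %x, a second %d, ... */
        seen_d = 1;
        /* The format string here is ours; only width and pageNo vary. */
        int n = zero ? snprintf(out + pos, outlen - pos, "%0*d", width, pageNo)
                     : snprintf(out + pos, outlen - pos, "%*d", width, pageNo);
        if (n < 0 || (size_t)n >= outlen - pos)
            return -2;
        pos += (size_t)n;
    }
    if (!seen_d)
        return -1;                             /* every page would hit one file */
    out[pos] = '\0';
    return 0;
}

/* Demo helper: expand `pattern` into a deliberately small 32-byte buffer
 * and report whether the result equals `expected` (1) or not (0). */
int expands_to(const char *pattern, int pageNo, const char *expected)
{
    char buf[32];
    if (build_page_path(buf, sizeof buf, pattern, pageNo) != 0)
        return 0;
    return strcmp(buf, expected) == 0;
}

/* Demo helper: status code for `pattern` against a buffer of `outlen`
 * bytes (capped at 1024 to mirror pdfseparate's pathName[1024]). */
int pattern_status(const char *pattern, int pageNo, size_t outlen)
{
    char buf[1024];
    if (outlen > sizeof buf)
        outlen = sizeof buf;
    return build_page_path(buf, outlen, pattern, pageNo);
}

int main(void)
{
    /* Constructed inputs: the reporter's crashing pattern plus benign ones. */
    const char *patterns[] = { "page-%d.pdf", "page-%03d.pdf", "test-%s-%d.pdf",
                               "page.pdf", "%d-%d.pdf", "100%%-%d.pdf" };
    for (size_t i = 0; i < sizeof patterns / sizeof patterns[0]; i++) {
        char buf[1024];
        int rc = build_page_path(buf, sizeof buf, patterns[i], 7);
        printf("%-16s -> rc=%d %s\n", patterns[i], rc, rc == 0 ? buf : "(rejected)");
    }
    return 0;
}
```

Refusing the pattern up front is preferable to sanitising it into a sprintf call: the caller can report a usable error to the user, and there is no format-string interpretation left for a later audit to worry about. The truncation return (-2) is what closes the overflow case; the caller must treat it as an error rather than silently writing a shortened path.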