[Poppler-bugs] [Bug 76442] New: Heap-buffer-overflow in TextPage::updateFont

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Fri Mar 21 04:10:09 PDT 2014


https://bugs.freedesktop.org/show_bug.cgi?id=76442

          Priority: medium
            Bug ID: 76442
          Assignee: poppler-bugs at lists.freedesktop.org
           Summary: Heap-buffer-overflow in TextPage::updateFont
          Severity: normal
    Classification: Unclassified
                OS: Linux (All)
          Reporter: a.husa at hushmail.com
          Hardware: x86-64 (AMD64)
            Status: NEW
           Version: unspecified
         Component: general
           Product: poppler

Created attachment 96152
  --> https://bugs.freedesktop.org/attachment.cgi?id=96152&action=edit
Fuzzed PDF file that causes heap-buffer-overflow

ASAN reports a heap-buffer-overflow when the malformed PDF file is opened.

Reproduced on Evince, Zathura and apvlv with Poppler version 0.24.5.

Distribution: Gentoo Linux 64bit
Evince version: 3.10.3
Zathura version: 0.2.1
Zathura-pdf-poppler version: 0.2.3

The malformed file is given as an attachment.

ASAN report:
==8131== ERROR: AddressSanitizer: heap-buffer-overflow on address
0x6004000cda11 at pc 0x7f91ae3434e1 bp 0x7f91ab918190 sp 0x7f91ab918188
READ of size 1 at 0x6004000cda11 thread T3 (pool)
    #0 0x7f91ae3434e0 (/usr/lib64/libpoppler.so.44.0.0+0x36a4e0)
    #1 0x7f91ae8f0bb7 (/usr/lib64/libpoppler-glib.so.8.6.0+0x4cbb7)
    #2 0x7f91ae215840 (/usr/lib64/libpoppler.so.44.0.0+0x23c840)
    #3 0x7f91ae1feb45 (/usr/lib64/libpoppler.so.44.0.0+0x225b45)
    #4 0x7f91ae1ff50f (/usr/lib64/libpoppler.so.44.0.0+0x22650f)
    #5 0x7f91ae2bb6d7 (/usr/lib64/libpoppler.so.44.0.0+0x2e26d7)
    #6 0x7f91ae8d8a92 (/usr/lib64/libpoppler-glib.so.8.6.0+0x34a92)
    #7 0x7f91aeb3fca4 (/usr/lib64/zathura/pdf.so+0x3ca4)
    #8 0x42f8b7 (/usr/bin/zathura+0x42f8b7)
    #9 0x7f91b6d6dea5 (/usr/lib64/libglib-2.0.so.0.3800.2+0x6fea5)
    #10 0x7f91b6d6d4e4 (/usr/lib64/libglib-2.0.so.0.3800.2+0x6f4e4)
    #11 0x7f91b8420c07 (/usr/lib64/libasan.so.0.0.0+0x18c07)
    #12 0x7f91b66e3f39 (/lib64/libpthread-2.17.so+0x8f39)
    #13 0x7f91b6120c3c (/lib64/libc-2.17.so+0xedc3c)
0x6004000cda11 is located 0 bytes to the right of 1-byte region
[0x6004000cda10,0x6004000cda11)
allocated by thread T3 (pool) here:
    #0 0x7f91b841d54a (/usr/lib64/libasan.so.0.0.0+0x1554a)
    #1 0x7f91ae11481d (/usr/lib64/libpoppler.so.44.0.0+0x13b81d)
    #2 0x7f91ae114e4e (/usr/lib64/libpoppler.so.44.0.0+0x13be4e)
    #3 0x7f91ae2218a1 (/usr/lib64/libpoppler.so.44.0.0+0x2488a1)
    #4 0x7f91ae22c9b3 (/usr/lib64/libpoppler.so.44.0.0+0x2539b3)
    #5 0x7f91ae22ce2d (/usr/lib64/libpoppler.so.44.0.0+0x253e2d)
    #6 0x7f91ae1e189c (/usr/lib64/libpoppler.so.44.0.0+0x20889c)
    #7 0x7f91ae1fcdcc (/usr/lib64/libpoppler.so.44.0.0+0x223dcc)
    #8 0x7f91ae2bafb0 (/usr/lib64/libpoppler.so.44.0.0+0x2e1fb0)
    #9 0x7f91ae2bb67b (/usr/lib64/libpoppler.so.44.0.0+0x2e267b)
    #10 0x7f91ae8d8a92 (/usr/lib64/libpoppler-glib.so.8.6.0+0x34a92)
    #11 0x7f91aeb3fca4 (/usr/lib64/zathura/pdf.so+0x3ca4)
    #12 0x7f91b6d6dea5 (/usr/lib64/libglib-2.0.so.0.3800.2+0x6fea5)
Thread T3 (pool) created by T0 here:
    #0 0x7f91b8412c5b (/usr/lib64/libasan.so.0.0.0+0xac5b)
    #1 0x7f91b6d88941 (/usr/lib64/libglib-2.0.so.0.3800.2+0x8a941)
Shadow bytes around the buggy address:
  0x0c0100011af0: fa fa fd fa fa fa 03 fa fa fa fd fa fa fa 03 fa
  0x0c0100011b00: fa fa fd fa fa fa 03 fa fa fa fd fa fa fa 03 fa
  0x0c0100011b10: fa fa fd fa fa fa 03 fa fa fa fd fa fa fa 03 fa
  0x0c0100011b20: fa fa fd fa fa fa 03 fa fa fa fd fa fa fa 03 fa
  0x0c0100011b30: fa fa fd fa fa fa 03 fa fa fa fd fa fa fa fd fa
=>0x0c0100011b40: fa fa[01]fa fa fa fd fa fa fa 03 fa fa fa fd fa
  0x0c0100011b50: fa fa 03 fa fa fa fd fa fa fa 03 fa fa fa fd fa
  0x0c0100011b60: fa fa 03 fa fa fa fd fa fa fa 03 fa fa fa fd fa
  0x0c0100011b70: fa fa 03 fa fa fa fd fa fa fa 03 fa fa fa fd fa
  0x0c0100011b80: fa fa 03 fa fa fa fd fa fa fa fd fd fa fa fd fa
  0x0c0100011b90: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:     fa
  Heap righ redzone:     fb
  Freed Heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==8131== ABORTING


gdb backtrace:
gdb$ bt
#0  __asan_report_error (pc=0x7fffead884e1, bp=0x7fffe835d190,
sp=0x7fffe835d188, addr=0x6004000cda11, is_write=0x0, access_size=0x1) at
../../.././libsanitizer/asan/asan_report.cc:628
#1  0x00007ffff4e5f7c4 in __asan::__asan_report_load1 (addr=<optimized out>) at
../../.././libsanitizer/asan/asan_rtl.cc:226
#2  0x00007fffead884e1 in TextPage::updateFont (this=0x60220000fe80,
state=state at entry=0x603c0001ea80) at
/var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/TextOutputDev.cc:2199
#3  0x00007fffeb335bb8 in CairoOutputDev::updateFont (this=0x603600004540,
state=0x603c0001ea80) at
/var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/CairoOutputDev.cc:624
#4  0x00007fffeac5a841 in Gfx::opShowText (this=0x60240007f5c0,
args=0x7fffe835d5a0, numArgs=<optimized out>) at
/var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/Gfx.cc:3742
#5  0x00007fffeac43b46 in Gfx::go (this=this at entry=0x60240007f5c0,
topLevel=topLevel at entry=0x1) at
/var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/Gfx.cc:712
#6  0x00007fffeac44510 in Gfx::display (this=this at entry=0x60240007f5c0,
obj=obj at entry=0x7fffe835d9d0, topLevel=topLevel at entry=0x1) at
/var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/Gfx.cc:678
#7  0x00007fffead006d8 in Page::displaySlice (this=0x6022000190c0,
out=out at entry=0x603600004540, hDPI=hDPI at entry=72, vDPI=vDPI at entry=72,
rotate=rotate at entry=0x0, useMediaBox=useMediaBox at entry=0x0,
crop=crop at entry=0x1, sliceX=sliceX at entry=0xffffffff,
sliceY=sliceY at entry=0xffffffff, sliceW=sliceW at entry=0xffffffff,
sliceH=sliceH at entry=0xffffffff, printing=printing at entry=0x0,
abortCheckCbk=abortCheckCbk at entry=0x0,
abortCheckCbkData=abortCheckCbkData at entry=0x0, annotDisplayDecideCbk=0x0,
annotDisplayDecideCbkData=annotDisplayDecideCbkData at entry=0x0,
copyXRef=copyXRef at entry=0x0) at
/var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/poppler/Page.cc:584
#8  0x00007fffeb31da93 in _poppler_page_render (page=0x605200035180,
cairo=0x604a0000f100, printing=<optimized out>, print_flags=<optimized out>) at
/var/tmp/portage/app-text/poppler-0.24.5/work/poppler-0.24.5/glib/poppler-page.cc:362
#9  0x00007fffeb584ca5 in pdf_page_render_cairo () from
/usr/lib64/zathura/pdf.so
#10 0x000000000042f8b8 in render (page=0x60080002a110, zathura=0x60260000f660)
at render.c:183
#11 render_job (data=0x60080002a110, user_data=0x60260000f660) at render.c:37
#12 0x00007ffff37b2ea6 in ?? () from /usr/lib64/libglib-2.0.so.0
#13 0x00007ffff37b24e5 in ?? () from /usr/lib64/libglib-2.0.so.0
#14 0x00007ffff4e65c08 in __asan::AsanThread::ThreadStart (this=0x7fffe835f000)
at ../../.././libsanitizer/asan/asan_thread.cc:99
#15 0x00007ffff3128f3a in start_thread (arg=0x7fffe835e700) at
pthread_create.c:308
#16 0x00007ffff2b65c3d in clone () at
../sysdeps/unix/sysv/linux/x86_64/clone.S:113


--
Antti Husa
Research Assistant, OUSPG
