[Poppler-bugs] [Bug 100775] New: poppler 0.54.0: memory leak in gmalloc
bugzilla-daemon at freedesktop.org
Mon Apr 24 16:22:28 UTC 2017
https://bugs.freedesktop.org/show_bug.cgi?id=100775
Bug ID: 100775
Summary: poppler 0.54.0: memory leak in gmalloc
Product: poppler
Version: unspecified
Hardware: All
OS: Linux (All)
Status: NEW
Severity: critical
Priority: medium
Component: utils
Assignee: poppler-bugs at lists.freedesktop.org
Reporter: haojunhou at gmail.com
Created attachment 131002
--> https://bugs.freedesktop.org/attachment.cgi?id=131002&action=edit
testcase
on poppler 0.54.0
The gmalloc function in gmem.cc:110 allows attackers to cause a denial
of service (memory leak) via a crafted file.
#pdfinfo $FILE
=================================================================
==39456==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 9 byte(s) in 1 object(s) allocated from:
#0 0x7f41c4bd3b58 in __interceptor_malloc
../../../../libsanitizer/asan/asan_malloc_linux.cc:62
#1 0x59ca1f in gmalloc
/home/haojun/Downloads/testopensourcecode/poppler/goo/gmem.cc:110
#2 0x59cab5 in gmalloc
/home/haojun/Downloads/testopensourcecode/poppler/goo/gmem.cc:120
#3 0x59cf90 in copyString
/home/haojun/Downloads/testopensourcecode/poppler/goo/gmem.cc:316
#4 0x516ef8 in Object::initCmd(char*)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/Object.h:152
#5 0x5169ee in Lexer::getObj(Object*, int)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/Lexer.cc:576
#6 0x52b76f in Parser::Parser(XRef*, Lexer*, bool)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/Parser.cc:53
#7 0x5861c7 in XRef::parseEntry(long long, XRefEntry*)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/XRef.cc:1606
#8 0x586eef in XRef::getEntry(int, bool)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/XRef.cc:1681
#9 0x5821de in XRef::fetch(int, int, Object*, int)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/XRef.cc:1167
#10 0x581e91 in XRef::getCatalog(Object*)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/XRef.cc:1147
#11 0x44e595 in Catalog::Catalog(PDFDoc*)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/Catalog.cc:110
#12 0x52e4a1 in PDFDoc::setup(GooString*, GooString*)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/PDFDoc.cc:285
#13 0x52db6c in PDFDoc::PDFDoc(GooString*, GooString*, GooString*, void*)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/PDFDoc.cc:169
#14 0x65191e in LocalPDFDocBuilder::buildPDFDoc(GooString const&,
GooString*, GooString*, void*)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/LocalPDFDocBuilder.cc:31
#15 0x53fd5e in PDFDocFactory::createPDFDoc(GooString const&, GooString*,
GooString*, void*)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/PDFDocFactory.cc:58
#16 0x4079c9 in main
/home/haojun/Downloads/testopensourcecode/poppler/utils/pdfinfo.cc:538
#17 0x7f41c2ecfb34 in __libc_start_main (/lib64/libc.so.6+0x21b34)
Direct leak of 9 byte(s) in 1 object(s) allocated from:
#0 0x7f41c4bd3b58 in __interceptor_malloc
../../../../libsanitizer/asan/asan_malloc_linux.cc:62
#1 0x59ca1f in gmalloc
/home/haojun/Downloads/testopensourcecode/poppler/goo/gmem.cc:110
#2 0x59cab5 in gmalloc
/home/haojun/Downloads/testopensourcecode/poppler/goo/gmem.cc:120
#3 0x59cf90 in copyString
/home/haojun/Downloads/testopensourcecode/poppler/goo/gmem.cc:316
#4 0x516ef8 in Object::initCmd(char*)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/Object.h:152
#5 0x5169ee in Lexer::getObj(Object*, int)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/Lexer.cc:576
#6 0x52b76f in Parser::Parser(XRef*, Lexer*, bool)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/Parser.cc:53
#7 0x5861c7 in XRef::parseEntry(long long, XRefEntry*)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/XRef.cc:1606
#8 0x586eef in XRef::getEntry(int, bool)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/XRef.cc:1681
#9 0x5821de in XRef::fetch(int, int, Object*, int)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/XRef.cc:1167
#10 0x582f44 in XRef::fetch(int, int, Object*, int)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/XRef.cc:1278
#11 0x581e91 in XRef::getCatalog(Object*)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/XRef.cc:1147
#12 0x44e595 in Catalog::Catalog(PDFDoc*)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/Catalog.cc:110
#13 0x52e4a1 in PDFDoc::setup(GooString*, GooString*)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/PDFDoc.cc:285
#14 0x52db6c in PDFDoc::PDFDoc(GooString*, GooString*, GooString*, void*)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/PDFDoc.cc:169
#15 0x65191e in LocalPDFDocBuilder::buildPDFDoc(GooString const&,
GooString*, GooString*, void*)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/LocalPDFDocBuilder.cc:31
#16 0x53fd5e in PDFDocFactory::createPDFDoc(GooString const&, GooString*,
GooString*, void*)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/PDFDocFactory.cc:58
#17 0x4079c9 in main
/home/haojun/Downloads/testopensourcecode/poppler/utils/pdfinfo.cc:538
#18 0x7f41c2ecfb34 in __libc_start_main (/lib64/libc.so.6+0x21b34)
SUMMARY: AddressSanitizer: 18 byte(s) leaked in 2 allocation(s).
The $FILE PoC is in the attachment.
Credit: The bug was discovered by Haojun Hou in ADLab of Venustech.
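Added example, not part of the original report or of poppler's code: a Python triage helper for LeakSanitizer output like the trace above. It skips allocator plumbing and groups leak records by the first frames that took ownership of the allocation, which shows that both 9-byte leaks share one allocation site (Object::initCmd reached from Lexer::getObj and Parser::Parser) rather than pointing at gmalloc itself. The WRAPPERS list, the function names and the abridged sample are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Allocation plumbing skipped when attributing a leak (list assumed for this trace).
WRAPPERS = {"__interceptor_malloc", "gmalloc", "copyString"}
LEAK = re.compile(r"(?:Direct|Indirect) leak of (\d+) byte")
FRAME = re.compile(r"#\d+ 0x[0-9a-f]+ in (.+) (\S+)$")

def parse(report):
    """Return one {'bytes': n, 'frames': [(function, location), ...]} per leak."""
    leaks = []
    for line in map(str.strip, report.splitlines()):
        if m := LEAK.match(line):
            leaks.append({"bytes": int(m.group(1)), "frames": []})
        elif (m := FRAME.match(line)) and leaks:
            leaks[-1]["frames"].append((m.group(1), m.group(2)))
    return leaks

def owner_frames(leak, depth=4):
    """First `depth` frames above the leading allocator wrappers."""
    frames = leak["frames"]
    while frames and frames[0][0].split("(")[0] in WRAPPERS:
        frames = frames[1:]
    return tuple(frames[:depth])

def bucket(report, depth=4):
    """Sum leaked bytes per distinct owner-frame signature."""
    totals = defaultdict(int)
    for leak in parse(report):
        totals[owner_frames(leak, depth)] += leak["bytes"]
    return dict(totals)

# Constructed sample: the report's two stacks, rejoined, paths shortened, tail frames cut.
_HEAD = "Direct leak of 9 byte(s) in 1 object(s) allocated from:\n"
_COMMON = """\
    #0 0x7f41c4bd3b58 in __interceptor_malloc asan_malloc_linux.cc:62
    #1 0x59ca1f in gmalloc goo/gmem.cc:110
    #2 0x59cab5 in gmalloc goo/gmem.cc:120
    #3 0x59cf90 in copyString goo/gmem.cc:316
    #4 0x516ef8 in Object::initCmd(char*) poppler/Object.h:152
    #5 0x5169ee in Lexer::getObj(Object*, int) poppler/Lexer.cc:576
    #6 0x52b76f in Parser::Parser(XRef*, Lexer*, bool) poppler/Parser.cc:53
    #7 0x5861c7 in XRef::parseEntry(long long, XRefEntry*) poppler/XRef.cc:1606
    #8 0x586eef in XRef::getEntry(int, bool) poppler/XRef.cc:1681
    #9 0x5821de in XRef::fetch(int, int, Object*, int) poppler/XRef.cc:1167
"""
SAMPLE = (_HEAD + _COMMON + "    #10 0x581e91 in XRef::getCatalog(Object*) poppler/XRef.cc:1147\n"
          + _HEAD + _COMMON + "    #10 0x582f44 in XRef::fetch(int, int, Object*, int) poppler/XRef.cc:1278\n"
          "    #11 0x581e91 in XRef::getCatalog(Object*) poppler/XRef.cc:1147\n")
print({sig[0][0]: n for sig, n in bucket(SAMPLE).items()})
```

Raising depth to 8 splits the two records again, because the second stack passes through XRef::fetch twice; a shallow signature is what groups them as one defect.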