[Poppler-bugs] [Bug 101502] New: Uninitialized memory read in GfxState.cc:4041
bugzilla-daemon at freedesktop.org
bugzilla-daemon at freedesktop.org
Mon Jun 19 17:39:48 UTC 2017
https://bugs.freedesktop.org/show_bug.cgi?id=101502
Bug ID: 101502
Summary: Uninitialized memory read in GfxState.cc:4041
Product: poppler
Version: unspecified
Hardware: Other
OS: All
Status: NEW
Severity: normal
Priority: medium
Component: general
Assignee: poppler-bugs at lists.freedesktop.org
Reporter: foca at salesforce.com
Created attachment 132067
--> https://bugs.freedesktop.org/attachment.cgi?id=132067&action=edit
Proof of concept
There is a uninitialized memory read that leads to a Denial of Service.
The PoC crashes in the following line:
Program received signal SIGSEGV, Segmentation fault.
0x0000000000436480 in Function::getOutputSize (this=0x2f502f2052203020) at
Function.h:77
77 int getOutputSize() { return n; }
Just before call the function, GfxUnivariateShading::getColor at
GfxState.cc:4041
4041 nComps = nFuncs * funcs[0]->getOutputSize();
The variable funcs is an array of nFuncs elements. But in the PoC the number of
elements, nFuncs is 0, but still the code is accessing the first element,
funcs[0], using uninitialized memory data. The program is expecting to get a
pointer with funcs[0] and it crashes when it dereferences an invalid pointer.
The fix would be to check if there is at least one element before accessing the
first one:
4041 if (nFuncs >= 1)
4042 nComps = nFuncs * funcs[0]->getOutputSize();
PoC is attached.
This vulnerability has been found by Offensive Research at Salesforce.com:
Alberto Garcia (@algillera), Francisco Oca (@francisco_oca) & Suleman Ali
(@Salbei_)
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/poppler-bugs/attachments/20170619/e8346736/attachment.html>
More information about the Poppler-bugs
mailing list