[Poppler-bugs] [Bug 101540] New: Stack buffer overflow in GfxState.cc:4066, CVE-2017-9775

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Wed Jun 21 17:47:57 UTC 2017 

https://bugs.freedesktop.org/show_bug.cgi?id=101540

            Bug ID: 101540
           Summary: Stack buffer overflow in GfxState.cc:4066,
                    CVE-2017-9775
           Product: poppler
           Version: unspecified
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: medium
         Component: general
          Assignee: poppler-bugs at lists.freedesktop.org
          Reporter: foca at salesforce.com

This vulnerability has been reported privately. Albert Astals Cid already fixed
it in the following commit:
https://cgit.freedesktop.org/poppler/poppler/commit/?id=8f4ff8243a3d599ff2a6c08b1da389e606ba4fc9

The CVE-2017-9775 has been assigned to this vulnerability.

There is a stack based overflow. The vulnerability is in GfxState.cc:4066.

4065     for (i = 0; i < nComps; ++i) {
4066       out[i] = 0;
4067     }
The variable out is a stack variable with a defined size of 32 items:

#define gfxColorMaxComps funcMaxOutputs
...
#define funcMaxOutputs       32
This variable out is defined at the beginning of the getColor function:

4035 void GfxUnivariateShading::getColor(double t, GfxColor *color) {
4036   double out[gfxColorMaxComps];
4037   int i, nComps;
4038 
4039   // NB: there can be one function with n outputs or n functions with
4040   // one output each (where n = number of color components)
4041   nComps = nFuncs * funcs[0]->getOutputSize();
nComps is user controllable (in the PoC has the value 42), and it is used to
write into the variable out at GfxState.cc:4066.

4065     for (i = 0; i < nComps; ++i) {
4066       out[i] = 0;
4067     }
Parsing the file PoC.pdf 10 bytes of the stack are overwritten with 00.

Due to some restrictions in the lines after the bug, an attacker can't control
the values written in the stack so it unlikely this could lead to a code
execution.

A solution could be:
4065     for (i = 0; i < nComps && i < gfxColorMaxComps; ++i) {

This vulnerability has been found by Offensive Research at Salesforce.com:
Alberto Garcia (@algillera), Francisco Oca (@francisco_oca) & Suleman Ali
(@Salbei_)

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/poppler-bugs/attachments/20170621/266cfe7f/attachment.html>

More information about the Poppler-bugs mailing list