[Poppler-bugs] [Bug 102601] New: NULL pointer dereference vulnerability in poppler 0.59.0 Annot.cc

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Fri Sep 8 03:55:17 UTC 2017


https://bugs.freedesktop.org/show_bug.cgi?id=102601

            Bug ID: 102601
           Summary: NULL pointer dereference vulnerability in poppler
                    0.59.0 Annot.cc
           Product: poppler
           Version: unspecified
          Hardware: x86-64 (AMD64)
                OS: Linux (All)
            Status: NEW
          Severity: major
          Priority: medium
         Component: general
          Assignee: poppler-bugs at lists.freedesktop.org
          Reporter: etovio at gmail.com

Created attachment 134064
  --> https://bugs.freedesktop.org/attachment.cgi?id=134064&action=edit
POC file of the vulnerability.

A NULL pointer dereference vulnerability was found in Annot.cc
AnnotRichMedia::Content::Content(), which may lead to a potential denial of
service attack when processing malicious PDF files:

gzq at ubuntu:~/work/vul/poppler$ /home/gzq/install/poppler/bin/pdfinfo
./mal-annot-cc-6577-2-07.pdf 
Tagged:         no
UserProperties: no
Suspects:       no
Form:           none
Syntax Error (1611): Dictionary key must be a name object
Syntax Error (1613): Dictionary key must be a name object
Syntax Error (1615): Dictionary key must be a name object
Syntax Error: Unterminated string
Syntax Error: End of file inside array
Syntax Error: End of file inside dictionary
Segmentation fault

We can debug the vulnerable applications to learn about details:

gzq at ubuntu:~/work/vul/poppler$ gdb /home/gzq/install/poppler/bin/pdfinfo
GNU gdb (Ubuntu 7.11.90.20161005-0ubuntu2) 7.11.90.20161005-git
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /home/gzq/install/poppler/bin/pdfinfo...done.
(gdb) r ./mal-annot-cc-6577-2-07.pdf
Starting program: /home/gzq/install/poppler/bin/pdfinfo
./mal-annot-cc-6577-2-07.pdf
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Tagged:         no
UserProperties: no
Suspects:       no
Form:           none
Syntax Error (1611): Dictionary key must be a name object
Syntax Error (1613): Dictionary key must be a name object
Syntax Error (1615): Dictionary key must be a name object
Syntax Error: Unterminated string
Syntax Error: End of file inside array
Syntax Error: End of file inside dictionary

Program received signal SIGSEGV, Segmentation fault.
AnnotRichMedia::Content::Content (this=0x555555c0f490, dict=<optimized out>) at
Annot.cc:6577
6577            assets[counter] = new AnnotRichMedia::Asset;
(gdb) bt
#0  AnnotRichMedia::Content::Content (this=0x555555c0f490, dict=<optimized
out>) at Annot.cc:6577
#1  0x0000555555606625 in AnnotRichMedia::initialize (this=0x555555c0f6d0,
docA=<optimized out>, dict=0x555555c0f820) at Annot.cc:6449
#2  0x0000555555609162 in Annots::createAnnot (this=this at entry=0x555555c0dda0,
dictObject=dictObject at entry=0x7fffffffe0a0, obj=obj at entry=0x7fffffffe0b0) at
Annot.cc:6926
#3  0x00005555556096dd in Annots::Annots (this=0x555555c0dda0, docA=<optimized
out>, page=1, annotsObj=0x7fffffffe110) at Annot.cc:6817
#4  0x000055555575f106 in Page::getAnnots (this=this at entry=0x555555c0f040,
xrefA=xrefA at entry=0x0) at Page.cc:374
#5  0x00005555555bb2f7 in JSInfo::scan (this=0x7fffffffe230, nPages=1) at
JSInfo.cc:176
#6  0x00005555555b3f34 in printInfo (doc=0x555555c0de40, uMap=<optimized out>,
filesize=2666, multiPage=false) at pdfinfo.cc:487
#7  0x00005555555af20f in main (argc=<optimized out>, argv=<optimized out>) at
pdfinfo.cc:748
(gdb) p assets
$1 = (AnnotRichMedia::Asset **) 0x0
(gdb) p nAssets
$2 = 0

nAssets may be 0 when crafted PDF files are being handled, and thus the assets
pointer may be null.

This vulnerability has been reproduced in both the latest stable release 0.59.0
and the latest code in the repository. Evince and xpdf are also affected.

A PDF file has been attached to help reproduce this vulnerability.
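The failure mode the report describes is a count/length mismatch: the allocation is sized from one quantity (nAssets, which can be 0 and then yields a null array) while the fill loop is driven by another, so `assets[counter] = new ...` stores through NULL. The following is an added example, not Poppler's code; it uses a constructed, simplified model of the /Assets name tree (an array of alternating name/stream entries) to show, first, arithmetic that predicts whether the unsafe pattern would fault on a given input, and second, a hardened builder that sizes its result from what it actually consumes and never indexes an unallocated array. `Entry`, `Asset`, `unsafeFillWouldFault` and `buildAssets` are hypothetical names chosen for this illustration.

```cpp
#include <cstddef>
#include <memory>
#include <string>
#include <vector>

// Constructed model (not Poppler's data structures) of the /Names array inside a
// RichMedia /Assets name tree: it is supposed to alternate (string name, stream)
// pairs, but a crafted file can supply any length and any element kinds.
struct Entry {
    enum Kind { String, Stream, Other } kind;
    std::string text;  // the name for String entries, a label for Stream entries
};

struct Asset {
    std::string name;
    std::string stream;
};

// Mirrors the arithmetic of the crashing pattern without performing the store:
// the allocation size is derived as pairs = len / 2 (a zero-size allocation
// yields a null pointer), yet the fill loop walks every entry and writes
// assets[counter] for each name it sees. Returns true when that loop would
// store through NULL (nAssets == 0) or past the allocation (counter >= nAssets).
bool unsafeFillWouldFault(const std::vector<Entry>& names) {
    const std::size_t nAssets = names.size() / 2;  // what would be allocated
    std::size_t counter = 0;                        // what would be written
    for (std::size_t i = 0; i < names.size(); ++i) {
        if (names[i].kind != Entry::String) continue;
        // assets[counter] = new Asset;   <-- the faulting store in the report
        if (nAssets == 0 || counter >= nAssets) return true;
        ++counter;
    }
    return false;
}

// Hardened builder: the result grows only as well-formed pairs are consumed, so
// there is no separately computed count to disagree with the loop, no raw array
// that may be null, and malformed pairs are skipped rather than indexed.
std::vector<std::unique_ptr<Asset>> buildAssets(const std::vector<Entry>& names) {
    std::vector<std::unique_ptr<Asset>> assets;
    if (names.size() < 2) return assets;  // nothing to pair up: no array to index
    for (std::size_t i = 0; i + 1 < names.size(); i += 2) {
        const Entry& key = names[i];
        const Entry& val = names[i + 1];
        if (key.kind != Entry::String || val.kind != Entry::Stream) continue;
        auto a = std::make_unique<Asset>();
        a->name = key.text;
        a->stream = val.text;
        assets.push_back(std::move(a));
    }
    return assets;
}

int main() {
    // Constructed inputs: a single dangling name (the shape that makes the
    // derived count 0) and a well-formed pair.
    const std::vector<Entry> dangling{{Entry::String, "only"}};
    const std::vector<Entry> wellFormed{{Entry::String, "a"}, {Entry::Stream, "s"}};
    const bool faults = unsafeFillWouldFault(dangling);
    const auto safe = buildAssets(dangling);
    const auto good = buildAssets(wellFormed);
    return (faults && safe.empty() && good.size() == 1) ? 0 : 1;
}
```

Compile with a C++14 or newer compiler (`std::make_unique`). The predicate is a triage aid for a defender reading such a trace: it states the invariant the original code lacked (every index written must be below the size actually allocated), and the builder shows the shape of a fix that makes that invariant hold by construction rather than by an extra check.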
