[Poppler-bugs] [Bug 102605] New: NULL pointer dereference vulnerability in poppler 0.59.0 SplashOutputDev.cc

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Fri Sep 8 06:59:44 UTC 2017


https://bugs.freedesktop.org/show_bug.cgi?id=102605

            Bug ID: 102605
           Summary: NULL pointer dereference vulnerability in poppler
                    0.59.0 SplashOutputDev.cc
           Product: poppler
           Version: unspecified
          Hardware: x86-64 (AMD64)
                OS: Linux (All)
            Status: NEW
          Severity: major
          Priority: medium
         Component: general
          Assignee: poppler-bugs at lists.freedesktop.org
          Reporter: etovio at gmail.com

Created attachment 134068
  --> https://bugs.freedesktop.org/attachment.cgi?id=134068&action=edit
POC file of the vulnerability

A NULL pointer dereference vulnerability was found in poppler
SplashOutputDev.cc, in SplashOutputDev::type3D0(), which may lead to a potential
Denial of Service attack when handling malicious PDF files:

gzq at ubuntu:~/work/vul/poppler$ /home/gzq/install/poppler-dev/bin/pdftohtml -s
./mal-SplashOutputDev-cc-2719-2-12.pdf a
Syntax Error: Invalid XRef entry
Internal Error: xref num 12 not found but needed, try to reconstruct<0a>
Syntax Error: Invalid XRef entry
Syntax Error (1967): Unknown operator '<fc>q'
Syntax Error (2046): Dictionary key must be a name object
Syntax Error (1994): Too few (3) args to 'cm' operator
Page-1
Syntax Error (1967): Unknown operator '<fc>q'
Syntax Error (2046): Dictionary key must be a name object
Segmentation fault

We can debug the vulnerable application to learn the details:

gzq at ubuntu:~/work/vul/poppler$ gdb
.//home/gzq/install/poppler-dev/bin/pdftohtml
GNU gdb (Ubuntu 7.11.90.20161005-0ubuntu2) 7.11.90.20161005-git
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
.//home/gzq/install/poppler-dev/bin/pdftohtml: No such file or directory.
(gdb) r -s ./mal-SplashOutputDev-cc-2719-2-12.pdf a
Starting program:  -s ./mal-SplashOutputDev-cc-2719-2-12.pdf a
No executable file specified.
Use the "file" or "exec-file" command.
(gdb) q
gzq at ubuntu:~/work/vul/poppler$ gdb /home/gzq/install/poppler-dev/bin/pdftohtml 
GNU gdb (Ubuntu 7.11.90.20161005-0ubuntu2) 7.11.90.20161005-git
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /home/gzq/install/poppler-dev/bin/pdftohtml...done.
(gdb) r -s ./mal-SplashOutputDev-cc-2719-2-12.pdf a
Starting program: /home/gzq/install/poppler-dev/bin/pdftohtml -s
./mal-SplashOutputDev-cc-2719-2-12.pdf a
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Syntax Error: Invalid XRef entry
Internal Error: xref num 12 not found but needed, try to reconstruct<0a>
Syntax Error: Invalid XRef entry
Syntax Error (1967): Unknown operator '<fc>q'
Syntax Error (2046): Dictionary key must be a name object
Syntax Error (1994): Too few (3) args to 'cm' operator
Page-1
Syntax Error (1967): Unknown operator '<fc>q'
Syntax Error (2046): Dictionary key must be a name object

Program received signal SIGSEGV, Segmentation fault.
0x00005555555b8a17 in SplashOutputDev::type3D0 (this=0x5555559a3f20,
state=0x5555559b5b90, wx=200, wy=0) at SplashOutputDev.cc:2719
2719      t3GlyphStack->haveDx = gTrue;
(gdb) bt
#0  0x00005555555b8a17 in SplashOutputDev::type3D0 (this=0x5555559a3f20,
state=0x5555559b5b90, wx=200, wy=0) at SplashOutputDev.cc:2719
#1  0x00005555555fb041 in Gfx::go (this=this at entry=0x5555559a3720,
topLevel=topLevel at entry=false) at Gfx.cc:744
#2  0x00005555555fb57f in Gfx::display (this=this at entry=0x5555559a3720,
obj=obj at entry=0x7fffffffe230, topLevel=topLevel at entry=false) at Gfx.cc:706
#3  0x00005555555fb98a in Gfx::drawForm (this=0x5555559a3720,
str=0x7fffffffe230, resDict=<optimized out>, matrix=<optimized out>,
bbox=0x7fffffffe190, transpGroup=<optimized out>, softMask=false,
blendingColorSpace=0x0, isolated=false, knockout=false, alpha=false, 
    transferFunc=0x0, backdropColor=0x0) at Gfx.cc:4807
#4  0x0000555555602c48 in Gfx::drawAnnot (this=this at entry=0x5555559a3720,
str=str at entry=0x7fffffffe230, border=border at entry=0x0, aColor=0x0,
xMin=<optimized out>, yMin=<optimized out>, xMax=<optimized out>,
yMax=<optimized out>, rotate=<optimized out>) at Gfx.cc:5247
#5  0x00005555555ca630 in Annot::draw (this=0x5555559a3c40, gfx=0x5555559a3720,
printing=<optimized out>) at Annot.cc:1831
#6  0x000055555563167c in Page::displaySlice (this=0x5555559a33e0,
out=0x5555559a3f20, hDPI=<optimized out>, vDPI=<optimized out>, rotate=0,
useMediaBox=<optimized out>, crop=<optimized out>, sliceX=sliceX at entry=-1,
sliceY=-1, sliceW=-1, sliceH=-1, printing=false, 
    abortCheckCbk=0x0, abortCheckCbkData=0x0, annotDisplayDecideCbk=0x0,
annotDisplayDecideCbkData=0x0, copyXRef=false) at Page.cc:580
#7  0x0000555555631878 in Page::display (this=<optimized out>, out=<optimized
out>, hDPI=<optimized out>, vDPI=<optimized out>, rotate=<optimized out>,
useMediaBox=<optimized out>, crop=<optimized out>, printing=<optimized out>,
abortCheckCbk=0x0, 
    abortCheckCbkData=0x0, annotDisplayDecideCbk=0x0,
annotDisplayDecideCbkData=0x0, copyXRef=false) at Page.cc:483
#8  0x00005555555b0586 in main (argc=<optimized out>, argv=<optimized out>) at
pdftohtml.cc:410
(gdb) print t3GlyphStack
$1 = (T3GlyphStack *) 0x0

Here we can see that the pointer t3GlyphStack (of type T3GlyphStack *) is NULL,
which means it might not be initialized correctly when a malicious, crafted PDF
file is being handled.
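The backtrace shows the 'd0' operator reaching type3D0() from a form XObject drawn by an annotation, not from a Type 3 glyph description, so t3GlyphStack was never set. The following is an added, constructed C model of that situation (not poppler's code, and not the upstream fix): a tiny operator dispatcher in which 'b'/'e' stand in for beginType3Char()/endType3Char() and '0' for d0, with a handler that rejects d0 when no glyph is active instead of dereferencing a NULL pointer as line 2719 did.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the state involved in the crash, not poppler's code. */
typedef struct {
    bool haveDx;
    double wx, wy;
} T3GlyphStack;

typedef struct {
    T3GlyphStack *t3GlyphStack;  /* NULL unless a Type 3 glyph is being drawn */
    int rejected_d0;             /* how many d0 operators arrived outside one */
} OutputDev;

/* Hardened handler: the original dereferenced t3GlyphStack unconditionally
 * ("t3GlyphStack->haveDx = gTrue;"), so a d0 in any content stream crashed. */
bool type3D0(OutputDev *out, double wx, double wy) {
    if (out->t3GlyphStack == NULL) {
        fprintf(stderr, "Syntax Error: d0 outside a Type 3 glyph description\n");
        out->rejected_d0++;
        return false;
    }
    out->t3GlyphStack->haveDx = true;
    out->t3GlyphStack->wx = wx;
    out->t3GlyphStack->wy = wy;
    return true;
}

/* Minimal dispatcher: 'b' begins a glyph, 'e' ends it, '0' is d0. The stream
 * is file-controlled, so d0 can appear anywhere; returns accepted d0 count. */
int run_stream(const char *ops, OutputDev *out) {
    T3GlyphStack frame = {0};
    int accepted = 0;
    for (; *ops; ops++) {
        switch (*ops) {
        case 'b': out->t3GlyphStack = &frame; break;
        case 'e': out->t3GlyphStack = NULL; break;
        case '0': accepted += type3D0(out, 200, 0) ? 1 : 0; break;
        default:  break;  /* unknown operators are skipped, as in the log */
        }
    }
    return accepted;
}

/* Convenience wrappers for checking a constructed stream. */
int accepted_in(const char *ops) { OutputDev d = {0}; return run_stream(ops, &d); }
int rejected_in(const char *ops) { OutputDev d = {0}; run_stream(ops, &d); return d.rejected_d0; }
```

The stream "0" models the crashing file (d0 with no glyph active); "b0e" models the legitimate case inside a Type 3 charproc.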

This vulnerability has been reproduced in both the latest stable release 0.59.0
and the latest code in the repository.

A PDF file has been attached to help reproduce this vulnerability.
