[Poppler-bugs] [Bug 102607] New: NULL pointer dereference vulnerability in poppler 0.59.0 Annot.cc AnnotRichMedia::Configuration::Configuration()
bugzilla-daemon at freedesktop.org
Fri Sep 8 07:37:27 UTC 2017
https://bugs.freedesktop.org/show_bug.cgi?id=102607
            Bug ID: 102607
           Summary: NULL pointer dereference vulnerability in poppler 0.59.0 Annot.cc AnnotRichMedia::Configuration::Configuration()
           Product: poppler
           Version: unspecified
          Hardware: x86-64 (AMD64)
                OS: Linux (All)
            Status: NEW
          Severity: major
          Priority: medium
         Component: general
          Assignee: poppler-bugs at lists.freedesktop.org
          Reporter: etovio at gmail.com
Created attachment 134071
--> https://bugs.freedesktop.org/attachment.cgi?id=134071&action=edit
POC file of the vulnerability
A NULL pointer dereference vulnerability was found in poppler Annot.cc
AnnotRichMedia::Configuration::Configuration() which may lead to potential
Denial of Service attack when handling malicious PDF files:
gzq at ubuntu:~/work/vul/poppler$ /home/gzq/install/poppler-dev/bin/pdftohtml -s ./mal-Annot-cc-6770-3-16.pdf a
Syntax Error: End of file inside dictionary
Syntax Warning: No valid XRef size in trailer
Syntax Error (1884): Dictionary key must be a name object
Syntax Error: Unterminated string
Syntax Error: End of file inside array
Syntax Error: End of file inside dictionary
Syntax Error: End of file inside array
Syntax Error: End of file inside dictionary
Segmentation fault
The Configuration() function code is as below:

AnnotRichMedia::Configuration::Configuration(Dict *dict)
{
  Object obj1 = dict->lookup("Instances");
  if (obj1.isArray()) {
    nInstances = obj1.arrayGetLength();
    instances = (Instance **)gmallocn(nInstances, sizeof(Instance *));
    for (int i = 0; i < nInstances; ++i) {
      Object obj2 = obj1.arrayGet(i);
      if (obj2.isDict()) {
        instances[i] = new AnnotRichMedia::Instance(obj2.getDict());
      } else {
        instances[i] = NULL;
      }
    }
  } else {
    instances = NULL;
  }

  obj1 = dict->lookup("Name");
  if (obj1.isString()) {
    name = new GooString(obj1.getString());
  } else {
    name = NULL;
  }

  obj1 = dict->lookup("Subtype");
  if (obj1.isName()) {
    const char *name = obj1.getName();
    if (!strcmp(name, "3D")) {
      type = type3D;
    } else if (!strcmp(name, "Flash")) {
      type = typeFlash;
    } else if (!strcmp(name, "Sound")) {
      type = typeSound;
    } else if (!strcmp(name, "Video")) {
      type = typeVideo;
    } else {
      // determine from first instance
      if (instances && nInstances > 0) {
        AnnotRichMedia::Instance *instance = instances[0];
        switch (instance->getType()) {
          case AnnotRichMedia::Instance::type3D:
            type = type3D;
            break;
          case AnnotRichMedia::Instance::typeFlash:
            type = typeFlash;
            break;
          case AnnotRichMedia::Instance::typeSound:
            type = typeSound;
            break;
          case AnnotRichMedia::Instance::typeVideo:
            type = typeVideo;
            break;
          default:
            type = typeFlash;
            break;
        }
      }
    }
  }
}
From the for() loop we can see that it is possible that instances[i] is set to
NULL if a crafted PDF file is being handled, but the following call
instance->getType() is not aware of it.

This vulnerability has been reproduced in both the latest stable release 0.59.0
and the latest code in the repository. xpdf is also affected.
A pdf file has been attached to help to reproduce this vulnerability.
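The fix pattern the report implies, as an added example that is not poppler's own code: the "determine from first instance" fallback must treat a NULL entry in `instances[]` (which the loop above stores for every array element that is not a dictionary) as absent rather than dereferencing it. The types below (`MediaType`, `Instance`, `typeFromInstances`) are simplified stand-ins for the poppler classes and are assumptions of this example; the constructed input models an `/Instances` array whose first element is not a dictionary, which is exactly the shape that crashes the original code.

```cpp
#include <cstddef>
#include <vector>

// Simplified stand-ins for poppler's AnnotRichMedia types (example only).
enum MediaType { typeUnknown, type3D, typeFlash, typeSound, typeVideo };

struct Instance {
    MediaType t;
    MediaType getType() const { return t; }
};

// Hardened version of the "determine from first instance" fallback.
// The original reads instances[0]->getType() unconditionally; a NULL slot
// (non-dictionary array element) therefore segfaults. Here NULL slots are
// skipped and the first real instance decides the type. If no usable
// instance exists, typeFlash is returned, mirroring the original's
// `default:` branch (this default is a choice of the example).
MediaType typeFromInstances(const std::vector<Instance*>& instances) {
    for (const Instance* inst : instances) {
        if (inst == nullptr)
            continue;                 // was stored for a non-dict element; do not dereference
        switch (inst->getType()) {
            case type3D:
            case typeFlash:
            case typeSound:
            case typeVideo:
                return inst->getType();
            default:
                return typeFlash;     // unknown instance type, same as original default
        }
    }
    return typeFlash;                 // array empty or all entries NULL
}

// Constructed input: models an /Instances array whose first element is not a
// dictionary (NULL slot) followed by one valid 3D instance.
std::vector<Instance*> constructedCrashShapeInput(Instance& valid) {
    return std::vector<Instance*>{ nullptr, &valid };
}

int main() {
    Instance threeD{type3D};
    std::vector<Instance*> instances = constructedCrashShapeInput(threeD);
    // Original code would dereference instances[0] == NULL here; the hardened
    // lookup instead returns type3D from the second element.
    return typeFromInstances(instances) == type3D ? 0 : 1;
}
```

The same guard belongs in every consumer of `instances[]`, not only in the constructor: once the array may legitimately hold NULL entries, each later loop over it has to tolerate them.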