[Poppler-bugs] [Bug 102701] New: Memory corruption vulnerability in Object::streamGetChar()

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Wed Sep 13 10:15:45 UTC 2017


https://bugs.freedesktop.org/show_bug.cgi?id=102701

            Bug ID: 102701
           Summary: Memory corruption vulnerability in
                    Object::streamGetChar()
           Product: poppler
           Version: unspecified
          Hardware: All
                OS: Linux (All)
            Status: NEW
          Severity: major
          Priority: medium
         Component: general
          Assignee: poppler-bugs at lists.freedesktop.org
          Reporter: etovio at gmail.com

Created attachment 134196
  --> https://bugs.freedesktop.org/attachment.cgi?id=134196&action=edit
POC file of the vulnerability

A memory corruption vulnerability was found in poppler which may lead to a
potential attack.

We can reproduce this vulnerability when we use pdftoppm to process malicious
PDF files:

gzq at ubuntu:~/tmp/install/bin$ ./pdftoppm -q ./mal-gfx-memory-corruption.pdf 
Segmentation fault


gzq at ubuntu:~/tmp/install/bin$ gdb -q ./pdftoppm
Reading symbols from ./pdftoppm...done.
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff79cfbc4 in Object::streamGetChar (this=0x5555630833e8) at
Object.h:395
395       { OBJECT_TYPE_CHECK(objStream); return stream->getChar(); }
#0  0x00007ffff79cfbc4 in Object::streamGetChar (this=0x5555630833e8) at
Object.h:395
#1  0x00007ffff7a3d079 in Lexer::getChar (this=0x5555630833d0,
comesFromLook=true) at Lexer.cc:123
#2  0x00007ffff7a3d1c0 in Lexer::lookChar (this=0x5555630833d0) at Lexer.cc:144
#3  0x00007ffff7a3e201 in Lexer::getObj (this=0x5555630833d0, objNum=-1) at
Lexer.cc:557
#4  0x00007ffff7a4cc90 in Parser::shift (this=0x555563079c50, objNum=-1) at
Parser.cc:291
#5  0x00007ffff7a4c448 in Parser::getObj (this=0x555563079c50,
simpleOnly=false, fileKey=0x0, encAlgorithm=cryptRC4, keyLength=0, objNum=0,
objGen=0, recursion=0, strict=false) at Parser.cc:149
#6  0x00007ffff7a4bcd4 in Parser::getObj (this=0x555563079c50, recursion=0) at
Parser.cc:63
#7  0x00007ffff7a7777d in XRef::fetch (this=0x55555579f130, num=22, gen=0,
recursion=0) at XRef.cc:1136
#8  0x00007ffff7a4413d in Object::fetch (this=0x5555557a1160,
xref=0x55555579f130, recursion=0) at Object.cc:125
#9  0x00007ffff79cd361 in Dict::lookup (this=0x55555579f800, key=0x5555557ab980
"P", recursion=0) at Dict.cc:259
#10 0x00007ffff79b36b4 in Object::dictLookup (this=0x5555557ab458,
key=0x5555557ab980 "P", recursion=0) at Object.h:362
...............
...............
...............
#29100 0x00007ffff79e1a88 in Gfx::go (this=0x5555557a67a0, topLevel=false) at
Gfx.cc:744
#29101 0x00007ffff79e180c in Gfx::display (this=0x5555557a67a0,
obj=0x7fffffffcc40, topLevel=false) at Gfx.cc:706
#29102 0x00007ffff79f454b in Gfx::doShowText (this=0x5555557a67a0,
s=0x5555557de160) at Gfx.cc:3961
#29103 0x00007ffff79f326f in Gfx::opShowText (this=0x5555557a67a0,
args=0x7fffffffcde0, numArgs=1) at Gfx.cc:3756
#29104 0x00007ffff79e21f0 in Gfx::execOp (this=0x5555557a67a0,
cmd=0x7fffffffcdc0, args=0x7fffffffcde0, numArgs=1) at Gfx.cc:880
#29105 0x00007ffff79e1a88 in Gfx::go (this=0x5555557a67a0, topLevel=false) at
Gfx.cc:744
#29106 0x00007ffff79e180c in Gfx::display (this=0x5555557a67a0,
obj=0x7fffffffd1e0, topLevel=false) at Gfx.cc:706
#29107 0x00007ffff79f454b in Gfx::doShowText (this=0x5555557a67a0,
s=0x5555557b0930) at Gfx.cc:3961
#29108 0x00007ffff79f326f in Gfx::opShowText (this=0x5555557a67a0,
args=0x7fffffffd380, numArgs=1) at Gfx.cc:3756
#29109 0x00007ffff79e21f0 in Gfx::execOp (this=0x5555557a67a0,
cmd=0x7fffffffd360, args=0x7fffffffd380, numArgs=1) at Gfx.cc:880
#29110 0x00007ffff79e1a88 in Gfx::go (this=0x5555557a67a0, topLevel=false) at
Gfx.cc:744
#29111 0x00007ffff79e180c in Gfx::display (this=0x5555557a67a0,
obj=0x7fffffffd780, topLevel=false) at Gfx.cc:706
#29112 0x00007ffff79f454b in Gfx::doShowText (this=0x5555557a67a0,
s=0x5555557af380) at Gfx.cc:3961
#29113 0x00007ffff79f326f in Gfx::opShowText (this=0x5555557a67a0,
args=0x7fffffffd920, numArgs=1) at Gfx.cc:3756
#29114 0x00007ffff79e21f0 in Gfx::execOp (this=0x5555557a67a0,
cmd=0x7fffffffd900, args=0x7fffffffd920, numArgs=1) at Gfx.cc:880
#29115 0x00007ffff79e1a88 in Gfx::go (this=0x5555557a67a0, topLevel=false) at
Gfx.cc:744
#29116 0x00007ffff79e180c in Gfx::display (this=0x5555557a67a0,
obj=0x7fffffffdd20, topLevel=false) at Gfx.cc:706
#29117 0x00007ffff79f454b in Gfx::doShowText (this=0x5555557a67a0,
s=0x5555557ae150) at Gfx.cc:3961
#29118 0x00007ffff79f326f in Gfx::opShowText (this=0x5555557a67a0,
args=0x7fffffffdec0, numArgs=1) at Gfx.cc:3756
#29119 0x00007ffff79e21f0 in Gfx::execOp (this=0x5555557a67a0,
cmd=0x7fffffffdea0, args=0x7fffffffdec0, numArgs=1) at Gfx.cc:880
#29120 0x00007ffff79e1a88 in Gfx::go (this=0x5555557a67a0, topLevel=true) at
Gfx.cc:744
#29121 0x00007ffff79e180c in Gfx::display (this=0x5555557a67a0,
obj=0x7fffffffe210, topLevel=true) at Gfx.cc:706
#29122 0x00007ffff7a4a1a5 in Page::displaySlice (this=0x5555557a6560,
out=0x5555557a01e0, hDPI=150, vDPI=150, rotate=0, useMediaBox=true, crop=false,
sliceX=0, sliceY=0, sliceW=1240, sliceH=1755, printing=false,
abortCheckCbk=0x0, abortCheckCbkData=0x0, annotDisplayDecideCbk=0x0,
annotDisplayDecideCbkData=0x0, copyXRef=false) at Page.cc:560
#29123 0x00007ffff7a4e2c5 in PDFDoc::displayPageSlice (this=0x55555579eea0,
out=0x5555557a01e0, page=1, hDPI=150, vDPI=150, rotate=0, useMediaBox=true,
crop=false, printing=false, sliceX=0, sliceY=0, sliceW=1240, sliceH=1755,
abortCheckCbk=0x0, abortCheckCbkData=0x0, annotDisplayDecideCbk=0x0,
annotDisplayDecideCbkData=0x0, copyXRef=false) at PDFDoc.cc:522
#29124 0x0000555555556836 in savePageSlice (doc=0x55555579eea0,
splashOut=0x5555557a01e0, pg=1, x=0, y=0, w=1240, h=1755,
pg_w=1239.5833333333335, pg_h=1754.1666666666667, ppmFile=0x0) at
pdftoppm.cc:282
#29125 0x0000555555557764 in main (argc=2, argv=0x7fffffffe598) at
pdftoppm.cc:600

The point where the program crashes may vary.
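As an added triage aid, not part of the report or of poppler, the Python helper below parses a gdb backtrace in the format quoted above, re-joins frames that the mail archive wrapped across two lines, and reports the crash site, the total stack depth and the repeating Gfx call cycle that makes up the bulk of the 29,000-odd frames. The embedded sample backtrace is a constructed abbreviation of the one in the report; the frame numbers, functions and source locations are taken from it.

```python
import re

# Constructed sample in the format of the report's gdb output: frame #0 is wrapped
# across two lines as in the mail archive; the Gfx frames are abbreviated copies.
SAMPLE_BACKTRACE = """\
Program received signal SIGSEGV, Segmentation fault.
#0  0x00007ffff79cfbc4 in Object::streamGetChar (this=0x5555630833e8) at
Object.h:395
...............
#29105 0x00007ffff79e1a88 in Gfx::go (topLevel=false) at Gfx.cc:744
#29106 0x00007ffff79e180c in Gfx::display (topLevel=false) at Gfx.cc:706
#29107 0x00007ffff79f454b in Gfx::doShowText (s=0x5555557b0930) at Gfx.cc:3961
#29108 0x00007ffff79f326f in Gfx::opShowText (numArgs=1) at Gfx.cc:3756
#29109 0x00007ffff79e21f0 in Gfx::execOp (numArgs=1) at Gfx.cc:880
#29110 0x00007ffff79e1a88 in Gfx::go (topLevel=false) at Gfx.cc:744
#29111 0x00007ffff79e180c in Gfx::display (topLevel=false) at Gfx.cc:706
#29112 0x00007ffff79f454b in Gfx::doShowText (s=0x5555557af380) at Gfx.cc:3961
#29113 0x00007ffff79f326f in Gfx::opShowText (numArgs=1) at Gfx.cc:3756
#29114 0x00007ffff79e21f0 in Gfx::execOp (numArgs=1) at Gfx.cc:880
#29125 0x0000555555557764 in main (argc=2, argv=0x7fffffffe598) at pdftoppm.cc:600
"""
FRAME_RE = re.compile(r"^#(\d+)\s+(?:0x[0-9a-f]+\s+in\s+)?([\w:~<>]+)\s*\((.*)\)\s+at\s+(\S+):(\d+)")

def parse_frames(text):
    """Re-join wrapped frame lines, parse each frame, return frames sorted by number."""
    groups = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#"):                          # a new frame starts
            groups.append([line])
        elif groups and not re.fullmatch(r"\.*", line):   # wrapped continuation
            groups[-1].append(line)                       # (dots/blank/banner skipped)
    matches = filter(None, (FRAME_RE.match(" ".join(g)) for g in groups))
    frames = [{"frame": int(m[1]), "func": m[2], "file": m[4], "line": int(m[5])} for m in matches]
    return sorted(frames, key=lambda f: f["frame"])

def recursion_cycle(frames, max_period=8):
    """Shortest function sequence repeating twice over consecutively numbered frames."""
    nums, funcs = [f["frame"] for f in frames], [f["func"] for f in frames]
    for p in range(1, max_period + 1):
        for i in range(len(funcs) - 2 * p + 1):
            if nums[i + 2 * p - 1] - nums[i] == 2 * p - 1 and funcs[i:i + p] == funcs[i + p:i + 2 * p]:
                return funcs[i:i + p]
    return None

def triage(text):
    """Crash site, total stack depth and any recursion cycle, for a quick triage note."""
    frames = parse_frames(text)
    return {"crash_site": f"{frames[0]['func']} ({frames[0]['file']}:{frames[0]['line']})",
            "depth": frames[-1]["frame"] + 1, "cycle": recursion_cycle(frames)}
```

Feeding it the full backtrace from the report (saved from gdb with `bt` output redirected to a file) gives the same kind of summary, which is what distinguishes a deep-recursion crash from a shallow memory-safety fault when sorting fuzzer findings.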
