[Poppler-bugs] [Bug 102969] New: Gfx displaySlice() infinite loop vulnerability

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Mon Sep 25 07:51:03 UTC 2017


https://bugs.freedesktop.org/show_bug.cgi?id=102969

            Bug ID: 102969
           Summary: Gfx displaySlice() infinite loop vulnerability
           Product: poppler
           Version: unspecified
          Hardware: All
                OS: Linux (All)
            Status: NEW
          Severity: major
          Priority: medium
         Component: general
          Assignee: poppler-bugs at lists.freedesktop.org
          Reporter: etovio at gmail.com

Created attachment 134457
  --> https://bugs.freedesktop.org/attachment.cgi?id=134457&action=edit
POC

In Poppler 0.59.0, memory corruption occurs in a call to Object::dictLookup()
in Object.h after a repeating series of Gfx::display, Gfx::go, Gfx::execOp,
Gfx::opFill, Gfx::doPatternFill, Gfx::doTilingPatternFill and Gfx::drawForm
calls (aka a Gfx.cc infinite loop). This is a different vulnerability from bug
102701.

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00000000005497f1 in Lexer::getObj (this=<optimized out>, objNum=<optimized
out>) at Lexer.cc:167
167         if ((c = getChar()) == EOF) {
#0  0x00000000005497f1 in Lexer::getObj (this=<optimized out>,
objNum=<optimized out>) at Lexer.cc:167
#1  0x000000000056baa6 in Parser::shift (this=<optimized out>, objNum=-1) at
Parser.cc:291
#2  0x000000000056a498 in Parser::getObj (this=0xc8ca6c0, simpleOnly=<optimized
out>, fileKey=<optimized out>, encAlgorithm=<optimized out>,
keyLength=<optimized out>, objNum=0, objGen=<optimized out>, recursion=0,
strict=<optimized out>) at Parser.cc:149
#3  0x0000000000569f9d in Parser::getObj (this=0x0, recursion=0) at
Parser.cc:63
#4  0x00000000005bfad6 in XRef::fetch (this=0x9e1120, num=5, gen=<optimized
out>, recursion=<optimized out>) at XRef.cc:1136
#5  0x000000000055ab11 in Object::fetch (this=0x9e53c8, xref=0x9e1120,
recursion=0) at Object.cc:125
#6  0x000000000048b782 in Dict::lookup (this=0x9e5360, key=<optimized out>,
recursion=0) at Dict.cc:259
#7  0x00000000004bbb28 in Object::dictLookup (key=0xc8c9ef0 "P0", recursion=0,
this=<optimized out>) at ./Object.h:362
#8  GfxResources::lookupPattern (this=<optimized out>, name=<optimized out>,
out=<optimized out>, state=<optimized out>) at Gfx.cc:461
#9  0x00000000004b8fe4 in Gfx::opSetFillColorN (this=<optimized out>,
args=<optimized out>, numArgs=<optimized out>) at Gfx.cc:1609
#10 0x00000000004bf8c6 in Gfx::execOp (this=<optimized out>, cmd=<optimized
out>, args=<optimized out>, numArgs=<optimized out>) at Gfx.cc:880
#11 0x00000000004be541 in Gfx::go (this=<optimized out>, topLevel=<optimized
out>) at Gfx.cc:744
#12 0x00000000004bdda5 in Gfx::display (this=<optimized out>, obj=<optimized
out>, topLevel=<optimized out>) at Gfx.cc:706
#13 0x00000000004c1a23 in Gfx::drawForm (this=0x9e5120, str=<optimized out>,
resDict=<optimized out>, matrix=<optimized out>, bbox=0xc8c0308,
transpGroup=<optimized out>, softMask=<optimized out>,
blendingColorSpace=<optimized out>, isolated=<optimized out>,
knockout=<optimized out>, alpha=96, transferFunc=0x7fffff7ff9f0,
backdropColor=0xc8c9540) at Gfx.cc:4828
#14 0x00000000004c3e80 in Gfx::doTilingPatternFill (this=<optimized out>,
tPat=<optimized out>, stroke=<optimized out>, eoFill=<optimized out>,
text=<optimized out>) at Gfx.cc:2234
#15 0x00000000004c244a in Gfx::doPatternFill (this=0x9e5120, eoFill=false) at
Gfx.cc:1951
#16 0x00000000004a7679 in Gfx::opFill (this=0x9e5120, args=<optimized out>,
numArgs=<optimized out>) at Gfx.cc:1820
#17 0x00000000004bf8c6 in Gfx::execOp (this=<optimized out>, cmd=<optimized
out>, args=<optimized out>, numArgs=<optimized out>) at Gfx.cc:880
#18 0x00000000004be541 in Gfx::go (this=<optimized out>, topLevel=<optimized
out>) at Gfx.cc:744
#19 0x00000000004bdda5 in Gfx::display (this=<optimized out>, obj=<optimized
out>, topLevel=<optimized out>) at Gfx.cc:706
#20 0x00000000004c1a23 in Gfx::drawForm (this=0x9e5120, str=<optimized out>,
resDict=<optimized out>, matrix=<optimized out>, bbox=0xc8b5f68,
transpGroup=<optimized out>, softMask=<optimized out>,
blendingColorSpace=<optimized out>, isolated=<optimized out>,
knockout=<optimized out>, alpha=96, transferFunc=0x7fffff8000d0,
backdropColor=0xc8bf1a0) at Gfx.cc:4828
#21 0x00000000004c3e80 in Gfx::doTilingPatternFill (this=<optimized out>,
tPat=<optimized out>, stroke=<optimized out>, eoFill=<optimized out>,
text=<optimized out>) at Gfx.cc:2234
#22 0x00000000004c244a in Gfx::doPatternFill (this=0x9e5120, eoFill=false) at
Gfx.cc:1951
#23 0x00000000004a7679 in Gfx::opFill (this=0x9e5120, args=<optimized out>,
numArgs=<optimized out>) at Gfx.cc:1820
#24 0x00000000004bf8c6 in Gfx::execOp (this=<optimized out>, cmd=<optimized
out>, args=<optimized out>, numArgs=<optimized out>) at Gfx.cc:880
#25 0x00000000004be541 in Gfx::go (this=<optimized out>, topLevel=<optimized
out>) at Gfx.cc:744
#26 0x00000000004bdda5 in Gfx::display (this=<optimized out>, obj=<optimized
out>, topLevel=<optimized out>) at Gfx.cc:706
#27 0x00000000004c1a23 in Gfx::drawForm (this=0x9e5120, str=<optimized out>,
resDict=<optimized out>, matrix=<optimized out>, bbox=0xc8abb28,
transpGroup=<optimized out>, softMask=<optimized out>,
blendingColorSpace=<optimized out>, isolated=<optimized out>,
knockout=<optimized out>, alpha=240, transferFunc=0x7fffff8007b0,
backdropColor=0xc8b4d80) at Gfx.cc:4828
#28 0x00000000004c3e80 in Gfx::doTilingPatternFill (this=<optimized out>,
tPat=<optimized out>, stroke=<optimized out>, eoFill=<optimized out>,
text=<optimized out>) at Gfx.cc:2234
#29 0x00000000004c244a in Gfx::doPatternFill (this=0x9e5120, eoFill=false) at
Gfx.cc:1951
#30 0x00000000004a7679 in Gfx::opFill (this=0x9e5120, args=<optimized out>,
numArgs=<optimized out>) at Gfx.cc:1820
#31 0x00000000004bf8c6 in Gfx::execOp (this=<optimized out>, cmd=<optimized
out>, args=<optimized out>, numArgs=<optimized out>) at Gfx.cc:880
#32 0x00000000004be541 in Gfx::go (this=<optimized out>, topLevel=<optimized
out>) at Gfx.cc:744
#33 0x00000000004bdda5 in Gfx::display (this=<optimized out>, obj=<optimized
out>, topLevel=<optimized out>) at Gfx.cc:706
#34 0x00000000004c1a23 in Gfx::drawForm (this=0x9e5120, str=<optimized out>,
resDict=<optimized out>, matrix=<optimized out>, bbox=0xc8a16e8,
transpGroup=<optimized out>, softMask=<optimized out>,
blendingColorSpace=<optimized out>, isolated=<optimized out>,
knockout=<optimized out>, alpha=176, transferFunc=0x7fffff800e90,
backdropColor=0xc8aa920) at Gfx.cc:4828
#35 0x00000000004c3e80 in Gfx::doTilingPatternFill (this=<optimized out>,
tPat=<optimized out>, stroke=<optimized out>, eoFill=<optimized out>,
text=<optimized out>) at Gfx.cc:2234
#36 0x00000000004c244a in Gfx::doPatternFill (this=0x9e5120, eoFill=false) at
Gfx.cc:1951
#37 0x00000000004a7679 in Gfx::opFill (this=0x9e5120, args=<optimized out>,
numArgs=<optimized out>) at Gfx.cc:1820
#38 0x00000000004bf8c6 in Gfx::execOp (this=<optimized out>, cmd=<optimized
out>, args=<optimized out>, numArgs=<optimized out>) at Gfx.cc:880
#39 0x00000000004be541 in Gfx::go (this=<optimized out>, topLevel=<optimized
out>) at Gfx.cc:744
#40 0x00000000004bdda5 in Gfx::display (this=<optimized out>, obj=<optimized
out>, topLevel=<optimized out>) at Gfx.cc:706
#41 0x00000000004c1a23 in Gfx::drawForm (this=0x9e5120, str=<optimized out>,
resDict=<optimized out>, matrix=<optimized out>, bbox=0xc8972c8,
transpGroup=<optimized out>, softMask=<optimized out>,
blendingColorSpace=<optimized out>, isolated=<optimized out>,
knockout=<optimized out>, alpha=32, transferFunc=0x7fffff801570,
backdropColor=0xc8a0500) at Gfx.cc:4828
#42 0x00000000004c3e80 in Gfx::doTilingPatternFill (this=<optimized out>,
tPat=<optimized out>, stroke=<optimized out>, eoFill=<optimized out>,
text=<optimized out>) at Gfx.cc:2234
#43 0x00000000004c244a in Gfx::doPatternFill (this=0x9e5120, eoFill=false) at
Gfx.cc:1951
#44 0x00000000004a7679 in Gfx::opFill (this=0x9e5120, args=<optimized out>,
numArgs=<optimized out>) at Gfx.cc:1820
#45 0x00000000004bf8c6 in Gfx::execOp (this=<optimized out>, cmd=<optimized
out>, args=<optimized out>, numArgs=<optimized out>) at Gfx.cc:880
#46 0x00000000004be541 in Gfx::go (this=<optimized out>, topLevel=<optimized
out>) at Gfx.cc:744
#47 0x00000000004bdda5 in Gfx::display (this=<optimized out>, obj=<optimized
out>, topLevel=<optimized out>) at Gfx.cc:706
#48 0x00000000004c1a23 in Gfx::drawForm (this=0x9e5120, str=<optimized out>,
resDict=<optimized out>, matrix=<optimized out>, bbox=0xc88cf28,
transpGroup=<optimized out>, softMask=<optimized out>,
blendingColorSpace=<optimized out>, isolated=<optimized out>,
knockout=<optimized out>, alpha=32, transferFunc=0x7fffff801c50,
backdropColor=0xc896160) at Gfx.cc:4828
#49 0x00000000004c3e80 in Gfx::doTilingPatternFill (this=<optimized out>,
tPat=<optimized out>, stroke=<optimized out>, eoFill=<optimized out>,
text=<optimized out>) at Gfx.cc:2234
#50 0x00000000004c244a in Gfx::doPatternFill (this=0x9e5120, eoFill=false) at
Gfx.cc:1951
#51 0x00000000004a7679 in Gfx::opFill (this=0x9e5120, args=<optimized out>,
numArgs=<optimized out>) at Gfx.cc:1820
#52 0x00000000004bf8c6 in Gfx::execOp (this=<optimized out>, cmd=<optimized
out>, args=<optimized out>, numArgs=<optimized out>) at Gfx.cc:880
#53 0x00000000004be541 in Gfx::go (this=<optimized out>, topLevel=<optimized
out>) at Gfx.cc:744
#54 0x00000000004bdda5 in Gfx::display (this=<optimized out>, obj=<optimized
out>, topLevel=<optimized out>) at Gfx.cc:706
#55 0x00000000004c1a23 in Gfx::drawForm (this=0x9e5120, str=<optimized out>,
resDict=<optimized out>, matrix=<optimized out>, bbox=0xc882ae8,
transpGroup=<optimized out>, softMask=<optimized out>,
blendingColorSpace=<optimized out>, isolated=<optimized out>,
knockout=<optimized out>, alpha=176, transferFunc=0x7fffff802330,
backdropColor=0xc88bd40) at Gfx.cc:4828
#56 0x00000000004c3e80 in Gfx::doTilingPatternFill (this=<optimized out>,
tPat=<optimized out>, stroke=<optimized out>, eoFill=<optimized out>,
text=<optimized out>) at Gfx.cc:2234
#57 0x00000000004c244a in Gfx::doPatternFill (this=0x9e5120, eoFill=false) at
Gfx.cc:1951
#58 0x00000000004a7679 in Gfx::opFill (this=0x9e5120, args=<optimized out>,
numArgs=<optimized out>) at Gfx.cc:1820
#59 0x00000000004bf8c6 in Gfx::execOp (this=<optimized out>, cmd=<optimized
out>, args=<optimized out>, numArgs=<optimized out>) at Gfx.cc:880
#60 0x00000000004be541 in Gfx::go (this=<optimized out>, topLevel=<optimized
out>) at Gfx.cc:744
#61 0x00000000004bdda5 in Gfx::display (this=<optimized out>, obj=<optimized
out>, topLevel=<optimized out>) at Gfx.cc:706
#62 0x00000000004c1a23 in Gfx::drawForm (this=0x9e5120, str=<optimized out>,
resDict=<optimized out>, matrix=<optimized out>, bbox=0xc8786a8,
transpGroup=<optimized out>, softMask=<optimized out>,
blendingColorSpace=<optimized out>, isolated=<optimized out>,
knockout=<optimized out>, alpha=112, transferFunc=0x7fffff802a10,
backdropColor=0xc8818e0) at Gfx.cc:4828
#63 0x00000000004c3e80 in Gfx::doTilingPatternFill (this=<optimized out>,
tPat=<optimized out>, stroke=<optimized out>, eoFill=<optimized out>,
text=<optimized out>) at Gfx.cc:2234
#64 0x00000000004c244a in Gfx::doPatternFill (this=0x9e5120, eoFill=false) at
Gfx.cc:1951
#65 0x00000000004a7679 in Gfx::opFill (this=0x9e5120, args=<optimized out>,
numArgs=<optimized out>) at Gfx.cc:1820
#66 0x00000000004bf8c6 in Gfx::execOp (this=<optimized out>, cmd=<optimized
out>, args=<optimized out>, numArgs=<optimized out>) at Gfx.cc:880
#67 0x00000000004be541 in Gfx::go (this=<optimized out>, topLevel=<optimized
out>) at Gfx.cc:744
#68 0x00000000004bdda5 in Gfx::display (this=<optimized out>, obj=<optimized
out>, topLevel=<optimized out>) at Gfx.cc:706
......
......
......

#33340 0x00000000004c1a23 in Gfx::drawForm (this=0x9e5120, str=<optimized out>,
resDict=<optimized out>, matrix=<optimized out>, bbox=0x9e86d8,
transpGroup=<optimized out>, softMask=<optimized out>,
blendingColorSpace=<optimized out>, isolated=<optimized out>,
knockout=<optimized out>, alpha=160, transferFunc=0x7fffffffd5d0,
backdropColor=0xa0f710) at Gfx.cc:4828
#33341 0x00000000004c3e80 in Gfx::doTilingPatternFill (this=<optimized out>,
tPat=<optimized out>, stroke=<optimized out>, eoFill=<optimized out>,
text=<optimized out>) at Gfx.cc:2234
#33342 0x00000000004c244a in Gfx::doPatternFill (this=0x9e5120, eoFill=false)
at Gfx.cc:1951
#33343 0x00000000004a7679 in Gfx::opFill (this=0x9e5120, args=<optimized out>,
numArgs=<optimized out>) at Gfx.cc:1820
#33344 0x00000000004bf8c6 in Gfx::execOp (this=<optimized out>, cmd=<optimized
out>, args=<optimized out>, numArgs=<optimized out>) at Gfx.cc:880
#33345 0x00000000004be541 in Gfx::go (this=<optimized out>, topLevel=<optimized
out>) at Gfx.cc:744
#33346 0x00000000004bdda5 in Gfx::display (this=<optimized out>, obj=<optimized
out>, topLevel=<optimized out>) at Gfx.cc:706
#33347 0x00000000004c1a23 in Gfx::drawForm (this=0x9e5120, str=<optimized out>,
resDict=<optimized out>, matrix=<optimized out>, bbox=0x9e6958,
transpGroup=<optimized out>, softMask=<optimized out>,
blendingColorSpace=<optimized out>, isolated=<optimized out>,
knockout=<optimized out>, alpha=144, transferFunc=0x7fffffffdcb0,
backdropColor=0x9e73d0) at Gfx.cc:4828
#33348 0x00000000004c3e80 in Gfx::doTilingPatternFill (this=<optimized out>,
tPat=<optimized out>, stroke=<optimized out>, eoFill=<optimized out>,
text=<optimized out>) at Gfx.cc:2234
#33349 0x00000000004c244a in Gfx::doPatternFill (this=0x9e5120, eoFill=false)
at Gfx.cc:1951
#33350 0x00000000004a7679 in Gfx::opFill (this=0x9e5120, args=<optimized out>,
numArgs=<optimized out>) at Gfx.cc:1820
#33351 0x00000000004bf8c6 in Gfx::execOp (this=<optimized out>, cmd=<optimized
out>, args=<optimized out>, numArgs=<optimized out>) at Gfx.cc:880
#33352 0x00000000004be541 in Gfx::go (this=<optimized out>, topLevel=<optimized
out>) at Gfx.cc:744
#33353 0x00000000004bdda5 in Gfx::display (this=<optimized out>, obj=<optimized
out>, topLevel=<optimized out>) at Gfx.cc:706
#33354 0x0000000000567c25 in Page::displaySlice (this=0x9e4ce0, out=0x9e1d90,
hDPI=<optimized out>, vDPI=<optimized out>, rotate=<optimized out>,
useMediaBox=<optimized out>, crop=<optimized out>, sliceX=<optimized out>,
sliceY=<optimized out>, sliceW=<optimized out>, sliceH=<optimized out>,
printing=<optimized out>, abortCheckCbk=<optimized out>,
abortCheckCbkData=<optimized out>, annotDisplayDecideCbk=<optimized out>,
annotDisplayDecideCbkData=<optimized out>, copyXRef=<optimized out>) at
Page.cc:560
#33355 0x000000000056795e in Page::display (this=0xc8ca710, out=0x0, hDPI=0,
vDPI=0, rotate=10010656, useMediaBox=true, crop=false, printing=false,
abortCheckCbk=0x0, abortCheckCbkData=0x0, annotDisplayDecideCbk=0x0,
annotDisplayDecideCbkData=0x0, copyXRef=<optimized out>) at Page.cc:481
#33356 0x000000000056fef6 in PDFDoc::displayPage (this=0x9e0eb0, out=0x9e1d90,
page=<optimized out>, hDPI=108, vDPI=108, rotate=0, abortCheckCbk=<optimized
out>, abortCheckCbkData=<optimized out>, annotDisplayDecideCbk=<optimized out>,
annotDisplayDecideCbkData=<optimized out>, copyXRef=false,
useMediaBox=<optimized out>, crop=<optimized out>, printing=<optimized out>) at
PDFDoc.cc:485
#33357 PDFDoc::displayPages (this=<optimized out>, out=<optimized out>,
firstPage=<optimized out>, lastPage=<optimized out>, hDPI=<optimized out>,
vDPI=<optimized out>, rotate=<optimized out>, useMediaBox=<optimized out>,
crop=<optimized out>, printing=<optimized out>, abortCheckCbk=<optimized out>,
abortCheckCbkData=<optimized out>, annotDisplayDecideCbk=<optimized out>,
annotDisplayDecideCbkData=<optimized out>) at PDFDoc.cc:502
#33358 0x00000000004083df in main (argc=<optimized out>, argv=<optimized out>)
at pdftohtml.cc:389

A full callstack and the POC file have been attached to help reproduce this
issue.
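The trace above repeats one cycle: drawForm paints a tiling pattern's form, the form's content fills with a pattern that resolves back to the same object, and doTilingPatternFill calls drawForm again, until the stack is exhausted some 33,000 frames down. The following is an added example, not poppler code and not the fix that was applied to this bug: a deliberately small model of a pattern/form resource graph with the two guards a renderer needs against this shape of input. The structure names (TilingPattern, Document, Renderer), the sample object numbers and the kMaxFormDepth bound are all assumptions made for the illustration.

```cpp
// Added example (not poppler's code): a minimal model of how a page, a tiling
// pattern and the form that paints it refer to one another, with a cycle guard
// and a depth bound so a malformed resource graph cannot recurse without limit.
#include <cstdio>
#include <map>
#include <set>
#include <string>
#include <utility>
#include <vector>

// Hypothetical simplified pattern object: its content stream is a form whose
// /Resources maps pattern names to object numbers, and whose content performs
// a series of "scn <name>; f" fills using those names.
struct TilingPattern {
    std::map<std::string, int> resources;  // pattern name -> object number
    std::vector<std::string> fills;        // pattern names used by fill ops, in order
};

// The "document": object number -> pattern object (constructed in code, not parsed).
using Document = std::map<int, TilingPattern>;

struct RenderStats {
    int formsDrawn = 0;     // pattern forms actually painted
    int cyclesSkipped = 0;  // fills refused because that pattern was already being drawn
    int depthLimited = 0;   // fills refused because nesting reached kMaxFormDepth
    int maxDepth = 0;       // deepest nesting level painted
};

constexpr int kMaxFormDepth = 32;  // assumed bound; a real renderer sizes this to its stack budget

class Renderer {
public:
    explicit Renderer(Document doc) : doc_(std::move(doc)) {}

    // Paint the page content; the page itself is modelled as a pattern object.
    RenderStats render(int pageObj) {
        stats_ = RenderStats{};
        drawForm(pageObj, 0);
        return stats_;
    }

private:
    void drawForm(int objNum, int depth) {
        // Guard 1: cycle detection. The report's trace is exactly this loop:
        // drawForm -> display -> ... -> doTilingPatternFill -> drawForm on the
        // same object, repeated until the stack overflows.
        if (inProgress_.count(objNum)) { ++stats_.cyclesSkipped; return; }
        // Guard 2: an absolute depth bound, which also stops long chains of
        // *distinct* objects that an in-progress set alone would not catch.
        if (depth >= kMaxFormDepth) { ++stats_.depthLimited; return; }

        auto it = doc_.find(objNum);
        if (it == doc_.end()) return;  // dangling reference: nothing to paint

        inProgress_.insert(objNum);
        ++stats_.formsDrawn;
        if (depth > stats_.maxDepth) stats_.maxDepth = depth;

        const TilingPattern& pat = it->second;
        for (const std::string& name : pat.fills) {
            auto res = pat.resources.find(name);
            if (res == pat.resources.end()) continue;  // unknown pattern name: skip the fill
            drawForm(res->second, depth + 1);          // doPatternFill -> drawForm
        }
        // Only the forms on the *current* render stack are blocked; the same
        // pattern may legitimately be painted again later on the page.
        inProgress_.erase(objNum);
    }

    Document doc_;
    std::set<int> inProgress_;
    RenderStats stats_;
};

// Constructed sample 1: the self-referential shape from the report. The page
// (object 1) fills with "P0", object 5, whose own form fills with "P0" again.
Document makeCyclicDocument() {
    Document d;
    d[1] = TilingPattern{{{"P0", 5}}, {"P0"}};
    d[5] = TilingPattern{{{"P0", 5}}, {"P0"}};
    return d;
}

// Constructed sample 2: legitimate nesting, three levels deep, pattern reused twice.
Document makeNestedDocument() {
    Document d;
    d[1] = TilingPattern{{{"P0", 5}}, {"P0", "P0"}};
    d[5] = TilingPattern{{{"Inner", 6}}, {"Inner"}};
    d[6] = TilingPattern{{}, {}};
    return d;
}

// Constructed sample 3: a chain of distinct pattern objects longer than the bound.
Document makeDeepChainDocument(int length) {
    Document d;
    for (int i = 1; i <= length; ++i)
        d[i] = TilingPattern{{{"Next", i + 1}}, {"Next"}};
    d[length + 1] = TilingPattern{{}, {}};
    return d;
}

int main() {
    RenderStats s = Renderer(makeCyclicDocument()).render(1);
    std::printf("cyclic: drawn=%d cycles=%d depthLimited=%d\n",
                s.formsDrawn, s.cyclesSkipped, s.depthLimited);
    return 0;
}
```

Two details matter for a real renderer. The in-progress set must be cleared when a form is left, otherwise a pattern used twice on one page would be painted only once; and the depth bound is still needed because a chain of many distinct objects never trips the cycle check but exhausts the stack just the same.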
