[Poppler-bugs] [Bug 103016] New: NULL pointer dereference vulnerability in poppler 0.59.0 GfxState.cc
bugzilla-daemon at freedesktop.org
Thu Sep 28 02:00:59 UTC 2017
https://bugs.freedesktop.org/show_bug.cgi?id=103016
Bug ID: 103016
Summary: NULL pointer dereference vulnerability in poppler 0.59.0 GfxState.cc
Product: poppler
Version: unspecified
Hardware: All
OS: All
Status: NEW
Severity: major
Priority: medium
Component: general
Assignee: poppler-bugs at lists.freedesktop.org
Reporter: etovio at gmail.com
Created attachment 134518
--> https://bugs.freedesktop.org/attachment.cgi?id=134518&action=edit
POC file of the vulnerability
In Poppler 0.59.0, a NULL Pointer Dereference exists in the
GfxImageColorMap::getGrayLine() function in GfxState.cc via a crafted PDF
document. Attackers may exploit this vulnerability by persuading users to open
crafted PDF files.
GDB trace is as follows:
gzq at ubuntu:~/fuzz/poppler$ gdb -q /home/gzq/install/poppler-dev/bin/pdftocairo
Reading symbols from /home/gzq/install/poppler-dev/bin/pdftocairo...done.
(gdb) r -q -svg /home/gzq/work/backup/poppler-gfxstat-5933.pdf
Starting program: /home/gzq/install/poppler-dev/bin/pdftocairo -q -svg
/home/gzq/work/backup/poppler-gfxstat-5933.pdf
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Bogus memory allocation size
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7325979 in GfxImageColorMap::getGrayLine (this=<optimized out>,
in=<optimized out>, out=<optimized out>, length=<optimized out>) at
/home/gzq/work/sourcecode/poppler/poppler/GfxState.cc:5933
5933 *inp = byte_lookup[*inp * nComps + i];
(gdb) bt
#0 0x00007ffff7325979 in GfxImageColorMap::getGrayLine (this=<optimized out>,
in=<optimized out>, out=<optimized out>, length=<optimized out>) at
/home/gzq/work/sourcecode/poppler/poppler/GfxState.cc:5933
#1 0x000000000042542b in CairoOutputDev::drawSoftMaskedImage (this=<optimized
out>, state=<optimized out>, ref=<optimized out>, str=<optimized out>,
width=<optimized out>, height=<optimized out>, colorMap=0x14b,
interpolate=<optimized out>, maskStr=<optimized out>,
maskWidth=<optimized out>, maskHeight=<optimized out>,
maskColorMap=<optimized out>, maskInterpolate=<optimized out>) at
/home/gzq/work/sourcecode/poppler/poppler/CairoOutputDev.cc:2717
#2 0x00007ffff72abd4c in Gfx::doImage (this=<optimized out>, ref=<optimized
out>, str=<optimized out>, inlineImg=<optimized out>) at
/home/gzq/work/sourcecode/poppler/poppler/Gfx.cc:4596
#3 0x00007ffff727444b in Gfx::opXObject (this=0x68fd00, args=<optimized out>,
numArgs=<optimized out>) at
/home/gzq/work/sourcecode/poppler/poppler/Gfx.cc:4173
#4 0x00007ffff7295587 in Gfx::execOp (this=<optimized out>, cmd=<optimized
out>, args=<optimized out>, numArgs=<optimized out>) at
/home/gzq/work/sourcecode/poppler/poppler/Gfx.cc:886
#5 0x00007ffff729391d in Gfx::go (this=<optimized out>, topLevel=<optimized
out>) at /home/gzq/work/sourcecode/poppler/poppler/Gfx.cc:750
#6 0x00007ffff7292fb5 in Gfx::display (this=<optimized out>, obj=<optimized
out>, topLevel=<error reading variable: access outside bounds of object
referenced via synthetic pointer>) at
/home/gzq/work/sourcecode/poppler/poppler/Gfx.cc:712
#7 0x00007ffff73a347e in Page::displaySlice (this=<optimized out>,
out=<optimized out>, hDPI=<optimized out>, vDPI=<optimized out>,
rotate=<optimized out>, useMediaBox=<optimized out>, crop=<optimized out>,
sliceX=-1, sliceY=<optimized out>, sliceW=<optimized out>,
sliceH=<optimized out>, printing=<optimized out>, abortCheckCbk=<optimized
out>, abortCheckCbkData=<optimized out>, annotDisplayDecideCbk=<optimized out>,
annotDisplayDecideCbkData=<optimized out>, copyXRef=<optimized out>)
at /home/gzq/work/sourcecode/poppler/poppler/Page.cc:560
#8 0x00007ffff73b0641 in PDFDoc::displayPageSlice (this=0x68bd00,
out=0x68cdb0, page=1, hDPI=<optimized out>, vDPI=<optimized out>,
rotate=<optimized out>, useMediaBox=false, crop=false, printing=<optimized
out>, sliceX=<optimized out>, sliceY=<optimized out>,
sliceW=<optimized out>, sliceH=<optimized out>, abortCheckCbk=<optimized
out>, abortCheckCbkData=<optimized out>, annotDisplayDecideCbk=<optimized out>,
annotDisplayDecideCbkData=<optimized out>, copyXRef=<optimized out>)
at /home/gzq/work/sourcecode/poppler/poppler/PDFDoc.cc:517
#9 0x0000000000411e8d in renderPage (doc=0x68bd00, cairoOut=<optimized out>,
pg=<optimized out>, page_w=<optimized out>, page_h=<optimized out>,
output_w=<optimized out>, output_h=<optimized out>) at
/home/gzq/work/sourcecode/poppler/utils/pdftocairo.cc:728
#10 main (argc=<optimized out>, argv=<optimized out>) at
/home/gzq/work/sourcecode/poppler/utils/pdftocairo.cc:1268
(gdb)
The POC file has been attached to reproduce this issue.
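Editor's added illustration, not poppler's code and not part of the report above. The crash site in the trace is a per-pixel table lookup, `*inp = byte_lookup[*inp * nComps + i];`, reached just after poppler printed "Bogus memory allocation size". The report does not say why the table pointer was invalid; the example assumes the allocation-failure path (a lookup table that was never allocated), which that message suggests but which is not confirmed here. It shows the two checks such code needs on the defensive side: an overflow-checked allocation that refuses absurd sizes instead of wrapping, and a consumer that treats a missing table as "cannot convert" rather than indexing through it. The names `checked_mallocn`, `build_byte_lookup` and `gray_line` are hypothetical; the table contents and input samples are constructed.

```c
/* Added illustration (hypothetical names, not poppler code): an
 * overflow-checked allocator plus a lookup-table consumer that refuses to
 * dereference a table that was never allocated. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Overflow-checked allocation: returns NULL instead of allocating a
 * wrapped-around size when count * size does not fit in size_t. */
void *checked_mallocn(size_t count, size_t size)
{
    if (count == 0 || size == 0)
        return NULL;
    if (count > SIZE_MAX / size)
        return NULL;            /* the "bogus allocation size" case */
    return malloc(count * size);
}

/* Build a byte lookup table with 256 entries per component, indexed as
 * table[value * nComps + comp]. Returns NULL when nComps is out of range
 * or the allocation fails; the caller must handle NULL, not index it. */
uint8_t *build_byte_lookup(size_t nComps)
{
    if (nComps == 0 || nComps > 32)     /* assumption: cap components at 32 */
        return NULL;
    uint8_t *table = checked_mallocn(256, nComps);
    if (!table)
        return NULL;
    /* Constructed contents: identity mapping for every component. */
    for (size_t v = 0; v < 256; v++)
        for (size_t c = 0; c < nComps; c++)
            table[v * nComps + c] = (uint8_t)v;
    return table;
}

/* Convert `length` samples of `nComps` bytes each to one gray byte each
 * (plain average of the looked-up components). Returns the number of
 * pixels written, or -1 when no table or buffers are available. */
int gray_line(const uint8_t *byte_lookup, size_t nComps,
              const uint8_t *in, uint8_t *out, size_t length)
{
    if (!byte_lookup || !in || !out || nComps == 0)
        return -1;              /* the check the crash site lacked */
    for (size_t p = 0; p < length; p++) {
        unsigned sum = 0;
        for (size_t i = 0; i < nComps; i++)
            sum += byte_lookup[in[p * nComps + i] * nComps + i];
        out[p] = (uint8_t)(sum / nComps);
    }
    return (int)length;
}

int main(void)
{
    /* Absurd component count: table refused, conversion reports failure. */
    uint8_t *bad = build_byte_lookup(1000000);
    uint8_t in[6] = {10, 20, 30, 100, 200, 0};   /* constructed 2 RGB pixels */
    uint8_t out[2];
    printf("bad table -> %d\n", gray_line(bad, 3, in, out, 2));

    /* Sane component count: table built, two gray values produced. */
    uint8_t *ok = build_byte_lookup(3);
    int n = gray_line(ok, 3, in, out, 2);
    printf("ok table -> %d pixels: %u %u\n", n, out[0], out[1]);
    free(ok);
    return 0;
}
```

The point of the split is that `build_byte_lookup` may legitimately return NULL on hostile input, so every consumer of the table has to check for that outcome instead of assuming the allocation succeeded.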