<html>
<head>
<base href="https://bugs.freedesktop.org/">
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - poppler 0.54.0: stack buffer overflow in GfxImageColorMap::getGray"
href="https://bugs.freedesktop.org/show_bug.cgi?id=100774">100774</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>poppler 0.54.0: stack buffer overflow in GfxImageColorMap::getGray
</td>
</tr>
<tr>
<th>Product</th>
<td>poppler
</td>
</tr>
<tr>
<th>Version</th>
<td>unspecified
</td>
</tr>
<tr>
<th>Hardware</th>
<td>All
</td>
</tr>
<tr>
<th>OS</th>
<td>Linux (All)
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>critical
</td>
</tr>
<tr>
<th>Priority</th>
<td>medium
</td>
</tr>
<tr>
<th>Component</th>
<td>utils
</td>
</tr>
<tr>
<th>Assignee</th>
<td>poppler-bugs@lists.freedesktop.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>haojunhou@gmail.com
</td>
</tr></table>
<p>
<div>
<pre>Created <span class=""><a href="attachment.cgi?id=131001" name="attach_131001" title="testcase">attachment 131001</a> <a href="attachment.cgi?id=131001&action=edit" title="testcase">[details]</a></span>
testcase
on poppler 0.54.0
The GfxImageColorMap::getGray function in GfxState.cc:6064 allows attackers to
cause a denial of service (stack buffer overflow) via a crafted file.
#pdfimages $FILE out
==88072==ERROR: AddressSanitizer: stack-buffer-overflow on address
0x7fffef185eb1 at pc 0x0000004fd590 bp 0x7fffef185cd0 sp 0x7fffef185cc8
READ of size 1 at 0x7fffef185eb1 thread T0
#0 0x4fd58f in GfxImageColorMap::getGray(unsigned char*, int*)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/GfxState.cc:6064
#1 0x408407 in ImageOutputDev::writeImageFile(ImgWriter*,
ImageOutputDev::ImageFormat, char const*, Stream*, int, int, GfxImageColorMap*)
/home/haojun/Downloads/testopensourcecode/poppler/utils/ImageOutputDev.cc:386
#2 0x40a557 in ImageOutputDev::writeImage(GfxState*, Object*, Stream*, int,
int, GfxImageColorMap*, bool)
/home/haojun/Downloads/testopensourcecode/poppler/utils/ImageOutputDev.cc:647
#3 0x40a9d1 in ImageOutputDev::drawSoftMaskedImage(GfxState*, Object*,
Stream*, int, int, GfxImageColorMap*, bool, Stream*, int, int,
GfxImageColorMap*, bool)
/home/haojun/Downloads/testopensourcecode/poppler/utils/ImageOutputDev.cc:703
#4 0x4a7630 in Gfx::doImage(Object*, Stream*, bool)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/Gfx.cc:4702
#5 0x4a445f in Gfx::opXObject(Object*, int)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/Gfx.cc:4208
#6 0x47efd0 in Gfx::execOp(Object*, Object*, int)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/Gfx.cc:904
#7 0x47e091 in Gfx::go(bool)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/Gfx.cc:763
#8 0x47dbec in Gfx::display(Object*, bool)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/Gfx.cc:729
#9 0x52c8f6 in Page::displaySlice(OutputDev*, double, double, int, bool,
bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*,
void*), void*, bool)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/Page.cc:601
#10 0x52be69 in Page::display(OutputDev*, double, double, int, bool, bool,
bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/Page.cc:523
#11 0x533614 in PDFDoc::displayPage(OutputDev*, int, double, double, int,
bool, bool, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/PDFDoc.cc:494
#12 0x5336b9 in PDFDoc::displayPages(OutputDev*, int, int, double, double,
int, bool, bool, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*)
/home/haojun/Downloads/testopensourcecode/poppler/poppler/PDFDoc.cc:510
#13 0x406119 in main
/home/haojun/Downloads/testopensourcecode/poppler/utils/pdfimages.cc:218
#14 0x7fecc4ca0b34 in __libc_start_main (/lib64/libc.so.6+0x21b34)
#15 0x4059a8
(/home/haojun/Downloads/testopensourcecode/poppler-build/bin/pdfimages+0x4059a8)
Address 0x7fffef185eb1 is located in stack of thread T0 at offset 33 in frame
#0 0x407fa3 in ImageOutputDev::writeImageFile(ImgWriter*,
ImageOutputDev::ImageFormat, char const*, Stream*, int, int, GfxImageColorMap*)
/home/haojun/Downloads/testopensourcecode/poppler/utils/ImageOutputDev.cc:338
This frame has 5 object(s):
[32, 33) 'zero' <== Memory access at offset 33 overflows this variable
[96, 100) 'gray'
[160, 168) 'row'
[224, 236) 'rgb'
[288, 304) 'cmyk'
HINT: this may be a false positive if your program uses some custom stack
unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow
/home/haojun/Downloads/testopensourcecode/poppler/poppler/GfxState.cc:6064 in
GfxImageColorMap::getGray(unsigned char*, int*)
Shadow bytes around the buggy address:
0x10007de28b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007de28b90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007de28ba0: 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 00
0x10007de28bb0: 00 00 00 00 00 00 f3 f3 f3 f3 00 00 00 00 00 00
0x10007de28bc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10007de28bd0: 00 00 f1 f1 f1 f1[01]f4 f4 f4 f2 f2 f2 f2 04 f4
0x10007de28be0: f4 f4 f2 f2 f2 f2 00 f4 f4 f4 f2 f2 f2 f2 00 04
0x10007de28bf0: f4 f4 f2 f2 f2 f2 00 00 f4 f4 f3 f3 f3 f3 00 00
0x10007de28c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007de28c10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007de28c20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==88072==ABORTING
The $FILE poc in the attachment.
Credit:The bug was discovered by Haojun Hou in ADLab of Venustech.</pre>
</div>
</p>
<hr>
<span>You are receiving this mail because:</span>
<ul>
<li>You are the assignee for the bug.</li>
</ul>
</body>
</html>