<html>
<head>
<base href="https://bugs.freedesktop.org/">
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - Memory corruption vulnerability in Object::streamGetChar()"
href="https://bugs.freedesktop.org/show_bug.cgi?id=102701">102701</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>Memory corruption vulnerability in Object::streamGetChar()
</td>
</tr>
<tr>
<th>Product</th>
<td>poppler
</td>
</tr>
<tr>
<th>Version</th>
<td>unspecified
</td>
</tr>
<tr>
<th>Hardware</th>
<td>All
</td>
</tr>
<tr>
<th>OS</th>
<td>Linux (All)
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>major
</td>
</tr>
<tr>
<th>Priority</th>
<td>medium
</td>
</tr>
<tr>
<th>Component</th>
<td>general
</td>
</tr>
<tr>
<th>Assignee</th>
<td>poppler-bugs@lists.freedesktop.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>etovio@gmail.com
</td>
</tr></table>
<p>
<div>
<pre>Created <span class=""><a href="attachment.cgi?id=134196" name="attach_134196" title="POC file of the vulnerability">attachment 134196</a> <a href="attachment.cgi?id=134196&action=edit" title="POC file of the vulnerability">[details]</a></span>
POC file of the vulnerability
A memory corruption vulnerability was found in poppler which may lead to a
potential attack.
We can reproduce this vulnerability when we use pdftoppm to process malicious
PDF files:
gzq@ubuntu:~/tmp/install/bin$ ./pdftoppm -q ./mal-gfx-memory-corruption.pdf
Segmentation fault
gzq@ubuntu:~/tmp/install/bin$ gdb -q ./pdftoppm
Reading symbols from ./pdftoppm...done.
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff79cfbc4 in Object::streamGetChar (this=0x5555630833e8) at Object.h:395
395 { OBJECT_TYPE_CHECK(objStream); return stream->getChar(); }
#0 0x00007ffff79cfbc4 in Object::streamGetChar (this=0x5555630833e8) at Object.h:395
#1 0x00007ffff7a3d079 in Lexer::getChar (this=0x5555630833d0, comesFromLook=true) at Lexer.cc:123
#2 0x00007ffff7a3d1c0 in Lexer::lookChar (this=0x5555630833d0) at Lexer.cc:144
#3 0x00007ffff7a3e201 in Lexer::getObj (this=0x5555630833d0, objNum=-1) at Lexer.cc:557
#4 0x00007ffff7a4cc90 in Parser::shift (this=0x555563079c50, objNum=-1) at Parser.cc:291
#5 0x00007ffff7a4c448 in Parser::getObj (this=0x555563079c50, simpleOnly=false, fileKey=0x0, encAlgorithm=cryptRC4, keyLength=0, objNum=0, objGen=0, recursion=0, strict=false) at Parser.cc:149
#6 0x00007ffff7a4bcd4 in Parser::getObj (this=0x555563079c50, recursion=0) at Parser.cc:63
#7 0x00007ffff7a7777d in XRef::fetch (this=0x55555579f130, num=22, gen=0, recursion=0) at XRef.cc:1136
#8 0x00007ffff7a4413d in Object::fetch (this=0x5555557a1160, xref=0x55555579f130, recursion=0) at Object.cc:125
#9 0x00007ffff79cd361 in Dict::lookup (this=0x55555579f800, key=0x5555557ab980 "P", recursion=0) at Dict.cc:259
#10 0x00007ffff79b36b4 in Object::dictLookup (this=0x5555557ab458, key=0x5555557ab980 "P", recursion=0) at Object.h:362
...............
...............
...............
#29100 0x00007ffff79e1a88 in Gfx::go (this=0x5555557a67a0, topLevel=false) at Gfx.cc:744
#29101 0x00007ffff79e180c in Gfx::display (this=0x5555557a67a0, obj=0x7fffffffcc40, topLevel=false) at Gfx.cc:706
#29102 0x00007ffff79f454b in Gfx::doShowText (this=0x5555557a67a0, s=0x5555557de160) at Gfx.cc:3961
#29103 0x00007ffff79f326f in Gfx::opShowText (this=0x5555557a67a0, args=0x7fffffffcde0, numArgs=1) at Gfx.cc:3756
#29104 0x00007ffff79e21f0 in Gfx::execOp (this=0x5555557a67a0, cmd=0x7fffffffcdc0, args=0x7fffffffcde0, numArgs=1) at Gfx.cc:880
#29105 0x00007ffff79e1a88 in Gfx::go (this=0x5555557a67a0, topLevel=false) at Gfx.cc:744
#29106 0x00007ffff79e180c in Gfx::display (this=0x5555557a67a0, obj=0x7fffffffd1e0, topLevel=false) at Gfx.cc:706
#29107 0x00007ffff79f454b in Gfx::doShowText (this=0x5555557a67a0, s=0x5555557b0930) at Gfx.cc:3961
#29108 0x00007ffff79f326f in Gfx::opShowText (this=0x5555557a67a0, args=0x7fffffffd380, numArgs=1) at Gfx.cc:3756
#29109 0x00007ffff79e21f0 in Gfx::execOp (this=0x5555557a67a0, cmd=0x7fffffffd360, args=0x7fffffffd380, numArgs=1) at Gfx.cc:880
#29110 0x00007ffff79e1a88 in Gfx::go (this=0x5555557a67a0, topLevel=false) at Gfx.cc:744
#29111 0x00007ffff79e180c in Gfx::display (this=0x5555557a67a0, obj=0x7fffffffd780, topLevel=false) at Gfx.cc:706
#29112 0x00007ffff79f454b in Gfx::doShowText (this=0x5555557a67a0, s=0x5555557af380) at Gfx.cc:3961
#29113 0x00007ffff79f326f in Gfx::opShowText (this=0x5555557a67a0, args=0x7fffffffd920, numArgs=1) at Gfx.cc:3756
#29114 0x00007ffff79e21f0 in Gfx::execOp (this=0x5555557a67a0, cmd=0x7fffffffd900, args=0x7fffffffd920, numArgs=1) at Gfx.cc:880
#29115 0x00007ffff79e1a88 in Gfx::go (this=0x5555557a67a0, topLevel=false) at Gfx.cc:744
#29116 0x00007ffff79e180c in Gfx::display (this=0x5555557a67a0, obj=0x7fffffffdd20, topLevel=false) at Gfx.cc:706
#29117 0x00007ffff79f454b in Gfx::doShowText (this=0x5555557a67a0, s=0x5555557ae150) at Gfx.cc:3961
#29118 0x00007ffff79f326f in Gfx::opShowText (this=0x5555557a67a0, args=0x7fffffffdec0, numArgs=1) at Gfx.cc:3756
#29119 0x00007ffff79e21f0 in Gfx::execOp (this=0x5555557a67a0, cmd=0x7fffffffdea0, args=0x7fffffffdec0, numArgs=1) at Gfx.cc:880
#29120 0x00007ffff79e1a88 in Gfx::go (this=0x5555557a67a0, topLevel=true) at Gfx.cc:744
#29121 0x00007ffff79e180c in Gfx::display (this=0x5555557a67a0, obj=0x7fffffffe210, topLevel=true) at Gfx.cc:706
#29122 0x00007ffff7a4a1a5 in Page::displaySlice (this=0x5555557a6560, out=0x5555557a01e0, hDPI=150, vDPI=150, rotate=0, useMediaBox=true, crop=false, sliceX=0, sliceY=0, sliceW=1240, sliceH=1755, printing=false, abortCheckCbk=0x0, abortCheckCbkData=0x0, annotDisplayDecideCbk=0x0, annotDisplayDecideCbkData=0x0, copyXRef=false) at Page.cc:560
#29123 0x00007ffff7a4e2c5 in PDFDoc::displayPageSlice (this=0x55555579eea0, out=0x5555557a01e0, page=1, hDPI=150, vDPI=150, rotate=0, useMediaBox=true, crop=false, printing=false, sliceX=0, sliceY=0, sliceW=1240, sliceH=1755, abortCheckCbk=0x0, abortCheckCbkData=0x0, annotDisplayDecideCbk=0x0, annotDisplayDecideCbkData=0x0, copyXRef=false) at PDFDoc.cc:522
#29124 0x0000555555556836 in savePageSlice (doc=0x55555579eea0, splashOut=0x5555557a01e0, pg=1, x=0, y=0, w=1240, h=1755, pg_w=1239.5833333333335, pg_h=1754.1666666666667, ppmFile=0x0) at pdftoppm.cc:282
#29125 0x0000555555557764 in main (argc=2, argv=0x7fffffffe598) at pdftoppm.cc:600
The point where the program crashes may vary.</pre>
</div>
</p>
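<p>Editor's added example (not poppler code and not part of the report above). The backtrace repeats one cycle, Gfx::display -> Gfx::go -> Gfx::execOp -> Gfx::opShowText -> Gfx::doShowText -> Gfx::display, across roughly 29000 frames before the fault in Object::streamGetChar. That shape is what a glyph procedure that shows text with its own font produces: unbounded re-entry that runs the stack into its guard page. Whether that is the actual root cause of this crash is an inference from the trace, not something the report establishes. The C program below models the cycle with constructed toy opcodes and shows the standard guard, a depth counter threaded through every re-entry, which is the same idea as the <code>recursion=</code> argument that Parser::getObj, XRef::fetch and Dict::lookup already carry in the trace. The opcode set, struct names, <code>MAX_DISPLAY_DEPTH</code> and both sample documents are assumptions made for the example.</p>

```c
#include <stddef.h>
#include <stdio.h>

/* Toy model of a content-stream interpreter that re-enters itself through
 * glyph procedures (cf. the Gfx::display -> ... -> Gfx::doShowText ->
 * Gfx::display cycle in the backtrace). Everything here is constructed for
 * the example; it is not poppler's data model. */

enum op_kind { OP_FILL, OP_SHOW };            /* OP_SHOW: show text via glyph proc */

struct op { enum op_kind kind; int glyph; };   /* glyph: index into doc.procs */

struct glyph_proc { const struct op *ops; size_t nops; };

struct doc { const struct glyph_proc *procs; size_t nprocs; };

typedef enum { DISPLAY_OK = 0, DISPLAY_BAD_GLYPH = -1, DISPLAY_TOO_DEEP = -2 } display_status;

#define MAX_DISPLAY_DEPTH 64   /* assumed bound; generous for legitimate nesting */

/* Unbounded variant, mirroring what the trace shows: a glyph procedure that
 * shows its own glyph recurses until the stack is exhausted and the process
 * dies with SIGSEGV. Kept only for comparison; never run it on untrusted input. */
display_status display_unbounded(const struct doc *d, int glyph, long *fills)
{
    if (glyph < 0 || (size_t)glyph >= d->nprocs)
        return DISPLAY_BAD_GLYPH;
    const struct glyph_proc *p = &d->procs[glyph];
    for (size_t i = 0; i < p->nops; i++) {
        if (p->ops[i].kind == OP_FILL) {
            (*fills)++;
        } else {
            display_status s = display_unbounded(d, p->ops[i].glyph, fills);
            if (s != DISPLAY_OK)
                return s;
        }
    }
    return DISPLAY_OK;
}

/* Hardened variant: the depth is passed through every re-entry and checked
 * before any work is done, so a self-referential document fails closed with
 * DISPLAY_TOO_DEEP instead of crashing. */
display_status display_bounded(const struct doc *d, int glyph, int depth, long *fills)
{
    if (depth > MAX_DISPLAY_DEPTH)
        return DISPLAY_TOO_DEEP;
    if (glyph < 0 || (size_t)glyph >= d->nprocs)
        return DISPLAY_BAD_GLYPH;
    const struct glyph_proc *p = &d->procs[glyph];
    for (size_t i = 0; i < p->nops; i++) {
        if (p->ops[i].kind == OP_FILL) {
            (*fills)++;
        } else {
            display_status s = display_bounded(d, p->ops[i].glyph, depth + 1, fills);
            if (s != DISPLAY_OK)
                return s;
        }
    }
    return DISPLAY_OK;
}

/* Constructed benign document: glyph 0 fills once and shows glyph 1, which
 * fills twice. Three fills in total, nesting depth 1. */
static const struct op g0_ops[] = { { OP_FILL, 0 }, { OP_SHOW, 1 } };
static const struct op g1_ops[] = { { OP_FILL, 0 }, { OP_FILL, 0 } };
static const struct glyph_proc benign_procs[] = { { g0_ops, 2 }, { g1_ops, 2 } };
static const struct doc benign_doc = { benign_procs, 2 };

/* Constructed malicious document: glyph 0's procedure shows glyph 0 again. */
static const struct op self_ops[] = { { OP_FILL, 0 }, { OP_SHOW, 0 } };
static const struct glyph_proc self_procs[] = { { self_ops, 2 } };
static const struct doc self_ref_doc = { self_procs, 1 };

display_status render_benign(long *fills)
{
    *fills = 0;
    return display_bounded(&benign_doc, 0, 0, fills);
}

display_status render_self_referential(long *fills)
{
    *fills = 0;
    return display_bounded(&self_ref_doc, 0, 0, fills);
}

/* One-value helpers: benign renders fully; the cycle is cut after the
 * depth-0..MAX_DISPLAY_DEPTH frames each did one fill. */
int benign_ok(void)
{
    long f;
    return render_benign(&f) == DISPLAY_OK && f == 3;
}

int self_ref_rejected(void)
{
    long f;
    return render_self_referential(&f) == DISPLAY_TOO_DEEP && f == MAX_DISPLAY_DEPTH + 1;
}

int main(void)
{
    long fills;
    display_status s = render_benign(&fills);
    printf("benign: status %d, %ld fills\n", s, fills);
    s = render_self_referential(&fills);
    printf("self-referential: status %d after %ld fills\n", s, fills);
    /* display_unbounded(&self_ref_doc, 0, &fills) would SIGSEGV here. */
    return 0;
}
```

<p>The check sits at the top of the re-entrant function rather than at the call site, so every path into it is covered; and it fails closed with a status the caller can report instead of aborting the whole render. When triaging a crash like the one above, a backtrace of tens of thousands of frames in a repeating cycle points at stack exhaustion, which is a different fix (and usually a different severity) from an out-of-bounds write at the faulting instruction, so the distinction is worth confirming before labelling it memory corruption.</p>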
</body>
</html>