<html>
    <head>
      <base href="https://bugs.freedesktop.org/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link bz_status_NEW" title="NEW - Floating point exception vulnerability in poppler 0.59.0 Splash.cc Splash::scaleImageYuXu()" href="https://bugs.freedesktop.org/show_bug.cgi?id=102689">102689</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>Floating point exception vulnerability in poppler 0.59.0 Splash.cc Splash::scaleImageYuXu()
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>poppler
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>unspecified
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Linux (All)
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>major
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>medium
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>general
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>poppler-bugs@lists.freedesktop.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>etovio@gmail.com
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Created <span class=""><a href="attachment.cgi?id=134187" name="attach_134187" title="POC file of the vulnerability">attachment 134187</a> <a href="attachment.cgi?id=134187&action=edit" title="POC file of the vulnerability">[details]</a></span>
POC file of the vulnerability

A floating point exception vulnerability was found in poppler 0.59.0 Splash.cc
Splash::scaleImageYuXu() which may lead to a potential attack when handling
malicious PDF files:

gzq@ubuntu:~/work/vul/poppler$ /home/gzq/install/poppler-dev/bin/pdftohtml -q
-s ./mal-Splash-cc-4745-4-SIGFPE.pdf a
Floating point exception
gzq@ubuntu:~/work/vul/poppler$ gdb -q
/home/gzq/install/poppler-dev/bin/pdftohtml
Reading symbols from /home/gzq/install/poppler-dev/bin/pdftohtml...done.
(gdb) r -q -s ./mal-Splash-cc-4745-4-SIGFPE.pdf a
Starting program: /home/gzq/install/poppler-dev/bin/pdftohtml -q -s
./mal-Splash-cc-4745-4-SIGFPE.pdf a
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGFPE, Arithmetic exception.
0x000000000064c51e in Splash::scaleImageYuXu (this=<optimized out>,
src=0x429700 <SplashOutputDev::imageSrc(void*, unsigned char*, unsigned
char*)>, srcData=0x7fffffffd270, srcMode=splashModeMono8, nComps=1,
srcAlpha=false, srcWidth=10, srcHeight=0, scaledWidth=12631, 
    scaledHeight=76, dest=0x3157) at Splash.cc:4745
4745      yq = scaledHeight % srcHeight;
(gdb) bt
#0  0x000000000064c51e in Splash::scaleImageYuXu (this=<optimized out>,
src=0x429700 <SplashOutputDev::imageSrc(void*, unsigned char*, unsigned
char*)>, srcData=0x7fffffffd270, srcMode=splashModeMono8, nComps=1,
srcAlpha=false, srcWidth=10, srcHeight=0, 
    scaledWidth=12631, scaledHeight=76, dest=0x3157) at Splash.cc:4745
#1  0x000000000063e753 in Splash::scaleImage (this=<optimized out>,
src=<optimized out>, srcData=<optimized out>, srcMode=<optimized out>,
nComps=<optimized out>, srcAlpha=<optimized out>, srcWidth=10,
srcHeight=<optimized out>, scaledWidth=<optimized out>, 
    scaledHeight=76, interpolate=<optimized out>, tilingPattern=<optimized
out>) at Splash.cc:4173
#2  0x000000000063dede in Splash::drawImage (this=<optimized out>,
src=<optimized out>, tf=<optimized out>, srcData=<optimized out>,
srcMode=<optimized out>, srcAlpha=<optimized out>, w=<optimized out>,
h=<optimized out>, mat=<optimized out>, 
    interpolate=<optimized out>, tilingPattern=<optimized out>) at
Splash.cc:3801
#3  0x000000000042fce4 in SplashOutputDev::drawSoftMaskedImage (this=<optimized
out>, state=<optimized out>, ref=<optimized out>, str=<optimized out>,
width=<optimized out>, height=<optimized out>, colorMap=<optimized out>,
interpolate=<optimized out>, 
    maskStr=<optimized out>, maskWidth=<optimized out>, maskHeight=<optimized
out>, maskColorMap=<optimized out>, maskInterpolate=<optimized out>) at
SplashOutputDev.cc:4054
#4  0x00000000004d36e3 in Gfx::doImage (this=<optimized out>, ref=<optimized
out>, str=<optimized out>, inlineImg=<optimized out>) at Gfx.cc:4553
#5  0x00000000004a6700 in Gfx::opXObject (this=0x9e6ac0, args=<optimized out>,
numArgs=<optimized out>) at Gfx.cc:4130
#6  0x00000000004bf976 in Gfx::execOp (this=<optimized out>, cmd=<optimized
out>, args=<optimized out>, numArgs=<optimized out>) at Gfx.cc:880
#7  0x00000000004be5f1 in Gfx::go (this=<optimized out>, topLevel=<optimized
out>) at Gfx.cc:744
#8  0x00000000004bde55 in Gfx::display (this=<optimized out>, obj=<optimized
out>, topLevel=<optimized out>) at Gfx.cc:706
#9  0x0000000000567465 in Page::displaySlice (this=0x9e29d0, out=0x9e4590,
hDPI=<optimized out>, vDPI=<optimized out>, rotate=<optimized out>,
useMediaBox=<optimized out>, crop=<optimized out>, sliceX=<optimized out>,
sliceY=<optimized out>, sliceW=<optimized out>, 
    sliceH=<optimized out>, printing=<optimized out>, abortCheckCbk=<optimized
out>, abortCheckCbkData=<optimized out>, annotDisplayDecideCbk=<optimized out>,
annotDisplayDecideCbkData=<optimized out>, copyXRef=<optimized out>) at
Page.cc:560
#10 0x000000000056719e in Page::display (this=0x0, out=0x429700
<SplashOutputDev::imageSrc(void*, unsigned char*, unsigned char*)>,
hDPI=7.9989999999999997, vDPI=0.999, rotate=0, useMediaBox=true, crop=false,
printing=false, abortCheckCbk=0x0, abortCheckCbkData=0x0, 
    annotDisplayDecideCbk=0x0, annotDisplayDecideCbkData=0x0,
copyXRef=<optimized out>) at Page.cc:481
#11 0x000000000056f0d0 in PDFDoc::displayPage (this=0x9dfe70, out=0x9e4590,
page=1, hDPI=<optimized out>, vDPI=<optimized out>, rotate=<optimized out>,
useMediaBox=true, crop=<optimized out>, printing=<optimized out>,
abortCheckCbk=<optimized out>, 
    abortCheckCbkData=<optimized out>, annotDisplayDecideCbk=<optimized out>,
annotDisplayDecideCbkData=<optimized out>, copyXRef=false) at PDFDoc.cc:485
#12 0x00000000004085cf in main (argc=<optimized out>, argv=<optimized out>) at
pdftohtml.cc:408
(gdb)</pre>
        </div>
      </p>
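<p>The fault at Splash.cc:4745 is an integer modulo by zero: srcHeight is 0 when scaleImageYuXu() evaluates yq = scaledHeight % srcHeight. The C++ below is an added example, not poppler's code, that models the Bresenham-style row scaling that yp/yq drive and shows the dimension check a caller needs before any of those divisions; all function names are assumptions.</p>

```cpp
#include <numeric>
#include <vector>

// Added example modelled on the report's description of Splash::scaleImageYuXu();
// this is not poppler's code. The scaler spreads scaledHeight across srcHeight
// source rows: each row is copied yp times, plus once more whenever the running
// remainder yq crosses srcHeight.

// Dimension check to apply before any of the divisions below. It returns false
// for the report's input (srcHeight == 0), which would otherwise raise SIGFPE
// at "yq = scaledHeight % srcHeight".
static bool scaleDimsValid(int srcWidth, int srcHeight, int scaledWidth, int scaledHeight) {
    return srcWidth > 0 && srcHeight > 0 && scaledWidth > 0 && scaledHeight > 0;
}

// Number of destination rows produced from each of the srcHeight source rows.
// Precondition: scaleDimsValid() returned true (in particular srcHeight > 0).
static std::vector<int> rowRepeatCounts(int srcHeight, int scaledHeight) {
    std::vector<int> steps;
    int yp = scaledHeight / srcHeight;   // safe only because srcHeight > 0
    int yq = scaledHeight % srcHeight;   // the expression that faulted in the report
    int yt = 0;
    for (int y = 0; y < srcHeight; ++y) {
        yt += yq;
        if (yt >= srcHeight) { yt -= srcHeight; steps.push_back(yp + 1); }
        else                 { steps.push_back(yp); }
    }
    return steps;
}

// Hardened entry point (hypothetical name): validate first, then plan the rows.
// Returns false and leaves *out empty instead of dividing by zero.
static bool planScaleY(int srcWidth, int srcHeight, int scaledWidth, int scaledHeight,
                       std::vector<int> *out) {
    out->clear();
    if (!scaleDimsValid(srcWidth, srcHeight, scaledWidth, scaledHeight)) return false;
    *out = rowRepeatCounts(srcHeight, scaledHeight);
    return true;
}

// Total rows emitted by a plan; equals scaledHeight for any valid input.
static int totalRows(const std::vector<int> &steps) {
    return std::accumulate(steps.begin(), steps.end(), 0);
}
```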


    </body>
</html>