<html>
<head>
<base href="https://bugs.freedesktop.org/">
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - Floating point exception vulnerability in poppler 0.59.0 Stream.cc ImageStream::ImageStream()"
href="https://bugs.freedesktop.org/show_bug.cgi?id=102854">102854</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>Floating point exception vulnerability in poppler 0.59.0 Stream.cc ImageStream::ImageStream()
</td>
</tr>
<tr>
<th>Product</th>
<td>poppler
</td>
</tr>
<tr>
<th>Version</th>
<td>unspecified
</td>
</tr>
<tr>
<th>Hardware</th>
<td>All
</td>
</tr>
<tr>
<th>OS</th>
<td>Linux (All)
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>major
</td>
</tr>
<tr>
<th>Priority</th>
<td>medium
</td>
</tr>
<tr>
<th>Component</th>
<td>general
</td>
</tr>
<tr>
<th>Assignee</th>
<td>poppler-bugs@lists.freedesktop.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>etovio@gmail.com
</td>
</tr></table>
<p>
<div>
<pre>Created <span class=""><a href="attachment.cgi?id=134331" name="attach_134331" title="POC file of the vulnerability">attachment 134331</a></span>
POC file of the vulnerability
A floating point exception vulnerability was found in poppler 0.59.0 Stream.cc
ImageStream::ImageStream() which may lead to a potential attack when handling
malicious PDF files:
gzq@ubuntu:~$ /home/gzq/install/poppler-dev/bin/pdftohtml -q -s
/home/gzq/work/vul/poppler/mal-Stream-cc-457-4-47.pdf /dev/null
Bogus memory allocation size
Floating point exception
gzq@ubuntu:~$ gdb -q /home/gzq/install/poppler-dev/bin/pdftohtml
Reading symbols from /home/gzq/install/poppler-dev/bin/pdftohtml...done.
(gdb) r -q -s /home/gzq/work/vul/poppler/mal-Stream-cc-457-4-47.pdf /dev/null
Starting program: /home/gzq/install/poppler-dev/bin/pdftohtml -q -s
/home/gzq/work/vul/poppler/mal-Stream-cc-457-4-47.pdf /dev/null
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Bogus memory allocation size
Program received signal SIGFPE, Arithmetic exception.
0x00000000005980d3 in ImageStream::ImageStream (this=0xa27b60, strA=<optimized
out>, widthA=<optimized out>, nCompsA=<optimized out>, nBitsA=3) at
Stream.cc:457
457 if (width > INT_MAX / nComps) {
(gdb) bt
#0 0x00000000005980d3 in ImageStream::ImageStream (this=0xa27b60,
strA=<optimized out>, widthA=<optimized out>, nCompsA=<optimized out>,
nBitsA=3) at Stream.cc:457
#1 0x0000000000432865 in SplashOutputDev::drawSoftMaskedImage (this=<optimized
out>, state=<optimized out>, ref=<optimized out>, str=<optimized out>,
width=<optimized out>, height=<optimized out>, colorMap=<optimized out>,
interpolate=<optimized out>,
maskStr=<optimized out>, maskWidth=<optimized out>, maskHeight=<optimized
out>, maskColorMap=<optimized out>, maskInterpolate=<optimized out>) at
SplashOutputDev.cc:4073
#2 0x00000000004dd8fa in Gfx::doImage (this=<optimized out>, ref=<optimized
out>, str=<optimized out>, inlineImg=<optimized out>) at Gfx.cc:4574
#3 0x00000000004af1eb in Gfx::opXObject (this=0xa02a80, args=<optimized out>,
numArgs=<optimized out>) at Gfx.cc:4151
#4 0x00000000004c9127 in Gfx::execOp (this=<optimized out>, cmd=<optimized
out>, args=<optimized out>, numArgs=<optimized out>) at Gfx.cc:880
#5 0x00000000004c7d8e in Gfx::go (this=<optimized out>, topLevel=<optimized
out>) at Gfx.cc:744
#6 0x00000000004c75d3 in Gfx::display (this=<optimized out>, obj=<optimized
out>, topLevel=<optimized out>) at Gfx.cc:706
#7 0x0000000000577ad9 in Page::displaySlice (this=0xa02060, out=0xa00190,
hDPI=<optimized out>, vDPI=<optimized out>, rotate=<optimized out>,
useMediaBox=<optimized out>, crop=<optimized out>, sliceX=<optimized out>,
sliceY=<optimized out>, sliceW=<optimized out>,
sliceH=<optimized out>, printing=<optimized out>, abortCheckCbk=<optimized
out>, abortCheckCbkData=<optimized out>, annotDisplayDecideCbk=<optimized out>,
annotDisplayDecideCbkData=<optimized out>, copyXRef=<optimized out>) at
Page.cc:560
#8 0x00000000005777ec in Page::display (this=0x2, out=0x0, hDPI=0, vDPI=-0,
rotate=0, useMediaBox=true, crop=false, printing=false, abortCheckCbk=0x0,
abortCheckCbkData=0x0, annotDisplayDecideCbk=0x0,
annotDisplayDecideCbkData=0x0, copyXRef=<optimized out>)
at Page.cc:481
#9 0x000000000057fb6e in PDFDoc::displayPage (this=0x9feeb0, out=0xa00190,
page=1, hDPI=<optimized out>, vDPI=<optimized out>, rotate=<optimized out>,
useMediaBox=true, crop=<optimized out>, printing=<optimized out>,
abortCheckCbk=<optimized out>,
abortCheckCbkData=<optimized out>, annotDisplayDecideCbk=<optimized out>,
annotDisplayDecideCbkData=<optimized out>, copyXRef=false) at PDFDoc.cc:485
#10 0x000000000040879f in main (argc=<optimized out>, argv=<optimized out>) at
pdftohtml.cc:408
(gdb) print nComps
$1 = 0</pre>
</div>
</p>
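<p>Added example, not part of the original report and not poppler's code: the guard at Stream.cc:457 divides by nComps before nComps is known to be non-zero, and on x86 an integer division by zero is delivered as SIGFPE. The helper name checked_line_size and its return convention are hypothetical; the sample inputs are constructed, with the first reusing nComps=0 and nBits=3 from the gdb session.</p>

```cpp
#include <climits>
#include <cstdio>

// Hypothetical helper (not poppler's API): returns the byte size of one
// image row, or -1 when the parameters cannot describe a valid row.
// The guard shown in the report, `width > INT_MAX / nComps`, is an
// overflow check that is only safe once nComps is known to be positive,
// so every value later used as a divisor is validated first.
int checked_line_size(int width, int nComps, int nBits) {
    // Reject zero or negative values before any of them is a divisor.
    if (width <= 0 || nComps <= 0 || nBits <= 0) {
        return -1;
    }
    // width * nComps must fit in int; same comparison as Stream.cc:457,
    // but reached only with nComps >= 1.
    if (width > INT_MAX / nComps) {
        return -1;
    }
    int nVals = width * nComps;
    // nVals * nBits + 7 must also fit in int.
    if (nVals > (INT_MAX - 7) / nBits) {
        return -1;
    }
    return (nVals * nBits + 7) >> 3;  // bits rounded up to whole bytes
}

int main() {
    // Constructed sample inputs: {width, nComps, nBits}.
    const int cases[][3] = {
        {64, 0, 3},        // nComps = 0, nBits = 3 as in the gdb session
        {64, 3, 8},        // ordinary 8-bit RGB row
        {INT_MAX, 2, 8},   // width * nComps would overflow
        {1 << 28, 1, 8},   // nVals * nBits would overflow
    };
    for (const auto &c : cases) {
        std::printf("width=%d nComps=%d nBits=%d -> %d\n",
                    c[0], c[1], c[2],
                    checked_line_size(c[0], c[1], c[2]));
    }
    return 0;
}
```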
</body>
</html>