[poppler] A few vulnerabilitiess in libpoppler

Robert Święcki robert at swiecki.net
Thu Oct 21 03:09:40 PDT 2010 

Hi,

I was recently fuzzing libpoppler and found lots of crashes in it.
Some of them are of lesser importance, some look more serious. The
archive is here:

http://alt.swiecki.net/j/poppler_2010.10.20.tgz

I tested it with Ubuntu's pdftoppm from poppler-utils_0.12.4-0ubuntu5
package on a 64bit system.

There's so many of those crashes that I didn't bother with
investigating, hopping that you guys might have better familiarity
with the library internals and you'd be much faster in analyzing and
fixing those problems. Here's proof that some of those problems might
be quite easily exploitable.

 $ gdb /usr/bin/pdftoppm
(gdb) r SIGSEGV.PC.0x100000001.CODE.1.ADDR.0x100000001.INSTR.[NOT_MMAPED].pdf
>/dev/null  2>/dev/null

Program received signal SIGSEGV, Segmentation fault.
0x0000000100000001 in ?? ()   <-- looks kinda controllable to me

(gdb) bt
#0  0x0000000100000001 in ?? ()
#1  0x00007ffff660fcff in ?? () from /usr/lib/libjpeg.so.62
#2  0x00007ffff660f8af in jinit_master_decompress () from /usr/lib/libjpeg.so.62
#3  0x00007ffff660eb95 in jpeg_start_decompress () from /usr/lib/libjpeg.so.62
#4  0x00007ffff7a66f68 in DCTStream::reset() () from /usr/lib/libpoppler.so.5
#5  0x00007ffff7a62212 in SplashOutputDev::drawImage(GfxState*,
Object*, Stream*, int, int, GfxImageColorMap*, int, int*, int) () from
/usr/lib/libpoppler.so.5
#6  0x00007ffff7aabcc9 in Gfx::doImage(Object*, Stream*, int) () from
/usr/lib/libpoppler.so.5
#7  0x00007ffff7ab1e69 in Gfx::opXObject(Object*, int) () from
/usr/lib/libpoppler.so.5
#8  0x00007ffff7a9ffaf in Gfx::go(int) () from /usr/lib/libpoppler.so.5
#9  0x00007ffff7aa3244 in Gfx::display(Object*, int) () from
/usr/lib/libpoppler.so.5
#10 0x00007ffff7aa4e75 in Gfx::doForm1(Object*, Dict*, double*,
double*, int, int, GfxColorSpace*, int, int, int, Function*,
GfxColor*) () from /usr/lib/libpoppler.so.5
#11 0x00007ffff7ab1843 in Gfx::doForm(Object*) () from /usr/lib/libpoppler.so.5
#12 0x00007ffff7ab1ee3 in Gfx::opXObject(Object*, int) () from
/usr/lib/libpoppler.so.5
#13 0x00007ffff7a9ffaf in Gfx::go(int) () from /usr/lib/libpoppler.so.5
#14 0x00007ffff7aa3244 in Gfx::display(Object*, int) () from
/usr/lib/libpoppler.so.5


Another one

$ gdb /usr/bin/pdftoppm
(gdb) r SIGSEGV.PC.0x7ffff7a8b34c.CODE.1.ADDR.0x3fffffc7c.INSTR.mov_[rax+r12*4],_r14d.pdf
>/dev/null 2>/dev/null
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7a8b34c in CharCodeToUnicode::addMapping(unsigned int,
char*, int, int) () from /usr/lib/libpoppler.so.5
(gdb) x/i $pc
=> 0x7ffff7a8b34c <_ZN17CharCodeToUnicode10addMappingEjPcii+540>:       mov
 DWORD PTR [rax+r12*4],r14d
(gdb) p/x $rax+$r12*4
$1 = 0x3fffffc7c    <-- bogus, looks like user-controllable memory-write


List of files, the names should help with initial analysis:

SIGSEGV.PC.(nil).CODE.1.ADDR.(nil).INSTR.[NOT_MMAPED].pdf
SIGSEGV.PC.0x100000001.CODE.1.ADDR.0x100000001.INSTR.[NOT_MMAPED].pdf
SIGSEGV.PC.0x29b.CODE.1.ADDR.0x29b.INSTR.[NOT_MMAPED].pdf
SIGSEGV.PC.0x7fff00000001.CODE.1.ADDR.0x7fff00000001.INSTR.[NOT_MMAPED].pdf
SIGSEGV.PC.0x7ffff5e35f4d.CODE.1.ADDR.0x230000006f.INSTR.mov_rsi,_[rax+0x40].pdf
SIGSEGV.PC.0x7ffff5e63f68.CODE.1.ADDR.(nil).INSTR.add_word_[rbx],_0x1.pdf
SIGSEGV.PC.0x7ffff660e777.CODE.1.ADDR.(nil).INSTR.call_qword_near_[rax].pdf
SIGSEGV.PC.0x7ffff660fcf1.CODE.1.ADDR.(nil).INSTR.call_qword_near_[rax].pdf
SIGSEGV.PC.0x7ffff660fcfd.CODE.1.ADDR.0x200000002.INSTR.call_qword_near_[rax].pdf
SIGSEGV.PC.0x7ffff660fd87.CODE.1.ADDR.(nil).INSTR.rep_movsq_.pdf
SIGSEGV.PC.0x7ffff661186d.CODE.1.ADDR.0x1.INSTR.mov_[rax],_rcx.pdf
SIGSEGV.PC.0x7ffff66119ad.CODE.1.ADDR.0x112.INSTR.mov_[rdi],_dx.pdf
SIGSEGV.PC.0x7ffff6612fde.CODE.1.ADDR.0x10000000208.INSTR.mov_[r12+0x118],_rbx.pdf
SIGSEGV.PC.0x7ffff6612ffb.CODE.1.ADDR.0x1.INSTR.movzx_ebx,_byte_[rax+0x1].pdf
SIGSEGV.PC.0x7ffff661324e.CODE.1.ADDR.0x20000002a.INSTR.mov_dword_[rax+0x28],_0x9.pdf
SIGSEGV.PC.0x7ffff661bddd.CODE.128.ADDR.(nil).INSTR.call_qword_near_[rax+0x50].pdf
SIGSEGV.PC.0x7ffff661c930.CODE.128.ADDR.(nil).INSTR.mov_rbp,_[rsi+0x8].pdf
SIGSEGV.PC.0x7ffff661c989.CODE.1.ADDR.0x6730402c.INSTR.mov_ecx,_[rbp+0x2c].pdf
SIGSEGV.PC.0x7ffff661c9a0.CODE.128.ADDR.(nil).INSTR.call_qword_near_[rbp+0x48].pdf
SIGSEGV.PC.0x7ffff661c9e6.CODE.128.ADDR.(nil).INSTR.call_qword_near_[rbp+0x48].pdf
SIGSEGV.PC.0x7ffff6aa043a.CODE.1.ADDR.0x7fffff5fef38.INSTR.call_0x7ffff6ae3250.pdf
SIGSEGV.PC.0x7ffff6ac3a04.CODE.1.ADDR.0x100643ad5.INSTR.cmp_word_[rcx],_0x0.pdf
SIGSEGV.PC.0x7ffff6ad0c61.CODE.1.ADDR.0x7fffff5feff8.INSTR.push_rbp.pdf
SIGSEGV.PC.0x7ffff6ad2258.CODE.1.ADDR.0x146fffffff8.INSTR.mov_rbp,_[rdi-0x8].pdf
SIGSEGV.PC.0x7ffff6ad26bd.CODE.128.ADDR.(nil).INSTR.cmp_r12,_[r13+0x18].pdf
SIGSEGV.PC.0x7ffff6ad4828.CODE.128.ADDR.(nil).INSTR.mov_rax,_[r13+0x8].pdf
SIGSEGV.PC.0x7ffff6ad5f0f.CODE.128.ADDR.(nil).INSTR.mov_rax,_[r15+0x18].pdf
SIGSEGV.PC.0x7ffff6ad5f13.CODE.128.ADDR.(nil).INSTR.cmp_r15,_[rax+0x10].pdf
SIGSEGV.PC.0x7ffff6ad7520.CODE.1.ADDR.0x7fffff5feff8.INSTR.mov_[rsp-0x10],_r12.pdf
SIGSEGV.PC.0x7ffff7a630ba.CODE.1.ADDR.0x8.INSTR.mov_rbp,_[rax+0x8].pdf
SIGSEGV.PC.0x7ffff7a635f1.CODE.1.ADDR.0x10.INSTR.cmp_qword_[rax+0x10],_0x0.pdf
SIGSEGV.PC.0x7ffff7a672d9.CODE.1.ADDR.0x6a9e68c8.INSTR.add_rcx,_[r9+rax+0x30].pdf
SIGSEGV.PC.0x7ffff7a67576.CODE.1.ADDR.0x400c970fc.INSTR.mov_r10d,_[rax+r10*4].pdf
SIGSEGV.PC.0x7ffff7a67971.CODE.2.ADDR.0x7ffff4f5c008.INSTR.mov_[r14+r10*4],_eax.pdf
SIGSEGV.PC.0x7ffff7a67d06.CODE.1.ADDR.0x10.INSTR.mov_r13,_[rax+0x10].pdf
SIGSEGV.PC.0x7ffff7a6872c.CODE.1.ADDR.0x37006cc7f1.INSTR.mov_rax,_[rdi].pdf
SIGSEGV.PC.0x7ffff7a69bf0.CODE.1.ADDR.0x196071c778.INSTR.mov_rcx,_[rcx+0x68].pdf
SIGSEGV.PC.0x7ffff7a69c00.CODE.1.ADDR.0x13fb684a78.INSTR.mov_rbx,_[rax+0x48].pdf
SIGSEGV.PC.0x7ffff7a69c72.CODE.1.ADDR.0x10.INSTR.add_rbp,_[rbx+0x10].pdf
SIGSEGV.PC.0x7ffff7a69c76.CODE.1.ADDR.0x3006c1f95.INSTR.cmp_dword_[rbp+0x14],_0x0.pdf
SIGSEGV.PC.0x7ffff7a69cac.CODE.1.ADDR.0x1006ae195.INSTR.mov_eax,_[rbx].pdf
SIGSEGV.PC.0x7ffff7a69f4c.CODE.1.ADDR.0x1006adff7.INSTR.mov_dword_[rsi+rdx*8+0x20],_0x0.pdf
SIGSEGV.PC.0x7ffff7a6bcdf.CODE.1.ADDR.0x30.INSTR.mov_rsi,_[rax+0x30].pdf
SIGSEGV.PC.0x7ffff7a6bfa0.CODE.1.ADDR.0x30.INSTR.mov_rsi,_[rax+0x30].pdf
SIGSEGV.PC.0x7ffff7a8b34c.CODE.1.ADDR.0x3fffffc7c.INSTR.mov_[rax+r12*4],_r14d.pdf
SIGSEGV.PC.0x7ffff7a973e6.CODE.1.ADDR.0xfffffffc00652a10.INSTR.mov_rcx,_[r15+r9*8].pdf
SIGSEGV.PC.0x7ffff7a9f6e0.CODE.128.ADDR.(nil).INSTR.mov_rax,_[rax+0x8].pdf
SIGSEGV.PC.0x7ffff7aa60bd.CODE.1.ADDR.(nil).INSTR.mov_rax,_[rbp+0x0].pdf
SIGSEGV.PC.0x7ffff7ab0f59.CODE.1.ADDR.0x8.INSTR.cmp_dword_[rax+0x8],_0x1.pdf
SIGSEGV.PC.0x7ffff7abe497.CODE.128.ADDR.(nil).INSTR.call_qword_near_[rax+0x28].pdf
SIGSEGV.PC.0x7ffff7abe4c0.CODE.128.ADDR.(nil).INSTR.movzx_r9d,_byte_[rax].pdf
SIGSEGV.PC.0x7ffff7abe4e4.CODE.128.ADDR.(nil).INSTR.mov_rax,_[rdi].pdf
SIGSEGV.PC.0x7ffff7abfa60.CODE.128.ADDR.(nil).INSTR.call_qword_near_[rax+0x8].pdf
SIGSEGV.PC.0x7ffff7ad2f07.CODE.1.ADDR.0x100a1aae5.INSTR.mov_rax,_[rdi].pdf
SIGSEGV.PC.0x7ffff7ad2f41.CODE.1.ADDR.0x1b000800a1.INSTR.mov_eax,_[rdi+0x20].pdf
SIGSEGV.PC.0x7ffff7ae07c0.CODE.1.ADDR.0x7fffff5feff8.INSTR.call_qword_near_[rax+0x28].pdf
SIGSEGV.PC.0x7ffff7af22c7.CODE.128.ADDR.(nil).INSTR.mov_rax,_[rax+0x20].pdf
SIGSEGV.PC.0x7ffff7af23a6.CODE.1.ADDR.0x6feb3828.INSTR.call_qword_near_[rax+0x28].pdf
SIGSEGV.PC.0x7ffff7af2936.CODE.1.ADDR.(nil).INSTR.mov_rax,_[rdi].pdf
SIGSEGV.PC.0x7ffff7b24be5.CODE.1.ADDR.0x18.INSTR.mov_edx,_[rsi+0x18].pdf
SIGSEGV.PC.0x7ffff7b356c8.CODE.1.ADDR.(nil).INSTR.movzx_ebx,_byte_[rsi].pdf
SIGSEGV.PC.0x7ffff7b408a9.CODE.1.ADDR.0x7ffff4fb5ad1.INSTR.movzx_r12d,_byte_[rax].pdf
SIGSEGV.PC.0x7ffff7b40fbf.CODE.128.ADDR.(nil).INSTR.mov_[rax],_dl.pdf
SIGSEGV.PC.0xf7e7d7.CODE.1.ADDR.0xf7e7d7.INSTR.[NOT_MMAPED].pdf

-- 
Robert Święcki

More information about the poppler mailing list