[poppler] A few vulnerabilities in libpoppler

mpsuzuki at hiroshima-u.ac.jp mpsuzuki at hiroshima-u.ac.jp
Thu Oct 21 16:19:25 PDT 2010


Dear Robert,

On Thu, 21 Oct 2010 14:02:05 +0200
<robert at swiecki.net> wrote:

>On Thu, Oct 21, 2010 at 12:53 PM,  <mpsuzuki at hiroshima-u.ac.jp> wrote:
>> On Thu, 21 Oct 2010 12:09:40 +0200
>> <robert at swiecki.net> wrote:
>>>http://alt.swiecki.net/j/poppler_2010.10.20.tgz
>>>
>>>I tested it with Ubuntu's pdftoppm from poppler-utils_0.12.4-0ubuntu5
>>>package on a 64bit system.
>> But poppler-0.12.4 might be slightly
>> too old to ask for poppler maintainers' efforts. I will
>> check your samples by the latest revision on git, on
>> GNU/Linux on amd64.
>
>Ah.. ok, sure, I'll clone the latest repo and give it another round of
>testing sometime soon.

I've just finished running your 64 PDFs on my amd64 (sorry for
the slow response, my amd64 is an Intel Atom) with the latest revision
on GIT (0.15.1, c64a49307782299cb7a950a66419f9d59707f38b).
16 PDFs made pdftoppm crash. My test was something like:

for f in *.pdf
do
  b=$(basename "$f" .pdf)
  valgrind --log-file="${b}.log" \
    pdftoppm "$f" /dev/null \
    2>"${b}.stderr" 1>"${b}.stdout"
done

By grepping the valgrind log files for the keyword "signal 11",
the following PDFs reproduced a SEGV crash on my machine. I will
check them. If you find more SEGVs, please let me know.

SIGSEGV.PC.0x29b.CODE.1.ADDR.0x29b.INSTR.[NOT_MMAPED].pdf
SIGSEGV.PC.0x7ffff6aa043a.CODE.1.ADDR.0x7fffff5fef38.INSTR.call_0x7ffff6ae3250.pdf
SIGSEGV.PC.0x7ffff6ac3a04.CODE.1.ADDR.0x100643ad5.INSTR.cmp_word_[rcx],_0x0.pdf
SIGSEGV.PC.0x7ffff6ad0c61.CODE.1.ADDR.0x7fffff5feff8.INSTR.push_rbp.pdf
SIGSEGV.PC.0x7ffff6ad7520.CODE.1.ADDR.0x7fffff5feff8.INSTR.mov_[rsp-0x10],_r12.pdf
SIGSEGV.PC.0x7ffff7a6872c.CODE.1.ADDR.0x37006cc7f1.INSTR.mov_rax,_[rdi].pdf
SIGSEGV.PC.0x7ffff7a69c00.CODE.1.ADDR.0x13fb684a78.INSTR.mov_rbx,_[rax+0x48].pdf
SIGSEGV.PC.0x7ffff7a69cac.CODE.1.ADDR.0x1006ae195.INSTR.mov_eax,_[rbx].pdf
SIGSEGV.PC.0x7ffff7a69f4c.CODE.1.ADDR.0x1006adff7.INSTR.mov_dword_[rsi+rdx*8+0x20],_0x0.pdf
SIGSEGV.PC.0x7ffff7a6bcdf.CODE.1.ADDR.0x30.INSTR.mov_rsi,_[rax+0x30].pdf
SIGSEGV.PC.0x7ffff7a6bfa0.CODE.1.ADDR.0x30.INSTR.mov_rsi,_[rax+0x30].pdf
SIGSEGV.PC.0x7ffff7a8b34c.CODE.1.ADDR.0x3fffffc7c.INSTR.mov_[rax+r12*4],_r14d.pdf
SIGSEGV.PC.0x7ffff7ad2f07.CODE.1.ADDR.0x100a1aae5.INSTR.mov_rax,_[rdi].pdf
SIGSEGV.PC.0x7ffff7ad2f41.CODE.1.ADDR.0x1b000800a1.INSTR.mov_eax,_[rdi+0x20].pdf
SIGSEGV.PC.0x7ffff7ae07c0.CODE.1.ADDR.0x7fffff5feff8.INSTR.call_qword_near_[rax+0x28].pdf
SIGSEGV.PC.0x7ffff7b356c8.CODE.1.ADDR.(nil).INSTR.movzx_ebx,_byte_[rsi].pdf

I uploaded all log files (stdout, stderr, valgrind log) together with
the tested binary at:

http://home.hiroshima-u.ac.jp/~mpsuzuki/test-def_mps20101022a.tar.rz

Regards,
mpsuzuki
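The valgrind loop above, carried one step further as an added example (not code from the mail or from poppler): it runs a PDF corpus, then buckets the crashing inputs by the innermost frame of the SIGSEGV stack, so that a pile of crash files reduces to a short list of distinct bugs. The GNU `timeout` command, valgrind's "Process terminating with default action of signal 11" report layout and the placeholder frame names in the demo log are assumptions.

```shell
#!/bin/sh
# Added example, not from the mail or poppler: extends the valgrind loop into a
# triage pass that buckets crashing PDFs by the innermost frame of the SIGSEGV
# stack. Assumes GNU timeout and valgrind's "signal 11" report format.

# run_corpus <pdfdir> <logdir>: one valgrind log, stdout and stderr per PDF;
# the timeout catches inputs that hang the renderer instead of crashing it.
run_corpus() {
  mkdir -p "$2"
  for f in "$1"/*.pdf; do
    b=$(basename "$f" .pdf)
    timeout 300 valgrind --log-file="$2/$b.log" \
      pdftoppm "$f" /dev/null >"$2/$b.stdout" 2>"$2/$b.stderr"
  done
}

# classify_log <log>: SEGV if the valgrind log records signal 11, else ok.
classify_log() {
  if grep -q 'signal 11' "$1"; then echo SEGV; else echo ok; fi
}

# crash_frame <log>: innermost "at 0x...: frame" after the signal-11 line,
# with the address stripped, or "unknown" if the log has none.
crash_frame() {
  awk '/signal 11/ { seen = 1 }
    seen && /^==[0-9]+== +at 0x[0-9A-Fa-f]+: / {
      sub(/^==[0-9]+== +at 0x[0-9A-Fa-f]+: /, ""); print; found = 1; exit }
    END { if (!found) print "unknown" }' "$1"
}

# summarise <logdir>: "file<TAB>frame" per crashing PDF, then a count per
# frame, which is the short list of distinct bugs worth inspecting by hand.
summarise() {
  for log in "$1"/*.log; do
    [ "$(classify_log "$log")" = SEGV ] || continue
    printf '%s\t%s\n' "$(basename "$log" .log).pdf" "$(crash_frame "$log")"
  done | awk -F '\t' '{ print; n[$2]++ }
    END { for (k in n) printf "%d crash(es) in %s\n", n[k], k }'
}
# demo: exercises the parsing on a constructed log with placeholder frame
# names, so it runs without valgrind or pdftoppm installed.
demo() {
  d=$(mktemp -d)
  printf '%s\n' '==4242== Process terminating with default action of signal 11 (SIGSEGV)' \
    '==4242==  Access not within mapped region at address 0x29B' \
    '==4242==    at 0x4E9A43A: crashing_function(Object*) (File.cc:42)' >"$d/sample.log"
  summarise "$d"
  rm -r "$d"
}
demo
```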

