Summary: | poppler 0.54.0: memory leak in gmalloc | ||
---|---|---|---|
Product: | poppler | Reporter: | bestshow <haojunhou> |
Component: | utils | Assignee: | poppler-bugs <poppler-bugs> |
Status: | RESOLVED FIXED | QA Contact: | |
Severity: | critical | ||
Priority: | medium | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux (All) | ||
Whiteboard: | |||
i915 platform: | i915 features: | ||
Attachments: | testcase |
Fixed, thanks for the report :) |
Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.
Created attachment 131002 [details] testcase on poppler 0.54.0 The gmalloc function in gmem.cc:110 which allows attackers to cause a denial of service (memory leak) via a crafted file. #pdfinfo $FILE ================================================================= ==39456==ERROR: LeakSanitizer: detected memory leaks Direct leak of 9 byte(s) in 1 object(s) allocated from: #0 0x7f41c4bd3b58 in __interceptor_malloc ../../../../libsanitizer/asan/asan_malloc_linux.cc:62 #1 0x59ca1f in gmalloc /home/haojun/Downloads/testopensourcecode/poppler/goo/gmem.cc:110 #2 0x59cab5 in gmalloc /home/haojun/Downloads/testopensourcecode/poppler/goo/gmem.cc:120 #3 0x59cf90 in copyString /home/haojun/Downloads/testopensourcecode/poppler/goo/gmem.cc:316 #4 0x516ef8 in Object::initCmd(char*) /home/haojun/Downloads/testopensourcecode/poppler/poppler/Object.h:152 #5 0x5169ee in Lexer::getObj(Object*, int) /home/haojun/Downloads/testopensourcecode/poppler/poppler/Lexer.cc:576 #6 0x52b76f in Parser::Parser(XRef*, Lexer*, bool) /home/haojun/Downloads/testopensourcecode/poppler/poppler/Parser.cc:53 #7 0x5861c7 in XRef::parseEntry(long long, XRefEntry*) /home/haojun/Downloads/testopensourcecode/poppler/poppler/XRef.cc:1606 #8 0x586eef in XRef::getEntry(int, bool) /home/haojun/Downloads/testopensourcecode/poppler/poppler/XRef.cc:1681 #9 0x5821de in XRef::fetch(int, int, Object*, int) /home/haojun/Downloads/testopensourcecode/poppler/poppler/XRef.cc:1167 #10 0x581e91 in XRef::getCatalog(Object*) /home/haojun/Downloads/testopensourcecode/poppler/poppler/XRef.cc:1147 #11 0x44e595 in Catalog::Catalog(PDFDoc*) /home/haojun/Downloads/testopensourcecode/poppler/poppler/Catalog.cc:110 #12 0x52e4a1 in PDFDoc::setup(GooString*, GooString*) /home/haojun/Downloads/testopensourcecode/poppler/poppler/PDFDoc.cc:285 #13 0x52db6c in PDFDoc::PDFDoc(GooString*, GooString*, GooString*, void*) /home/haojun/Downloads/testopensourcecode/poppler/poppler/PDFDoc.cc:169 #14 0x65191e in LocalPDFDocBuilder::buildPDFDoc(GooString const&, GooString*, GooString*, void*) /home/haojun/Downloads/testopensourcecode/poppler/poppler/LocalPDFDocBuilder.cc:31 #15 0x53fd5e in PDFDocFactory::createPDFDoc(GooString const&, GooString*, GooString*, void*) /home/haojun/Downloads/testopensourcecode/poppler/poppler/PDFDocFactory.cc:58 #16 0x4079c9 in main /home/haojun/Downloads/testopensourcecode/poppler/utils/pdfinfo.cc:538 #17 0x7f41c2ecfb34 in __libc_start_main (/lib64/libc.so.6+0x21b34) Direct leak of 9 byte(s) in 1 object(s) allocated from: #0 0x7f41c4bd3b58 in __interceptor_malloc ../../../../libsanitizer/asan/asan_malloc_linux.cc:62 #1 0x59ca1f in gmalloc /home/haojun/Downloads/testopensourcecode/poppler/goo/gmem.cc:110 #2 0x59cab5 in gmalloc /home/haojun/Downloads/testopensourcecode/poppler/goo/gmem.cc:120 #3 0x59cf90 in copyString /home/haojun/Downloads/testopensourcecode/poppler/goo/gmem.cc:316 #4 0x516ef8 in Object::initCmd(char*) /home/haojun/Downloads/testopensourcecode/poppler/poppler/Object.h:152 #5 0x5169ee in Lexer::getObj(Object*, int) /home/haojun/Downloads/testopensourcecode/poppler/poppler/Lexer.cc:576 #6 0x52b76f in Parser::Parser(XRef*, Lexer*, bool) /home/haojun/Downloads/testopensourcecode/poppler/poppler/Parser.cc:53 #7 0x5861c7 in XRef::parseEntry(long long, XRefEntry*) /home/haojun/Downloads/testopensourcecode/poppler/poppler/XRef.cc:1606 #8 0x586eef in XRef::getEntry(int, bool) /home/haojun/Downloads/testopensourcecode/poppler/poppler/XRef.cc:1681 #9 0x5821de in XRef::fetch(int, int, Object*, int) /home/haojun/Downloads/testopensourcecode/poppler/poppler/XRef.cc:1167 #10 0x582f44 in XRef::fetch(int, int, Object*, int) /home/haojun/Downloads/testopensourcecode/poppler/poppler/XRef.cc:1278 #11 0x581e91 in XRef::getCatalog(Object*) /home/haojun/Downloads/testopensourcecode/poppler/poppler/XRef.cc:1147 #12 0x44e595 in Catalog::Catalog(PDFDoc*) /home/haojun/Downloads/testopensourcecode/poppler/poppler/Catalog.cc:110 #13 0x52e4a1 in PDFDoc::setup(GooString*, GooString*) /home/haojun/Downloads/testopensourcecode/poppler/poppler/PDFDoc.cc:285 #14 0x52db6c in PDFDoc::PDFDoc(GooString*, GooString*, GooString*, void*) /home/haojun/Downloads/testopensourcecode/poppler/poppler/PDFDoc.cc:169 #15 0x65191e in LocalPDFDocBuilder::buildPDFDoc(GooString const&, GooString*, GooString*, void*) /home/haojun/Downloads/testopensourcecode/poppler/poppler/LocalPDFDocBuilder.cc:31 #16 0x53fd5e in PDFDocFactory::createPDFDoc(GooString const&, GooString*, GooString*, void*) /home/haojun/Downloads/testopensourcecode/poppler/poppler/PDFDocFactory.cc:58 #17 0x4079c9 in main /home/haojun/Downloads/testopensourcecode/poppler/utils/pdfinfo.cc:538 #18 0x7f41c2ecfb34 in __libc_start_main (/lib64/libc.so.6+0x21b34) SUMMARY: AddressSanitizer: 18 byte(s) leaked in 2 allocation(s). The $FILE poc in the attachment. Credit:The bug was discovered by Haojun Hou in ADLab of Venustech.