| Summary: | Uninitialized memory read in GfxState.cc:4041 | ||
|---|---|---|---|
| Product: | poppler | Reporter: | foca <foca> |
| Component: | general | Assignee: | poppler-bugs <poppler-bugs> |
| Status: | RESOLVED MOVED | QA Contact: | |
| Severity: | normal | ||
| Priority: | medium | ||
| Version: | unspecified | ||
| Hardware: | Other | ||
| OS: | All | ||
| Whiteboard: | |||
| i915 platform: | i915 features: | ||
| Attachments: | Proof of concept | ||
-- GitLab Migration Automatic Message -- This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity. You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/fontconfig/fontconfig/issues/103 Sorry, wrong bug: I typoed this! -- GitLab Migration Automatic Message -- This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity. You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/poppler/poppler/issues/192. |
Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.
Created attachment 132067 [details] Proof of concept There is a uninitialized memory read that leads to a Denial of Service. The PoC crashes in the following line: Program received signal SIGSEGV, Segmentation fault. 0x0000000000436480 in Function::getOutputSize (this=0x2f502f2052203020) at Function.h:77 77 int getOutputSize() { return n; } Just before call the function, GfxUnivariateShading::getColor at GfxState.cc:4041 4041 nComps = nFuncs * funcs[0]->getOutputSize(); The variable funcs is an array of nFuncs elements. But in the PoC the number of elements, nFuncs is 0, but still the code is accessing the first element, funcs[0], using uninitialized memory data. The program is expecting to get a pointer with funcs[0] and it crashes when it dereferences an invalid pointer. The fix would be to check if there is at least one element before accessing the first one: 4041 if (nFuncs >= 1) 4042 nComps = nFuncs * funcs[0]->getOutputSize(); PoC is attached. This vulnerability has been found by Offensive Research at Salesforce.com: Alberto Garcia (@algillera), Francisco Oca (@francisco_oca) & Suleman Ali (@Salbei_)