Bug 102604

Created attachment 134067 [details]
POC file of the vulnerability

A NULL pointer dereference vulnerability was found in poppler SplashOutputDev.cc SplashOutputDev::type3D0() which may lead to potential Denial of Service attack when handling malicious PDF files:

gzq@ubuntu:~/work/vul/poppler$ /home/gzq/install/poppler-dev/bin/pdftohtml -s ./mal-SplashOutputDev-cc-2719-2-12.pdf a
Syntax Error: Invalid XRef entry
Internal Error: xref num 12 not found but needed, try to reconstruct<0a>
Syntax Error: Invalid XRef entry
Syntax Error (1967): Unknown operator '<fc>q'
Syntax Error (2046): Dictionary key must be a name object
Syntax Error (1994): Too few (3) args to 'cm' operator
Page-1
Syntax Error (1967): Unknown operator '<fc>q'
Syntax Error (2046): Dictionary key must be a name object
Segmentation fault

We can debug the vulnerable applications to learn about details:

gzq@ubuntu:~/work/vul/poppler$ gdb .//home/gzq/install/poppler-dev/bin/pdftohtml
GNU gdb (Ubuntu 7.11.90.20161005-0ubuntu2) 7.11.90.20161005-git
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
.//home/gzq/install/poppler-dev/bin/pdftohtml: No such file or directory.
(gdb) r -s ./mal-SplashOutputDev-cc-2719-2-12.pdf a
Starting program:  -s ./mal-SplashOutputDev-cc-2719-2-12.pdf a
No executable file specified.
Use the "file" or "exec-file" command.
(gdb) q
gzq@ubuntu:~/work/vul/poppler$ gdb /home/gzq/install/poppler-dev/bin/pdftohtml 
GNU gdb (Ubuntu 7.11.90.20161005-0ubuntu2) 7.11.90.20161005-git
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /home/gzq/install/poppler-dev/bin/pdftohtml...done.
(gdb) r -s ./mal-SplashOutputDev-cc-2719-2-12.pdf a
Starting program: /home/gzq/install/poppler-dev/bin/pdftohtml -s ./mal-SplashOutputDev-cc-2719-2-12.pdf a
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Syntax Error: Invalid XRef entry
Internal Error: xref num 12 not found but needed, try to reconstruct<0a>
Syntax Error: Invalid XRef entry
Syntax Error (1967): Unknown operator '<fc>q'
Syntax Error (2046): Dictionary key must be a name object
Syntax Error (1994): Too few (3) args to 'cm' operator
Page-1
Syntax Error (1967): Unknown operator '<fc>q'
Syntax Error (2046): Dictionary key must be a name object

Program received signal SIGSEGV, Segmentation fault.
0x00005555555b8a17 in SplashOutputDev::type3D0 (this=0x5555559a3f20, state=0x5555559b5b90, wx=200, wy=0) at SplashOutputDev.cc:2719
2719	  t3GlyphStack->haveDx = gTrue;
(gdb) bt
#0  0x00005555555b8a17 in SplashOutputDev::type3D0 (this=0x5555559a3f20, state=0x5555559b5b90, wx=200, wy=0) at SplashOutputDev.cc:2719
#1  0x00005555555fb041 in Gfx::go (this=this@entry=0x5555559a3720, topLevel=topLevel@entry=false) at Gfx.cc:744
#2  0x00005555555fb57f in Gfx::display (this=this@entry=0x5555559a3720, obj=obj@entry=0x7fffffffe230, topLevel=topLevel@entry=false) at Gfx.cc:706
#3  0x00005555555fb98a in Gfx::drawForm (this=0x5555559a3720, str=0x7fffffffe230, resDict=<optimized out>, matrix=<optimized out>, bbox=0x7fffffffe190, transpGroup=<optimized out>, softMask=false, blendingColorSpace=0x0, isolated=false, knockout=false, alpha=false, 
    transferFunc=0x0, backdropColor=0x0) at Gfx.cc:4807
#4  0x0000555555602c48 in Gfx::drawAnnot (this=this@entry=0x5555559a3720, str=str@entry=0x7fffffffe230, border=border@entry=0x0, aColor=0x0, xMin=<optimized out>, yMin=<optimized out>, xMax=<optimized out>, yMax=<optimized out>, rotate=<optimized out>) at Gfx.cc:5247
#5  0x00005555555ca630 in Annot::draw (this=0x5555559a3c40, gfx=0x5555559a3720, printing=<optimized out>) at Annot.cc:1831
#6  0x000055555563167c in Page::displaySlice (this=0x5555559a33e0, out=0x5555559a3f20, hDPI=<optimized out>, vDPI=<optimized out>, rotate=0, useMediaBox=<optimized out>, crop=<optimized out>, sliceX=sliceX@entry=-1, sliceY=-1, sliceW=-1, sliceH=-1, printing=false, 
    abortCheckCbk=0x0, abortCheckCbkData=0x0, annotDisplayDecideCbk=0x0, annotDisplayDecideCbkData=0x0, copyXRef=false) at Page.cc:580
#7  0x0000555555631878 in Page::display (this=<optimized out>, out=<optimized out>, hDPI=<optimized out>, vDPI=<optimized out>, rotate=<optimized out>, useMediaBox=<optimized out>, crop=<optimized out>, printing=<optimized out>, abortCheckCbk=0x0, 
    abortCheckCbkData=0x0, annotDisplayDecideCbk=0x0, annotDisplayDecideCbkData=0x0, copyXRef=false) at Page.cc:483
#8  0x00005555555b0586 in main (argc=<optimized out>, argv=<optimized out>) at pdftohtml.cc:410
(gdb) print t3GlyphStack
$1 = (T3GlyphStack *) 0x0

Here we can see the global variable T3GlyphStack is null which means it might not be initialized correctly when a malicious, crafted PDF file is being handled.

This vulnerability has been reproduced in both the latest stable release 0.59.0 and the latest code in the repository.

A pdf file has been attached to help to reproduce this vulnerability.