Bug 102688

Summary: Floating point exception vulnerability in poppler 0.59.0 Splash.cc isImageInterpolationRequired()
Product: poppler Reporter: Ziqiang Gu <etovio>
Component: general    Assignee: poppler-bugs <poppler-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: major    
Priority: medium    
Version: unspecified   
Hardware: All   
OS: Linux (All)   
Attachments: POC file of the vulnerability

Description Ziqiang Gu 2017-09-13 02:34:31 UTC
Created attachment 134186
POC file of the vulnerability

A floating point exception vulnerability was found in poppler 0.59.0 Splash.cc isImageInterpolationRequired(), which may lead to a potential attack when handling malicious PDF files:

gzq@ubuntu:~/work/vul/poppler$ /home/gzq/install/poppler-dev/bin/pdftohtml -q -s ./mal-Splash-cc-4141-4-SIGFPE.pdf a
Floating point exception
gzq@ubuntu:~/work/vul/poppler$ gdb -q /home/gzq/install/poppler-dev/bin/pdftohtml 
Reading symbols from /home/gzq/install/poppler-dev/bin/pdftohtml...done.
(gdb) r -q -s ./mal-Splash-cc-4141-4-SIGFPE.pdf a
Starting program: /home/gzq/install/poppler-dev/bin/pdftohtml -q -s ./mal-Splash-cc-4141-4-SIGFPE.pdf a
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGFPE, Arithmetic exception.
0x000000000063e67b in isImageInterpolationRequired (srcWidth=1000, srcHeight=<optimized out>, scaledWidth=<optimized out>, scaledHeight=<optimized out>, interpolate=<optimized out>) at Splash.cc:4141
4141	  if (scaledWidth / srcWidth >= 4 || scaledHeight / srcHeight >= 4)
(gdb) print srcWidth
$1 = 1000
(gdb) print srcHeight
$2 = <optimized out>
(gdb) bt
#0  0x000000000063e67b in isImageInterpolationRequired (srcWidth=1000, srcHeight=<optimized out>, scaledWidth=<optimized out>, scaledHeight=<optimized out>, interpolate=<optimized out>) at Splash.cc:4141
#1  Splash::scaleImage (this=<optimized out>, src=<optimized out>, srcData=<optimized out>, srcMode=<optimized out>, nComps=<optimized out>, srcAlpha=<optimized out>, srcWidth=1000, srcHeight=<optimized out>, scaledWidth=<optimized out>, scaledHeight=9, 
    interpolate=false, tilingPattern=<optimized out>) at Splash.cc:4169
#2  0x000000000063da14 in Splash::drawImage (this=<optimized out>, src=<optimized out>, tf=<optimized out>, srcData=<optimized out>, srcMode=<optimized out>, srcAlpha=<optimized out>, w=<optimized out>, h=<optimized out>, mat=<optimized out>, 
    interpolate=<optimized out>, tilingPattern=<optimized out>) at Splash.cc:3760
#3  0x000000000042fce4 in SplashOutputDev::drawSoftMaskedImage (this=<optimized out>, state=<optimized out>, ref=<optimized out>, str=<optimized out>, width=<optimized out>, height=<optimized out>, colorMap=<optimized out>, interpolate=<optimized out>, 
    maskStr=<optimized out>, maskWidth=<optimized out>, maskHeight=<optimized out>, maskColorMap=<optimized out>, maskInterpolate=<optimized out>) at SplashOutputDev.cc:4054
#4  0x00000000004d36e3 in Gfx::doImage (this=<optimized out>, ref=<optimized out>, str=<optimized out>, inlineImg=<optimized out>) at Gfx.cc:4553
#5  0x00000000004a6700 in Gfx::opXObject (this=0x9e3bb0, args=<optimized out>, numArgs=<optimized out>) at Gfx.cc:4130
#6  0x00000000004bf976 in Gfx::execOp (this=<optimized out>, cmd=<optimized out>, args=<optimized out>, numArgs=<optimized out>) at Gfx.cc:880
#7  0x00000000004be5f1 in Gfx::go (this=<optimized out>, topLevel=<optimized out>) at Gfx.cc:744
#8  0x00000000004bde55 in Gfx::display (this=<optimized out>, obj=<optimized out>, topLevel=<optimized out>) at Gfx.cc:706
#9  0x0000000000567465 in Page::displaySlice (this=0x9e29d0, out=0x9e4560, hDPI=<optimized out>, vDPI=<optimized out>, rotate=<optimized out>, useMediaBox=<optimized out>, crop=<optimized out>, sliceX=<optimized out>, sliceY=<optimized out>, sliceW=<optimized out>, 
    sliceH=<optimized out>, printing=<optimized out>, abortCheckCbk=<optimized out>, abortCheckCbkData=<optimized out>, annotDisplayDecideCbk=<optimized out>, annotDisplayDecideCbkData=<optimized out>, copyXRef=<optimized out>) at Page.cc:560
#10 0x000000000056719e in Page::display (this=0x0, out=0xa147a0, hDPI=7.9989999999999997, vDPI=0.999, rotate=0, useMediaBox=true, crop=false, printing=false, abortCheckCbk=0x0, abortCheckCbkData=0x0, annotDisplayDecideCbk=0x0, annotDisplayDecideCbkData=0x0, 
    copyXRef=<optimized out>) at Page.cc:481
#11 0x000000000056f0d0 in PDFDoc::displayPage (this=0x9dfe70, out=0x9e4560, page=1, hDPI=<optimized out>, vDPI=<optimized out>, rotate=<optimized out>, useMediaBox=true, crop=<optimized out>, printing=<optimized out>, abortCheckCbk=<optimized out>, 
    abortCheckCbkData=<optimized out>, annotDisplayDecideCbk=<optimized out>, annotDisplayDecideCbkData=<optimized out>, copyXRef=false) at PDFDoc.cc:485
#12 0x00000000004085cf in main (argc=<optimized out>, argv=<optimized out>) at pdftohtml.cc:408
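Added illustration (not poppler's source and not the fix that closed this bug): the unguarded integer division that frame #0 shows at Splash.cc:4141 reconstructed beside a form that refuses to divide by a zero source dimension, plus a caller-side sanity check. The function names, the choice to return true for degenerate sizes, and the srcHeight = 0 / scaledWidth = 9 values are assumptions; only srcWidth = 1000 and scaledHeight = 9 come from the trace.

```cpp
#include <cstdio>

// Mirrors the check at Splash.cc:4141 as the gdb frame shows it: plain
// integer division with no guard. srcWidth is 1000 in the trace, so the
// SIGFPE must come from the second division, i.e. srcHeight == 0 (or an
// INT_MIN / -1 overflow, which also traps on x86). Reconstructed, not copied.
static bool vulnerableInterpolationCheck(int srcWidth, int srcHeight,
                                         int scaledWidth, int scaledHeight,
                                         bool interpolate) {
  if (interpolate)
    return true;
  // Traps with SIGFPE when srcWidth or srcHeight is 0.
  if (scaledWidth / srcWidth >= 4 || scaledHeight / srcHeight >= 4)
    return false;
  return true;
}

// Hardened form (illustrative, not poppler's actual patch): degenerate
// source dimensions are handled before any division. Returning true is an
// assumption; the point is that no arithmetic touches a zero divisor.
static bool hardenedInterpolationCheck(int srcWidth, int srcHeight,
                                       int scaledWidth, int scaledHeight,
                                       bool interpolate) {
  if (srcWidth <= 0 || srcHeight <= 0)
    return true;
  if (interpolate)
    return true;
  if (scaledWidth / srcWidth >= 4 || scaledHeight / srcHeight >= 4)
    return false;
  return true;
}

// Caller-side guard (hypothetical helper): an image whose /Width or /Height
// is not positive should be rejected before it ever reaches the scaler.
static bool imageDimensionsAreSane(int width, int height) {
  return width > 0 && height > 0;
}

int main() {
  // srcWidth and scaledHeight come from frame #1 of the trace; srcHeight = 0
  // and scaledWidth = 9 are constructed values that reproduce the condition.
  const int srcWidth = 1000, srcHeight = 0, scaledWidth = 9, scaledHeight = 9;
  if (!imageDimensionsAreSane(srcWidth, srcHeight))
    std::puts("rejected: zero-height image never reaches scaleImage()");
  std::printf("hardened check returns %d\n",
              hardenedInterpolationCheck(srcWidth, srcHeight,
                                         scaledWidth, scaledHeight, false));
  // vulnerableInterpolationCheck() is deliberately not called with srcHeight == 0.
  return 0;
}
```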
Comment 1 Albert Astals Cid 2017-09-13 21:10:22 UTC
Fixed, thanks
Comment 2 Waynem Ccollough 2018-05-21 06:13:15 UTC
Has the issue already been fixed? Any current update? Thanks

Waynem Ccollough
https://amsterdamdiary.com/
