Summary: |
Memory corruption vulnerability in Object::streamGetChar() |
Product: |
poppler
|
Reporter: |
Ziqiang Gu <etovio> |
Component: |
general | Assignee: |
poppler-bugs <poppler-bugs> |
Status: |
RESOLVED
FIXED
|
QA Contact: |
|
Severity: |
major
|
|
|
Priority: |
medium
|
CC: |
luanjunchao
|
Version: |
unspecified | |
|
Hardware: |
All | |
|
OS: |
Linux (All) | |
|
Whiteboard: |
|
i915 platform:
|
|
i915 features:
|
|
Attachments: |
POC file of the vulnerability
|
Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.
Created attachment 134196 [details] POC file of the vulnerability A memory corruption vulnerability was found in poppler which may lead to potential attack. we can reproduce this vulnerability when we use pdftoppm to process malicious PDF files: gzq@ubuntu:~/tmp/install/bin$ ./pdftoppm -q ./mal-gfx-memory-corruption.pdf Segmentation fault gzq@ubuntu:~/tmp/install/bin$ gdb -q ./pdftoppm Reading symbols from ./pdftoppm...done. [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". Program received signal SIGSEGV, Segmentation fault. 0x00007ffff79cfbc4 in Object::streamGetChar (this=0x5555630833e8) at Object.h:395 395 { OBJECT_TYPE_CHECK(objStream); return stream->getChar(); } #0 0x00007ffff79cfbc4 in Object::streamGetChar (this=0x5555630833e8) at Object.h:395 #1 0x00007ffff7a3d079 in Lexer::getChar (this=0x5555630833d0, comesFromLook=true) at Lexer.cc:123 #2 0x00007ffff7a3d1c0 in Lexer::lookChar (this=0x5555630833d0) at Lexer.cc:144 #3 0x00007ffff7a3e201 in Lexer::getObj (this=0x5555630833d0, objNum=-1) at Lexer.cc:557 #4 0x00007ffff7a4cc90 in Parser::shift (this=0x555563079c50, objNum=-1) at Parser.cc:291 #5 0x00007ffff7a4c448 in Parser::getObj (this=0x555563079c50, simpleOnly=false, fileKey=0x0, encAlgorithm=cryptRC4, keyLength=0, objNum=0, objGen=0, recursion=0, strict=false) at Parser.cc:149 #6 0x00007ffff7a4bcd4 in Parser::getObj (this=0x555563079c50, recursion=0) at Parser.cc:63 #7 0x00007ffff7a7777d in XRef::fetch (this=0x55555579f130, num=22, gen=0, recursion=0) at XRef.cc:1136 #8 0x00007ffff7a4413d in Object::fetch (this=0x5555557a1160, xref=0x55555579f130, recursion=0) at Object.cc:125 #9 0x00007ffff79cd361 in Dict::lookup (this=0x55555579f800, key=0x5555557ab980 "P", recursion=0) at Dict.cc:259 #10 0x00007ffff79b36b4 in Object::dictLookup (this=0x5555557ab458, key=0x5555557ab980 "P", recursion=0) at Object.h:362 ............... ............... ............... #29100 0x00007ffff79e1a88 in Gfx::go (this=0x5555557a67a0, topLevel=false) at Gfx.cc:744 #29101 0x00007ffff79e180c in Gfx::display (this=0x5555557a67a0, obj=0x7fffffffcc40, topLevel=false) at Gfx.cc:706 #29102 0x00007ffff79f454b in Gfx::doShowText (this=0x5555557a67a0, s=0x5555557de160) at Gfx.cc:3961 #29103 0x00007ffff79f326f in Gfx::opShowText (this=0x5555557a67a0, args=0x7fffffffcde0, numArgs=1) at Gfx.cc:3756 #29104 0x00007ffff79e21f0 in Gfx::execOp (this=0x5555557a67a0, cmd=0x7fffffffcdc0, args=0x7fffffffcde0, numArgs=1) at Gfx.cc:880 #29105 0x00007ffff79e1a88 in Gfx::go (this=0x5555557a67a0, topLevel=false) at Gfx.cc:744 #29106 0x00007ffff79e180c in Gfx::display (this=0x5555557a67a0, obj=0x7fffffffd1e0, topLevel=false) at Gfx.cc:706 #29107 0x00007ffff79f454b in Gfx::doShowText (this=0x5555557a67a0, s=0x5555557b0930) at Gfx.cc:3961 #29108 0x00007ffff79f326f in Gfx::opShowText (this=0x5555557a67a0, args=0x7fffffffd380, numArgs=1) at Gfx.cc:3756 #29109 0x00007ffff79e21f0 in Gfx::execOp (this=0x5555557a67a0, cmd=0x7fffffffd360, args=0x7fffffffd380, numArgs=1) at Gfx.cc:880 #29110 0x00007ffff79e1a88 in Gfx::go (this=0x5555557a67a0, topLevel=false) at Gfx.cc:744 #29111 0x00007ffff79e180c in Gfx::display (this=0x5555557a67a0, obj=0x7fffffffd780, topLevel=false) at Gfx.cc:706 #29112 0x00007ffff79f454b in Gfx::doShowText (this=0x5555557a67a0, s=0x5555557af380) at Gfx.cc:3961 #29113 0x00007ffff79f326f in Gfx::opShowText (this=0x5555557a67a0, args=0x7fffffffd920, numArgs=1) at Gfx.cc:3756 #29114 0x00007ffff79e21f0 in Gfx::execOp (this=0x5555557a67a0, cmd=0x7fffffffd900, args=0x7fffffffd920, numArgs=1) at Gfx.cc:880 #29115 0x00007ffff79e1a88 in Gfx::go (this=0x5555557a67a0, topLevel=false) at Gfx.cc:744 #29116 0x00007ffff79e180c in Gfx::display (this=0x5555557a67a0, obj=0x7fffffffdd20, topLevel=false) at Gfx.cc:706 #29117 0x00007ffff79f454b in Gfx::doShowText (this=0x5555557a67a0, s=0x5555557ae150) at Gfx.cc:3961 #29118 0x00007ffff79f326f in Gfx::opShowText (this=0x5555557a67a0, args=0x7fffffffdec0, numArgs=1) at Gfx.cc:3756 #29119 0x00007ffff79e21f0 in Gfx::execOp (this=0x5555557a67a0, cmd=0x7fffffffdea0, args=0x7fffffffdec0, numArgs=1) at Gfx.cc:880 #29120 0x00007ffff79e1a88 in Gfx::go (this=0x5555557a67a0, topLevel=true) at Gfx.cc:744 #29121 0x00007ffff79e180c in Gfx::display (this=0x5555557a67a0, obj=0x7fffffffe210, topLevel=true) at Gfx.cc:706 #29122 0x00007ffff7a4a1a5 in Page::displaySlice (this=0x5555557a6560, out=0x5555557a01e0, hDPI=150, vDPI=150, rotate=0, useMediaBox=true, crop=false, sliceX=0, sliceY=0, sliceW=1240, sliceH=1755, printing=false, abortCheckCbk=0x0, abortCheckCbkData=0x0, annotDisplayDecideCbk=0x0, annotDisplayDecideCbkData=0x0, copyXRef=false) at Page.cc:560 #29123 0x00007ffff7a4e2c5 in PDFDoc::displayPageSlice (this=0x55555579eea0, out=0x5555557a01e0, page=1, hDPI=150, vDPI=150, rotate=0, useMediaBox=true, crop=false, printing=false, sliceX=0, sliceY=0, sliceW=1240, sliceH=1755, abortCheckCbk=0x0, abortCheckCbkData=0x0, annotDisplayDecideCbk=0x0, annotDisplayDecideCbkData=0x0, copyXRef=false) at PDFDoc.cc:522 #29124 0x0000555555556836 in savePageSlice (doc=0x55555579eea0, splashOut=0x5555557a01e0, pg=1, x=0, y=0, w=1240, h=1755, pg_w=1239.5833333333335, pg_h=1754.1666666666667, ppmFile=0x0) at pdftoppm.cc:282 #29125 0x0000555555557764 in main (argc=2, argv=0x7fffffffe598) at pdftoppm.cc:600 The point where the program get crashed may be various.