Bug 102701

Summary: Memory corruption vulnerability in Object::streamGetChar()
Product: poppler
Component: general
Status: RESOLVED FIXED
Severity: major
Priority: medium
Version: unspecified
Hardware: All
OS: Linux (All)
Reporter: Ziqiang Gu <etovio>
Assignee: poppler-bugs <poppler-bugs>
QA Contact:
CC: luanjunchao
Attachments: POC file of the vulnerability

Description Ziqiang Gu 2017-09-13 10:15:45 UTC
Created attachment 134196
POC file of the vulnerability

A memory corruption vulnerability was found in poppler which may lead to potential attack.

We can reproduce this vulnerability when we use pdftoppm to process malicious PDF files:

gzq@ubuntu:~/tmp/install/bin$ ./pdftoppm -q ./mal-gfx-memory-corruption.pdf 
Segmentation fault


gzq@ubuntu:~/tmp/install/bin$ gdb -q ./pdftoppm
Reading symbols from ./pdftoppm...done.
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff79cfbc4 in Object::streamGetChar (this=0x5555630833e8) at Object.h:395
395	  { OBJECT_TYPE_CHECK(objStream); return stream->getChar(); }
#0  0x00007ffff79cfbc4 in Object::streamGetChar (this=0x5555630833e8) at Object.h:395
#1  0x00007ffff7a3d079 in Lexer::getChar (this=0x5555630833d0, comesFromLook=true) at Lexer.cc:123
#2  0x00007ffff7a3d1c0 in Lexer::lookChar (this=0x5555630833d0) at Lexer.cc:144
#3  0x00007ffff7a3e201 in Lexer::getObj (this=0x5555630833d0, objNum=-1) at Lexer.cc:557
#4  0x00007ffff7a4cc90 in Parser::shift (this=0x555563079c50, objNum=-1) at Parser.cc:291
#5  0x00007ffff7a4c448 in Parser::getObj (this=0x555563079c50, simpleOnly=false, fileKey=0x0, encAlgorithm=cryptRC4, keyLength=0, objNum=0, objGen=0, recursion=0, strict=false) at Parser.cc:149
#6  0x00007ffff7a4bcd4 in Parser::getObj (this=0x555563079c50, recursion=0) at Parser.cc:63
#7  0x00007ffff7a7777d in XRef::fetch (this=0x55555579f130, num=22, gen=0, recursion=0) at XRef.cc:1136
#8  0x00007ffff7a4413d in Object::fetch (this=0x5555557a1160, xref=0x55555579f130, recursion=0) at Object.cc:125
#9  0x00007ffff79cd361 in Dict::lookup (this=0x55555579f800, key=0x5555557ab980 "P", recursion=0) at Dict.cc:259
#10 0x00007ffff79b36b4 in Object::dictLookup (this=0x5555557ab458, key=0x5555557ab980 "P", recursion=0) at Object.h:362
...............
...............
...............
#29100 0x00007ffff79e1a88 in Gfx::go (this=0x5555557a67a0, topLevel=false) at Gfx.cc:744
#29101 0x00007ffff79e180c in Gfx::display (this=0x5555557a67a0, obj=0x7fffffffcc40, topLevel=false) at Gfx.cc:706
#29102 0x00007ffff79f454b in Gfx::doShowText (this=0x5555557a67a0, s=0x5555557de160) at Gfx.cc:3961
#29103 0x00007ffff79f326f in Gfx::opShowText (this=0x5555557a67a0, args=0x7fffffffcde0, numArgs=1) at Gfx.cc:3756
#29104 0x00007ffff79e21f0 in Gfx::execOp (this=0x5555557a67a0, cmd=0x7fffffffcdc0, args=0x7fffffffcde0, numArgs=1) at Gfx.cc:880
#29105 0x00007ffff79e1a88 in Gfx::go (this=0x5555557a67a0, topLevel=false) at Gfx.cc:744
#29106 0x00007ffff79e180c in Gfx::display (this=0x5555557a67a0, obj=0x7fffffffd1e0, topLevel=false) at Gfx.cc:706
#29107 0x00007ffff79f454b in Gfx::doShowText (this=0x5555557a67a0, s=0x5555557b0930) at Gfx.cc:3961
#29108 0x00007ffff79f326f in Gfx::opShowText (this=0x5555557a67a0, args=0x7fffffffd380, numArgs=1) at Gfx.cc:3756
#29109 0x00007ffff79e21f0 in Gfx::execOp (this=0x5555557a67a0, cmd=0x7fffffffd360, args=0x7fffffffd380, numArgs=1) at Gfx.cc:880
#29110 0x00007ffff79e1a88 in Gfx::go (this=0x5555557a67a0, topLevel=false) at Gfx.cc:744
#29111 0x00007ffff79e180c in Gfx::display (this=0x5555557a67a0, obj=0x7fffffffd780, topLevel=false) at Gfx.cc:706
#29112 0x00007ffff79f454b in Gfx::doShowText (this=0x5555557a67a0, s=0x5555557af380) at Gfx.cc:3961
#29113 0x00007ffff79f326f in Gfx::opShowText (this=0x5555557a67a0, args=0x7fffffffd920, numArgs=1) at Gfx.cc:3756
#29114 0x00007ffff79e21f0 in Gfx::execOp (this=0x5555557a67a0, cmd=0x7fffffffd900, args=0x7fffffffd920, numArgs=1) at Gfx.cc:880
#29115 0x00007ffff79e1a88 in Gfx::go (this=0x5555557a67a0, topLevel=false) at Gfx.cc:744
#29116 0x00007ffff79e180c in Gfx::display (this=0x5555557a67a0, obj=0x7fffffffdd20, topLevel=false) at Gfx.cc:706
#29117 0x00007ffff79f454b in Gfx::doShowText (this=0x5555557a67a0, s=0x5555557ae150) at Gfx.cc:3961
#29118 0x00007ffff79f326f in Gfx::opShowText (this=0x5555557a67a0, args=0x7fffffffdec0, numArgs=1) at Gfx.cc:3756
#29119 0x00007ffff79e21f0 in Gfx::execOp (this=0x5555557a67a0, cmd=0x7fffffffdea0, args=0x7fffffffdec0, numArgs=1) at Gfx.cc:880
#29120 0x00007ffff79e1a88 in Gfx::go (this=0x5555557a67a0, topLevel=true) at Gfx.cc:744
#29121 0x00007ffff79e180c in Gfx::display (this=0x5555557a67a0, obj=0x7fffffffe210, topLevel=true) at Gfx.cc:706
#29122 0x00007ffff7a4a1a5 in Page::displaySlice (this=0x5555557a6560, out=0x5555557a01e0, hDPI=150, vDPI=150, rotate=0, useMediaBox=true, crop=false, sliceX=0, sliceY=0, sliceW=1240, sliceH=1755, printing=false, abortCheckCbk=0x0, abortCheckCbkData=0x0, annotDisplayDecideCbk=0x0, annotDisplayDecideCbkData=0x0, copyXRef=false) at Page.cc:560
#29123 0x00007ffff7a4e2c5 in PDFDoc::displayPageSlice (this=0x55555579eea0, out=0x5555557a01e0, page=1, hDPI=150, vDPI=150, rotate=0, useMediaBox=true, crop=false, printing=false, sliceX=0, sliceY=0, sliceW=1240, sliceH=1755, abortCheckCbk=0x0, abortCheckCbkData=0x0, annotDisplayDecideCbk=0x0, annotDisplayDecideCbkData=0x0, copyXRef=false) at PDFDoc.cc:522
#29124 0x0000555555556836 in savePageSlice (doc=0x55555579eea0, splashOut=0x5555557a01e0, pg=1, x=0, y=0, w=1240, h=1755, pg_w=1239.5833333333335, pg_h=1754.1666666666667, ppmFile=0x0) at pdftoppm.cc:282
#29125 0x0000555555557764 in main (argc=2, argv=0x7fffffffe598) at pdftoppm.cc:600

The point where the program gets crashed may vary.
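The backtrace above crashes inside Object::streamGetChar but bottoms out at frame #29125, with the same five frames (Gfx::go, Gfx::display, Gfx::doShowText, Gfx::opShowText, Gfx::execOp) repeating all the way down. When a triager sees that, the useful questions are the depth of the stack and whether it is a repeating cycle, because those distinguish an unbounded-recursion crash from a single bad dereference. The script below is an added triage helper, not code from this report or from poppler: it parses gdb `bt` lines in the format pasted above, reports the crash site, derives the stack depth from the highest frame number, and searches for the shortest frame group that repeats back-to-back. The embedded backtrace is a constructed excerpt of the report's frames with most arguments abbreviated; the 10,000-frame threshold is an assumed heuristic, not a poppler constant.

```python
"""Triage helper for gdb backtraces (added example, not poppler's own code)."""
import re
from collections import namedtuple

Frame = namedtuple("Frame", "idx func file line")

# One frame as gdb's `bt` prints it: "#N 0xADDR in Func (args) at File:Line".
# The address is optional so abbreviated pastes still parse.
FRAME_RE = re.compile(
    r"^#(?P<idx>\d+)\s+(?:0x[0-9a-f]+\s+in\s+)?(?P<func>[\w:~<>]+)\s*\(.*\)"
    r"\s+at\s+(?P<file>\S+?):(?P<line>\d+)\s*$"
)


def parse_frames(bt_text):
    """Return frames sorted innermost first; lines that are not frames are skipped."""
    frames = []
    for raw in bt_text.splitlines():
        m = FRAME_RE.match(raw.strip())
        if m:
            frames.append(Frame(int(m["idx"]), m["func"], m["file"], int(m["line"])))
    frames.sort(key=lambda f: f.idx)
    return frames


def find_cycle(seq, min_repeats=3):
    """Shortest window in seq that repeats back-to-back at least min_repeats times, or None."""
    n = len(seq)
    for period in range(1, n // min_repeats + 1):
        for start in range(0, n - period * min_repeats + 1):
            window = seq[start:start + period]
            if all(seq[start + k * period:start + (k + 1) * period] == window
                   for k in range(1, min_repeats)):
                return tuple(window)
    return None


def triage(bt_text, depth_threshold=10000):
    """Summarise a backtrace: crash site, stack depth, repeating frame cycle (if any)."""
    frames = parse_frames(bt_text)
    if not frames:
        raise ValueError("no gdb frames found in input")
    top = frames[0]
    depth = max(f.idx for f in frames) + 1          # frame numbers are zero-based
    cycle = find_cycle([f.func for f in frames])
    return {
        "crash_site": f"{top.func} at {top.file}:{top.line}",
        "depth": depth,
        "cycle": cycle,
        # Deep stack plus a repeating frame group is the signature of runaway recursion.
        "likely_unbounded_recursion": depth >= depth_threshold and cycle is not None,
    }


# Constructed excerpt of the backtrace from the report; arguments abbreviated to "(...)".
SAMPLE_BT = """\
#0  0x00007ffff79cfbc4 in Object::streamGetChar (this=0x5555630833e8) at Object.h:395
#1  0x00007ffff7a3d079 in Lexer::getChar (this=0x5555630833d0, comesFromLook=true) at Lexer.cc:123
#2  0x00007ffff7a3d1c0 in Lexer::lookChar (this=0x5555630833d0) at Lexer.cc:144
#3  0x00007ffff7a3e201 in Lexer::getObj (this=0x5555630833d0, objNum=-1) at Lexer.cc:557
#4  0x00007ffff7a4cc90 in Parser::shift (this=0x555563079c50, objNum=-1) at Parser.cc:291
...............
#29100 Gfx::go (...) at Gfx.cc:744
#29101 Gfx::display (...) at Gfx.cc:706
#29102 Gfx::doShowText (...) at Gfx.cc:3961
#29103 Gfx::opShowText (...) at Gfx.cc:3756
#29104 Gfx::execOp (...) at Gfx.cc:880
#29105 Gfx::go (...) at Gfx.cc:744
#29106 Gfx::display (...) at Gfx.cc:706
#29107 Gfx::doShowText (...) at Gfx.cc:3961
#29108 Gfx::opShowText (...) at Gfx.cc:3756
#29109 Gfx::execOp (...) at Gfx.cc:880
#29110 Gfx::go (...) at Gfx.cc:744
#29111 Gfx::display (...) at Gfx.cc:706
#29112 Gfx::doShowText (...) at Gfx.cc:3961
#29113 Gfx::opShowText (...) at Gfx.cc:3756
#29114 Gfx::execOp (...) at Gfx.cc:880
#29120 Gfx::go (...) at Gfx.cc:744
#29121 Gfx::display (...) at Gfx.cc:706
#29122 Page::displaySlice (...) at Page.cc:560
#29123 PDFDoc::displayPageSlice (...) at PDFDoc.cc:522
#29124 savePageSlice (...) at pdftoppm.cc:282
#29125 main (argc=2, argv=0x7fffffffe598) at pdftoppm.cc:600
"""

if __name__ == "__main__":
    print(triage(SAMPLE_BT))
```

The elision line ("...............") and the gap between frames #29114 and #29120 are tolerated on purpose: depth comes from the highest frame number, not from how many lines were pasted, so a trimmed backtrace still triages correctly. On the excerpt above the helper reports a depth of 29126 and the five-frame Gfx cycle, which is the evidence to lead with when filing or deduplicating a report of this kind.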
Comment 1 Albert Astals Cid 2017-09-13 21:05:10 UTC
Fixed, thanks.
Comment 2 Albert Astals Cid 2017-09-14 07:03:43 UTC
*** Bug 102718 has been marked as a duplicate of this bug. ***
