Bug 69434

Summary: segmentation fault (and probable stack smashing) in pdfseparate
Product: poppler
Reporter: Daniel Kahn Gillmor <dkg>
Component: utils
Assignee: poppler-bugs <poppler-bugs>
Status: RESOLVED FIXED
QA Contact:
Severity: normal
Priority: medium
Version: unspecified
Hardware: Other
OS: All

Description Daniel Kahn Gillmor 2013-09-16 18:25:49 UTC
originally reported at http://bugs.debian.org/723124 --

utils/pdfseparate.cc appears to invoke sprintf directly on user-passed
data without cleaning or verifying it.

bool extractPages (const char *srcFileName, const char *destFileName) {
  char pathName[1024];
  /* ... */
  sprintf (pathName, destFileName, pageNo);

This means that an attacker able to control the arguments passed to
pdfseparate, and who can make one of the arguments a multipage pdf,
can probably smash the stack.

A) they could provide a srcFileName long enough to overflow pathName.
   This will write to arbitrary memory.

B) they could provide a destFileName with other sprintf placeholders
   besides %d, which would effectively be invoked while pointing to
   uninitialized memory.

easy segfault:

 pdfseparate multipage.pdf test-%s-%d.pdf

I haven't tried to turn this into an exploit, but I'm sure someone
with more time, patience, and cleverness than me could do so.
Comment 1 Pino Toscano 2013-09-16 18:48:33 UTC
(In reply to comment #0)
> A) they could provide a srcFileName long enough to overflow pathName.
>    this will write to arbitrary memory.

This has been fixed by me in b8682d868ddf7f741e93b791588af0932893f95c.
Comment 2 Albert Astals Cid 2013-09-25 18:36:33 UTC
About B) I know it's fun, but I mean, someone is already running a command line application into your computer, I think they have easier ways to exploit you than finding a way to make pdfseparate crash, no?
Comment 3 Daniel Kahn Gillmor 2013-09-25 18:45:37 UTC
Alas, web applications often invoke command-line tools that do "reasonable" things (like splitting a PDF), and they invoke them sometimes in "reasonable" ways (e.g. by providing the name of an uploaded file with a suffix as an argument).

We can argue about whether these things are actually "reasonable", but people will still do them, and pdfseparate probably shouldn't crash or execute arbitrary code in the meantime.
Comment 4 Albert Astals Cid 2013-09-25 18:52:18 UTC
Well, I guess it should not be that hard to write a check that there is no other % than one %d and pairs of %%. Anyone up to the task?
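Added example (not code from this bug thread, and not poppler's own fix): one way to write the check Comment 4 asks for, accepting a destination template only if every '%' is either a "%%" pair or the single "%d" that receives the page number, and then formatting with a bounded snprintf instead of the unbounded sprintf quoted in the description. The function names and the sample templates are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Return true only if the template contains exactly one "%d" and any other
 * '%' is part of a "%%" pair. Anything else (a "%s", "%n", a second "%d",
 * or a lone trailing '%') is rejected, so the template can never act as an
 * attacker-chosen format string. Hypothetical helper, not poppler code. */
bool valid_page_template(const char *tmpl)
{
    int page_placeholders = 0;
    for (const char *p = tmpl; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        p++;                      /* inspect the character after '%' */
        if (*p == '%')
            continue;             /* "%%": a literal percent sign */
        if (*p == 'd') {
            page_placeholders++;
            continue;
        }
        return false;             /* other conversion, or '%' at end of string */
    }
    return page_placeholders == 1;
}

/* Build the per-page output path into a caller-supplied buffer.
 * Returns 0 on success, -1 if the template fails validation, -2 if the
 * result would not fit (snprintf reports the needed length rather than
 * writing past the end of the buffer). Hypothetical helper. */
int make_page_path(char *out, size_t outsz, const char *tmpl, int page_no)
{
    if (!valid_page_template(tmpl))
        return -1;
    /* The template is now known to hold exactly one %d, so passing one int
     * argument matches it. A compiler's -Wformat-nonliteral warning here is
     * a useful reminder that the validation above is load-bearing. */
    int n = snprintf(out, outsz, tmpl, page_no);
    if (n < 0 || (size_t)n >= outsz) {
        if (outsz > 0)
            out[0] = '\0';
        return -2;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample templates; the second one is the "easy segfault"
     * argument from the description. */
    const char *samples[] = {
        "page-%d.pdf", "test-%s-%d.pdf", "100%%-%d.pdf",
        "page-%d-%d.pdf", "page.pdf", "page-%"
    };
    char path[1024];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = make_page_path(path, sizeof path, samples[i], 7);
        printf("%-16s -> rc=%d %s\n", samples[i], rc, rc == 0 ? path : "(rejected)");
    }
    return 0;
}
```

The validator deliberately does not try to parse flags or widths such as "%03d"; if a project wants those, the allowed grammar should be widened explicitly rather than by loosening the check, since every accepted conversion must match the arguments actually passed to snprintf.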
Comment 5 Albert Astals Cid 2013-10-23 23:06:11 UTC
will be fixed in next version
