Bug 92450

Summary: Segmentation fault in JPXStream::readTilePartData(JPXStream.cc:2142)
Product: poppler    Reporter: alex.park <saintlinu>
Component: utils    Assignee: poppler-bugs <poppler-bugs>
Status: RESOLVED MOVED QA Contact:
Severity: major    
Priority: medium    
Version: unspecified   
Hardware: All   
OS: Linux (All)   
Attachments: Use of this file could lead to crash the products using poppler library
removed a finding file
Warn that the DCT/JPX internal decoders are unmaintained
Synchronize cmake warnings with configure warnings

Description alex.park 2015-10-13 20:56:39 UTC
Created attachment 118861 [details]
Use of this file could lead to crash the products using poppler library


I've found some vulnerabilities in PDF viewers using the famous library named poppler, such as evince, xpdf, okular and so on.

This is my short report, and I used the latest version of poppler (poppler-0.37.0).
Plus I've attached some findings.


In detail:

alex@vm64:$ LD_LIBRARY_PATH=/usr/local/lib gdb --args ./evince ~/hack/project/fuzzer/testcases/pdf/JPXDecode/fuzz_id_27683_OliviaOil_24.pdf.tc_bf1_pos_3460_size_1
GNU gdb (Ubuntu 7.10-1ubuntu2) 7.10
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
Find the GDB manual and other documentation resources online at:
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./evince...done.
gdb$ r
Starting program: /home/alex/hack/project/evince/evince-3.18.0/shell/.libs/evince /home/alex/hack/project/fuzzer/testcases/pdf/JPXDecode/fuzz_id_27683_OliviaOil_24.pdf.tc_bf1_pos_3460_size_1
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7fffece5e700 (LWP 17556)]
[New Thread 0x7fffec65d700 (LWP 17557)]
[New Thread 0x7fffebe5c700 (LWP 17558)]
[New Thread 0x7fffeb038700 (LWP 17563)]
[New Thread 0x7fffe9a4e700 (LWP 17564)]
[New Thread 0x7fffda2ab700 (LWP 17565)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffe9a4e700 (LWP 17564)]
  RAX: 0x0000000000000000  RBX: 0x0000000000000000  RBP: 0x00007FFFD005DA40  RSP: 0x00007FFFE9A4CF50  o d I t s z A p c 
  RDI: 0x00007FFFD0042BA0  RSI: 0x0000000000000000  RDX: 0x0000000000000018  RCX: 0x0000000000000001  RIP: 0x00007FFFE8A04C49
  R8 : 0x0000000000000000  R9 : 0x0000000000000006  R10: 0x00000000000000A8  R11: 0x00007FFFD005DAB0  R12: 0x00007FFFD0042850
  R13: 0x00007FFFD005A0E0  R14: 0x00007FFFD005DAB0  R15: 0x0000000000001923
  CS: 0033  DS: 0000  ES: 0000  FS: 0000  GS: 0000  SS: 002B                
0x00007FFFE9A4CFA0 : 01 00 00 00 FF 7F 00 00 - 01 00 00 00 FF 7F 00 00 ................
0x00007FFFE9A4CF90 : 00 00 00 00 03 00 00 00 - 01 00 00 00 FF 7F 00 00 ................
0x00007FFFE9A4CF80 : 50 A1 05 D0 FF 7F 00 00 - 90 BA 06 D0 FF 7F 00 00 P...............
0x00007FFFE9A4CF70 : B4 CF A4 E9 FF 7F 00 00 - 03 00 00 00 00 00 00 00 ................
0x00007FFFE9A4CF60 : 50 28 04 D0 FF 7F 00 00 - 80 C2 05 D0 FF 7F 00 00 P(..............
0x00007FFFE9A4CF50 : 40 2D 04 D0 FF 7F 00 00 - 00 00 00 00 00 00 00 00 @-..............
=> 0x7fffe8a04c49 <JPXStream::readTilePartData(unsigned int, unsigned int, bool)+265>:  mov    rbp,QWORD PTR [rax+0x10]
   0x7fffe8a04c4d <JPXStream::readTilePartData(unsigned int, unsigned int, bool)+269>:  lea    r11,[rbp+rbx*1+0x0]
   0x7fffe8a04c52 <JPXStream::readTilePartData(unsigned int, unsigned int, bool)+274>:  mov    r9d,DWORD PTR [r11+0x14]
   0x7fffe8a04c56 <JPXStream::readTilePartData(unsigned int, unsigned int, bool)+278>:  test   r9d,r9d
   0x7fffe8a04c59 <JPXStream::readTilePartData(unsigned int, unsigned int, bool)+281>:  je     0x7fffe8a04ca3 <JPXStream::readTilePartData(unsigned int, unsigned int, bool)+355>
   0x7fffe8a04c5b <JPXStream::readTilePartData(unsigned int, unsigned int, bool)+283>:  mov    r8d,DWORD PTR [r11+0x10]
   0x7fffe8a04c5f <JPXStream::readTilePartData(unsigned int, unsigned int, bool)+287>:  xor    eax,eax
   0x7fffe8a04c61 <JPXStream::readTilePartData(unsigned int, unsigned int, bool)+289>:  xor    edi,edi
0x00007fffe8a04c49 in JPXStream::readTilePartData (this=this@entry=0x7fffd0042d40, tileIdx=<optimized out>, tilePartLen=0x1923, tilePartToEOC=tilePartToEOC@entry=0x0) at JPXStream.cc:2142
2142        if (!bits) {

gdb$ bt
#0  0x00007fffe8a04c49 in JPXStream::readTilePartData (this=this@entry=0x7fffd0042d40, tileIdx=<optimized out>, tilePartLen=0x1923, tilePartToEOC=tilePartToEOC@entry=0x0) at JPXStream.cc:2142
#1  0x00007fffe8a05f89 in JPXStream::readTilePart (this=this@entry=0x7fffd0042d40) at JPXStream.cc:2100
#2  0x00007fffe8a06f17 in JPXStream::readCodestream (this=this@entry=0x7fffd0042d40, len=<optimized out>) at JPXStream.cc:1488
#3  0x00007fffe8a08df1 in JPXStream::readBoxes (this=this@entry=0x7fffd0042d40) at JPXStream.cc:780
#4  0x00007fffe8a09036 in JPXStream::reset (this=0x7fffd0042d40) at JPXStream.cc:275
#5  0x00007fffe8e1c812 in RescaleDrawImage::getSourceImage (this=this@entry=0x7fffe9a4d310, str=str@entry=0x7fffd0042d40, widthA=widthA@entry=0x66, height=height@entry=0xf1, scaledWidth=0x2f9, scaledHeight=0x6fd, printing=0x0, colorMapA=0x7fffd0042f30, maskColorsA=0x0) at CairoOutputDev.cc:2881
#6  0x00007fffe8e1ae21 in CairoOutputDev::drawImage (this=0x7fffd003e030, state=0x7fffd00421c0, ref=0x7fffe9a4d640, str=0x7fffd0042d40, widthA=0x66, heightA=0xf1, colorMap=0x7fffd0042f30, interpolate=0x0, maskColors=0x0, inlineImg=0x0) at CairoOutputDev.cc:3028
#7  0x00007fffe8a4ba9e in Gfx::doImage (this=this@entry=0x7fffd0041f60, ref=ref@entry=0x7fffe9a4d640, str=0x7fffd0042d40, inlineImg=inlineImg@entry=0x0) at Gfx.cc:4663
#8  0x00007fffe8a4c6af in Gfx::opXObject (this=0x7fffd0041f60, args=<optimized out>, numArgs=<optimized out>) at Gfx.cc:4189
#9  0x00007fffe8a46f26 in Gfx::go (this=this@entry=0x7fffd0041f60, topLevel=topLevel@entry=0x1) at Gfx.cc:763
#10 0x00007fffe8a47409 in Gfx::display (this=this@entry=0x7fffd0041f60, obj=obj@entry=0x7fffe9a4da40, topLevel=topLevel@entry=0x1) at Gfx.cc:729
#11 0x00007fffe8a85c28 in Page::displaySlice (this=0x7fffd00407e0, out=out@entry=0x7fffd003e030, hDPI=hDPI@entry=72, vDPI=vDPI@entry=72, rotate=rotate@entry=0x0, useMediaBox=useMediaBox@entry=0x0, crop=crop@entry=0x1, sliceX=sliceX@entry=0xffffffff, sliceY=0xffffffff, sliceW=0xffffffff, sliceH=0xffffffff, printing=0x0, abortCheckCbk=0x0, abortCheckCbkData=0x0, annotDisplayDecideCbk=0x0, annotDisplayDecideCbkData=0x0, copyXRef=0x0) at Page.cc:599
#12 0x00007fffe8e03ace in _poppler_page_render (page=0xa8c6c0, cairo=0xa30510, printing=<optimized out>, print_flags=<optimized out>) at poppler-page.cc:362
#13 0x00007fffe90450b3 in pdf_page_render (page=page@entry=0xa8c6c0, width=0x2f9, height=0x6fd, rc=rc@entry=0xa8c700) at /build/buildd/evince-3.16.1/./backend/pdf/ev-poppler.cc:415
#14 0x00007fffe90452f1 in pdf_document_render (document=<optimized out>, rc=0xa8c700) at /build/buildd/evince-3.16.1/./backend/pdf/ev-poppler.cc:442
#15 0x00007ffff7968832 in ev_job_render_run (job=0xb49bc0) at /build/buildd/evince-3.16.1/./libview/ev-jobs.c:638
#16 0x00007ffff796a68a in ev_job_thread (job=0xb49bc0) at /build/buildd/evince-3.16.1/./libview/ev-job-scheduler.c:184
#17 ev_job_thread_proxy (data=<optimized out>) at /build/buildd/evince-3.16.1/./libview/ev-job-scheduler.c:217
#18 0x00007ffff5714965 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#19 0x00007ffff51856aa in start_thread (arg=0x7fffe9a4e700) at pthread_create.c:333
#20 0x00007ffff4ebaeed in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109
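Added triage note and example (not part of the original report or of poppler): the register dump and faulting instruction above show RAX = 0 and `mov rbp,QWORD PTR [rax+0x10]`, i.e. a read through a null pointer at offset 0x10 in readTilePartData, which points at an unchecked allocation or lookup rather than a controlled memory write. The script below is a small fuzzer-crash triage helper written for this bug; it parses a gdb register dump and `=>` instruction line in the format shown above (the sample text is a constructed excerpt of that output), computes the effective address of the memory operand and classifies the fault. Register names, operand grammar and the 0x1000 "null page" threshold are assumptions of this example, not anything the report or gdb defines.

```python
import re

# Constructed excerpt, modelled on the gdb output in the report above.
SAMPLE_GDB_OUTPUT = """\
Program received signal SIGSEGV, Segmentation fault.
  RAX: 0x0000000000000000  RBX: 0x0000000000000000  RBP: 0x00007FFFD005DA40  RSP: 0x00007FFFE9A4CF50  o d I t s z A p c
  RDI: 0x00007FFFD0042BA0  RSI: 0x0000000000000000  RDX: 0x0000000000000018  RCX: 0x0000000000000001  RIP: 0x00007FFFE8A04C49
  R8 : 0x0000000000000000  R9 : 0x0000000000000006  R10: 0x00000000000000A8  R11: 0x00007FFFD005DAB0  R12: 0x00007FFFD0042850
  R13: 0x00007FFFD005A0E0  R14: 0x00007FFFD005DAB0  R15: 0x0000000000001923
=> 0x7fffe8a04c49 <JPXStream::readTilePartData(unsigned int, unsigned int, bool)+265>:  mov    rbp,QWORD PTR [rax+0x10]
"""

# "RAX: 0x..." and "R8 : 0x..." (gdb pads short names with a space before the colon).
REG_RE = re.compile(r"\b(R[A-Z0-9]{1,2}|RIP)\s*:\s*0x([0-9A-Fa-f]+)")
SIGNAL_RE = re.compile(r"Program received signal (\w+)")
NULL_PAGE = 0x1000  # assumption: addresses below the first page are treated as NULL+offset


def parse_registers(text):
    """Return {REGNAME: int} for every 64-bit register in the dump."""
    return {name.upper(): int(value, 16) for name, value in REG_RE.findall(text)}


def faulting_instruction(text):
    """Return the disassembly text after the '=> addr <symbol+off>:' marker, or None."""
    for line in text.splitlines():
        if line.startswith("=>") and ">:" in line:
            return line.split(">:", 1)[1].strip()
    return None


def memory_operand(operands):
    """Return (index, expr) of the first operand of the form '... [expr]', else (None, None)."""
    for idx, op in enumerate(operands):
        m = re.search(r"\[([^\]]+)\]", op)
        if m:
            return idx, m.group(1)
    return None, None


def effective_address(expr, regs):
    """Evaluate an Intel-syntax address expression such as 'rbp+rbx*1+0x0' against regs."""
    addr = 0
    for term in re.findall(r"[+-]?[^+-]+", expr):
        sign = -1 if term.startswith("-") else 1
        term = term.lstrip("+-").strip()
        if re.fullmatch(r"0x[0-9a-fA-F]+|\d+", term):
            addr += sign * int(term, 0)          # displacement
            continue
        m = re.fullmatch(r"([a-zA-Z0-9]+)(?:\*(\d+))?", term)
        if not m or m.group(1).upper() not in regs:
            raise ValueError(f"unknown register in operand: {term!r}")
        scale = int(m.group(2)) if m.group(2) else 1
        addr += sign * regs[m.group(1).upper()] * scale
    return addr & 0xFFFFFFFFFFFFFFFF


def triage(text):
    """Classify a SIGSEGV from a gdb dump: what was accessed, how, and at which address."""
    sig = SIGNAL_RE.search(text)
    result = {"signal": sig.group(1) if sig else None}
    insn = faulting_instruction(text)
    result["instruction"] = insn
    if insn is None:
        result["kind"] = "no faulting instruction found"
        return result
    mnemonic, _, rest = insn.partition(" ")
    operands = [o.strip() for o in rest.strip().split(",")]
    idx, expr = memory_operand(operands)
    if expr is None:
        result["kind"] = "fault without memory operand (e.g. bad RIP)"
        return result
    regs = parse_registers(text)
    addr = effective_address(expr, regs)
    result["mnemonic"] = mnemonic
    # Intel syntax: destination operand comes first, so a memory operand at index 0 is a write.
    result["access"] = "write" if idx == 0 else "read"
    result["address"] = addr
    result["zero_registers"] = sorted(r for r in regs if regs[r] == 0 and r in expr.upper())
    if addr < NULL_PAGE:
        result["kind"] = "null-pointer dereference"
    else:
        result["kind"] = "invalid access at non-null address (needs further triage)"
    return result


if __name__ == "__main__":
    for key, value in triage(SAMPLE_GDB_OUTPUT).items():
        print(f"{key:16}: {hex(value) if isinstance(value, int) else value}")
```

For the dump in this report the helper reports a 0x10-byte read through RAX == 0, the classic shape of a missing NULL check after a lookup or allocation; a write, or a read at a large attacker-influenced address, would call for a different severity assessment.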
Comment 1 Albert Astals Cid 2015-10-13 21:07:06 UTC
You should be using the openjpeg version of the JPXStream, the other version is basically unmaintained and just there for convenience.

Meaning I won't be working on fixing this, but of course patches are welcome.
Comment 2 alex.park 2015-10-14 12:03:58 UTC
Created attachment 118869 [details]
removed a finding file
Comment 3 alex.park 2015-10-14 12:06:35 UTC
Oh, I see. Thank you for the quick response.

Comment 4 Adrian Johnson 2015-10-14 20:51:54 UTC
Created attachment 118877 [details] [review]
Warn that the DCT/JPX internal decoders are unmaintained
Comment 5 Adrian Johnson 2015-10-14 20:52:33 UTC
Created attachment 118878 [details] [review]
Synchronize cmake warnings with configure warnings
Comment 6 Albert Astals Cid 2015-10-14 20:55:05 UTC
Looks good to me.
Comment 7 GitLab Migration User 2018-08-20 21:48:52 UTC
-- GitLab Migration Automatic Message --

This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/poppler/poppler/issues/86.
