Bug 93476

Summary: Memory Corruption while processing Blend Mode
Product: poppler Reporter: Nafiez <Hanafie.Nuruddin>
Component: generalAssignee: poppler-bugs <poppler-bugs>
Status: VERIFIED FIXED QA Contact:
Severity: major    
Priority: medium    
Version: unspecified   
Hardware: x86 (IA32)   
OS: other   
Whiteboard:
i915 platform: i915 features:
Attachments: Test case (PoC, crashdump, stack trace)

Description Nafiez 2015-12-22 19:09:34 UTC 
Created attachment 120651 [details]
Test case (PoC, crashdump, stack trace)

Hi,

We found a memory corruption during fuzzing in a different type of PDF reader / viewer. Upon analysis, we found that bug leads to libpoppler library. The issue happened when "ExtGState" is not a valid blend mode. We noticed this is related to security issue. We have attached all the information needed for your testing.

Our lab test: Ubuntu 14.04.3 LTS (trusty)
PDF viewer / reader: diffpdf, evince, gpdftext, pdf-presenter-console, xpdf, zathura_viewer, qpdfview


Example testing:

labs@autobot:~/warez/pdf$ qpdfview crash.pdf 
"Error (10431): Invalid blend mode in ExtGState" 
*** Error in `qpdfview': malloc(): memory corruption: 0xb217ca10 ***
Aborted

Code:

GBool Gfx::checkTransparencyGroup(Dict *resDict) {
  // check the effect of compositing objects as a group:
  // look for ExtGState entries with ca != 1 or CA != 1 or BM != normal
  Object extGStates;
  GBool transpGroup = gFalse;
  double opac;

  if (resDict == NULL)
    return gFalse;
  pushResources(resDict);
  resDict->lookup("ExtGState", &extGStates);
  if (extGStates.isDict()) {
    Dict *dict = extGStates.getDict();
    for (int i = 0; i < dict->getLength() && !transpGroup; i++) {
      Object obj1, obj2;
      GfxBlendMode mode;

      if (res->lookupGState(dict->getKey(i), &obj1) && obj1.isDict()) {
        if (!obj1.dictLookup("BM", &obj2)->isNull()) { 
          if (state->parseBlendMode(&obj2, &mode)) { // failed processing blend mode
            if (mode != gfxBlendNormal)		// true
              transpGroup = gTrue;
          } else {	// 
            error(errSyntaxError, getPos(), "Invalid blend mode in ExtGState");
          }
        }


Thanks!
Comment 2 Nafiez 2015-12-22 22:19:06 UTC 
Hi,

Is this the fix or already being fixed? 

http://cgit.freedesktop.org/poppler/poppler/commit/?id=b3425dd3261679958cd56c0f71995c15d2124433


Thanks
Comment 3 Nafiez 2015-12-22 22:42:33 UTC 
Hi,

Is this the fix or already being fixed? 

http://cgit.freedesktop.org/poppler/poppler/commit/?id=b3425dd3261679958cd56c0f71995c15d2124433


Thanks
Comment 4 Albert Astals Cid 2015-12-22 22:53:02 UTC 
What part of "FIXED" you do not understand that you need to ask if it's fixed?
Comment 5 Albert Astals Cid 2015-12-22 22:54:29 UTC 
So yeah I'll be extra verbose, that commit fixes the problem on the current master branch.

I've no idea if it will still crash in Ubuntu 14.04.3 LTS (trusty), it's up to you if you want to use old versions of the software.
Comment 6 Nafiez 2015-12-22 23:10:32 UTC 
Thanks! A little confusion there :)
Comment 7 Nafiez 2015-12-22 23:35:22 UTC 
Another query, is the issue consider as security issue from your side? If yes, is there any CVE or patch release announcement? Thanks.
Comment 8 Albert Astals Cid 2015-12-24 15:43:30 UTC 
Unless you can provide an exploit, no, it's not a security issue.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.