Created attachment 131003
testcase on poppler 0.54.0

The Object::initArray function in Object.cc:67 allows attackers to cause a denial of service (memory leak) via a crafted file.

#pdfinfo $FILE

==113897==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 72 byte(s) in 1 object(s) allocated from:
    #0 0x7f90d5a81a20 in operator new(unsigned long) ../../../../libsanitizer/asan/asan_new_delete.cc:60
    #1 0x52040d in Object::initArray(XRef*) /home/haojun/Downloads/testopensourcecode/poppler/poppler/Object.cc:67
    #2 0x52bb32 in Parser::getObj(Object*, bool, unsigned char*, CryptAlgorithm, int, int, int, int, bool) /home/haojun/Downloads/testopensourcecode/poppler/poppler/Parser.cc:93
    #3 0x58295a in XRef::fetch(int, int, Object*, int) /home/haojun/Downloads/testopensourcecode/poppler/poppler/XRef.cc:1221
    #4 0x581e91 in XRef::getCatalog(Object*) /home/haojun/Downloads/testopensourcecode/poppler/poppler/XRef.cc:1147
    #5 0x44e595 in Catalog::Catalog(PDFDoc*) /home/haojun/Downloads/testopensourcecode/poppler/poppler/Catalog.cc:110
    #6 0x52e4a1 in PDFDoc::setup(GooString*, GooString*) /home/haojun/Downloads/testopensourcecode/poppler/poppler/PDFDoc.cc:285
    #7 0x52db6c in PDFDoc::PDFDoc(GooString*, GooString*, GooString*, void*) /home/haojun/Downloads/testopensourcecode/poppler/poppler/PDFDoc.cc:169
    #8 0x65191e in LocalPDFDocBuilder::buildPDFDoc(GooString const&, GooString*, GooString*, void*) /home/haojun/Downloads/testopensourcecode/poppler/poppler/LocalPDFDocBuilder.cc:31
    #9 0x53fd5e in PDFDocFactory::createPDFDoc(GooString const&, GooString*, GooString*, void*) /home/haojun/Downloads/testopensourcecode/poppler/poppler/PDFDocFactory.cc:58
    #10 0x4079c9 in main /home/haojun/Downloads/testopensourcecode/poppler/utils/pdfinfo.cc:538
    #11 0x7f90d3d7cb34 in __libc_start_main (/lib64/libc.so.6+0x21b34)

Indirect leak of 2304 byte(s) in 1 object(s) allocated from:
    #0 0x7f90d5a80ec0 in __interceptor_realloc ../../../../libsanitizer/asan/asan_malloc_linux.cc:75
    #1 0x59cb29 in grealloc /home/haojun/Downloads/testopensourcecode/poppler/goo/gmem.cc:159
    #2 0x59cbd7 in grealloc /home/haojun/Downloads/testopensourcecode/poppler/goo/gmem.cc:173
    #3 0x59b22e in GooString::resize(int) /home/haojun/Downloads/testopensourcecode/poppler/goo/GooString.cc:158
    #4 0x596dc1 in GooString::append(char const*, int) /home/haojun/Downloads/testopensourcecode/poppler/goo/GooString.cc:291
    #5 0x515be6 in Lexer::getObj(Object*, int) /home/haojun/Downloads/testopensourcecode/poppler/poppler/Lexer.cc:378
    #6 0x52cf1d in Parser::shift(int) /home/haojun/Downloads/testopensourcecode/poppler/poppler/Parser.cc:300
    #7 0x52c07d in Parser::getObj(Object*, bool, unsigned char*, CryptAlgorithm, int, int, int, int, bool) /home/haojun/Downloads/testopensourcecode/poppler/poppler/Parser.cc:146
    #8 0x52bbc3 in Parser::getObj(Object*, bool, unsigned char*, CryptAlgorithm, int, int, int, int, bool) /home/haojun/Downloads/testopensourcecode/poppler/poppler/Parser.cc:95
    #9 0x58295a in XRef::fetch(int, int, Object*, int) /home/haojun/Downloads/testopensourcecode/poppler/poppler/XRef.cc:1221
    #10 0x581e91 in XRef::getCatalog(Object*) /home/haojun/Downloads/testopensourcecode/poppler/poppler/XRef.cc:1147
    #11 0x44e595 in Catalog::Catalog(PDFDoc*) /home/haojun/Downloads/testopensourcecode/poppler/poppler/Catalog.cc:110
    #12 0x52e4a1 in PDFDoc::setup(GooString*, GooString*) /home/haojun/Downloads/testopensourcecode/poppler/poppler/PDFDoc.cc:285
    #13 0x52db6c in PDFDoc::PDFDoc(GooString*, GooString*, GooString*, void*) /home/haojun/Downloads/testopensourcecode/poppler/poppler/PDFDoc.cc:169
    #14 0x65191e in LocalPDFDocBuilder::buildPDFDoc(GooString const&, GooString*, GooString*, void*) /home/haojun/Downloads/testopensourcecode/poppler/poppler/LocalPDFDocBuilder.cc:31
    #15 0x53fd5e in PDFDocFactory::createPDFDoc(GooString const&, GooString*, GooString*, void*) /home/haojun/Downloads/testopensourcecode/poppler/poppler/PDFDocFactory.cc:58
    #16 0x4079c9 in main /home/haojun/Downloads/testopensourcecode/poppler/utils/pdfinfo.cc:538
    #17 0x7f90d3d7cb34 in __libc_start_main (/lib64/libc.so.6+0x21b34)

Indirect leak of 1024 byte(s) in 1 object(s) allocated from:
    #0 0x7f90d5a80ec0 in __interceptor_realloc ../../../../libsanitizer/asan/asan_malloc_linux.cc:75
    #1 0x59cb29 in grealloc /home/haojun/Downloads/testopensourcecode/poppler/goo/gmem.cc:159
    #2 0x59cef2 in greallocn /home/haojun/Downloads/testopensourcecode/poppler/goo/gmem.cc:240
    #3 0x59cf1d in greallocn /home/haojun/Downloads/testopensourcecode/poppler/goo/gmem.cc:244
    #4 0x44d668 in Array::add(Object*) /home/haojun/Downloads/testopensourcecode/poppler/poppler/Array.cc:98
    #5 0x44ae3e in Object::arrayAdd(Object*) /home/haojun/Downloads/testopensourcecode/poppler/poppler/Object.h:299
    #6 0x52bbdc in Parser::getObj(Object*, bool, unsigned char*, CryptAlgorithm, int, int, int, int, bool) /home/haojun/Downloads/testopensourcecode/poppler/poppler/Parser.cc:96
    #7 0x58295a in XRef::fetch(int, int, Object*, int) /home/haojun/Downloads/testopensourcecode/poppler/poppler/XRef.cc:1221
    #8 0x581e91 in XRef::getCatalog(Object*) /home/haojun/Downloads/testopensourcecode/poppler/poppler/XRef.cc:1147
    #9 0x44e595 in Catalog::Catalog(PDFDoc*) /home/haojun/Downloads/testopensourcecode/poppler/poppler/Catalog.cc:110
    #10 0x52e4a1 in PDFDoc::setup(GooString*, GooString*) /home/haojun/Downloads/testopensourcecode/poppler/poppler/PDFDoc.cc:285
    #11 0x52db6c in PDFDoc::PDFDoc(GooString*, GooString*, GooString*, void*) /home/haojun/Downloads/testopensourcecode/poppler/poppler/PDFDoc.cc:169
    #12 0x65191e in LocalPDFDocBuilder::buildPDFDoc(GooString const&, GooString*, GooString*, void*) /home/haojun/Downloads/testopensourcecode/poppler/poppler/LocalPDFDocBuilder.cc:31
    #13 0x53fd5e in PDFDocFactory::createPDFDoc(GooString const&, GooString*, GooString*, void*) /home/haojun/Downloads/testopensourcecode/poppler/poppler/PDFDocFactory.cc:58
    #14 0x4079c9 in main /home/haojun/Downloads/testopensourcecode/poppler/utils/pdfinfo.cc:538
    #15 0x7f90d3d7cb34 in __libc_start_main (/lib64/libc.so.6+0x21b34)

Indirect leak of 32 byte(s) in 1 object(s) allocated from:
    #0 0x7f90d5a81a20 in operator new(unsigned long) ../../../../libsanitizer/asan/asan_new_delete.cc:60
    #1 0x515ba9 in Lexer::getObj(Object*, int) /home/haojun/Downloads/testopensourcecode/poppler/poppler/Lexer.cc:376
    #2 0x52cf1d in Parser::shift(int) /home/haojun/Downloads/testopensourcecode/poppler/poppler/Parser.cc:300
    #3 0x52c07d in Parser::getObj(Object*, bool, unsigned char*, CryptAlgorithm, int, int, int, int, bool) /home/haojun/Downloads/testopensourcecode/poppler/poppler/Parser.cc:146
    #4 0x52bbc3 in Parser::getObj(Object*, bool, unsigned char*, CryptAlgorithm, int, int, int, int, bool) /home/haojun/Downloads/testopensourcecode/poppler/poppler/Parser.cc:95
    #5 0x58295a in XRef::fetch(int, int, Object*, int) /home/haojun/Downloads/testopensourcecode/poppler/poppler/XRef.cc:1221
    #6 0x581e91 in XRef::getCatalog(Object*) /home/haojun/Downloads/testopensourcecode/poppler/poppler/XRef.cc:1147
    #7 0x44e595 in Catalog::Catalog(PDFDoc*) /home/haojun/Downloads/testopensourcecode/poppler/poppler/Catalog.cc:110
    #8 0x52e4a1 in PDFDoc::setup(GooString*, GooString*) /home/haojun/Downloads/testopensourcecode/poppler/poppler/PDFDoc.cc:285
    #9 0x52db6c in PDFDoc::PDFDoc(GooString*, GooString*, GooString*, void*) /home/haojun/Downloads/testopensourcecode/poppler/poppler/PDFDoc.cc:169
    #10 0x65191e in LocalPDFDocBuilder::buildPDFDoc(GooString const&, GooString*, GooString*, void*) /home/haojun/Downloads/testopensourcecode/poppler/poppler/LocalPDFDocBuilder.cc:31
    #11 0x53fd5e in PDFDocFactory::createPDFDoc(GooString const&, GooString*, GooString*, void*) /home/haojun/Downloads/testopensourcecode/poppler/poppler/PDFDocFactory.cc:58
    #12 0x4079c9 in main /home/haojun/Downloads/testopensourcecode/poppler/utils/pdfinfo.cc:538
    #13 0x7f90d3d7cb34 in __libc_start_main (/lib64/libc.so.6+0x21b34)

Indirect leak of 4 byte(s) in 1 object(s) allocated from:
    #0 0x7f90d5a80b58 in __interceptor_malloc ../../../../libsanitizer/asan/asan_malloc_linux.cc:62
    #1 0x59ca1f in gmalloc /home/haojun/Downloads/testopensourcecode/poppler/goo/gmem.cc:110
    #2 0x59cab5 in gmalloc /home/haojun/Downloads/testopensourcecode/poppler/goo/gmem.cc:120
    #3 0x59cf90 in copyString /home/haojun/Downloads/testopensourcecode/poppler/goo/gmem.cc:316
    #4 0x516ef8 in Object::initCmd(char*) /home/haojun/Downloads/testopensourcecode/poppler/poppler/Object.h:152
    #5 0x5169ee in Lexer::getObj(Object*, int) /home/haojun/Downloads/testopensourcecode/poppler/poppler/Lexer.cc:576
    #6 0x52cf1d in Parser::shift(int) /home/haojun/Downloads/testopensourcecode/poppler/poppler/Parser.cc:300
    #7 0x52c07d in Parser::getObj(Object*, bool, unsigned char*, CryptAlgorithm, int, int, int, int, bool) /home/haojun/Downloads/testopensourcecode/poppler/poppler/Parser.cc:146
    #8 0x52bbc3 in Parser::getObj(Object*, bool, unsigned char*, CryptAlgorithm, int, int, int, int, bool) /home/haojun/Downloads/testopensourcecode/poppler/poppler/Parser.cc:95
    #9 0x58295a in XRef::fetch(int, int, Object*, int) /home/haojun/Downloads/testopensourcecode/poppler/poppler/XRef.cc:1221
    #10 0x581e91 in XRef::getCatalog(Object*) /home/haojun/Downloads/testopensourcecode/poppler/poppler/XRef.cc:1147
    #11 0x44e595 in Catalog::Catalog(PDFDoc*) /home/haojun/Downloads/testopensourcecode/poppler/poppler/Catalog.cc:110
    #12 0x52e4a1 in PDFDoc::setup(GooString*, GooString*) /home/haojun/Downloads/testopensourcecode/poppler/poppler/PDFDoc.cc:285
    #13 0x52db6c in PDFDoc::PDFDoc(GooString*, GooString*, GooString*, void*) /home/haojun/Downloads/testopensourcecode/poppler/poppler/PDFDoc.cc:169
    #14 0x65191e in LocalPDFDocBuilder::buildPDFDoc(GooString const&, GooString*, GooString*, void*) /home/haojun/Downloads/testopensourcecode/poppler/poppler/LocalPDFDocBuilder.cc:31
    #15 0x53fd5e in PDFDocFactory::createPDFDoc(GooString const&, GooString*, GooString*, void*) /home/haojun/Downloads/testopensourcecode/poppler/poppler/PDFDocFactory.cc:58
    #16 0x4079c9 in main /home/haojun/Downloads/testopensourcecode/poppler/utils/pdfinfo.cc:538
    #17 0x7f90d3d7cb34 in __libc_start_main (/lib64/libc.so.6+0x21b34)

SUMMARY: AddressSanitizer: 3436 byte(s) leaked in 5 allocation(s).

The $FILE poc is in the attachment.

Credit: The bug was discovered by Haojun Hou in ADLab of Venustech.
Fixed, thanks for the report :)