Created attachment 132065: Proof of concept

There is an out-of-bounds read at Functions.cc:218:

    212 }
    213
    214 void IdentityFunction::transform(double *in, double *out) {
    215   int i;
    216
    217   for (i = 0; i < funcMaxOutputs; ++i) {
    218     out[i] = in[i];
    219   }
    220 }

funcMaxOutputs is defined in Functions.h:

    #define funcMaxOutputs 32

Parsing the PoC.pdf, this function is called from GfxFunctionShading::getColor:

    3957 void GfxFunctionShading::getColor(double x, double y, GfxColor *color) {
    3958   double in[2], out[gfxColorMaxComps];
    3959   int i;
    3960
    3961   // NB: there can be one function with n outputs or n functions with
    3962   // one output each (where n = number of color components)
    3963   for (i = 0; i < gfxColorMaxComps; ++i) {
    3964     out[i] = 0;
    3965   }
    3966   in[0] = x;
    3967   in[1] = y;
    3968   for (i = 0; i < nFuncs; ++i) {
    3969     funcs[i]->transform(in, &out[i]);
    3970   }
    3971   for (i = 0; i < gfxColorMaxComps; ++i) {
    3972     color->c[i] = dblToCol(out[i]);
    3973   }
    3974 }

where the variable in has only 2 elements, instead of the 32 read in IdentityFunction::transform. So 30 elements are read past the end of in. This could be fixed by increasing the number of elements of the variable in:

    3958   double in[gfxColorMaxComps], out[gfxColorMaxComps];

PoC is attached.

This vulnerability has been found by Offensive Research at Salesforce.com: Alberto Garcia (@algillera), Francisco Oca (@francisco_oca) & Suleman Ali (@Salbei_)
Neither valgrind nor asan finds anything wrong in that file. Which tool are you using?
I'm using ASAN. Sorry I didn't provide the command line; I used this:

    pdftocairo -svg PoC.pdf

If ASAN is still not detecting it, try putting a breakpoint at Function.cc:218 and see how the variable in is accessed beyond the second element.
Yeah, the getColor functions are a bit evil. Your suggested solution won't fix the problem in that function; out may need to go to gfxColorMaxComps * 2 too. I'd like to avoid that, though.
-- GitLab Migration Automatic Message -- This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity. You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/poppler/poppler/issues/36.