Bug 101501 - Reading outside bounds at Functions.cc:218
Summary: Reading outside bounds at Functions.cc:218
Alias: None
Product: poppler
Classification: Unclassified
Component: general (show other bugs)
Version: unspecified
Hardware: All All
: medium normal
Assignee: poppler-bugs
QA Contact:
Depends on:
Reported: 2017-06-19 17:32 UTC by foca@salesforce.com
Modified: 2018-08-20 21:35 UTC (History)
0 users

See Also:
i915 platform:
i915 features:

Proof of concept (2.17 KB, application/pdf)
2017-06-19 17:32 UTC, foca@salesforce.com

Description foca@salesforce.com 2017-06-19 17:32:51 UTC
Created attachment 132065 [details]
Proof of concept

There is a bug reading outside bounds at Functions.cc:218

 212 }
 214 void IdentityFunction::transform(double *in, double *out) {
 215   int i;
 217   for (i = 0; i < funcMaxOutputs; ++i) {
 218     out[i] = in[i];
 219   }
 220 }

funcMacOutputs is defined in Functions.h:
#define funcMaxOutputs       32

Parsing the PoC.pdf, this function is called from GfxFunctionShading::getColor:

3957 void GfxFunctionShading::getColor(double x, double y, GfxColor *color) {
3958   double in[2], out[gfxColorMaxComps];
3959   int i;
3961   // NB: there can be one function with n outputs or n functions with
3962   // one output each (where n = number of color components)
3963   for (i = 0; i < gfxColorMaxComps; ++i) {
3964     out[i] = 0;
3965   }
3966   in[0] = x;
3967   in[1] = y;
3968   for (i = 0; i < nFuncs; ++i) {
3969     funcs[i]->transform(in, &out[i]);
3970   }
3971   for (i = 0; i < gfxColorMaxComps; ++i) {
3972     color->c[i] = dblToCol(out[i]);
3973   }
3974 }

Where the variable in has only 2 elements, instead of the 32 read at IdentityFunction::transform. So 30 elements are read after the in.

This could be fixed increasing the number of elements for the variable in:
3958   double in[gfxColorMaxComps], out[gfxColorMaxComps];

PoC is attached.

This vulnerability has been found by Offensive Research at Salesforce.com:
Alberto Garcia (@algillera), Francisco Oca (@francisco_oca) & Suleman Ali (@Salbei_)
Comment 1 Albert Astals Cid 2017-06-19 21:23:11 UTC
Nor valgrind nor asan find anynthing wrong in that file.

Which tool are you using?
Comment 2 foca@salesforce.com 2017-06-19 21:34:14 UTC
I'm using ASAN.

Sorry I didn't provide the command line, I used this:
pdftocairo -svg PoC.pdf

If still ASAN is not detecting it, try to put a breakpoint at Function.cc:218 and see how the variable in is accessed beyond the second element.
Comment 3 Albert Astals Cid 2017-06-19 21:53:12 UTC
yeah, the getColor functions are a bit evil, your suggested solution won't fix the problem in that function, out may need to go to gfxColorMaxComps * 2 too, i'd like to avoid that though
Comment 4 GitLab Migration User 2018-08-20 21:35:54 UTC
-- GitLab Migration Automatic Message --

This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/poppler/poppler/issues/36.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.