Bug 101502 - Uninitialized memory read in GfxState.cc:4041
Summary: Uninitialized memory read in GfxState.cc:4041
Status: RESOLVED MOVED
Alias: None
Product: poppler
Classification: Unclassified
Component: general (show other bugs)
Version: unspecified
Hardware: Other All
Importance: medium normal
Assignee: poppler-bugs
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-06-19 17:39 UTC by foca@salesforce.com
Modified: 2018-08-20 22:06 UTC (History)

See Also:


Attachments
Proof of concept (3.68 KB, application/pdf)
2017-06-19 17:39 UTC, foca@salesforce.com

Description foca@salesforce.com 2017-06-19 17:39:48 UTC
Created attachment 132067 [details]
Proof of concept

There is an uninitialized memory read that leads to a Denial of Service.

The PoC crashes in the following line:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000436480 in Function::getOutputSize (this=0x2f502f2052203020) at Function.h:77
77        int getOutputSize() { return n; }

Just before calling the function, in GfxUnivariateShading::getColor at GfxState.cc:4041:
4041      nComps = nFuncs * funcs[0]->getOutputSize();

The variable funcs is an array of nFuncs elements. But in the PoC the number of elements, nFuncs, is 0, and still the code accesses the first element, funcs[0], using uninitialized memory. The program expects to get a pointer from funcs[0], and it crashes when it dereferences an invalid pointer.

The fix would be to check if there is at least one element before accessing the first one:

4041    if (nFuncs >= 1)
4042        nComps = nFuncs * funcs[0]->getOutputSize();

PoC is attached.

This vulnerability has been found by Offensive Research at Salesforce.com:
Alberto Garcia (@algillera), Francisco Oca (@francisco_oca) & Suleman Ali (@Salbei_)
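As an added illustration (not poppler's code and not the reporter's), here is a minimal C++ model of the defect described above: a fixed-size pointer array plus a count that a parser may legitimately leave at 0, the unchecked access from the report beside the guarded form. The type names and the gfxColorMaxComps bound are assumptions modelled loosely on poppler's, not the real definitions.

```cpp
// Added illustration, not poppler's code: a minimal model of the
// GfxUnivariateShading::getColor() defect from the report. Names mirror
// the report (funcs, nFuncs, getOutputSize); the types are simplified.
#include <cstddef>
#include <vector>

struct Function {
    int n;                              // number of output components
    int getOutputSize() const { return n; }
};

constexpr int gfxColorMaxComps = 32;   // assumption: fixed upper bound on functions

struct UnivariateShading {
    // Value-initialised so an unset slot is nullptr, never stale memory.
    // In the reported build the slots were left uninitialised.
    const Function *funcs[gfxColorMaxComps] = {};
    int nFuncs = 0;
};

// Mimics the parser: a /Function entry may be missing or an empty array,
// which legitimately leaves nFuncs == 0 with nothing stored in funcs.
UnivariateShading buildShading(const std::vector<const Function *> &parsed) {
    UnivariateShading sh;
    for (const Function *f : parsed) {
        if (sh.nFuncs >= gfxColorMaxComps) break;  // drop excess functions
        sh.funcs[sh.nFuncs++] = f;
    }
    return sh;
}

// Vulnerable shape (as in the report): dereferences funcs[0] regardless of
// nFuncs. With nFuncs == 0 this reads whatever sits in funcs[0]; never call
// it on an empty shading (it is kept here only for comparison).
int nCompsUnchecked(const UnivariateShading &sh) {
    return sh.nFuncs * sh.funcs[0]->getOutputSize();
}

// Hardened shape: the reporter's suggested guard. 0 means "no colour data".
int nCompsChecked(const UnivariateShading &sh) {
    if (sh.nFuncs >= 1)
        return sh.nFuncs * sh.funcs[0]->getOutputSize();
    return 0;
}

int main() {
    static const Function rgb{3};
    UnivariateShading ok = buildShading({&rgb, &rgb});   // 2 funcs x 3 outputs
    UnivariateShading empty = buildShading({});           // the PoC shape
    return (nCompsChecked(ok) == 6 && nCompsChecked(empty) == 0) ? 0 : 1;
}
```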
Comment 1 Daniel Stone 2018-08-20 21:54:24 UTC
-- GitLab Migration Automatic Message --

This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/fontconfig/fontconfig/issues/103
Comment 2 Daniel Stone 2018-08-20 21:54:56 UTC
Sorry, wrong bug: I typoed this!
Comment 3 GitLab Migration User 2018-08-20 22:06:07 UTC
-- GitLab Migration Automatic Message --

This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/poppler/poppler/issues/192.

