Bug 101540 - Stack buffer overflow in GfxState.cc:4066, CVE-2017-9775
Summary: Stack buffer overflow in GfxState.cc:4066, CVE-2017-9775
Status: RESOLVED FIXED
Alias: None
Product: poppler
Classification: Unclassified
Component: general (show other bugs)
Version: unspecified
Hardware: All All
: medium normal
Assignee: poppler-bugs
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-06-21 17:47 UTC by foca@salesforce.com
Modified: 2017-06-21 17:48 UTC (History)
0 users

See Also:
i915 platform:
i915 features:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description foca@salesforce.com 2017-06-21 17:47:57 UTC
This vulnerability has been reported privately. Albert Astals Cid already fixed it in the following commit:
https://cgit.freedesktop.org/poppler/poppler/commit/?id=8f4ff8243a3d599ff2a6c08b1da389e606ba4fc9

The CVE-2017-9775 has been assigned to this vulnerability.

There is a stack based overflow. The vulnerability is in GfxState.cc:4066.

4065     for (i = 0; i < nComps; ++i) {
4066       out[i] = 0;
4067     }
The variable out is a stack variable with a defined size of 32 items:

#define gfxColorMaxComps funcMaxOutputs
...
#define funcMaxOutputs       32
This variable out is defined at the beginning of the getColor function:

4035 void GfxUnivariateShading::getColor(double t, GfxColor *color) {
4036   double out[gfxColorMaxComps];
4037   int i, nComps;
4038 
4039   // NB: there can be one function with n outputs or n functions with
4040   // one output each (where n = number of color components)
4041   nComps = nFuncs * funcs[0]->getOutputSize();
nComps is user controllable (in the PoC has the value 42), and it is used to write into the variable out at GfxState.cc:4066.

4065     for (i = 0; i < nComps; ++i) {
4066       out[i] = 0;
4067     }
Parsing the file PoC.pdf 10 bytes of the stack are overwritten with 00.

Due to some restrictions in the lines after the bug, an attacker can't control the values written in the stack so it unlikely this could lead to a code execution.

A solution could be:
4065     for (i = 0; i < nComps && i < gfxColorMaxComps; ++i) {

This vulnerability has been found by Offensive Research at Salesforce.com:
Alberto Garcia (@algillera), Francisco Oca (@francisco_oca) & Suleman Ali (@Salbei_)


Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.