This vulnerability has been reported privately. Albert Astals Cid already fixed it in the following commit:

https://cgit.freedesktop.org/poppler/poppler/commit/?id=8f4ff8243a3d599ff2a6c08b1da389e606ba4fc9

CVE-2017-9775 has been assigned to this vulnerability.

There is a stack-based overflow. The vulnerability is in GfxState.cc:4066.

    4065     for (i = 0; i < nComps; ++i) {
    4066       out[i] = 0;
    4067     }

The variable out is a stack variable with a defined size of 32 items:

    #define gfxColorMaxComps funcMaxOutputs
    ...
    #define funcMaxOutputs 32

This variable out is defined at the beginning of the getColor function:

    4035 void GfxUnivariateShading::getColor(double t, GfxColor *color) {
    4036   double out[gfxColorMaxComps];
    4037   int i, nComps;
    4038
    4039   // NB: there can be one function with n outputs or n functions with
    4040   // one output each (where n = number of color components)
    4041   nComps = nFuncs * funcs[0]->getOutputSize();

nComps is user-controllable (in the PoC it has the value 42), and it is used to write into the variable out at GfxState.cc:4066.

    4065     for (i = 0; i < nComps; ++i) {
    4066       out[i] = 0;
    4067     }

When parsing the file PoC.pdf, 10 bytes of the stack are overwritten with 00. Due to some restrictions in the lines after the bug, an attacker can't control the values written to the stack, so it is unlikely this could lead to code execution.

A solution could be:

    4065     for (i = 0; i < nComps && i < gfxColorMaxComps; ++i) {

This vulnerability has been found by Offensive Research at Salesforce.com: Alberto Garcia (@algillera), Francisco Oca (@francisco_oca) & Suleman Ali (@Salbei_)
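The following is an added example, not code from the report above and not poppler's own code. It models the two things the report describes: the component-count arithmetic at GfxState.cc:4041, where nComps = nFuncs * getOutputSize() is computed from PDF-controlled values, and the zeroing loop at lines 4065-4067 with the bound the report proposes. The Shading struct, every function name, and the 42 = 42 x 1 split of the PoC's component count are assumptions (the report gives only the product, 42); the two macro values are the ones quoted in the report.

```c
#include <stdio.h>

/* These two macros mirror the poppler definitions quoted in the report:
 * out[] in GfxUnivariateShading::getColor holds gfxColorMaxComps doubles. */
#define funcMaxOutputs   32
#define gfxColorMaxComps funcMaxOutputs

/* Hypothetical stand-in for GfxUnivariateShading, reduced to the two values
 * the overflow depends on. Both come from the shading dictionary's /Function
 * entry in the PDF, so both are attacker-controlled. */
typedef struct {
    int nFuncs;      /* number of /Function objects in the shading */
    int outputSize;  /* stands in for funcs[0]->getOutputSize() */
} Shading;

/* Same arithmetic as GfxState.cc:4041. */
int shading_ncomps(const Shading *sh)
{
    return sh->nFuncs * sh->outputSize;
}

/* How many doubles the unfixed loop (GfxState.cc:4065-4067) would write past
 * the end of out[]. Zero means the loop stays inside the buffer. */
int shading_overflow_items(const Shading *sh)
{
    int n = shading_ncomps(sh);
    return n > gfxColorMaxComps ? n - gfxColorMaxComps : 0;
}

/* Parse-time check a loader can apply before any getColor call: reject a
 * shading whose component count cannot fit a GfxColor at all. */
int shading_ncomps_ok(const Shading *sh)
{
    int n = shading_ncomps(sh);
    return n >= 1 && n <= gfxColorMaxComps;
}

/* The zeroing loop with the bound the report proposes. Returns the number of
 * entries written, which can never exceed gfxColorMaxComps. */
int get_color_fixed(const Shading *sh, double out[gfxColorMaxComps])
{
    int i, nComps = shading_ncomps(sh);
    for (i = 0; i < nComps && i < gfxColorMaxComps; ++i) {
        out[i] = 0;
    }
    return i;
}

/* Fills a stack buffer of exactly poppler's out[] size with a sentinel, runs
 * the hardened loop and reports how many entries ended up zeroed; with the
 * original loop, any count above 32 would be writes past the buffer. */
int fixed_zeroed_count(int nFuncs, int outputSize)
{
    Shading sh = { nFuncs, outputSize };
    double out[gfxColorMaxComps];
    int i, zeroed = 0;

    for (i = 0; i < gfxColorMaxComps; ++i)
        out[i] = 1.5;                       /* sentinel: a value the loop never writes */
    (void)get_color_fixed(&sh, out);
    for (i = 0; i < gfxColorMaxComps; ++i)
        if (out[i] == 0.0)
            ++zeroed;
    return zeroed;
}

int main(void)
{
    /* Constructed PoC-like input: 42 components, modelled as 42 one-output
     * functions. The report states only the product (42), not this split. */
    Shading poc = { 42, 1 };
    Shading sane = { 1, 3 };                /* e.g. one function with RGB output */

    printf("PoC:  nComps=%d overflow=%d items (%zu bytes) valid=%d fixed loop zeroes %d\n",
           shading_ncomps(&poc), shading_overflow_items(&poc),
           shading_overflow_items(&poc) * sizeof(double),
           shading_ncomps_ok(&poc), fixed_zeroed_count(42, 1));
    printf("sane: nComps=%d overflow=%d valid=%d fixed loop zeroes %d\n",
           shading_ncomps(&sane), shading_overflow_items(&sane),
           shading_ncomps_ok(&sane), fixed_zeroed_count(1, 3));
    return 0;
}
```

The excess count is in elements of out[], each a double, so the unfixed loop's overwrite spans shading_overflow_items * sizeof(double) bytes of stack beyond the buffer. The bounded loop is the minimal fix at the write site; shading_ncomps_ok shows the complementary check at parse time, which rejects the document before any colour lookup happens rather than silently truncating the component list.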