Bug 101541 - Integer overflow leading to heap overflow in JBIG2Stream.cc, CVE-2017-9776
Summary: Integer overflow leading to heap overflow in JBIG2Stream.cc, CVE-2017-9776
Status: RESOLVED FIXED
Alias: None
Product: poppler
Classification: Unclassified
Component: general (show other bugs)
Version: unspecified
Hardware: Other All
: medium normal
Assignee: poppler-bugs
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-06-21 17:52 UTC by foca@salesforce.com
Modified: 2017-06-22 21:55 UTC (History)
0 users

See Also:
i915 platform:
i915 features:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description foca@salesforce.com 2017-06-21 17:52:30 UTC
This vulnerability has been reported privately. Albert Astals Cid already fixed it in the following commit:
https://cgit.freedesktop.org/poppler/poppler/commit/?id=a3a98a6d83dfbf49f565f5aa2d7c07153a7f62fc

The CVE-2017-9775 has been assigned to this vulnerability.

The vulnerability is due of an integer overflow in the file JBIG2Stream.cc:895 at the function JBIG2Bitmap::combine:
894  for (yy = y0; yy < y1; ++yy) {
895    if (unlikely(y + yy) >= h)
896      continue;
897
898    // one byte per line -- need to mask both left and right side
899    if (oneByte) {
900      if (x >= 0) {
901        destPtr = data + (y + yy) * line + (x >> 3);
902        srcPtr = bitmap->data + yy * bitmap->line;
903        dest = *destPtr;
904        src1 = *srcPtr;

The user controls the variables y, line and x. During the addition y + yy an integer overflow could happens if the user uses a very high values for y , for example 0x7ffffff.

The code is checking for overflows with the code at the beggining of the loop:
895    if (unlikely(y + yy) >= h)
896      continue;

But when the integer overflow happens this check is bypassed and it's possible to overflow the data variable in line 901. The variable data is in the heap.

The vulnerability leads to a heap overflow vulnerability. The different samples corrupt the heap in different ways. Some of then finish in a double free, other in an error calling malloc and free.

The file JBIG2Stream.cc_903_smallest_possible.pdf contains the minimum data to trigger the bug.

This bug could be used by an attacker to control the heap.

This vulnerability has been found by Offensive Research at Salesforce.com:
Alberto Garcia (@algillera), Francisco Oca (@francisco_oca) & Suleman Ali (@Salbei_)
Comment 1 foca@salesforce.com 2017-06-22 21:55:16 UTC
The CVE number in the description is wrong.

The correct id for this vulnerability is: CVE-2017-9776


Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct.