Bug 102601 - NULL pointer dereference vulnerability in poppler 0.59.0 Annot.cc
Summary: NULL pointer dereference vulnerability in poppler 0.59.0 Annot.cc
Status: RESOLVED FIXED
Alias: None
Product: poppler
Classification: Unclassified
Component: general
Version: unspecified
Hardware: x86-64 (AMD64) Linux (All)
Importance: high major
Assignee: poppler-bugs
 
Reported: 2017-09-08 03:55 UTC by Ziqiang Gu
Modified: 2017-09-08 16:28 UTC (History)



Attachments
POC file of the vulnerability. (2.60 KB, application/pdf)
2017-09-08 03:55 UTC, Ziqiang Gu

Description Ziqiang Gu 2017-09-08 03:55:17 UTC
Created attachment 134064
POC file of the vulnerability.

A NULL pointer dereference vulnerability was found in Annot.cc AnnotRichMedia::Content::Content() which may lead to a potential Denial of Service attack when processing malicious PDF files:

gzq@ubuntu:~/work/vul/poppler$ /home/gzq/install/poppler/bin/pdfinfo ./mal-annot-cc-6577-2-07.pdf 
Tagged:         no
UserProperties: no
Suspects:       no
Form:           none
Syntax Error (1611): Dictionary key must be a name object
Syntax Error (1613): Dictionary key must be a name object
Syntax Error (1615): Dictionary key must be a name object
Syntax Error: Unterminated string
Syntax Error: End of file inside array
Syntax Error: End of file inside dictionary
Segmentation fault

We can debug the vulnerable applications to learn about details:

gzq@ubuntu:~/work/vul/poppler$ gdb /home/gzq/install/poppler/bin/pdfinfo
GNU gdb (Ubuntu 7.11.90.20161005-0ubuntu2) 7.11.90.20161005-git
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /home/gzq/install/poppler/bin/pdfinfo...done.
(gdb) r ./mal-annot-cc-6577-2-07.pdf
Starting program: /home/gzq/install/poppler/bin/pdfinfo ./mal-annot-cc-6577-2-07.pdf
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Tagged:         no
UserProperties: no
Suspects:       no
Form:           none
Syntax Error (1611): Dictionary key must be a name object
Syntax Error (1613): Dictionary key must be a name object
Syntax Error (1615): Dictionary key must be a name object
Syntax Error: Unterminated string
Syntax Error: End of file inside array
Syntax Error: End of file inside dictionary

Program received signal SIGSEGV, Segmentation fault.
AnnotRichMedia::Content::Content (this=0x555555c0f490, dict=<optimized out>) at Annot.cc:6577
6577	        assets[counter] = new AnnotRichMedia::Asset;
(gdb) bt
#0  AnnotRichMedia::Content::Content (this=0x555555c0f490, dict=<optimized out>) at Annot.cc:6577
#1  0x0000555555606625 in AnnotRichMedia::initialize (this=0x555555c0f6d0, docA=<optimized out>, dict=0x555555c0f820) at Annot.cc:6449
#2  0x0000555555609162 in Annots::createAnnot (this=this@entry=0x555555c0dda0, dictObject=dictObject@entry=0x7fffffffe0a0, obj=obj@entry=0x7fffffffe0b0) at Annot.cc:6926
#3  0x00005555556096dd in Annots::Annots (this=0x555555c0dda0, docA=<optimized out>, page=1, annotsObj=0x7fffffffe110) at Annot.cc:6817
#4  0x000055555575f106 in Page::getAnnots (this=this@entry=0x555555c0f040, xrefA=xrefA@entry=0x0) at Page.cc:374
#5  0x00005555555bb2f7 in JSInfo::scan (this=0x7fffffffe230, nPages=1) at JSInfo.cc:176
#6  0x00005555555b3f34 in printInfo (doc=0x555555c0de40, uMap=<optimized out>, filesize=2666, multiPage=false) at pdfinfo.cc:487
#7  0x00005555555af20f in main (argc=<optimized out>, argv=<optimized out>) at pdfinfo.cc:748
(gdb) p assets
$1 = (AnnotRichMedia::Asset **) 0x0
(gdb) p nAssets
$2 = 0

nAssets may be 0 when a crafted PDF file is being handled, and thus the assets pointer may be null.

This vulnerability has been reproduced in both the latest stable release 0.59.0 and the latest code in the repository. Evince and xpdf are also affected.

A PDF file has been attached to help reproduce this vulnerability.
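The code shape that the backtrace (the store at Annot.cc:6577, `assets == 0x0`, `nAssets == 0`) points at, written out as a constructed C++ model added here; this is example code, not poppler's own Annot.cc, and the `Asset` struct, the function names and the sample name lists are assumptions for illustration. A RichMedia Assets /Names array is treated as a flat list of (name, reference) pairs: the count is derived by integer division from the array length, the array of asset pointers is sized from that count, and the loop then walks the raw array in steps of two, so the two sizes disagree whenever the length is odd. The unsafe variant guards the store so it reports the fault as -1 instead of segfaulting; the checked variant rejects an odd-length array up front and bounds the loop by the allocation size.

```cpp
#include <cstddef>
#include <string>
#include <vector>

// Constructed example (not poppler's own Annot.cc): a model of the pattern
// behind the reported crash. The /Names array holds (name, reference) pairs:
// [name0, ref0, name1, ref1, ...].
struct Asset {
  std::string name;
  std::string ref;
};

// Model of the vulnerable shape. n_assets is names.size() / 2 and the pointer
// array is sized from it, but the loop steps through the raw array by two.
// Integer division truncates for an odd length: a one-element array gives
// n_assets == 0, a null `assets`, and a store through null on the first
// iteration (the reported crash site); three or more elements would overrun
// the allocation instead. The store is guarded here so the fault comes back
// as -1 rather than a SIGSEGV. Returns the asset count on success.
long build_assets_unsafe(const std::vector<std::string>& names) {
  std::size_t n_assets = names.size() / 2;
  Asset** assets = n_assets ? new Asset*[n_assets]() : nullptr;  // 0 -> null
  long result = static_cast<long>(n_assets);

  std::size_t counter = 0;
  for (std::size_t i = 0; i < names.size(); i += 2) {
    if (assets == nullptr || counter >= n_assets) {
      // The unguarded pattern would execute: assets[counter] = new Asset;
      result = -1;
      break;
    }
    assets[counter] = new Asset;
    assets[counter]->name = names[i];
    assets[counter]->ref = names[i + 1];  // in range: counter < n_assets implies i + 1 < size
    ++counter;
  }
  for (std::size_t k = 0; k < counter; ++k) delete assets[k];
  delete[] assets;
  return result;
}

// Hardened shape: reject a malformed (odd-length) list before allocating, and
// let the loop bound follow the allocation size instead of the raw length.
// Returns the asset count, or -1 when the input is rejected.
long build_assets_checked(const std::vector<std::string>& names,
                          std::vector<Asset>* out = nullptr) {
  if (names.size() % 2 != 0) return -1;  // not a list of (name, ref) pairs
  std::size_t n_assets = names.size() / 2;
  std::vector<Asset> built;
  built.reserve(n_assets);
  for (std::size_t k = 0; k < n_assets; ++k) {
    built.push_back(Asset{names[2 * k], names[2 * k + 1]});
  }
  if (out) *out = built;
  return static_cast<long>(n_assets);
}

int main() {
  // Constructed inputs: a well-formed pair list and the one-element case that
  // drives the count to 0, the condition printed in gdb above.
  const std::vector<std::string> good = {"video", "12 0 R", "poster", "13 0 R"};
  const std::vector<std::string> bad = {"video"};
  bool as_expected = build_assets_unsafe(good) == 2 &&
                     build_assets_unsafe(bad) == -1 &&
                     build_assets_checked(bad) == -1 &&
                     build_assets_checked(good) == 2;
  return as_expected ? 0 : 1;
}
```

The fix direction this model illustrates is the general one for count-from-length code: validate the shape of the input (here, an even number of entries) before sizing an allocation from it, and iterate over the allocated count rather than over the untrusted array length.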
Comment 1 Albert Astals Cid 2017-09-08 16:28:42 UTC
Fixed, thanks.

