Bug 102687 - NULL pointer dereference vulnerability in poppler 0.59.0 XRef.cc XRef::parseEntry()
Summary: NULL pointer dereference vulnerability in poppler 0.59.0 XRef.cc XRef::parseE...
Status: RESOLVED FIXED
Alias: None
Product: poppler
Classification: Unclassified
Component: general (show other bugs)
Version: unspecified
Hardware: All Linux (All)
: medium major
Assignee: poppler-bugs
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-09-13 02:16 UTC by Ziqiang Gu
Modified: 2017-09-13 21:01 UTC (History)
0 users

See Also:
i915 platform:
i915 features:


Attachments
POC file of the vulnerability (7.40 KB, application/pdf)
2017-09-13 02:16 UTC, Ziqiang Gu
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Ziqiang Gu 2017-09-13 02:16:44 UTC
Created attachment 134185 [details]
POC file of the vulnerability

A NULL pointer dereference vulnerability was found in poppler XRef.cc XRef::parseEntry() which may lead to potential Denial of Service attack when handling malicious PDF files:

gzq@ubuntu:~/work/vul/poppler$ /home/gzq/install/poppler-dev/bin/pdftohtml -q -s ./mal-XRef-cc-1539-4-49-SIGSEGV.pdf 
Segmentation fault

gzq@ubuntu:~/work/vul/poppler$ gdb -q /home/gzq/install/poppler-dev/bin/pdftohtml
Reading symbols from /home/gzq/install/poppler-dev/bin/pdftohtml...done.
(gdb) r -s -q ./mal-XRef-cc-1539-4-49-SIGSEGV.pdf /dev/null
Starting program: /home/gzq/install/poppler-dev/bin/pdftohtml -s -q ./mal-XRef-cc-1539-4-49-SIGSEGV.pdf /dev/null
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00000000005ca07f in XRef::parseEntry (this=<optimized out>, offset=<optimized out>, entry=0x0) at XRef.cc:1539
1539	      entry->offset = obj1.getInt();
(gdb) bt
#0  0x00000000005ca07f in XRef::parseEntry (this=<optimized out>, offset=<optimized out>, entry=0x0) at XRef.cc:1539
#1  0x00000000005c7734 in XRef::getEntry (this=<optimized out>, i=0, complainIfMissing=true) at XRef.cc:1601
#2  0x00000000006a72e3 in Hints::Hints (this=0x9e2190, str=<optimized out>, linearization=0x9e01e0, xref=0x9e00e0, secHdlr=0x0) at Hints.cc:114
#3  0x000000000056fcde in PDFDoc::checkLinearization (this=0x9dfe70) at PDFDoc.cc:555
#4  0x000000000056f2c2 in PDFDoc::getPage (this=0x9dfe70, page=1) at PDFDoc.cc:1955
#5  0x000000000056f024 in PDFDoc::displayPage (this=0x9dfe70, out=0x9e0c00, page=1, hDPI=<optimized out>, vDPI=<optimized out>, rotate=<optimized out>, useMediaBox=true, crop=<optimized out>, printing=<optimized out>, abortCheckCbk=<optimized out>, 
    abortCheckCbkData=<optimized out>, annotDisplayDecideCbk=<optimized out>, annotDisplayDecideCbkData=<optimized out>, copyXRef=112) at PDFDoc.cc:484
#6  0x00000000004085cf in main (argc=<optimized out>, argv=<optimized out>) at pdftohtml.cc:408
Comment 1 Albert Astals Cid 2017-09-13 21:01:25 UTC
Fixed, thanks


Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.