Created attachment 134185 [details]
POC file of the vulnerability

A NULL pointer dereference vulnerability was found in poppler XRef.cc XRef::parseEntry() which may lead to a potential Denial of Service attack when handling malicious PDF files:

gzq@ubuntu:~/work/vul/poppler$ /home/gzq/install/poppler-dev/bin/pdftohtml -q -s ./mal-XRef-cc-1539-4-49-SIGSEGV.pdf
Segmentation fault
gzq@ubuntu:~/work/vul/poppler$ gdb -q /home/gzq/install/poppler-dev/bin/pdftohtml
Reading symbols from /home/gzq/install/poppler-dev/bin/pdftohtml...done.
(gdb) r -s -q ./mal-XRef-cc-1539-4-49-SIGSEGV.pdf /dev/null
Starting program: /home/gzq/install/poppler-dev/bin/pdftohtml -s -q ./mal-XRef-cc-1539-4-49-SIGSEGV.pdf /dev/null
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00000000005ca07f in XRef::parseEntry (this=<optimized out>, offset=<optimized out>, entry=0x0) at XRef.cc:1539
1539	    entry->offset = obj1.getInt();
(gdb) bt
#0  0x00000000005ca07f in XRef::parseEntry (this=<optimized out>, offset=<optimized out>, entry=0x0) at XRef.cc:1539
#1  0x00000000005c7734 in XRef::getEntry (this=<optimized out>, i=0, complainIfMissing=true) at XRef.cc:1601
#2  0x00000000006a72e3 in Hints::Hints (this=0x9e2190, str=<optimized out>, linearization=0x9e01e0, xref=0x9e00e0, secHdlr=0x0) at Hints.cc:114
#3  0x000000000056fcde in PDFDoc::checkLinearization (this=0x9dfe70) at PDFDoc.cc:555
#4  0x000000000056f2c2 in PDFDoc::getPage (this=0x9dfe70, page=1) at PDFDoc.cc:1955
#5  0x000000000056f024 in PDFDoc::displayPage (this=0x9dfe70, out=0x9e0c00, page=1, hDPI=<optimized out>, vDPI=<optimized out>, rotate=<optimized out>, useMediaBox=true, crop=<optimized out>, printing=<optimized out>, abortCheckCbk=<optimized out>, abortCheckCbkData=<optimized out>, annotDisplayDecideCbk=<optimized out>, annotDisplayDecideCbkData=<optimized out>, copyXRef=112) at PDFDoc.cc:484
#6  0x00000000004085cf in main (argc=<optimized out>, argv=<optimized out>) at pdftohtml.cc:408
Fixed, thanks