Created attachment 134331 [details] POC file of the vulnerability A floating point exception vulnerability was found in poppler 0.59.0 Stream.cc ImageStream::ImageStream() which may lead to potential attack when handling malicious PDF files: gzq@ubuntu:~$ /home/gzq/install/poppler-dev/bin/pdftohtml -q -s /home/gzq/work/vul/poppler/mal-Stream-cc-457-4-47.pdf /dev/null Bogus memory allocation size Floating point exception gzq@ubuntu:~$ gdb -q /home/gzq/install/poppler-dev/bin/pdftohtml Reading symbols from /home/gzq/install/poppler-dev/bin/pdftohtml...done. (gdb) r -q -s /home/gzq/work/vul/poppler/mal-Stream-cc-457-4-47.pdf /dev/null Starting program: /home/gzq/install/poppler-dev/bin/pdftohtml -q -s /home/gzq/work/vul/poppler/mal-Stream-cc-457-4-47.pdf /dev/null [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". Bogus memory allocation size Program received signal SIGFPE, Arithmetic exception. 0x00000000005980d3 in ImageStream::ImageStream (this=0xa27b60, strA=<optimized out>, widthA=<optimized out>, nCompsA=<optimized out>, nBitsA=3) at Stream.cc:457 457 if (width > INT_MAX / nComps) { (gdb) bt #0 0x00000000005980d3 in ImageStream::ImageStream (this=0xa27b60, strA=<optimized out>, widthA=<optimized out>, nCompsA=<optimized out>, nBitsA=3) at Stream.cc:457 #1 0x0000000000432865 in SplashOutputDev::drawSoftMaskedImage (this=<optimized out>, state=<optimized out>, ref=<optimized out>, str=<optimized out>, width=<optimized out>, height=<optimized out>, colorMap=<optimized out>, interpolate=<optimized out>, maskStr=<optimized out>, maskWidth=<optimized out>, maskHeight=<optimized out>, maskColorMap=<optimized out>, maskInterpolate=<optimized out>) at SplashOutputDev.cc:4073 #2 0x00000000004dd8fa in Gfx::doImage (this=<optimized out>, ref=<optimized out>, str=<optimized out>, inlineImg=<optimized out>) at Gfx.cc:4574 #3 0x00000000004af1eb in Gfx::opXObject (this=0xa02a80, args=<optimized out>, numArgs=<optimized out>) at Gfx.cc:4151 #4 0x00000000004c9127 in Gfx::execOp (this=<optimized out>, cmd=<optimized out>, args=<optimized out>, numArgs=<optimized out>) at Gfx.cc:880 #5 0x00000000004c7d8e in Gfx::go (this=<optimized out>, topLevel=<optimized out>) at Gfx.cc:744 #6 0x00000000004c75d3 in Gfx::display (this=<optimized out>, obj=<optimized out>, topLevel=<optimized out>) at Gfx.cc:706 #7 0x0000000000577ad9 in Page::displaySlice (this=0xa02060, out=0xa00190, hDPI=<optimized out>, vDPI=<optimized out>, rotate=<optimized out>, useMediaBox=<optimized out>, crop=<optimized out>, sliceX=<optimized out>, sliceY=<optimized out>, sliceW=<optimized out>, sliceH=<optimized out>, printing=<optimized out>, abortCheckCbk=<optimized out>, abortCheckCbkData=<optimized out>, annotDisplayDecideCbk=<optimized out>, annotDisplayDecideCbkData=<optimized out>, copyXRef=<optimized out>) at Page.cc:560 #8 0x00000000005777ec in Page::display (this=0x2, out=0x0, hDPI=0, vDPI=-0, rotate=0, useMediaBox=true, crop=false, printing=false, abortCheckCbk=0x0, abortCheckCbkData=0x0, annotDisplayDecideCbk=0x0, annotDisplayDecideCbkData=0x0, copyXRef=<optimized out>) at Page.cc:481 #9 0x000000000057fb6e in PDFDoc::displayPage (this=0x9feeb0, out=0xa00190, page=1, hDPI=<optimized out>, vDPI=<optimized out>, rotate=<optimized out>, useMediaBox=true, crop=<optimized out>, printing=<optimized out>, abortCheckCbk=<optimized out>, abortCheckCbkData=<optimized out>, annotDisplayDecideCbk=<optimized out>, annotDisplayDecideCbkData=<optimized out>, copyXRef=false) at PDFDoc.cc:485 #10 0x000000000040879f in main (argc=<optimized out>, argv=<optimized out>) at pdftohtml.cc:408 (gdb) print nComps $1 = 0
Fixed, thanks :)
Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.