102969 – Gfx displaySlice() infinite loop vulnerability

Bug 102969 - Gfx displaySlice() infinite loop vulnerability

Summary: Gfx displaySlice() infinite loop vulnerability

Status:	RESOLVED FIXED

Alias:	None

Product:	poppler
Classification:	Unclassified
Component:	general (show other bugs)
Version:	unspecified
Hardware:	All Linux (All)

Importance:	medium major
Assignee:	poppler-bugs
QA Contact:

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2017-09-25 07:51 UTC by Ziqiang Gu
Modified:	2017-09-25 21:47 UTC (History)
CC List:	0 users

See Also:
i915 platform:
i915 features:

Attachments
POC (2.79 KB, application/pdf) 2017-09-25 07:51 UTC, Ziqiang Gu	Details
View All

Description Ziqiang Gu 2017-09-25 07:51:03 UTC

Created attachment 134457 [details]
POC

In Poppler 0.59.0, memory corruption occurs in a call to Object::dictLookup() in Object.h after a repeating series of Gfx::display, Gfx::go, Gfx::execOp, Gfx::opFill, Gfx::doPatternFill, Gfx::doTilingPatternFill and Gfx::drawForm calls (aka a Gfx.cc infinite loop), this is a different vulnerability than bug 102701.

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00000000005497f1 in Lexer::getObj (this=<optimized out>, objNum=<optimized out>) at Lexer.cc:167
167	    if ((c = getChar()) == EOF) {
#0  0x00000000005497f1 in Lexer::getObj (this=<optimized out>, objNum=<optimized out>) at Lexer.cc:167
#1  0x000000000056baa6 in Parser::shift (this=<optimized out>, objNum=-1) at Parser.cc:291
#2  0x000000000056a498 in Parser::getObj (this=0xc8ca6c0, simpleOnly=<optimized out>, fileKey=<optimized out>, encAlgorithm=<optimized out>, keyLength=<optimized out>, objNum=0, objGen=<optimized out>, recursion=0, strict=<optimized out>) at Parser.cc:149
#3  0x0000000000569f9d in Parser::getObj (this=0x0, recursion=0) at Parser.cc:63
#4  0x00000000005bfad6 in XRef::fetch (this=0x9e1120, num=5, gen=<optimized out>, recursion=<optimized out>) at XRef.cc:1136
#5  0x000000000055ab11 in Object::fetch (this=0x9e53c8, xref=0x9e1120, recursion=0) at Object.cc:125
#6  0x000000000048b782 in Dict::lookup (this=0x9e5360, key=<optimized out>, recursion=0) at Dict.cc:259
#7  0x00000000004bbb28 in Object::dictLookup (key=0xc8c9ef0 "P0", recursion=0, this=<optimized out>) at ./Object.h:362
#8  GfxResources::lookupPattern (this=<optimized out>, name=<optimized out>, out=<optimized out>, state=<optimized out>) at Gfx.cc:461
#9  0x00000000004b8fe4 in Gfx::opSetFillColorN (this=<optimized out>, args=<optimized out>, numArgs=<optimized out>) at Gfx.cc:1609
#10 0x00000000004bf8c6 in Gfx::execOp (this=<optimized out>, cmd=<optimized out>, args=<optimized out>, numArgs=<optimized out>) at Gfx.cc:880
#11 0x00000000004be541 in Gfx::go (this=<optimized out>, topLevel=<optimized out>) at Gfx.cc:744
#12 0x00000000004bdda5 in Gfx::display (this=<optimized out>, obj=<optimized out>, topLevel=<optimized out>) at Gfx.cc:706
#13 0x00000000004c1a23 in Gfx::drawForm (this=0x9e5120, str=<optimized out>, resDict=<optimized out>, matrix=<optimized out>, bbox=0xc8c0308, transpGroup=<optimized out>, softMask=<optimized out>, blendingColorSpace=<optimized out>, isolated=<optimized out>, knockout=<optimized out>, alpha=96, transferFunc=0x7fffff7ff9f0, backdropColor=0xc8c9540) at Gfx.cc:4828
#14 0x00000000004c3e80 in Gfx::doTilingPatternFill (this=<optimized out>, tPat=<optimized out>, stroke=<optimized out>, eoFill=<optimized out>, text=<optimized out>) at Gfx.cc:2234
#15 0x00000000004c244a in Gfx::doPatternFill (this=0x9e5120, eoFill=false) at Gfx.cc:1951
#16 0x00000000004a7679 in Gfx::opFill (this=0x9e5120, args=<optimized out>, numArgs=<optimized out>) at Gfx.cc:1820
#17 0x00000000004bf8c6 in Gfx::execOp (this=<optimized out>, cmd=<optimized out>, args=<optimized out>, numArgs=<optimized out>) at Gfx.cc:880
#18 0x00000000004be541 in Gfx::go (this=<optimized out>, topLevel=<optimized out>) at Gfx.cc:744
#19 0x00000000004bdda5 in Gfx::display (this=<optimized out>, obj=<optimized out>, topLevel=<optimized out>) at Gfx.cc:706
#20 0x00000000004c1a23 in Gfx::drawForm (this=0x9e5120, str=<optimized out>, resDict=<optimized out>, matrix=<optimized out>, bbox=0xc8b5f68, transpGroup=<optimized out>, softMask=<optimized out>, blendingColorSpace=<optimized out>, isolated=<optimized out>, knockout=<optimized out>, alpha=96, transferFunc=0x7fffff8000d0, backdropColor=0xc8bf1a0) at Gfx.cc:4828
#21 0x00000000004c3e80 in Gfx::doTilingPatternFill (this=<optimized out>, tPat=<optimized out>, stroke=<optimized out>, eoFill=<optimized out>, text=<optimized out>) at Gfx.cc:2234
#22 0x00000000004c244a in Gfx::doPatternFill (this=0x9e5120, eoFill=false) at Gfx.cc:1951
#23 0x00000000004a7679 in Gfx::opFill (this=0x9e5120, args=<optimized out>, numArgs=<optimized out>) at Gfx.cc:1820
#24 0x00000000004bf8c6 in Gfx::execOp (this=<optimized out>, cmd=<optimized out>, args=<optimized out>, numArgs=<optimized out>) at Gfx.cc:880
#25 0x00000000004be541 in Gfx::go (this=<optimized out>, topLevel=<optimized out>) at Gfx.cc:744
#26 0x00000000004bdda5 in Gfx::display (this=<optimized out>, obj=<optimized out>, topLevel=<optimized out>) at Gfx.cc:706
#27 0x00000000004c1a23 in Gfx::drawForm (this=0x9e5120, str=<optimized out>, resDict=<optimized out>, matrix=<optimized out>, bbox=0xc8abb28, transpGroup=<optimized out>, softMask=<optimized out>, blendingColorSpace=<optimized out>, isolated=<optimized out>, knockout=<optimized out>, alpha=240, transferFunc=0x7fffff8007b0, backdropColor=0xc8b4d80) at Gfx.cc:4828
#28 0x00000000004c3e80 in Gfx::doTilingPatternFill (this=<optimized out>, tPat=<optimized out>, stroke=<optimized out>, eoFill=<optimized out>, text=<optimized out>) at Gfx.cc:2234
#29 0x00000000004c244a in Gfx::doPatternFill (this=0x9e5120, eoFill=false) at Gfx.cc:1951
#30 0x00000000004a7679 in Gfx::opFill (this=0x9e5120, args=<optimized out>, numArgs=<optimized out>) at Gfx.cc:1820
#31 0x00000000004bf8c6 in Gfx::execOp (this=<optimized out>, cmd=<optimized out>, args=<optimized out>, numArgs=<optimized out>) at Gfx.cc:880
#32 0x00000000004be541 in Gfx::go (this=<optimized out>, topLevel=<optimized out>) at Gfx.cc:744
#33 0x00000000004bdda5 in Gfx::display (this=<optimized out>, obj=<optimized out>, topLevel=<optimized out>) at Gfx.cc:706
#34 0x00000000004c1a23 in Gfx::drawForm (this=0x9e5120, str=<optimized out>, resDict=<optimized out>, matrix=<optimized out>, bbox=0xc8a16e8, transpGroup=<optimized out>, softMask=<optimized out>, blendingColorSpace=<optimized out>, isolated=<optimized out>, knockout=<optimized out>, alpha=176, transferFunc=0x7fffff800e90, backdropColor=0xc8aa920) at Gfx.cc:4828
#35 0x00000000004c3e80 in Gfx::doTilingPatternFill (this=<optimized out>, tPat=<optimized out>, stroke=<optimized out>, eoFill=<optimized out>, text=<optimized out>) at Gfx.cc:2234
#36 0x00000000004c244a in Gfx::doPatternFill (this=0x9e5120, eoFill=false) at Gfx.cc:1951
#37 0x00000000004a7679 in Gfx::opFill (this=0x9e5120, args=<optimized out>, numArgs=<optimized out>) at Gfx.cc:1820
#38 0x00000000004bf8c6 in Gfx::execOp (this=<optimized out>, cmd=<optimized out>, args=<optimized out>, numArgs=<optimized out>) at Gfx.cc:880
#39 0x00000000004be541 in Gfx::go (this=<optimized out>, topLevel=<optimized out>) at Gfx.cc:744
#40 0x00000000004bdda5 in Gfx::display (this=<optimized out>, obj=<optimized out>, topLevel=<optimized out>) at Gfx.cc:706
#41 0x00000000004c1a23 in Gfx::drawForm (this=0x9e5120, str=<optimized out>, resDict=<optimized out>, matrix=<optimized out>, bbox=0xc8972c8, transpGroup=<optimized out>, softMask=<optimized out>, blendingColorSpace=<optimized out>, isolated=<optimized out>, knockout=<optimized out>, alpha=32, transferFunc=0x7fffff801570, backdropColor=0xc8a0500) at Gfx.cc:4828
#42 0x00000000004c3e80 in Gfx::doTilingPatternFill (this=<optimized out>, tPat=<optimized out>, stroke=<optimized out>, eoFill=<optimized out>, text=<optimized out>) at Gfx.cc:2234
#43 0x00000000004c244a in Gfx::doPatternFill (this=0x9e5120, eoFill=false) at Gfx.cc:1951
#44 0x00000000004a7679 in Gfx::opFill (this=0x9e5120, args=<optimized out>, numArgs=<optimized out>) at Gfx.cc:1820
#45 0x00000000004bf8c6 in Gfx::execOp (this=<optimized out>, cmd=<optimized out>, args=<optimized out>, numArgs=<optimized out>) at Gfx.cc:880
#46 0x00000000004be541 in Gfx::go (this=<optimized out>, topLevel=<optimized out>) at Gfx.cc:744
#47 0x00000000004bdda5 in Gfx::display (this=<optimized out>, obj=<optimized out>, topLevel=<optimized out>) at Gfx.cc:706
#48 0x00000000004c1a23 in Gfx::drawForm (this=0x9e5120, str=<optimized out>, resDict=<optimized out>, matrix=<optimized out>, bbox=0xc88cf28, transpGroup=<optimized out>, softMask=<optimized out>, blendingColorSpace=<optimized out>, isolated=<optimized out>, knockout=<optimized out>, alpha=32, transferFunc=0x7fffff801c50, backdropColor=0xc896160) at Gfx.cc:4828
#49 0x00000000004c3e80 in Gfx::doTilingPatternFill (this=<optimized out>, tPat=<optimized out>, stroke=<optimized out>, eoFill=<optimized out>, text=<optimized out>) at Gfx.cc:2234
#50 0x00000000004c244a in Gfx::doPatternFill (this=0x9e5120, eoFill=false) at Gfx.cc:1951
#51 0x00000000004a7679 in Gfx::opFill (this=0x9e5120, args=<optimized out>, numArgs=<optimized out>) at Gfx.cc:1820
#52 0x00000000004bf8c6 in Gfx::execOp (this=<optimized out>, cmd=<optimized out>, args=<optimized out>, numArgs=<optimized out>) at Gfx.cc:880
#53 0x00000000004be541 in Gfx::go (this=<optimized out>, topLevel=<optimized out>) at Gfx.cc:744
#54 0x00000000004bdda5 in Gfx::display (this=<optimized out>, obj=<optimized out>, topLevel=<optimized out>) at Gfx.cc:706
#55 0x00000000004c1a23 in Gfx::drawForm (this=0x9e5120, str=<optimized out>, resDict=<optimized out>, matrix=<optimized out>, bbox=0xc882ae8, transpGroup=<optimized out>, softMask=<optimized out>, blendingColorSpace=<optimized out>, isolated=<optimized out>, knockout=<optimized out>, alpha=176, transferFunc=0x7fffff802330, backdropColor=0xc88bd40) at Gfx.cc:4828
#56 0x00000000004c3e80 in Gfx::doTilingPatternFill (this=<optimized out>, tPat=<optimized out>, stroke=<optimized out>, eoFill=<optimized out>, text=<optimized out>) at Gfx.cc:2234
#57 0x00000000004c244a in Gfx::doPatternFill (this=0x9e5120, eoFill=false) at Gfx.cc:1951
#58 0x00000000004a7679 in Gfx::opFill (this=0x9e5120, args=<optimized out>, numArgs=<optimized out>) at Gfx.cc:1820
#59 0x00000000004bf8c6 in Gfx::execOp (this=<optimized out>, cmd=<optimized out>, args=<optimized out>, numArgs=<optimized out>) at Gfx.cc:880
#60 0x00000000004be541 in Gfx::go (this=<optimized out>, topLevel=<optimized out>) at Gfx.cc:744
#61 0x00000000004bdda5 in Gfx::display (this=<optimized out>, obj=<optimized out>, topLevel=<optimized out>) at Gfx.cc:706
#62 0x00000000004c1a23 in Gfx::drawForm (this=0x9e5120, str=<optimized out>, resDict=<optimized out>, matrix=<optimized out>, bbox=0xc8786a8, transpGroup=<optimized out>, softMask=<optimized out>, blendingColorSpace=<optimized out>, isolated=<optimized out>, knockout=<optimized out>, alpha=112, transferFunc=0x7fffff802a10, backdropColor=0xc8818e0) at Gfx.cc:4828
#63 0x00000000004c3e80 in Gfx::doTilingPatternFill (this=<optimized out>, tPat=<optimized out>, stroke=<optimized out>, eoFill=<optimized out>, text=<optimized out>) at Gfx.cc:2234
#64 0x00000000004c244a in Gfx::doPatternFill (this=0x9e5120, eoFill=false) at Gfx.cc:1951
#65 0x00000000004a7679 in Gfx::opFill (this=0x9e5120, args=<optimized out>, numArgs=<optimized out>) at Gfx.cc:1820
#66 0x00000000004bf8c6 in Gfx::execOp (this=<optimized out>, cmd=<optimized out>, args=<optimized out>, numArgs=<optimized out>) at Gfx.cc:880
#67 0x00000000004be541 in Gfx::go (this=<optimized out>, topLevel=<optimized out>) at Gfx.cc:744
#68 0x00000000004bdda5 in Gfx::display (this=<optimized out>, obj=<optimized out>, topLevel=<optimized out>) at Gfx.cc:706
......
......
......

#33340 0x00000000004c1a23 in Gfx::drawForm (this=0x9e5120, str=<optimized out>, resDict=<optimized out>, matrix=<optimized out>, bbox=0x9e86d8, transpGroup=<optimized out>, softMask=<optimized out>, blendingColorSpace=<optimized out>, isolated=<optimized out>, knockout=<optimized out>, alpha=160, transferFunc=0x7fffffffd5d0, backdropColor=0xa0f710) at Gfx.cc:4828
#33341 0x00000000004c3e80 in Gfx::doTilingPatternFill (this=<optimized out>, tPat=<optimized out>, stroke=<optimized out>, eoFill=<optimized out>, text=<optimized out>) at Gfx.cc:2234
#33342 0x00000000004c244a in Gfx::doPatternFill (this=0x9e5120, eoFill=false) at Gfx.cc:1951
#33343 0x00000000004a7679 in Gfx::opFill (this=0x9e5120, args=<optimized out>, numArgs=<optimized out>) at Gfx.cc:1820
#33344 0x00000000004bf8c6 in Gfx::execOp (this=<optimized out>, cmd=<optimized out>, args=<optimized out>, numArgs=<optimized out>) at Gfx.cc:880
#33345 0x00000000004be541 in Gfx::go (this=<optimized out>, topLevel=<optimized out>) at Gfx.cc:744
#33346 0x00000000004bdda5 in Gfx::display (this=<optimized out>, obj=<optimized out>, topLevel=<optimized out>) at Gfx.cc:706
#33347 0x00000000004c1a23 in Gfx::drawForm (this=0x9e5120, str=<optimized out>, resDict=<optimized out>, matrix=<optimized out>, bbox=0x9e6958, transpGroup=<optimized out>, softMask=<optimized out>, blendingColorSpace=<optimized out>, isolated=<optimized out>, knockout=<optimized out>, alpha=144, transferFunc=0x7fffffffdcb0, backdropColor=0x9e73d0) at Gfx.cc:4828
#33348 0x00000000004c3e80 in Gfx::doTilingPatternFill (this=<optimized out>, tPat=<optimized out>, stroke=<optimized out>, eoFill=<optimized out>, text=<optimized out>) at Gfx.cc:2234
#33349 0x00000000004c244a in Gfx::doPatternFill (this=0x9e5120, eoFill=false) at Gfx.cc:1951
#33350 0x00000000004a7679 in Gfx::opFill (this=0x9e5120, args=<optimized out>, numArgs=<optimized out>) at Gfx.cc:1820
#33351 0x00000000004bf8c6 in Gfx::execOp (this=<optimized out>, cmd=<optimized out>, args=<optimized out>, numArgs=<optimized out>) at Gfx.cc:880
#33352 0x00000000004be541 in Gfx::go (this=<optimized out>, topLevel=<optimized out>) at Gfx.cc:744
#33353 0x00000000004bdda5 in Gfx::display (this=<optimized out>, obj=<optimized out>, topLevel=<optimized out>) at Gfx.cc:706
#33354 0x0000000000567c25 in Page::displaySlice (this=0x9e4ce0, out=0x9e1d90, hDPI=<optimized out>, vDPI=<optimized out>, rotate=<optimized out>, useMediaBox=<optimized out>, crop=<optimized out>, sliceX=<optimized out>, sliceY=<optimized out>, sliceW=<optimized out>, sliceH=<optimized out>, printing=<optimized out>, abortCheckCbk=<optimized out>, abortCheckCbkData=<optimized out>, annotDisplayDecideCbk=<optimized out>, annotDisplayDecideCbkData=<optimized out>, copyXRef=<optimized out>) at Page.cc:560
#33355 0x000000000056795e in Page::display (this=0xc8ca710, out=0x0, hDPI=0, vDPI=0, rotate=10010656, useMediaBox=true, crop=false, printing=false, abortCheckCbk=0x0, abortCheckCbkData=0x0, annotDisplayDecideCbk=0x0, annotDisplayDecideCbkData=0x0, copyXRef=<optimized out>) at Page.cc:481
#33356 0x000000000056fef6 in PDFDoc::displayPage (this=0x9e0eb0, out=0x9e1d90, page=<optimized out>, hDPI=108, vDPI=108, rotate=0, abortCheckCbk=<optimized out>, abortCheckCbkData=<optimized out>, annotDisplayDecideCbk=<optimized out>, annotDisplayDecideCbkData=<optimized out>, copyXRef=false, useMediaBox=<optimized out>, crop=<optimized out>, printing=<optimized out>) at PDFDoc.cc:485
#33357 PDFDoc::displayPages (this=<optimized out>, out=<optimized out>, firstPage=<optimized out>, lastPage=<optimized out>, hDPI=<optimized out>, vDPI=<optimized out>, rotate=<optimized out>, useMediaBox=<optimized out>, crop=<optimized out>, printing=<optimized out>, abortCheckCbk=<optimized out>, abortCheckCbkData=<optimized out>, annotDisplayDecideCbk=<optimized out>, annotDisplayDecideCbkData=<optimized out>) at PDFDoc.cc:502
#33358 0x00000000004083df in main (argc=<optimized out>, argv=<optimized out>) at pdftohtml.cc:389

A full callstack and the POC file has been attached to help to reproduce this issue.

Comment 1 Albert Astals Cid 2017-09-25 21:47:04 UTC

Fix pushed

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.