Bug 38209 - Problematic flow at poppler while 'startxref' is missing
Summary: Problematic flow at poppler while 'startxref' is missing
Status: RESOLVED FIXED
Alias: None
Product: poppler
Classification: Unclassified
Component: general (show other bugs)
Version: unspecified
Hardware: All Linux (All)
: medium major
Assignee: poppler-bugs
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-06-12 05:51 UTC by Ilya Gorenbein
Modified: 2011-07-25 15:12 UTC (History)
2 users (show)

See Also:
i915 platform:
i915 features:


Attachments
NOTE MALICIOUS FILE!!! (13.39 KB, application/x-stuffit)
2011-06-12 05:51 UTC, Ilya Gorenbein
Details
missing startxref patch (442 bytes, patch)
2011-06-12 05:53 UTC, Ilya Gorenbein
Details | Splinter Review
0001-Handle-missing-startxref-properly.patch (759 bytes, patch)
2011-07-25 02:39 UTC, Hib Eris
Details | Splinter Review

Description Ilya Gorenbein 2011-06-12 05:51:55 UTC
Created attachment 47866 [details]
NOTE MALICIOUS FILE!!!

Hello,

Recently I suffered a crash in poppler version 0.16.0 library. The crash is very hardly reproducible. 

At the sample file, startxref keyword is missing. The code at poppler/PDFDoc.cc Guint PDFDoc::getStartXRef() function, tries to assign the value to startXRefPos. But for this specific sample it finally will equal to 1111000110. Which is wrong and leads to crash (in some cases). This huge value is assigned to the startXRefPos  variable by the following code startXRefPos =  strToUnsigned(p); 

I do not understand why the strToUnsigned function should be called. I think that it will be correctly to stop at:

if (i < 0) {
        startXRefPos = 0;
      }

so, startXRefPos will be equal to 0.


The sample file is attached. NOTE, IT IS MALICIOUS!!! The file is password protected archive (pass is malicious).
I checked the latest 0.16.6 version, but this, specific part of the code was not changed.

Regards
Comment 1 Ilya Gorenbein 2011-06-12 05:53:18 UTC
Created attachment 47867 [details] [review]
missing startxref patch
Comment 2 Albert Astals Cid 2011-07-21 11:00:06 UTC
Hmmm, i do not think removing that loop is ok, i mean we are calculating that value to use it afterwards, i'll bring in two persons that might have some more knowledge about that code so they can give their opinion
Comment 3 Albert Astals Cid 2011-07-21 11:01:04 UTC
Hib can you have a look at the bug/patch it seems to touch something you might have some knowledge over
Comment 4 Albert Astals Cid 2011-07-21 11:01:49 UTC
Axel this touches something similar to the patch you sent to the mailing list, i'm adding you here in case you can give a look to it, i'd be interested in knowing your opinion.
Comment 5 Axel Struebing 2011-07-22 11:38:08 UTC
(In reply to comment #4)
> Axel this touches something similar to the patch you sent to the mailing list,
> i'm adding you here in case you can give a look to it, i'd be interested in
> knowing your opinion.

Only partly because my patch just covers a minor issue with linearized files. That means if we need to search for another xref near the beginning of the file.

If the cross-refererence stream/table is completely missing - as in the attached file - the only thing we probably could meaningful do is gracefully exit. This is by no means an valid pdf file. The most important would be not to read or try to execute the suspicious javascript.

You asked for my opinion ;-)

If a file has no valid xref information, throw error and exit. Nothing can be done without this required information and 'startxref' is required in every valid pdf file.
Comment 6 Albert Astals Cid 2011-07-24 15:22:20 UTC
Ilya I can not reproduce the crash with this file.

Hib will hopefully have a look at the code since he wrote it, but i would like to investigate why a "wrong" startXRefPos value can lead to a crash, so could you please post valgrind and gdb traces of the crashes?
Comment 7 Hib Eris 2011-07-25 02:39:09 UTC
Created attachment 49495 [details] [review]
0001-Handle-missing-startxref-properly.patch

I agree that it would be better if the strToUnsigned function is not called for the case that no startxref can be found.

Looking back at were this code came from, I copied and adapted it from the original XRef.cc, but made a mistake in adapting it. Thanks for finding and reporting this issue.

This new patch will correct my mistake.

However, I also agree with Albert that there must be another issue here: in the test document, the startxref is missing completely, but any malicious document could just as well have a valid startxref section returning an arbitrary value like the value 1111000110 that was reported in the bug report.
Comment 8 Albert Astals Cid 2011-07-25 15:12:12 UTC
I've commited Hib's patch. Ilya please if you have time to provide the gdb/valgrind traces of the crash you were experiencing, attach them


Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.