Bug 93476 - Memory Corruption while processing Blend Mode
Summary: Memory Corruption while processing Blend Mode
Status: VERIFIED FIXED
Alias: None
Product: poppler
Classification: Unclassified
Component: general (show other bugs)
Version: unspecified
Hardware: x86 (IA32) other
: medium major
Assignee: poppler-bugs
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-12-22 19:09 UTC by Nafiez
Modified: 2015-12-24 15:43 UTC (History)
0 users

See Also:
i915 platform:
i915 features:


Attachments
Test case (PoC, crashdump, stack trace) (184.48 KB, text/plain)
2015-12-22 19:09 UTC, Nafiez
Details

Description Nafiez 2015-12-22 19:09:34 UTC
Created attachment 120651 [details]
Test case (PoC, crashdump, stack trace)

Hi,

We found a memory corruption during fuzzing in a different type of PDF reader / viewer. Upon analysis, we found that bug leads to libpoppler library. The issue happened when "ExtGState" is not a valid blend mode. We noticed this is related to security issue. We have attached all the information needed for your testing.

Our lab test: Ubuntu 14.04.3 LTS (trusty)
PDF viewer / reader: diffpdf, evince, gpdftext, pdf-presenter-console, xpdf, zathura_viewer, qpdfview


Example testing:

labs@autobot:~/warez/pdf$ qpdfview crash.pdf 
"Error (10431): Invalid blend mode in ExtGState" 
*** Error in `qpdfview': malloc(): memory corruption: 0xb217ca10 ***
Aborted

Code:

GBool Gfx::checkTransparencyGroup(Dict *resDict) {
  // check the effect of compositing objects as a group:
  // look for ExtGState entries with ca != 1 or CA != 1 or BM != normal
  Object extGStates;
  GBool transpGroup = gFalse;
  double opac;

  if (resDict == NULL)
    return gFalse;
  pushResources(resDict);
  resDict->lookup("ExtGState", &extGStates);
  if (extGStates.isDict()) {
    Dict *dict = extGStates.getDict();
    for (int i = 0; i < dict->getLength() && !transpGroup; i++) {
      Object obj1, obj2;
      GfxBlendMode mode;

      if (res->lookupGState(dict->getKey(i), &obj1) && obj1.isDict()) {
        if (!obj1.dictLookup("BM", &obj2)->isNull()) { 
          if (state->parseBlendMode(&obj2, &mode)) { // failed processing blend mode
            if (mode != gfxBlendNormal)		// true
              transpGroup = gTrue;
          } else {	// 
            error(errSyntaxError, getPos(), "Invalid blend mode in ExtGState");
          }
        }


Thanks!
Comment 2 Nafiez 2015-12-22 22:19:06 UTC
Hi,

Is this the fix or already being fixed? 

http://cgit.freedesktop.org/poppler/poppler/commit/?id=b3425dd3261679958cd56c0f71995c15d2124433


Thanks
Comment 3 Nafiez 2015-12-22 22:42:33 UTC
Hi,

Is this the fix or already being fixed? 

http://cgit.freedesktop.org/poppler/poppler/commit/?id=b3425dd3261679958cd56c0f71995c15d2124433


Thanks
Comment 4 Albert Astals Cid 2015-12-22 22:53:02 UTC
What part of "FIXED" you do not understand that you need to ask if it's fixed?
Comment 5 Albert Astals Cid 2015-12-22 22:54:29 UTC
So yeah I'll be extra verbose, that commit fixes the problem on the current master branch.

I've no idea if it will still crash in Ubuntu 14.04.3 LTS (trusty), it's up to you if you want to use old versions of the software.
Comment 6 Nafiez 2015-12-22 23:10:32 UTC
Thanks! A little confusion there :)
Comment 7 Nafiez 2015-12-22 23:35:22 UTC
Another query, is the issue consider as security issue from your side? If yes, is there any CVE or patch release announcement? Thanks.
Comment 8 Albert Astals Cid 2015-12-24 15:43:30 UTC
Unless you can provide an exploit, no, it's not a security issue.


Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.