Closed
Opened Dec 20, 2020 by bin24151@bin24151

Heap-Buffer-Overflow in DCTStream::getChars

  • Version: 20.12.1
  • Commit: e1f56258
  • How to reproduce: pdftops ./poc /dev/null

The ASAN log:

==78169==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x633000019830 at pc 0x0000004def3c bp 0x7ffcb2d72b80 sp 0x7ffcb2d72330
WRITE of size 219 at 0x633000019830 thread T0
    #0 0x4def3b in __asan_memcpy (/src/executable/pdftops+0x4def3b)
    #1 0x7c5601 in DCTStream::getChars(int, unsigned char*) /src/poppler/poppler/DCTStream.cc:223:9
    #2 0x606c86 in Stream::doGetChars(int, unsigned char*) /src/poppler/poppler/Stream.h:130:20
    #3 0x603203 in LZWEncoder::reset() /src/poppler/poppler/Stream.cc:4940:21
    #4 0x5ffdc3 in ASCII85Encoder::reset() /src/poppler/poppler/Stream.cc:4723:10
    #5 0x6a18c6 in PSOutputDev::doImageL2(GfxState*, Object*, GfxImageColorMap*, bool, bool, Stream*, int, int, int, int const*, Stream*, int, int, bool) /src/poppler/poppler/PSOutputDev.cc:6047:14
    #6 0x6ad7d3 in PSOutputDev::drawImage(GfxState*, Object*, Stream*, int, int, GfxImageColorMap*, bool, int const*, bool) /src/poppler/poppler/PSOutputDev.cc:5181:9
    #7 0x91bfc0 in Gfx::doImage(Object*, Stream*, bool) /src/poppler/poppler/Gfx.cc:4520:22
    #8 0x8c70a9 in Gfx::opXObject(Object*, int) /src/poppler/poppler/Gfx.cc:4097:13
    #9 0x8f0006 in Gfx::execOp(Object*, Object*, int) /src/poppler/poppler/Gfx.cc:802:5
    #10 0x8ee669 in Gfx::go(bool) /src/poppler/poppler/Gfx.cc:679:13
    #11 0x8edc20 in Gfx::display(Object*, bool) /src/poppler/poppler/Gfx.cc:640:5
    #12 0xa78ecf in Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /src/poppler/poppler/Page.cc:576:14
    #13 0xa78a4e in Page::display(OutputDev*, double, double, int, bool, bool, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /src/poppler/poppler/Page.cc:521:5
    #14 0x54b820 in PDFDoc::displayPage(OutputDev*, int, double, double, int, bool, bool, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /src/poppler/poppler/PDFDoc.cc:639:24
    #15 0x5218dc in main /src/poppler/utils/pdftops.cc:475:18
    #16 0x7fabbbf24bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
    #17 0x420359 in _start (/src/executable/pdftops+0x420359)

0x633000019830 is located 0 bytes to the right of 102448-byte region [0x633000000800,0x633000019830)
allocated by thread T0 here:
    #0 0x5187c0 in operator new(unsigned long) (/src/executable/pdftops+0x5187c0)
    #1 0x6a105a in PSOutputDev::doImageL2(GfxState*, Object*, GfxImageColorMap*, bool, bool, Stream*, int, int, int, int const*, Stream*, int, int, bool) /src/poppler/poppler/PSOutputDev.cc:6001:19
    #2 0x6ad7d3 in PSOutputDev::drawImage(GfxState*, Object*, Stream*, int, int, GfxImageColorMap*, bool, int const*, bool) /src/poppler/poppler/PSOutputDev.cc:5181:9

SUMMARY: AddressSanitizer: heap-buffer-overflow (/src/executable/pdftops+0x4def3b) in __asan_memcpy
Shadow bytes around the buggy address:
  0x0c667fffb2b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c667fffb2c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c667fffb2d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c667fffb2e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c667fffb2f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c667fffb300: 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa
  0x0c667fffb310: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c667fffb320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c667fffb330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c667fffb340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c667fffb350: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==78169==ABORTING

poc file: poc

Reference: poppler/poppler#1011