Skip to content
GitLab

Heap-Buffer-Overflow in DCTStream::getChars

  • Version: 20.12.1
  • Commit: e1f56258
  • How to reproduce: pdftops ./poc /dev/null

The log of ASAN:

==78169==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x633000019830 at pc 0x0000004def3c bp 0x7ffcb2d72b80 sp 0x7ffcb2d72330
WRITE of size 219 at 0x633000019830 thread T0
    #0 0x4def3b in __asan_memcpy (/src/executable/pdftops+0x4def3b)
    #1 0x7c5601 in DCTStream::getChars(int, unsigned char*) /src/poppler/poppler/DCTStream.cc:223:9
    #2 0x606c86 in Stream::doGetChars(int, unsigned char*) /src/poppler/poppler/Stream.h:130:20
    #3 0x603203 in LZWEncoder::reset() /src/poppler/poppler/Stream.cc:4940:21
    #4 0x5ffdc3 in ASCII85Encoder::reset() /src/poppler/poppler/Stream.cc:4723:10
    #5 0x6a18c6 in PSOutputDev::doImageL2(GfxState*, Object*, GfxImageColorMap*, bool, bool, Stream*, int, int, int, int const*, Stream*, int, int, bool) /src/poppler/poppler/PSOutputDev.cc:6047:14
    #6 0x6ad7d3 in PSOutputDev::drawImage(GfxState*, Object*, Stream*, int, int, GfxImageColorMap*, bool, int const*, bool) /src/poppler/poppler/PSOutputDev.cc:5181:9
    #7 0x91bfc0 in Gfx::doImage(Object*, Stream*, bool) /src/poppler/poppler/Gfx.cc:4520:22
    #8 0x8c70a9 in Gfx::opXObject(Object*, int) /src/poppler/poppler/Gfx.cc:4097:13
    #9 0x8f0006 in Gfx::execOp(Object*, Object*, int) /src/poppler/poppler/Gfx.cc:802:5
    #10 0x8ee669 in Gfx::go(bool) /src/poppler/poppler/Gfx.cc:679:13
    #11 0x8edc20 in Gfx::display(Object*, bool) /src/poppler/poppler/Gfx.cc:640:5
    #12 0xa78ecf in Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /src/poppler/poppler/Page.cc:576:14
    #13 0xa78a4e in Page::display(OutputDev*, double, double, int, bool, bool, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /src/poppler/poppler/Page.cc:521:5
    #14 0x54b820 in PDFDoc::displayPage(OutputDev*, int, double, double, int, bool, bool, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /src/poppler/poppler/PDFDoc.cc:639:24
    #15 0x5218dc in main /src/poppler/utils/pdftops.cc:475:18
    #16 0x7fabbbf24bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
    #17 0x420359 in _start (/src/executable/pdftops+0x420359)

0x633000019830 is located 0 bytes to the right of 102448-byte region [0x633000000800,0x633000019830)
allocated by thread T0 here:
    #0 0x5187c0 in operator new(unsigned long) (/src/executable/pdftops+0x5187c0)
    #1 0x6a105a in PSOutputDev::doImageL2(GfxState*, Object*, GfxImageColorMap*, bool, bool, Stream*, int, int, int, int const*, Stream*, int, int, bool) /src/poppler/poppler/PSOutputDev.cc:6001:19
    #2 0x6ad7d3 in PSOutputDev::drawImage(GfxState*, Object*, Stream*, int, int, GfxImageColorMap*, bool, int const*, bool) /src/poppler/poppler/PSOutputDev.cc:5181:9

SUMMARY: AddressSanitizer: heap-buffer-overflow (/src/executable/pdftops+0x4def3b) in __asan_memcpy
Shadow bytes around the buggy address:
  0x0c667fffb2b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c667fffb2c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c667fffb2d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c667fffb2e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c667fffb2f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c667fffb300: 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa
  0x0c667fffb310: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c667fffb320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c667fffb330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c667fffb340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c667fffb350: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==78169==ABORTING

poc file: poc

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information