
poppler issue #1011: Heap-Buffer-Overflow in DCTStream::getChars

  • Version: 20.12.1
  • Commit: e1f56258
  • How to reproduce: pdftops ./poc /dev/null

The log of ASAN:

==78169==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x633000019830 at pc 0x0000004def3c bp 0x7ffcb2d72b80 sp 0x7ffcb2d72330
WRITE of size 219 at 0x633000019830 thread T0
    #0 0x4def3b in __asan_memcpy (/src/executable/pdftops+0x4def3b)
    #1 0x7c5601 in DCTStream::getChars(int, unsigned char*) /src/poppler/poppler/DCTStream.cc:223:9
    #2 0x606c86 in Stream::doGetChars(int, unsigned char*) /src/poppler/poppler/Stream.h:130:20
    #3 0x603203 in LZWEncoder::reset() /src/poppler/poppler/Stream.cc:4940:21
    #4 0x5ffdc3 in ASCII85Encoder::reset() /src/poppler/poppler/Stream.cc:4723:10
    #5 0x6a18c6 in PSOutputDev::doImageL2(GfxState*, Object*, GfxImageColorMap*, bool, bool, Stream*, int, int, int, int const*, Stream*, int, int, bool) /src/poppler/poppler/PSOutputDev.cc:6047:14
    #6 0x6ad7d3 in PSOutputDev::drawImage(GfxState*, Object*, Stream*, int, int, GfxImageColorMap*, bool, int const*, bool) /src/poppler/poppler/PSOutputDev.cc:5181:9
    #7 0x91bfc0 in Gfx::doImage(Object*, Stream*, bool) /src/poppler/poppler/Gfx.cc:4520:22
    #8 0x8c70a9 in Gfx::opXObject(Object*, int) /src/poppler/poppler/Gfx.cc:4097:13
    #9 0x8f0006 in Gfx::execOp(Object*, Object*, int) /src/poppler/poppler/Gfx.cc:802:5
    #10 0x8ee669 in Gfx::go(bool) /src/poppler/poppler/Gfx.cc:679:13
    #11 0x8edc20 in Gfx::display(Object*, bool) /src/poppler/poppler/Gfx.cc:640:5
    #12 0xa78ecf in Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /src/poppler/poppler/Page.cc:576:14
    #13 0xa78a4e in Page::display(OutputDev*, double, double, int, bool, bool, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /src/poppler/poppler/Page.cc:521:5
    #14 0x54b820 in PDFDoc::displayPage(OutputDev*, int, double, double, int, bool, bool, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /src/poppler/poppler/PDFDoc.cc:639:24
    #15 0x5218dc in main /src/poppler/utils/pdftops.cc:475:18
    #16 0x7fabbbf24bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
    #17 0x420359 in _start (/src/executable/pdftops+0x420359)

0x633000019830 is located 0 bytes to the right of 102448-byte region [0x633000000800,0x633000019830)
allocated by thread T0 here:
    #0 0x5187c0 in operator new(unsigned long) (/src/executable/pdftops+0x5187c0)
    #1 0x6a105a in PSOutputDev::doImageL2(GfxState*, Object*, GfxImageColorMap*, bool, bool, Stream*, int, int, int, int const*, Stream*, int, int, bool) /src/poppler/poppler/PSOutputDev.cc:6001:19
    #2 0x6ad7d3 in PSOutputDev::drawImage(GfxState*, Object*, Stream*, int, int, GfxImageColorMap*, bool, int const*, bool) /src/poppler/poppler/PSOutputDev.cc:5181:9

SUMMARY: AddressSanitizer: heap-buffer-overflow (/src/executable/pdftops+0x4def3b) in __asan_memcpy
Shadow bytes around the buggy address:
  0x0c667fffb2b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c667fffb2c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c667fffb2d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c667fffb2e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c667fffb2f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c667fffb300: 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa
  0x0c667fffb310: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c667fffb320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c667fffb330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c667fffb340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c667fffb350: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==78169==ABORTING

poc file: poc
