Closed
Opened Dec 20, 2020 by bin24151@bin24151

Heap-buffer-overflow in `LZWEncoder::fillBuf()`

  • Version: 20.12.1
  • Commit: e1f56258
  • How to reproduce: pdftops ./poc /dev/null

The ASAN log:

==42490==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x633000019830 at pc 0x0000004df9fd bp 0x7fffe400da20 sp 0x7fffe400d1d0
READ of size 65459 at 0x633000019830 thread T0
    #0 0x4df9fc in __asan_memmove (/src/poppler/build/utils/pdftops+0x4df9fc)
    #1 0x603ddc in LZWEncoder::fillBuf() /src/poppler/poppler/Stream.cc:5031:5
    #2 0x6034eb in LZWEncoder::getChar() /src/poppler/poppler/Stream.cc:4956:9
    #3 0x5ffff6 in ASCII85Encoder::fillBuf() /src/poppler/poppler/Stream.cc:4739:15
    #4 0x60dc0c in ASCII85Encoder::getChar() /src/poppler/poppler/Stream.h:1303:59
    #5 0x6a1951 in PSOutputDev::doImageL2(GfxState*, Object*, GfxImageColorMap*, bool, bool, Stream*, int, int, int, int const*, Stream*, int, int, bool) /src/poppler/poppler/PSOutputDev.cc:6049:26
    #6 0x6ad7d3 in PSOutputDev::drawImage(GfxState*, Object*, Stream*, int, int, GfxImageColorMap*, bool, int const*, bool) /src/poppler/poppler/PSOutputDev.cc:5181:9
    #7 0x91bfc0 in Gfx::doImage(Object*, Stream*, bool) /src/poppler/poppler/Gfx.cc:4520:22
    #8 0x8c70a9 in Gfx::opXObject(Object*, int) /src/poppler/poppler/Gfx.cc:4097:13
    #9 0x8f0006 in Gfx::execOp(Object*, Object*, int) /src/poppler/poppler/Gfx.cc:802:5
    #10 0x8ee669 in Gfx::go(bool) /src/poppler/poppler/Gfx.cc:679:13
    #11 0x8edc20 in Gfx::display(Object*, bool) /src/poppler/poppler/Gfx.cc:640:5
    #12 0xa78ecf in Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /src/poppler/poppler/Page.cc:576:14
    #13 0xa78a4e in Page::display(OutputDev*, double, double, int, bool, bool, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /src/poppler/poppler/Page.cc:521:5
    #14 0x54b820 in PDFDoc::displayPage(OutputDev*, int, double, double, int, bool, bool, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /src/poppler/poppler/PDFDoc.cc:639:24
    #15 0x5218dc in main /src/poppler/utils/pdftops.cc:475:18
    #16 0x7fc782dd3bf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
    #17 0x420359 in _start (/src/poppler/build/utils/pdftops+0x420359)

0x633000019830 is located 0 bytes to the right of 102448-byte region [0x633000000800,0x633000019830)
allocated by thread T0 here:
    #0 0x5187c0 in operator new(unsigned long) (/src/poppler/build/utils/pdftops+0x5187c0)
    #1 0x6a105a in PSOutputDev::doImageL2(GfxState*, Object*, GfxImageColorMap*, bool, bool, Stream*, int, int, int, int const*, Stream*, int, int, bool) /src/poppler/poppler/PSOutputDev.cc:6001:19
    #2 0x6ad7d3 in PSOutputDev::drawImage(GfxState*, Object*, Stream*, int, int, GfxImageColorMap*, bool, int const*, bool) /src/poppler/poppler/PSOutputDev.cc:5181:9

SUMMARY: AddressSanitizer: heap-buffer-overflow (/src/poppler/build/utils/pdftops+0x4df9fc) in __asan_memmove
Shadow bytes around the buggy address:
  0x0c667fffb2b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c667fffb2c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c667fffb2d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c667fffb2e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c667fffb2f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c667fffb300: 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa
  0x0c667fffb310: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c667fffb320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c667fffb330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c667fffb340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c667fffb350: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==42490==ABORTING

poc

Edited Dec 20, 2020 by bin24151
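The ASan report above can be triaged mechanically before anyone opens the PDF. The following Python is an added example for this page, not code from poppler or from the reporter's submission. It parses a constructed copy of the report lines quoted above and derives the facts a maintainer checks first: the kind and size of the faulting access, the heap allocation the address belongs to, how many bytes of the access fall outside that allocation, the first frame inside poppler's own sources, and the allocation site. The names `AsanTriage`, `parse_asan_report` and `severity_hint` are this example's own, as is the `/src/poppler/poppler/` prefix used to separate project frames from runtime frames.

```python
import re
from dataclasses import dataclass, field

# Constructed copy of the AddressSanitizer report quoted in the issue above;
# only the lines this parser needs are kept.
ASAN_REPORT = """\
==42490==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x633000019830 at pc 0x0000004df9fd bp 0x7fffe400da20 sp 0x7fffe400d1d0
READ of size 65459 at 0x633000019830 thread T0
    #0 0x4df9fc in __asan_memmove (/src/poppler/build/utils/pdftops+0x4df9fc)
    #1 0x603ddc in LZWEncoder::fillBuf() /src/poppler/poppler/Stream.cc:5031:5
    #2 0x6034eb in LZWEncoder::getChar() /src/poppler/poppler/Stream.cc:4956:9
    #3 0x5ffff6 in ASCII85Encoder::fillBuf() /src/poppler/poppler/Stream.cc:4739:15

0x633000019830 is located 0 bytes to the right of 102448-byte region [0x633000000800,0x633000019830)
allocated by thread T0 here:
    #0 0x5187c0 in operator new(unsigned long) (/src/poppler/build/utils/pdftops+0x5187c0)
    #1 0x6a105a in PSOutputDev::doImageL2(GfxState*, Object*, GfxImageColorMap*, bool, bool, Stream*, int, int, int, int const*, Stream*, int, int, bool) /src/poppler/poppler/PSOutputDev.cc:6001:19

SUMMARY: AddressSanitizer: heap-buffer-overflow (/src/poppler/build/utils/pdftops+0x4df9fc) in __asan_memmove
"""

HEADER = re.compile(r"ERROR: AddressSanitizer: (?P<type>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS = re.compile(r"^(?P<kind>READ|WRITE) of size (?P<size>\d+) at (?P<addr>0x[0-9a-f]+)", re.M)
REGION = re.compile(
    r"is located \d+ bytes to the (?:right|left|inside) of (?P<size>\d+)-byte region "
    r"\[(?P<start>0x[0-9a-f]+),(?P<end>0x[0-9a-f]+)\)")
# One stack frame: "#N 0xADDR in <function> <location>"; the function may contain
# spaces (full C++ signatures), the location (file:line:col or module+offset) may not.
FRAME = re.compile(r"^\s+#(?P<n>\d+) 0x[0-9a-f]+ in (?P<fn>.+?) (?P<loc>\S+)$", re.M)


@dataclass
class AsanTriage:
    bug_type: str
    access: str            # "READ" or "WRITE"
    access_size: int
    access_addr: int
    region_start: int
    region_end: int        # exclusive
    crash_frames: list = field(default_factory=list)   # (function, location), innermost first
    alloc_frames: list = field(default_factory=list)

    @property
    def region_size(self) -> int:
        return self.region_end - self.region_start

    @property
    def offset_from_region_end(self) -> int:
        # 0 means the access starts exactly at the first byte past the allocation
        return self.access_addr - self.region_end

    @property
    def bytes_out_of_bounds(self) -> int:
        # Part of [access_addr, access_addr + size) that lies outside [region_start, region_end)
        end = self.access_addr + self.access_size
        inside = max(0, min(end, self.region_end) - max(self.access_addr, self.region_start))
        return self.access_size - inside

    def first_project_frame(self, prefix: str = "/src/poppler/poppler/"):
        # Skip sanitizer/runtime frames and return the first frame in the project's sources.
        for fn, loc in self.crash_frames:
            if loc.startswith(prefix):
                return fn, loc
        return None


def parse_asan_report(text: str) -> AsanTriage:
    header, access, region = HEADER.search(text), ACCESS.search(text), REGION.search(text)
    if not (header and access and region):
        raise ValueError("not a recognised ASan heap-buffer report")
    # Frames before "allocated by thread" belong to the faulting stack, frames after it
    # to the allocation stack.
    crash_part, _, alloc_part = text.partition("allocated by thread")
    triage = AsanTriage(
        bug_type=header["type"],
        access=access["kind"],
        access_size=int(access["size"]),
        access_addr=int(access["addr"], 16),
        region_start=int(region["start"], 16),
        region_end=int(region["end"], 16),
    )
    if triage.region_size != int(region["size"]):
        raise ValueError("region bounds disagree with the stated region size")
    triage.crash_frames = [(f["fn"], f["loc"]) for f in FRAME.finditer(crash_part)]
    triage.alloc_frames = [(f["fn"], f["loc"]) for f in FRAME.finditer(alloc_part)]
    return triage


def severity_hint(triage: AsanTriage) -> str:
    # An out-of-bounds READ leaks or crashes; an out-of-bounds WRITE corrupts the heap.
    if triage.access == "WRITE":
        return "heap corruption (out-of-bounds write)"
    return "crash / information disclosure (out-of-bounds read)"


if __name__ == "__main__":
    t = parse_asan_report(ASAN_REPORT)
    print(t.bug_type, t.access, t.access_size, "bytes;", t.bytes_out_of_bounds, "out of bounds")
    print("region:", hex(t.region_start), "-", hex(t.region_end), f"({t.region_size} bytes)")
    print("first project frame:", t.first_project_frame())
    print("allocated at:", t.alloc_frames[-1])
    print("severity hint:", severity_hint(t))
```

Run against the report above, the parser confirms what the shadow-byte dump already implies: the `memmove` in `LZWEncoder::fillBuf()` starts reading at the very first byte past the 102448-byte buffer allocated in `PSOutputDev::doImageL2()` (`PSOutputDev.cc:6001`), so all 65459 bytes of the read are out of bounds. Because the access is a READ, the immediate effect is a crash or disclosure of adjacent heap contents rather than heap corruption; the fix belongs in `Stream.cc` near line 5031, where the copy length must be bounded by the bytes actually remaining in the buffer.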
Reference: poppler/poppler#1012