Skip to content

GitLab

Closed
Opened by bin24151@bin24151

Heap-buffer-overflow in `LZWEncoder::fillBuf()`

  • Version: 20.12.1
  • Commit: e1f56258
  • How to reproduce: pdftops ./poc /dev/null

The log of ASAN:

==42490==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x633000019830 at pc 0x0000004df9fd bp 0x7fffe400da20 sp 0x7fffe400d1d0
READ of size 65459 at 0x633000019830 thread T0
    #0 0x4df9fc in __asan_memmove (/src/poppler/build/utils/pdftops+0x4df9fc)
    #1 0x603ddc in LZWEncoder::fillBuf() /src/poppler/poppler/Stream.cc:5031:5
    #2 0x6034eb in LZWEncoder::getChar() /src/poppler/poppler/Stream.cc:4956:9
    #3 0x5ffff6 in ASCII85Encoder::fillBuf() /src/poppler/poppler/Stream.cc:4739:15
    #4 0x60dc0c in ASCII85Encoder::getChar() /src/poppler/poppler/Stream.h:1303:59
    #5 0x6a1951 in PSOutputDev::doImageL2(GfxState*, Object*, GfxImageColorMap*, bool, bool, Stream*, int, int, int, int const*, Stream*, int, int, bool) /src/poppler/poppler/PSOutputDev.cc:6049:26
    #6 0x6ad7d3 in PSOutputDev::drawImage(GfxState*, Object*, Stream*, int, int, GfxImageColorMap*, bool, int const*, bool) /src/poppler/poppler/PSOutputDev.cc:5181:9
    #7 0x91bfc0 in Gfx::doImage(Object*, Stream*, bool) /src/poppler/poppler/Gfx.cc:4520:22
    #8 0x8c70a9 in Gfx::opXObject(Object*, int) /src/poppler/poppler/Gfx.cc:4097:13
    #9 0x8f0006 in Gfx::execOp(Object*, Object*, int) /src/poppler/poppler/Gfx.cc:802:5
    #10 0x8ee669 in Gfx::go(bool) /src/poppler/poppler/Gfx.cc:679:13
    #11 0x8edc20 in Gfx::display(Object*, bool) /src/poppler/poppler/Gfx.cc:640:5
    #12 0xa78ecf in Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /src/poppler/poppler/Page.cc:576:14
    #13 0xa78a4e in Page::display(OutputDev*, double, double, int, bool, bool, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /src/poppler/poppler/Page.cc:521:5
    #14 0x54b820 in PDFDoc::displayPage(OutputDev*, int, double, double, int, bool, bool, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /src/poppler/poppler/PDFDoc.cc:639:24
    #15 0x5218dc in main /src/poppler/utils/pdftops.cc:475:18
    #16 0x7fc782dd3bf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
    #17 0x420359 in _start (/src/poppler/build/utils/pdftops+0x420359)

0x633000019830 is located 0 bytes to the right of 102448-byte region [0x633000000800,0x633000019830)
allocated by thread T0 here:
    #0 0x5187c0 in operator new(unsigned long) (/src/poppler/build/utils/pdftops+0x5187c0)
    #1 0x6a105a in PSOutputDev::doImageL2(GfxState*, Object*, GfxImageColorMap*, bool, bool, Stream*, int, int, int, int const*, Stream*, int, int, bool) /src/poppler/poppler/PSOutputDev.cc:6001:19
    #2 0x6ad7d3 in PSOutputDev::drawImage(GfxState*, Object*, Stream*, int, int, GfxImageColorMap*, bool, int const*, bool) /src/poppler/poppler/PSOutputDev.cc:5181:9

SUMMARY: AddressSanitizer: heap-buffer-overflow (/src/poppler/build/utils/pdftops+0x4df9fc) in __asan_memmove
Shadow bytes around the buggy address:
  0x0c667fffb2b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c667fffb2c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c667fffb2d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c667fffb2e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c667fffb2f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c667fffb300: 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa
  0x0c667fffb310: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c667fffb320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c667fffb330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c667fffb340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c667fffb350: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==42490==ABORTING

poc

Edited by bin24151
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information