use after free in pdfsig, decref, dict.h:116
Hi there.
There is a use-after-free in Dict.h:116, which causes a segmentation fault and may lead to denial of service in version 96067bdb, version 23.03.0.
To reproduce, run:
./pdfsig -add-signature -nick "lalala" POC /dev/null
Here is my environment:
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=20.04
DISTRIB_CODENAME=focal
DISTRIB_DESCRIPTION="Ubuntu 20.04.5 LTS"
Here is the call stack reported by ASAN:
==32203==ERROR: AddressSanitizer: heap-use-after-free on address 0x607000006fd0 at pc 0x7faafc029e13 bp 0x7ffe74158760 sp 0x7ffe74158758
WRITE of size 4 at 0x607000006fd0 thread T0
#0 0x7faafc029e12 in std::__atomic_base<int>::operator--() /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/atomic_base.h:327:16
#1 0x7faafc029e12 in Dict::decRef() /benchmark/poppler/poppler/Dict.h:116:27
#2 0x7faafc029e12 in Object::free() /benchmark/poppler/poppler/Object.cc:131:20
#3 0x7faafc051122 in Object::~Object() /benchmark/poppler/poppler/Object.h:171:17
#4 0x7faafc051122 in PDFDoc::sign(char const*, char const*, char const*, GooString*, int, PDFRectangle const&, GooString const&, GooString const&, double, double, std::unique_ptr<AnnotColor, std::default_delete<AnnotColor> >&&, double, std::unique_ptr<AnnotColor, std::default_delete<AnnotColor> >&&, std::unique_ptr<AnnotColor, std::default_delete<AnnotColor> >&&, GooString const*, GooString const*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::optional<GooString> const&, std::optional<GooString> const&) /benchmark/poppler/poppler/PDFDoc.cc:2265:1
#5 0x500c01 in main /benchmark/poppler/utils/pdfsig.cc:374:35
#6 0x7faafb4d5082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
#7 0x41e7fd in _start ( /benchmark/poppler/build-new/utils/pdfsig+0x41e7fd)
0x607000006fd0 is located 32 bytes inside of 80-byte region [0x607000006fb0,0x607000007000)
freed by thread T0 here:
#0 0x4f97c7 in operator delete(void*) /dependence/llvm11/llvm-11.0.0.src/projects/compiler-rt/lib/asan/asan_new_delete.cpp:160:3
#1 0x7faafc029db2 in Object::free() /benchmark/poppler/poppler/Object.cc:132:13
previously allocated by thread T0 here:
#0 0x4f8dc7 in operator new(unsigned long) /dependence/llvm11/llvm-11.0.0.src/projects/compiler-rt/lib/asan/asan_new_delete.cpp:99:3
#1 0x7faafc04fe22 in PDFDoc::sign(char const*, char const*, char const*, GooString*, int, PDFRectangle const&, GooString const&, GooString const&, double, double, std::unique_ptr<AnnotColor, std::default_delete<AnnotColor> >&&, double, std::unique_ptr<AnnotColor, std::default_delete<AnnotColor> >&&, std::unique_ptr<AnnotColor, std::default_delete<AnnotColor> >&&, GooString const*, GooString const*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::optional<GooString> const&, std::optional<GooString> const&) /benchmark/poppler/poppler/PDFDoc.cc:2198:30
#2 0x500c01 in main /benchmark/poppler/utils/pdfsig.cc:374:35
#3 0x7faafb4d5082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
SUMMARY: AddressSanitizer: heap-use-after-free /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/atomic_base.h:327:16 in std::__atomic_base<int>::operator--()
Shadow bytes around the buggy address:
==32203==ABORTING
poc.zip (unzip first)
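As an added triage helper (not part of this report or of poppler), a small parser for the AddressSanitizer output quoted above: it splits the report into the access, free and allocation stacks and picks the innermost frame inside the project tree for each, so the use, free and allocation sites can be read off without wading through libc++ and compiler-rt frames. The project root `/benchmark/poppler/` is taken from the paths in the report; the embedded sample is a trimmed copy of the report's own lines.

```python
import re

# Trimmed copy of the ASan report quoted in this issue (PDFDoc::sign signature shortened to "(...)").
REPORT = """\
==32203==ERROR: AddressSanitizer: heap-use-after-free on address 0x607000006fd0 at pc 0x7faafc029e13
WRITE of size 4 at 0x607000006fd0 thread T0
    #0 0x7faafc029e12 in std::__atomic_base<int>::operator--() /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/atomic_base.h:327:16
    #1 0x7faafc029e12 in Dict::decRef() /benchmark/poppler/poppler/Dict.h:116:27
    #2 0x7faafc029e12 in Object::free() /benchmark/poppler/poppler/Object.cc:131:20
    #3 0x7faafc051122 in Object::~Object() /benchmark/poppler/poppler/Object.h:171:17
    #4 0x7faafc051122 in PDFDoc::sign(...) /benchmark/poppler/poppler/PDFDoc.cc:2265:1
freed by thread T0 here:
    #0 0x4f97c7 in operator delete(void*) /dependence/llvm11/llvm-11.0.0.src/projects/compiler-rt/lib/asan/asan_new_delete.cpp:160:3
    #1 0x7faafc029db2 in Object::free() /benchmark/poppler/poppler/Object.cc:132:13
previously allocated by thread T0 here:
    #0 0x4f8dc7 in operator new(unsigned long) /dependence/llvm11/llvm-11.0.0.src/projects/compiler-rt/lib/asan/asan_new_delete.cpp:99:3
    #1 0x7faafc04fe22 in PDFDoc::sign(...) /benchmark/poppler/poppler/PDFDoc.cc:2198:30
"""

HEADER_RE = re.compile(r"^==\d+==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+)")
# "#N 0xADDR in <function> <file>:<line>[:<col>]"; the function name may itself contain spaces.
FRAME_RE = re.compile(r"^\s*#\d+\s+0x[0-9a-f]+\s+in\s+(.+?)\s+(\S+?):(\d+)(?::\d+)?\s*$")
SECTIONS = {"freed by": "freed", "previously allocated by": "allocated"}

def parse_asan(text):
    """Split an ASan report into error kind, access, and the frames of each stack section."""
    info = {"kind": None, "address": None, "access": None, "stacks": {}}
    section = None
    for line in text.splitlines():
        if m := HEADER_RE.match(line):
            info["kind"], info["address"] = m.group(1), m.group(2)
            section = "use"  # frames that follow the header are the faulting access
        elif m := ACCESS_RE.match(line):
            info["access"] = (m.group(1), int(m.group(2)))
        elif m := FRAME_RE.match(line):
            info["stacks"].setdefault(section, []).append((m.group(1), m.group(2), int(m.group(3))))
        else:  # section headers switch which stack the next frames belong to
            section = next((v for k, v in SECTIONS.items() if line.startswith(k)), section)
    return info

def first_project_frame(frames, root):
    """Innermost frame whose file lives under the project tree (skips libc++/compiler-rt frames)."""
    return next(((f, p, n) for f, p, n in frames if p.startswith(root)), None)

def triage(text, root):
    """Reduce the report to the three source locations a triager looks at first."""
    info = parse_asan(text)
    sites = {s: first_project_frame(info["stacks"].get(s, []), root) for s in ("use", "freed", "allocated")}
    return {"kind": info["kind"], "access": info["access"], **sites}
```

On this report it resolves the use to Dict::decRef() at Dict.h:116, reached from Object::free() at Object.cc:131, with the free on the very next line, Object.cc:132, and the allocation at PDFDoc.cc:2198.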