Out of bounds read in JBIG2Bitmap::combine
Version: commit db6ca341
Vulnerability:
An out-of-bounds read exists in the JBIG2Bitmap::combine function in JBIG2Stream.cc, allowing an attacker to crash the application via a carefully crafted PDF file. This can be triggered through the pdfimages utility.
Command: pdfimages poc.pdf /tmp/out
Crash log:
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1217354==ERROR: AddressSanitizer: SEGV on unknown address 0x510780001bc0 (pc 0x555555efde8c bp 0x0a0600001b23 sp 0x7fffffffd190 T0)
==1217354==The signal is caused by a READ memory access.
#0 0x555555efde8c in JBIG2Bitmap::combine(JBIG2Bitmap*, int, int, unsigned int) poppler/poppler/JBIG2Stream.cc:875:24
#1 0x555555edd262 in JBIG2Stream::readTextRegionSeg(unsigned int, bool, bool, unsigned int, unsigned int*, unsigned int) poppler/poppler/JBIG2Stream.cc:2195:29
#2 0x555555ecf1e8 in JBIG2Stream::readSegments() poppler/poppler/JBIG2Stream.cc
#3 0x555555ecc3da in JBIG2Stream::reset() poppler/poppler/JBIG2Stream.cc:1177:5
#4 0x55555599248d in ImageOutputDev::writeImageFile(ImgWriter*, ImageOutputDev::ImageFormat, char const*, Stream*, int, int, GfxImageColorMap*) poppler/utils/ImageOutputDev.cc:410:14
#5 0x55555598f7e0 in ImageOutputDev::writeImage(GfxState*, Object*, Stream*, int, int, GfxImageColorMap*, bool) poppler/utils/ImageOutputDev.cc:687:9
#6 0x555555afe10e in Gfx::doImage(Object*, Stream*, bool) poppler/poppler/Gfx.cc:4606:22
#7 0x555555a8722d in Gfx::opXObject(Object*, int) poppler/poppler/Gfx.cc:4102:13
#8 0x555555ae3e7a in Gfx::execOp(Object*, Object*, int) poppler/poppler/Gfx.cc:801:5
#9 0x555555ae3e7a in Gfx::go(bool) poppler/poppler/Gfx.cc:676:13
#10 0x555555ae1e5d in Gfx::display(Object*, bool) poppler/poppler/Gfx.cc:637:5
#11 0x555555d10b7e in Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) poppler/poppler/Page.cc:584:14
#12 0x555555985e8b in Page::display(OutputDev*, double, double, int, bool, bool, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) poppler/poppler/Page.cc:534:5
#13 0x555555985e8b in PDFDoc::displayPage(OutputDev*, int, double, double, int, bool, bool, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) poppler/poppler/PDFDoc.cc:618:24
#14 0x555555985e8b in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, bool, bool, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*) poppler/poppler/PDFDoc.cc:628:9
#15 0x555555985e8b in main poppler/utils/pdfimages.cc:195:14
#16 0x7ffff722a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#17 0x7ffff722a28a in __libc_start_main csu/../csu/libc-start.c:360:3
#18 0x5555558a0494 in _start (poppler_fuzz/pdfimages+0x34c494) (BuildId: 3e76c6c40f2ad850)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV poppler/poppler/JBIG2Stream.cc:875:24 in JBIG2Bitmap::combine(JBIG2Bitmap*, int, int, unsigned int)
==1217354==ABORTING
PoC: poc.pdf