Reading outside bounds at Functions.cc:218
Submitted by: foca@salesforce.com
Assigned to: poppler-bugs
Link to original bug (#101501)
Description
Created attachment 132065: Proof of concept
There is an out-of-bounds read at Functions.cc:218:
    212 }
    213
    214 void IdentityFunction::transform(double *in, double *out) {
    215   int i;
    216
    217   for (i = 0; i < funcMaxOutputs; ++i) {
    218     out[i] = in[i];
    219   }
    220 }

funcMaxOutputs is defined in Functions.h: #define funcMaxOutputs 32
While parsing PoC.pdf, this function is called from GfxFunctionShading::getColor:

    3957 void GfxFunctionShading::getColor(double x, double y, GfxColor *color) {
    3958   double in[2], out[gfxColorMaxComps];
    3959   int i;
    3960
    3961   // NB: there can be one function with n outputs or n functions with
    3962   // one output each (where n = number of color components)
    3963   for (i = 0; i < gfxColorMaxComps; ++i) {
    3964     out[i] = 0;
    3965   }
    3966   in[0] = x;
    3967   in[1] = y;
    3968   for (i = 0; i < nFuncs; ++i) {
    3969     funcs[i]->transform(in, &out[i]);
    3970   }
    3971   for (i = 0; i < gfxColorMaxComps; ++i) {
    3972     color->c[i] = dblToCol(out[i]);
    3973   }
    3974 }

Here the variable in has only 2 elements, while IdentityFunction::transform reads 32 (funcMaxOutputs) of them, so 30 elements past the end of in are read.
This could be fixed by increasing the number of elements of in:

    3958   double in[gfxColorMaxComps], out[gfxColorMaxComps];
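The following is an added, self-contained C illustration of the mismatch described above and of the suggested fix; it is not poppler's code. It assumes gfxColorMaxComps equals funcMaxOutputs (as in poppler's GfxState.h), reduces getColor to a single function, and adds a hypothetical length-checked transform variant as a second hardening option.

```c
#include <stddef.h>
#include <string.h>

#define funcMaxOutputs 32               /* Functions.h, as quoted in the report */
#define gfxColorMaxComps funcMaxOutputs /* assumed equal, as in poppler's GfxState.h */

/* Same shape as IdentityFunction::transform: unconditionally reads
 * funcMaxOutputs inputs, whatever size the caller actually allocated. */
static void identity_transform_unchecked(const double *in, double *out) {
    for (int i = 0; i < funcMaxOutputs; ++i)
        out[i] = in[i];
}

/* Caller mirroring the report's suggested fix: `in` is sized to
 * gfxColorMaxComps, so the 32-element read stays inside the buffer.
 * Simplified stand-in for GfxFunctionShading::getColor with one function. */
static void get_color_fixed(double x, double y, double color[gfxColorMaxComps]) {
    double in[gfxColorMaxComps] = {0}, out[gfxColorMaxComps] = {0};
    in[0] = x;
    in[1] = y;
    identity_transform_unchecked(in, out);  /* now an in-bounds read */
    memcpy(color, out, sizeof out);         /* real code applies dblToCol() here */
}

/* Alternative hardening (hypothetical API, not poppler's): the caller
 * states how many inputs exist; only those are copied and the rest is
 * zero-filled, so no caller buffer size can make the loop read past its end. */
static void identity_transform_bounded(const double *in, size_t nIn, double *out) {
    size_t n = nIn < funcMaxOutputs ? nIn : funcMaxOutputs;
    for (size_t i = 0; i < n; ++i)
        out[i] = in[i];
    for (size_t i = n; i < funcMaxOutputs; ++i)
        out[i] = 0.0;
}

/* Check helper: returns 1 if every element from index `from` onward is zero. */
static int tail_is_zero(const double *v, size_t from, size_t len) {
    for (size_t i = from; i < len; ++i)
        if (v[i] != 0.0) return 0;
    return 1;
}

int main(void) {
    double color[gfxColorMaxComps];
    get_color_fixed(0.25, 0.75, color);
    double small_in[2] = {1.5, 2.5}, out[funcMaxOutputs];
    identity_transform_bounded(small_in, 2, out);  /* only 2 inputs really exist */
    return (color[0] == 0.25 && out[1] == 2.5 && tail_is_zero(out, 2, funcMaxOutputs)) ? 0 : 1;
}
```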
PoC is attached.
This vulnerability has been found by Offensive Research at Salesforce.com: Alberto Garcia (@algillera), Francisco Oca (@francisco_oca) & Suleman Ali (@Salbei_)
Attachment 132065, "Proof of concept":
PoC.pdf