out-of-bounds read at FileSpec.cc:96
pdfdetach
version
The latest stable release poppler-0.71.0.tar.xz, released on Oct 31, 2018
others
This bug is reported by pwd@360TeamSeri0us. Please send email to teamSeri0us360@gmail.com if you have any questions.
Test Target
./pdfdetach --save 1 poc
debug info
pwndbg> list
91 }
92
93 bool EmbFile::save2(FILE *f) {
94 int c;
95
96 m_objStr.streamReset();
97 while ((c = m_objStr.streamGetChar()) != EOF) {
98 fputc(c, f);
99 }
100 return true;
pwndbg> p m_objStr
Cannot access memory at address 0x28
pwndbg>
ASAN Report
AddressSanitizer:DEADLYSIGNAL
=================================================================
==11393==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000028 (pc 0x7f24cb2c11c9 bp 0x7ffc847cbd50 sp 0x7ffc847cb640 T0)
==11393==The signal is caused by a READ memory access.
==11393==Hint: address points to the zero page.
#0 0x7f24cb2c11c8 in Object::streamReset() /home/pwd/fuzz/fuzz-poppler/poppler-0.71.0/poppler/Object.h:397:5
#1 0x7f24cb2c11c8 in EmbFile::save2(_IO_FILE*) /home/pwd/fuzz/fuzz-poppler/poppler-0.71.0/poppler/FileSpec.cc:96
#2 0x7f24cb2c1131 in EmbFile::save(char const*) /home/pwd/fuzz/fuzz-poppler/poppler-0.71.0/poppler/FileSpec.cc:88:9
#3 0x51d197 in main /home/pwd/fuzz/fuzz-poppler/poppler-0.71.0/utils/pdfdetach.cc:299:39
#4 0x7f24c9b6bb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#5 0x41b4f9 in _start (/home/pwd/fuzz/fuzz-poppler/poppler-0.71.0/installed-asan/bin/pdfdetach+0x41b4f9)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/pwd/fuzz/fuzz-poppler/poppler-0.71.0/poppler/Object.h:397:5 in Object::streamReset()
==11393==ABORTING
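The debugger cannot read m_objStr at address 0x28 and ASan reports a read fault on the zero page, which is consistent with save2() running on a null EmbFile pointer: the member lives at a small offset from this, and this is zero. The added C++ example below, which is not poppler's code, models that save path with hypothetical stand-in types (ByteStream, EmbeddedFile, FileSpecLike) and shows the caller-side check that turns the null case into a clean error instead of a dereference.

```cpp
#include <cstdio>
#include <string>

// Hypothetical stand-in for the stream object: a byte buffer with a read cursor.
struct ByteStream {
    std::string data;
    size_t pos = 0;
    void reset() { pos = 0; }
    int getChar() {
        return pos < data.size() ? static_cast<unsigned char>(data[pos++]) : EOF;
    }
};

// Hypothetical stand-in for EmbFile: owns a stream and copies it to a FILE*.
struct EmbeddedFile {
    ByteStream objStr;
    bool save2(FILE *f) {
        objStr.reset();                 // this is where a null object would fault
        int c;
        while ((c = objStr.getChar()) != EOF) fputc(c, f);
        return true;
    }
};

// Models a file specification whose embedded-file lookup may come back empty.
struct FileSpecLike {
    EmbeddedFile *embedded;             // nullptr when the spec carries no stream
    EmbeddedFile *getEmbeddedFile() { return embedded; }
};

// Hardened save path: validates the pointer before calling into the object.
// Returns the number of bytes written, or -1 when there is nothing to save.
long saveEmbeddedFile(FileSpecLike &spec, FILE *out) {
    EmbeddedFile *ef = spec.getEmbeddedFile();
    if (ef == nullptr || out == nullptr) {
        fputs("file spec has no embedded file stream, skipping\n", stderr);
        return -1;
    }
    long start = ftell(out);
    if (!ef->save2(out)) return -1;
    return ftell(out) - start;
}

// Demo/test helper: save into a temporary file and return its contents.
std::string saveToString(FileSpecLike &spec, long *written) {
    FILE *tmp = tmpfile();
    *written = saveEmbeddedFile(spec, tmp);
    std::string out;
    if (tmp != nullptr) {
        rewind(tmp);
        int c;
        while ((c = fgetc(tmp)) != EOF) out.push_back(static_cast<char>(c));
        fclose(tmp);
    }
    return out;
}

int main() {
    EmbeddedFile ef;
    ef.objStr.data = "constructed sample attachment\n";   // constructed input
    FileSpecLike good{&ef};
    FileSpecLike broken{nullptr};        // constructed: spec without a stream
    long n = 0;
    std::string s = saveToString(good, &n);
    printf("good spec: %ld bytes saved\n", n);
    saveToString(broken, &n);
    printf("broken spec: result %ld (no crash)\n", n);
    return 0;
}
```

The check belongs at the caller, where the lookup result is still a pointer that can be inspected; once control is inside a member function on a null object the fault has already happened.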