poppler / Issues / #661
Created Nov 06, 2018 by pwd@Daniel

out-of-bounds read at FileSpec.cc:96

pdfdetach

version

The latest stable release poppler-0.71.0.tar.xz, released on Oct 31, 2018

others

This bug is reported by pwd@360TeamSeri0us; please send an email to teamSeri0us360@gmail.com if you have any questions.

Test Target

```
./pdfdetach --save 1 poc
```

debug info

```
pwndbg> list
91  }
92  
93  bool EmbFile::save2(FILE *f) {
94    int c;
95  
96    m_objStr.streamReset();
97    while ((c = m_objStr.streamGetChar()) != EOF) {
98      fputc(c, f);
99    }
100   return true;
pwndbg> p m_objStr
Cannot access memory at address 0x28
pwndbg>
```

ASAN Report

```
AddressSanitizer:DEADLYSIGNAL
=================================================================
==11393==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000028 (pc 0x7f24cb2c11c9 bp 0x7ffc847cbd50 sp 0x7ffc847cb640 T0)
==11393==The signal is caused by a READ memory access.
==11393==Hint: address points to the zero page.
    #0 0x7f24cb2c11c8 in Object::streamReset() /home/pwd/fuzz/fuzz-poppler/poppler-0.71.0/poppler/Object.h:397:5
    #1 0x7f24cb2c11c8 in EmbFile::save2(_IO_FILE*) /home/pwd/fuzz/fuzz-poppler/poppler-0.71.0/poppler/FileSpec.cc:96
    #2 0x7f24cb2c1131 in EmbFile::save(char const*) /home/pwd/fuzz/fuzz-poppler/poppler-0.71.0/poppler/FileSpec.cc:88:9
    #3 0x51d197 in main /home/pwd/fuzz/fuzz-poppler/poppler-0.71.0/utils/pdfdetach.cc:299:39
    #4 0x7f24c9b6bb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #5 0x41b4f9 in _start (/home/pwd/fuzz/fuzz-poppler/poppler-0.71.0/installed-asan/bin/pdfdetach+0x41b4f9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/pwd/fuzz/fuzz-poppler/poppler-0.71.0/poppler/Object.h:397:5 in Object::streamReset()
==11393==ABORTING
```

outofboundsread_FileSpec.cc_96
