Closed
Issue created Feb 28, 2019 by Loginsoft@loginsoft

recursive function call in function JBIG2Stream::readGenericBitmap()

What is the vulnerability: During our research we found a recursive function call in function JBIG2Stream::readGenericBitmap(), located in JBIG2Stream.cc in poppler 0.74.0.

Command: pdfseparate -f 1 -l 2 $POC res-%d.pdf

POC: REPRODUCER

Debug:

GDB:

[ Legend: Modified register | Code | Heap | Stack | String ]
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ registers ]────
$rax   : 0x1               
$rbx   : 0x11              
$rcx   : 0x619000001500      →  0x004e00330038003d ("="?)
$rdx   : 0x0               
$rsp   : 0x7fffffffb858      →  0x00007ffff6731a83  →  <JBIG2Stream::readGenericBitmap(bool,+0> mov DWORD PTR [rbp-0x104], eax
$rbp   : 0x7fffffffba10      →  0x00007fffffffbf90  →  0x00007fffffffc1d0  →  0x00007fffffffc200  →  0x00007fffffffc520  →  0x00007fffffffc780  →  0x00007fffffffc910  →  0x00007fffffffca20
$rsi   : 0x7               
$rdi   : 0x2               
$rip   : 0x7ffff6716411      →  <JArithmeticDecoder::decodeBit(unsigned+0> ret 
$r8    : 0x5b              
$r9    : 0x10007d307e93      →  0xfafafafafafafa02
$r10   : 0x4032            
$r11   : 0x202             
$r12   : 0x7fffffffb980      →  0x0000000041b58ab3
$r13   : 0xffffffff730       →  0x0000000000000000
$r14   : 0x7fffe97eb800      →  0xffffffffffffffff
$r15   : 0x7fffffffb980      →  0x0000000041b58ab3
$eflags: [zero carry PARITY adjust SIGN trap INTERRUPT direction overflow resume virtualx86 identification]
$ss: 0x002b  $fs: 0x0000  $es: 0x0000  $cs: 0x0033  $gs: 0x0000  $ds: 0x0000  
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ stack ]────
0x00007fffffffb858│+0x00: 0x00007ffff6731a83  →  <JBIG2Stream::readGenericBitmap(bool,+0> mov DWORD PTR [rbp-0x104], eax     ← $rsp
0x00007fffffffb860│+0x08: 0x0000000000000000
0x00007fffffffb868│+0x10: 0x00007fffffffbf20  →  0x00000000ffffffd8  →  0x0000000000000000
0x00007fffffffb870│+0x18: 0x00007fffffffbee0  →  0x0000000000000000
0x00007fffffffb878│+0x20: 0x0000000000000000
0x00007fffffffb880│+0x28: 0x0000000000000000
0x00007fffffffb888│+0x30: 0x0000001700000002  →  0x0000000000000000
0x00007fffffffb890│+0x38: 0x0000000000033676
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ code:i386:x86-64 ]────
   0x7ffff6716408 <JArithmeticDecoder::decodeBit(unsigned+0> jmp    0x7ffff67162df <JArithmeticDecoder::decodeBit(unsigned int,  JArithmeticDecoderStats*)+2579>
   0x7ffff671640d <JArithmeticDecoder::decodeBit(unsigned+0> mov    eax, DWORD PTR [rbp-0x10]
   0x7ffff6716410 <JArithmeticDecoder::decodeBit(unsigned+0> leave  
→ 0x7ffff6716411 <JArithmeticDecoder::decodeBit(unsigned+0> ret    
   ↳  0x7ffff6731a83 <JBIG2Stream::readGenericBitmap(bool,+0> mov    DWORD PTR [rbp-0x104], eax
      0x7ffff6731a89 <JBIG2Stream::readGenericBitmap(bool,+0> cmp    DWORD PTR [rbp-0x104], 0x0
      0x7ffff6731a90 <JBIG2Stream::readGenericBitmap(bool,+0> setne  al
      0x7ffff6731a93 <JBIG2Stream::readGenericBitmap(bool,+0> test   al, al
      0x7ffff6731a95 <JBIG2Stream::readGenericBitmap(bool,+0> je     0x7ffff6731b48 <JBIG2Stream::readGenericBitmap(bool,  int,  int,  int,  bool,  bool,  JBIG2Bitmap*,  int*,  int*,  int)+21084>
      0x7ffff6731a9b <JBIG2Stream::readGenericBitmap(bool,+0> mov    rax, QWORD PTR [rbp-0xd0]
──────────────────────────────────────────────────────────────────────────────────────────────────────────────[ source:/home/aceteam/Desktop/packages/poppler-master/poppler/JArithmeticDecoder.cc+230 ]────
    225           c <<= 1;
    226           --ct;
    227         } while (!(a & 0x80000000));
    228       }
    229       return bit;
→  230     }
    231     
    232     int JArithmeticDecoder::decodeByte(unsigned int context,
    233                        JArithmeticDecoderStats *stats) {
    234       int byte;
    235       int i;
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ threads ]────
[#0] Id 1, Name: "pdfseparate", stopped, reason: SIGINT
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ trace ]────
[#0] 0x7ffff6716411 → Name: JArithmeticDecoder::decodeBit(this=0x604000001a50, context=0xaa, stats=0x602000024bb0)
[#1] 0x7ffff6731a83 → Name: JBIG2Stream::readGenericBitmap(this=0x612000000340, mmr=0x0, w=0x33676, h=0x17, templ=0x2, tpgdOn=0x0, useSkip=0x0, skip=0x0, atx=0x7fffffffbee0, aty=0x7fffffffbf20, mmrDataLength=0x0)
[#2] 0x7ffff6722b0f → Name: JBIG2Stream::readSymbolDictSeg(this=0x612000000340, segNum=0x686c73ac, length=0x7f41d7d0, refSegs=0x0, nRefSegs=0x0)
[#3] 0x7ffff671f5a2 → Name: JBIG2Stream::readSegments(this=0x612000000340)
[#4] 0x7ffff671e351 → Name: JBIG2Stream::reset(this=0x612000000340)
[#5] 0x7ffff68295a5 → Name: XRef::readXRefStream(this=0x6120000001c0, xrefStr=0x612000000340, pos=0x612000000278)
[#6] 0x7ffff68273d3 → Name: XRef::readXRef(this=0x6120000001c0, pos=0x612000000278, followedXRefStm=0x7fffffffc8a0, xrefStreamObjsNum=0x0)
[#7] 0x7ffff6824ab8 → Name: XRef::XRef(this=0x6120000001c0, strA=0x613000000040, pos=0x74, mainXRefEntriesOffsetA=0x0, wasReconstructed=0x7fffffffc970, reconstruct=0x0)
[#8] 0x7ffff676aba3 → Name: PDFDoc::setup(this=0x610000000040, ownerPassword=0x0, userPassword=0x0)
[#9] 0x7ffff676a492 → Name: PDFDoc::PDFDoc(this=0x610000000040, fileNameA=0x60300000e020, ownerPassword=0x0, userPassword=0x0, guiDataA=0x0)
Edited Feb 28, 2019 by Loginsoft