Skip to content

GitLab

Open
Created by pwd@YourButterfly

A heap-buffer-overflow in function PSOutputDev::checkPageSlice

poppler-0.74

version

poppler-0.74 0.74

description

None

download link

None

PSOutputDev::checkPageSlice@PSOutputDev.cc:3468-23___heap-buffer-overflow

description

An issue was discovered in poppler-0.74 0.74, There is a/an heap-buffer-overflow in function PSOutputDev::checkPageSlice at PSOutputDev.cc:3468-23

commandline

pdftops -level1sep  @@ /dev/null

source

3464 	      }
3465 	    } else {
3466 	      // Gray color image
3467 	      for (x = 0; x < w; ++x) {
>3468 	        col[comp] |= p[4*x + comp];
3469 	        digit = p[4*x + comp] / 16;
3470 	        hexBuf[i++] = digit + ((digit >= 10)? 'a' - 10: '0');
3471 	        digit = p[4*x + comp] % 16;
3472 	        hexBuf[i++] = digit + ((digit >= 10)? 'a' - 10: '0');
3473 	        if (i >= 64) {

bug report

=================================================================
==31131==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fdf3a598400 at pc 0x7fdf454415e0 bp 0x7ffe233c2770 sp 0x7ffe233c2768
READ of size 1 at 0x7fdf3a598400 thread T0
    #0 0x7fdf454415df in PSOutputDev::checkPageSlice(Page*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*) /src/poppler-0.74/poppler/PSOutputDev.cc:3468:23
    #1 0x7fdf4527de72 in Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /src/poppler-0.74/poppler/Page.cc:527:13
    #2 0x7fdf4527dd00 in Page::display(OutputDev*, double, double, int, bool, bool, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /src/poppler-0.74/poppler/Page.cc:469:3
    #3 0x7fdf4529a925 in PDFDoc::displayPage(OutputDev*, int, double, double, int, bool, bool, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /src/poppler-0.74/poppler/PDFDoc.cc:633:20
    #4 0x5204ac in main /src/poppler-0.74/utils/pdftops.cc:424:12
    #5 0x7fdf4390182f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #6 0x41b5b8 in _start (/src/aflbuild/installed/bin/pdftops+0x41b5b8)

0x7fdf3a598400 is located 0 bytes to the right of 519168-byte region [0x7fdf3a519800,0x7fdf3a598400)
allocated by thread T0 here:
    #0 0x4df7e8 in __interceptor_malloc /work/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88
    #1 0x7fdf455e1963 in gmalloc(unsigned long, bool) /src/poppler-0.74/goo/gmem.h:41:17
    #2 0x7fdf455e1963 in gmallocn(int, int, bool) /src/poppler-0.74/goo/gmem.h:115
    #3 0x7fdf455e1963 in gmallocn_checkoverflow(int, int) /src/poppler-0.74/goo/gmem.h:119
    #4 0x7fdf455e1963 in SplashBitmap::SplashBitmap(int, int, int, SplashColorMode, bool, bool, GooList*) /src/poppler-0.74/splash/SplashBitmap.cc:113

SUMMARY: AddressSanitizer: heap-buffer-overflow /src/poppler-0.74/poppler/PSOutputDev.cc:3468:23 in PSOutputDev::checkPageSlice(Page*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*)
Shadow bytes around the buggy address:
  0x0ffc674ab030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffc674ab040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffc674ab050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffc674ab060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffc674ab070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ffc674ab080:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ffc674ab090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ffc674ab0a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ffc674ab0b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ffc674ab0c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ffc674ab0d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==31131==ABORTING

others

from fuzz project pwd-poppler-pdftops-06
crash name pwd-poppler-pdftops-06-00000000-20190401.pdf
Auto-generated by pyspider at 2019-04-01 15:07:53

poc.tar.gz

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information