Heap buffer overflow in JPXStream (#768) · Issues · poppler / poppler

Heap buffer overflow in JPXStream

While fuzzing pdftotext, located what appears to be a heap buffer overflow in JPEG / JPEG2000 handling code.

The bug was originally detected in an older version, but I have confirmed it persists on trunk.

Asan error report:

ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf3e06cbc at pc 0xf7d8985a bp 0xffe0c7e8 sp 0xffe0c7dc
READ of size 4 at 0xf3e06cbc thread T0
    #0 0xf7d89859 in JPXStream::init() /poppler-0.64.0/poppler/JPEG2000Stream.cc:265:10
    #1 0xf7d8a016 in JPXStream::getChar() /poppler-0.64.0/poppler/JPEG2000Stream.cc:120:43
    #2 0xf7a0bffe in Object::streamGetChar() const /poppler-0.64.0/poppler/Object.h:405:50
    #3 0xf7a0bffe in Lexer::getChar(bool) /poppler-0.64.0/poppler/Lexer.cc:124
    #4 0xf7a0cba4 in Lexer::getObj(int) /poppler-0.64.0/poppler/Lexer.cc:170:14
    #5 0xf7a6495e in Parser::Parser(XRef*, Lexer*, bool) /poppler-0.64.0/poppler/Parser.cc:54:17
    #6 0xf7864302 in Gfx::display(Object*, bool) /poppler-0.64.0/poppler/Gfx.cc:708:16
    #7 0xf7a5c4f3 in Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /poppler-0.64.0/poppler/Page.cc:560:10
    #8 0xf7a5c103 in Page::display(OutputDev*, double, double, int, bool, bool, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /poppler-0.64.0/poppler/Page.cc:481:3
    #9 0xf7a7410d in PDFDoc::displayPage(OutputDev*, int, double, double, int, bool, bool, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /poppler-0.64.0/poppler/PDFDoc.cc:518:20
    #10 0xf7a7410d in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, bool, bool, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*) /poppler-0.64.0/poppler/PDFDoc.cc:535
    #11 0x817f0eb  (/home/felixf/fuzzing/bin/pdf_llvm_asan/i386-linux-gnu/ld-linux.so.2+0x817f0eb)
    #12 0xf7143636 in __libc_start_main (bin/pdf_llvm_asan/i386-linux-gnu/libc.so.6+0x18636)
    #13 0x8062280  (/home/felixf/fuzzing/bin/pdf_llvm_asan/i386-linux-gnu/ld-linux.so.2+0x8062280)

0xf3e06cbc is located 0 bytes to the right of 252-byte region [0xf3e06bc0,0xf3e06cbc)
allocated by thread T0 here:
    #0 0x8132bcf  (/home/felixf/fuzzing/bin/pdf_llvm_asan/i386-linux-gnu/ld-linux.so.2+0x8132bcf)
    #1 0xf6f9d558  (bin/pdf_llvm_asan/i386-linux-gnu/libopenjp2.so.7+0x2a558)

SUMMARY: AddressSanitizer: heap-buffer-overflow /poppler-0.64.0/poppler/JPEG2000Stream.cc:265:10 in JPXStream::init()
Shadow bytes around the buggy address:
  0x3e7c0d40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e7c0d50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e7c0d60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e7c0d70: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x3e7c0d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x3e7c0d90: 00 00 00 00 00 00 00[04]fa fa fa fa fa fa fa fa
  0x3e7c0da0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x3e7c0db0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x3e7c0dc0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x3e7c0dd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x3e7c0de0: fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc

Attached is an input file that triggers the bug when run through pdftotext.

If you need / would like any additional information, please let me know.

While fuzzing pdftotext, located what appears to be a heap buffer overflow in JPEG / JPEG2000 handling code.

The bug was originally detected in an older version, but I have confirmed it persists on trunk.

Asan error report:

```
ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf3e06cbc at pc 0xf7d8985a bp 0xffe0c7e8 sp 0xffe0c7dc
READ of size 4 at 0xf3e06cbc thread T0
    #0 0xf7d89859 in JPXStream::init() /poppler-0.64.0/poppler/JPEG2000Stream.cc:265:10
    #1 0xf7d8a016 in JPXStream::getChar() /poppler-0.64.0/poppler/JPEG2000Stream.cc:120:43
    #2 0xf7a0bffe in Object::streamGetChar() const /poppler-0.64.0/poppler/Object.h:405:50
    #3 0xf7a0bffe in Lexer::getChar(bool) /poppler-0.64.0/poppler/Lexer.cc:124
    #4 0xf7a0cba4 in Lexer::getObj(int) /poppler-0.64.0/poppler/Lexer.cc:170:14
    #5 0xf7a6495e in Parser::Parser(XRef*, Lexer*, bool) /poppler-0.64.0/poppler/Parser.cc:54:17
    #6 0xf7864302 in Gfx::display(Object*, bool) /poppler-0.64.0/poppler/Gfx.cc:708:16
    #7 0xf7a5c4f3 in Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /poppler-0.64.0/poppler/Page.cc:560:10
    #8 0xf7a5c103 in Page::display(OutputDev*, double, double, int, bool, bool, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /poppler-0.64.0/poppler/Page.cc:481:3
    #9 0xf7a7410d in PDFDoc::displayPage(OutputDev*, int, double, double, int, bool, bool, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /poppler-0.64.0/poppler/PDFDoc.cc:518:20
    #10 0xf7a7410d in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, bool, bool, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*) /poppler-0.64.0/poppler/PDFDoc.cc:535
    #11 0x817f0eb  (/home/felixf/fuzzing/bin/pdf_llvm_asan/i386-linux-gnu/ld-linux.so.2+0x817f0eb)
    #12 0xf7143636 in __libc_start_main (bin/pdf_llvm_asan/i386-linux-gnu/libc.so.6+0x18636)
    #13 0x8062280  (/home/felixf/fuzzing/bin/pdf_llvm_asan/i386-linux-gnu/ld-linux.so.2+0x8062280)

0xf3e06cbc is located 0 bytes to the right of 252-byte region [0xf3e06bc0,0xf3e06cbc)
allocated by thread T0 here:
    #0 0x8132bcf  (/home/felixf/fuzzing/bin/pdf_llvm_asan/i386-linux-gnu/ld-linux.so.2+0x8132bcf)
    #1 0xf6f9d558  (bin/pdf_llvm_asan/i386-linux-gnu/libopenjp2.so.7+0x2a558)

SUMMARY: AddressSanitizer: heap-buffer-overflow /poppler-0.64.0/poppler/JPEG2000Stream.cc:265:10 in JPXStream::init()
Shadow bytes around the buggy address:
  0x3e7c0d40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e7c0d50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e7c0d60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e7c0d70: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x3e7c0d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x3e7c0d90: 00 00 00 00 00 00 00[04]fa fa fa fa fa fa fa fa
  0x3e7c0da0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x3e7c0db0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x3e7c0dc0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x3e7c0dd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x3e7c0de0: fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
```

Attached is an [input file](/uploads/3a902c7b97ebff3df1b884c8271de294/id_000011_sig_06_src_000099+004407_op_splice_rep_32) that triggers the bug when run through pdftotext.

If you need / would like any additional information, please let me know.

To upload designs, you'll need to enable LFS and have admin enable hashed storage. More information