poppler issue #768 (Closed)
Issue created May 22, 2019 by felixphew@felixphew

Heap buffer overflow in JPXStream

While fuzzing pdftotext, I located what appears to be a heap buffer overflow in JPEG / JPEG2000 handling code.

The bug was originally detected in an older version, but I have confirmed it persists on trunk.

ASan error report:

ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf3e06cbc at pc 0xf7d8985a bp 0xffe0c7e8 sp 0xffe0c7dc
READ of size 4 at 0xf3e06cbc thread T0
    #0 0xf7d89859 in JPXStream::init() /poppler-0.64.0/poppler/JPEG2000Stream.cc:265:10
    #1 0xf7d8a016 in JPXStream::getChar() /poppler-0.64.0/poppler/JPEG2000Stream.cc:120:43
    #2 0xf7a0bffe in Object::streamGetChar() const /poppler-0.64.0/poppler/Object.h:405:50
    #3 0xf7a0bffe in Lexer::getChar(bool) /poppler-0.64.0/poppler/Lexer.cc:124
    #4 0xf7a0cba4 in Lexer::getObj(int) /poppler-0.64.0/poppler/Lexer.cc:170:14
    #5 0xf7a6495e in Parser::Parser(XRef*, Lexer*, bool) /poppler-0.64.0/poppler/Parser.cc:54:17
    #6 0xf7864302 in Gfx::display(Object*, bool) /poppler-0.64.0/poppler/Gfx.cc:708:16
    #7 0xf7a5c4f3 in Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /poppler-0.64.0/poppler/Page.cc:560:10
    #8 0xf7a5c103 in Page::display(OutputDev*, double, double, int, bool, bool, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /poppler-0.64.0/poppler/Page.cc:481:3
    #9 0xf7a7410d in PDFDoc::displayPage(OutputDev*, int, double, double, int, bool, bool, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /poppler-0.64.0/poppler/PDFDoc.cc:518:20
    #10 0xf7a7410d in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, bool, bool, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*) /poppler-0.64.0/poppler/PDFDoc.cc:535
    #11 0x817f0eb  (/home/felixf/fuzzing/bin/pdf_llvm_asan/i386-linux-gnu/ld-linux.so.2+0x817f0eb)
    #12 0xf7143636 in __libc_start_main (bin/pdf_llvm_asan/i386-linux-gnu/libc.so.6+0x18636)
    #13 0x8062280  (/home/felixf/fuzzing/bin/pdf_llvm_asan/i386-linux-gnu/ld-linux.so.2+0x8062280)

0xf3e06cbc is located 0 bytes to the right of 252-byte region [0xf3e06bc0,0xf3e06cbc)
allocated by thread T0 here:
    #0 0x8132bcf  (/home/felixf/fuzzing/bin/pdf_llvm_asan/i386-linux-gnu/ld-linux.so.2+0x8132bcf)
    #1 0xf6f9d558  (bin/pdf_llvm_asan/i386-linux-gnu/libopenjp2.so.7+0x2a558)

SUMMARY: AddressSanitizer: heap-buffer-overflow /poppler-0.64.0/poppler/JPEG2000Stream.cc:265:10 in JPXStream::init()
Shadow bytes around the buggy address:
  0x3e7c0d40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e7c0d50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e7c0d60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e7c0d70: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x3e7c0d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x3e7c0d90: 00 00 00 00 00 00 00[04]fa fa fa fa fa fa fa fa
  0x3e7c0da0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x3e7c0db0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x3e7c0dc0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x3e7c0dd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x3e7c0de0: fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc

Attached is an input file that triggers the bug when run through pdftotext.

If you need / would like any additional information, please let me know.
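The shadow-byte dump in the report is enough to reconstruct why ASan flagged the read. The following is an added example, not part of the bug report and not poppler or LLVM code: it applies ASan's shadow-mapping rule (one shadow byte per 8 application bytes, shadow = (addr >> 3) + 0x20000000 on 32-bit x86, which matches the i386 build in the trace) to the three shadow lines copied from the report around the faulting granule. The constants SHADOW_WINDOW_BASE, the 48-byte shadow_window table and the 4096-byte scan limit are assumptions made for this example; the window only covers the excerpt printed above, so anything outside it is treated as poisoned.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdbool.h>

/* ASan keeps one shadow byte per 8 application bytes:
 *   shadow_addr = (app_addr >> 3) + SHADOW_OFFSET
 * On 32-bit x86 (the report's i386 build) SHADOW_OFFSET is 0x20000000.
 * Shadow value 0: all 8 bytes addressable; 1..7: only the first k bytes
 * addressable; anything else (fa redzone, fd freed, ...) is poisoned. */
#define ASAN_SHADOW_OFFSET_I386 0x20000000u

static uint32_t shadow_addr(uint32_t app_addr)
{
    return (app_addr >> 3) + ASAN_SHADOW_OFFSET_I386;
}

/* Shadow lines 0x3e7c0d70 .. 0x3e7c0d9f, copied from the report above
 * (assumed window for this example; bytes outside it are unknown). */
#define SHADOW_WINDOW_BASE 0x3e7c0d70u
static const uint8_t shadow_window[48] = {
    0xfa,0xfa,0xfa,0xfa,0xfa,0xfa,0xfa,0xfa, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x04, 0xfa,0xfa,0xfa,0xfa,0xfa,0xfa,0xfa,0xfa,
};

/* Shadow value for an application address, or -1 if outside the excerpt. */
static int shadow_value(uint32_t app_addr)
{
    uint32_t s = shadow_addr(app_addr);
    if (s < SHADOW_WINDOW_BASE || s >= SHADOW_WINDOW_BASE + sizeof shadow_window)
        return -1;
    return shadow_window[s - SHADOW_WINDOW_BASE];
}

/* ASan's per-byte addressability rule. */
static bool byte_addressable(uint32_t app_addr)
{
    int k = shadow_value(app_addr);
    if (k == 0)
        return true;
    if (k > 0 && k < 8)                 /* partial granule: first k bytes live */
        return (app_addr & 7u) < (uint32_t)k;
    return false;                       /* unknown, redzone or freed */
}

/* Index of the first poisoned byte in [addr, addr + size), or -1 if the
 * whole access is addressable. This is the check the instrumented load
 * at JPEG2000Stream.cc:265 performed before reporting. */
static int first_bad_byte(uint32_t addr, uint32_t size)
{
    for (uint32_t i = 0; i < size; i++)
        if (!byte_addressable(addr + i))
            return (int)i;
    return -1;
}

/* Consecutive addressable bytes from start: the live allocation size when
 * start is the allocation base. The 4096-byte cap is an assumed bound. */
static uint32_t addressable_run(uint32_t start)
{
    uint32_t n = 0;
    while (n < 4096 && byte_addressable(start + n))
        n++;
    return n;
}

int main(void)
{
    const uint32_t fault = 0xf3e06cbcu;   /* faulting address from the report */
    const uint32_t region = 0xf3e06bc0u;  /* start of the 252-byte region */

    printf("shadow byte for 0x%08x lives at 0x%08x\n", fault, shadow_addr(fault));
    printf("live bytes starting at 0x%08x: %u\n", region, addressable_run(region));
    printf("4-byte read at 0x%08x: first bad byte index %d\n",
           fault, first_bad_byte(fault, 4));
    return 0;
}
```

The computed shadow address 0x3e7c0d97 is the bracketed [04] byte on the "=>" line: 31 fully addressable granules plus 4 bytes of a partial one gives the 252-byte region, and the 4-byte read starting exactly at its end is poisoned from its first byte, which is what "0 bytes to the right of 252-byte region" means. The same arithmetic is useful when triaging any ASan heap report, since it tells you whether the access merely grazes the end of the buffer or runs deep into the redzone.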
