Heap buffer overflow in JPXStream
While fuzzing pdftotext, I located what appears to be a heap buffer overflow in the JPEG / JPEG2000 handling code.
The bug was originally detected in an older version, but I have confirmed it persists on trunk.
ASan error report:
ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf3e06cbc at pc 0xf7d8985a bp 0xffe0c7e8 sp 0xffe0c7dc
READ of size 4 at 0xf3e06cbc thread T0
    #0 0xf7d89859 in JPXStream::init() /poppler-0.64.0/poppler/JPEG2000Stream.cc:265:10
    #1 0xf7d8a016 in JPXStream::getChar() /poppler-0.64.0/poppler/JPEG2000Stream.cc:120:43
    #2 0xf7a0bffe in Object::streamGetChar() const /poppler-0.64.0/poppler/Object.h:405:50
    #3 0xf7a0bffe in Lexer::getChar(bool) /poppler-0.64.0/poppler/Lexer.cc:124
    #4 0xf7a0cba4 in Lexer::getObj(int) /poppler-0.64.0/poppler/Lexer.cc:170:14
    #5 0xf7a6495e in Parser::Parser(XRef*, Lexer*, bool) /poppler-0.64.0/poppler/Parser.cc:54:17
    #6 0xf7864302 in Gfx::display(Object*, bool) /poppler-0.64.0/poppler/Gfx.cc:708:16
    #7 0xf7a5c4f3 in Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /poppler-0.64.0/poppler/Page.cc:560:10
    #8 0xf7a5c103 in Page::display(OutputDev*, double, double, int, bool, bool, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /poppler-0.64.0/poppler/Page.cc:481:3
    #9 0xf7a7410d in PDFDoc::displayPage(OutputDev*, int, double, double, int, bool, bool, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /poppler-0.64.0/poppler/PDFDoc.cc:518:20
    #10 0xf7a7410d in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, bool, bool, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*) /poppler-0.64.0/poppler/PDFDoc.cc:535
    #11 0x817f0eb (/home/felixf/fuzzing/bin/pdf_llvm_asan/i386-linux-gnu/ld-linux.so.2+0x817f0eb)
    #12 0xf7143636 in __libc_start_main (bin/pdf_llvm_asan/i386-linux-gnu/libc.so.6+0x18636)
    #13 0x8062280 (/home/felixf/fuzzing/bin/pdf_llvm_asan/i386-linux-gnu/ld-linux.so.2+0x8062280)

0xf3e06cbc is located 0 bytes to the right of 252-byte region [0xf3e06bc0,0xf3e06cbc)
allocated by thread T0 here:
    #0 0x8132bcf (/home/felixf/fuzzing/bin/pdf_llvm_asan/i386-linux-gnu/ld-linux.so.2+0x8132bcf)
    #1 0xf6f9d558 (bin/pdf_llvm_asan/i386-linux-gnu/libopenjp2.so.7+0x2a558)

SUMMARY: AddressSanitizer: heap-buffer-overflow /poppler-0.64.0/poppler/JPEG2000Stream.cc:265:10 in JPXStream::init()
Shadow bytes around the buggy address:
0x3e7c0d40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3e7c0d50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3e7c0d60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3e7c0d70: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x3e7c0d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x3e7c0d90: 00 00 00 00 00 00 00[04]fa fa fa fa fa fa fa fa
0x3e7c0da0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x3e7c0db0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
0x3e7c0dc0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x3e7c0dd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x3e7c0de0: fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
Attached is an input file that triggers the bug when run through pdftotext.
If you need / would like any additional information, please let me know.
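As an added triage aid, not part of this report and not poppler or openjpeg code: a small Python parser for ASan heap-buffer-overflow reports of the shape shown above. It extracts the access, the region bounds and the symbolised frames of both stacks, cross-checks the address arithmetic ASan printed, and produces a one-line summary. For this report it also observes that a 4-byte READ exactly at the end of a 252-byte region is one element past the end of a 63-element array of 4-byte values, which is an inference about a possible layout of the buffer, not something the report itself states. The sample text is copied from the report above (with the two unsymbolised allocation frames kept to show that they are skipped); the regular expressions assume the standard ASan line layout.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input: crash, region and allocation lines copied from the ASan report above.
SAMPLE_REPORT = """\
ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf3e06cbc at pc 0xf7d8985a bp 0xffe0c7e8 sp 0xffe0c7dc
READ of size 4 at 0xf3e06cbc thread T0
    #0 0xf7d89859 in JPXStream::init() /poppler-0.64.0/poppler/JPEG2000Stream.cc:265:10
    #1 0xf7d8a016 in JPXStream::getChar() /poppler-0.64.0/poppler/JPEG2000Stream.cc:120:43
0xf3e06cbc is located 0 bytes to the right of 252-byte region [0xf3e06bc0,0xf3e06cbc)
allocated by thread T0 here:
    #0 0x8132bcf (/home/felixf/fuzzing/bin/pdf_llvm_asan/i386-linux-gnu/ld-linux.so.2+0x8132bcf)
    #1 0xf6f9d558 (bin/pdf_llvm_asan/i386-linux-gnu/libopenjp2.so.7+0x2a558)
SUMMARY: AddressSanitizer: heap-buffer-overflow /poppler-0.64.0/poppler/JPEG2000Stream.cc:265:10 in JPXStream::init()
"""

ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address 0x(?P<addr>[0-9a-f]+)")
ACCESS_RE = re.compile(r"\b(?P<op>READ|WRITE) of size (?P<size>\d+) at 0x[0-9a-f]+")
REGION_RE = re.compile(r"0x(?P<addr>[0-9a-f]+) is located (?P<dist>\d+) bytes "
                       r"(?P<side>to the right of|to the left of|inside of) "
                       r"(?P<rsize>\d+)-byte region \[0x(?P<lo>[0-9a-f]+),0x(?P<hi>[0-9a-f]+)\)")
# Only symbolised frames ("in func file:line[:col]") are kept; bare "(lib+0xoff)" frames are skipped.
FRAME_RE = re.compile(r"#\d+ 0x[0-9a-f]+ in (?P<func>.+?) (?P<loc>\S+:\d+(?::\d+)?)$")


@dataclass
class Frame:
    func: str
    loc: str


@dataclass
class AsanReport:
    kind: str
    op: str
    access_size: int
    fault_addr: int
    side: str
    distance: int
    region_size: int
    region_lo: int
    region_hi: int
    crash_frames: List[Frame] = field(default_factory=list)
    alloc_frames: List[Frame] = field(default_factory=list)

    def byte_offset(self) -> int:
        """Offset of the faulting access from the start of the region (negative = underflow)."""
        if self.side == "to the right of":
            return self.region_size + self.distance
        return -self.distance if self.side == "to the left of" else self.distance

    def element_index(self) -> Optional[int]:
        """Index of the access if the region were an array of access_size-byte elements."""
        off = self.byte_offset()
        return off // self.access_size if off % self.access_size == 0 else None

    def consistent(self) -> bool:
        """Cross-check the address arithmetic ASan printed (a garbled paste fails here)."""
        if self.region_hi - self.region_lo != self.region_size:
            return False
        if self.side == "to the right of":
            return self.fault_addr == self.region_hi + self.distance
        if self.side == "to the left of":
            return self.fault_addr == self.region_lo - self.distance
        return self.region_lo <= self.fault_addr < self.region_hi


def parse_asan_report(text: str) -> AsanReport:
    """Extract the fault, the region it relates to and both stacks from one ASan report."""
    fields, crash, alloc = {}, [], []
    current = crash  # frames belong to the crash stack until "allocated by"/"freed by"
    for line in text.splitlines():
        line = line.strip()
        if m := ERROR_RE.search(line):
            fields.update(kind=m["kind"], fault_addr=int(m["addr"], 16))
        elif m := ACCESS_RE.search(line):
            fields.update(op=m["op"], access_size=int(m["size"]))
        elif m := REGION_RE.search(line):
            fields.update(side=m["side"], distance=int(m["dist"]), region_size=int(m["rsize"]),
                          region_lo=int(m["lo"], 16), region_hi=int(m["hi"], 16))
        elif line.startswith(("allocated by thread", "freed by thread")):
            current = alloc
        elif line.startswith(("SUMMARY:", "Shadow bytes")):
            break  # nothing below this point is needed for triage
        elif m := FRAME_RE.search(line):
            current.append(Frame(m["func"], m["loc"]))
    missing = {"kind", "fault_addr", "op", "access_size", "side", "distance",
               "region_size", "region_lo", "region_hi"} - set(fields)
    if missing:
        raise ValueError(f"incomplete ASan report, missing {sorted(missing)}")
    return AsanReport(crash_frames=crash, alloc_frames=alloc, **fields)


def summarize(rep: AsanReport) -> str:
    """One-line triage summary usable as a bug title or deduplication key."""
    top = rep.crash_frames[0] if rep.crash_frames else None
    where = f"{top.func} ({top.loc})" if top else "<unsymbolised>"
    idx, arr = rep.element_index(), ""
    if idx is not None and rep.region_size % rep.access_size == 0:
        arr = f"; as {rep.access_size}-byte elements: index {idx} of {rep.region_size // rep.access_size}"
    return (f"{rep.kind}: {rep.op} of {rep.access_size} bytes at byte offset {rep.byte_offset()} "
            f"of a {rep.region_size}-byte region in {where}{arr}")


if __name__ == "__main__":
    print(summarize(parse_asan_report(SAMPLE_REPORT)))
```

Running the script prints the summary for the sample; feeding it a full report copied from a tracker works the same way, since parsing stops at the SUMMARY line and ignores the shadow-byte dump. The consistency check is worth keeping in any dedup pipeline: reports pasted through e-mail or a web form often lose or alter an address, and a report whose arithmetic no longer adds up should not be merged with others on the basis of its numbers alone.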