Segmentation Fault via poppler::embedded_file::size()
Hello, I'm from X41 D-Sec.
During fuzzing of poppler, we have discovered a segmentation fault issue in the embedded files handling.
The segfault can be triggered with the poppler-dump test utility compiled from the current Git HEAD:

./cpp/tests/poppler-dump --show-embedded-files segfault_1.pdf
poppler/error: May not be a PDF file (continuing anyway)
poppler/error: End of file inside dictionary
[...]
poppler/error: Invalid page tree
poppler/error: Invalid FileSpec
UndefinedBehaviorSanitizer:DEADLYSIGNAL
==32514==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000044c8b4 bp 0x7ffc55f4ecb0 sp 0x7ffc55f4ecb0 T32514)
==32514==The signal is caused by a READ memory access.
==32514==Hint: address points to the zero page.
    #0 0x44c8b4 in EmbFile::size() const /poppler/poppler/FileSpec.h:30:31
    #1 0x44c8b4 in poppler::embedded_file::size() const /poppler/cpp/poppler-embedded-file.cpp:99:45
    #2 0x431933 in print_embedded_files(poppler::document*) /poppler/cpp/tests/poppler-dump.cpp:283:111
    #3 0x431933 in main /poppler/cpp/tests/poppler-dump.cpp:496:9
    #4 0x7f33f71f6cc9 in __libc_start_main csu/../csu/libc-start.c:308:16
    #5 0x40a409 in _start (/poppler/build/cpp/tests/poppler-dump+0x40a409)
UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV /poppler/poppler/FileSpec.h:30:31 in EmbFile::size() const
==32514==ABORTING
Minimized reproducer file: segfault_1.pdf
Other programs which make use of the embedded files functionality in poppler might also be affected.