Segmentation Fault via poppler::embedded_file::size()
Hello, I'm from X41 D-Sec.
During fuzzing of poppler, we have discovered a segmentation fault issue in the embedded files handling.
The segfault can be triggered with the poppler-dump test utility compiled from the current Git HEAD:
./cpp/tests/poppler-dump --show-embedded-files segfault_1.pdf
poppler/error: May not be a PDF file (continuing anyway)
poppler/error: End of file inside dictionary
[...]
poppler/error: Invalid page tree
poppler/error: Invalid FileSpec
UndefinedBehaviorSanitizer:DEADLYSIGNAL
==32514==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000044c8b4 bp 0x7ffc55f4ecb0 sp 0x7ffc55f4ecb0 T32514)
==32514==The signal is caused by a READ memory access.
==32514==Hint: address points to the zero page.
#0 0x44c8b4 in EmbFile::size() const /poppler/poppler/FileSpec.h:30:31
#1 0x44c8b4 in poppler::embedded_file::size() const /poppler/cpp/poppler-embedded-file.cpp:99:45
#2 0x431933 in print_embedded_files(poppler::document*) /poppler/cpp/tests/poppler-dump.cpp:283:111
#3 0x431933 in main /poppler/cpp/tests/poppler-dump.cpp:496:9
#4 0x7f33f71f6cc9 in __libc_start_main csu/../csu/libc-start.c:308:16
#5 0x40a409 in _start (/poppler/build/cpp/tests/poppler-dump+0x40a409)
UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV /poppler/poppler/FileSpec.h:30:31 in EmbFile::size() const
==32514==ABORTING
Minimized reproducer file: segfault_1.pdf
Other programs which make use of the embedded files functionality in poppler might also be affected.
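As an added illustration (not poppler's code and not part of the original report), the following constructed C++ model shows the shape of the failure in the trace above: an invalid FileSpec leaves the embedded-file pointer null, an unchecked wrapper dereferences it in size(), and a hardened wrapper refuses to touch the object unless the spec parsed. The EmbFile, FileSpec, parseFileSpec, unchecked_size and checked_size names are hypothetical stand-ins chosen to mirror the trace.

```cpp
// Constructed model of the reported crash pattern; NOT poppler's real code.
#include <cstddef>
#include <memory>
#include <optional>
#include <string>

// Stand-in for the parsed embedded stream; size() reads through the object.
struct EmbFile {
    std::string name;
    long length;                  // byte count taken from the stream dict
    long size() const { return length; }
};

// Stand-in for a FileSpec: when the PDF dictionary is malformed, parsing
// fails, isOk() reports false and the embedded-file pointer stays null.
struct FileSpec {
    bool ok = false;
    std::unique_ptr<EmbFile> file;   // null when the spec is invalid
    bool isOk() const { return ok; }
    const EmbFile* embeddedFile() const { return file.get(); }
};

// Parse a constructed spec: valid only with a non-empty name and Length >= 0.
FileSpec parseFileSpec(const std::string& name, long length) {
    FileSpec spec;
    if (name.empty() || length < 0) return spec;   // invalid: file stays null
    spec.ok = true;
    spec.file = std::make_unique<EmbFile>(EmbFile{name, length});
    return spec;
}

// Unchecked wrapper, the shape of the crash in the trace: size() is called
// through a null EmbFile* whenever the spec was invalid.
long unchecked_size(const FileSpec& spec) {
    return spec.embeddedFile()->size();             // SEGV on an invalid spec
}

// Hardened wrapper: validate before dereferencing and report "no size"
// instead of reading through null, so callers must handle the invalid case.
std::optional<long> checked_size(const FileSpec& spec) {
    if (!spec.isOk() || spec.embeddedFile() == nullptr) return std::nullopt;
    return spec.embeddedFile()->size();
}
```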