recursive function call in function JBIG2Stream::readGenericBitmap()
What is the vulnerability - During our research we found a recursive function call in the function JBIG2Stream::readGenericBitmap(), located in JBIG2Stream.cc in poppler 0.74.0.
Command - : pdfseparate -f 1 -l 2 $POC res-%d.pdf
POC- REPRODUCER
Debug -
GDB -
[ Legend: Modified register | Code | Heap | Stack | String ]
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ registers ]────
$rax : 0x1
$rbx : 0x11
$rcx : 0x619000001500 → 0x004e00330038003d ("="?)
$rdx : 0x0
$rsp : 0x7fffffffb858 → 0x00007ffff6731a83 → <JBIG2Stream::readGenericBitmap(bool,+0> mov DWORD PTR [rbp-0x104], eax
$rbp : 0x7fffffffba10 → 0x00007fffffffbf90 → 0x00007fffffffc1d0 → 0x00007fffffffc200 → 0x00007fffffffc520 → 0x00007fffffffc780 → 0x00007fffffffc910 → 0x00007fffffffca20
$rsi : 0x7
$rdi : 0x2
$rip : 0x7ffff6716411 → <JArithmeticDecoder::decodeBit(unsigned+0> ret
$r8 : 0x5b
$r9 : 0x10007d307e93 → 0xfafafafafafafa02
$r10 : 0x4032
$r11 : 0x202
$r12 : 0x7fffffffb980 → 0x0000000041b58ab3
$r13 : 0xffffffff730 → 0x0000000000000000
$r14 : 0x7fffe97eb800 → 0xffffffffffffffff
$r15 : 0x7fffffffb980 → 0x0000000041b58ab3
$eflags: [zero carry PARITY adjust SIGN trap INTERRUPT direction overflow resume virtualx86 identification]
$ss: 0x002b $fs: 0x0000 $es: 0x0000 $cs: 0x0033 $gs: 0x0000 $ds: 0x0000
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ stack ]────
0x00007fffffffb858│+0x00: 0x00007ffff6731a83 → <JBIG2Stream::readGenericBitmap(bool,+0> mov DWORD PTR [rbp-0x104], eax ← $rsp
0x00007fffffffb860│+0x08: 0x0000000000000000
0x00007fffffffb868│+0x10: 0x00007fffffffbf20 → 0x00000000ffffffd8 → 0x0000000000000000
0x00007fffffffb870│+0x18: 0x00007fffffffbee0 → 0x0000000000000000
0x00007fffffffb878│+0x20: 0x0000000000000000
0x00007fffffffb880│+0x28: 0x0000000000000000
0x00007fffffffb888│+0x30: 0x0000001700000002 → 0x0000000000000000
0x00007fffffffb890│+0x38: 0x0000000000033676
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ code:i386:x86-64 ]────
0x7ffff6716408 <JArithmeticDecoder::decodeBit(unsigned+0> jmp 0x7ffff67162df <JArithmeticDecoder::decodeBit(unsigned int, JArithmeticDecoderStats*)+2579>
0x7ffff671640d <JArithmeticDecoder::decodeBit(unsigned+0> mov eax, DWORD PTR [rbp-0x10]
0x7ffff6716410 <JArithmeticDecoder::decodeBit(unsigned+0> leave
→ 0x7ffff6716411 <JArithmeticDecoder::decodeBit(unsigned+0> ret
↳ 0x7ffff6731a83 <JBIG2Stream::readGenericBitmap(bool,+0> mov DWORD PTR [rbp-0x104], eax
0x7ffff6731a89 <JBIG2Stream::readGenericBitmap(bool,+0> cmp DWORD PTR [rbp-0x104], 0x0
0x7ffff6731a90 <JBIG2Stream::readGenericBitmap(bool,+0> setne al
0x7ffff6731a93 <JBIG2Stream::readGenericBitmap(bool,+0> test al, al
0x7ffff6731a95 <JBIG2Stream::readGenericBitmap(bool,+0> je 0x7ffff6731b48 <JBIG2Stream::readGenericBitmap(bool, int, int, int, bool, bool, JBIG2Bitmap*, int*, int*, int)+21084>
0x7ffff6731a9b <JBIG2Stream::readGenericBitmap(bool,+0> mov rax, QWORD PTR [rbp-0xd0]
──────────────────────────────────────────────────────────────────────────────────────────────────────────────[ source:/home/aceteam/Desktop/packages/poppler-master/poppler/JArithmeticDecoder.cc+230 ]────
225 c <<= 1;
226 --ct;
227 } while (!(a & 0x80000000));
228 }
229 return bit;
→ 230 }
231
232 int JArithmeticDecoder::decodeByte(unsigned int context,
233 JArithmeticDecoderStats *stats) {
234 int byte;
235 int i;
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ threads ]────
[#0] Id 1, Name: "pdfseparate", stopped, reason: SIGINT
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ trace ]────
[#0] 0x7ffff6716411 → Name: JArithmeticDecoder::decodeBit(this=0x604000001a50, context=0xaa, stats=0x602000024bb0)
[#1] 0x7ffff6731a83 → Name: JBIG2Stream::readGenericBitmap(this=0x612000000340, mmr=0x0, w=0x33676, h=0x17, templ=0x2, tpgdOn=0x0, useSkip=0x0, skip=0x0, atx=0x7fffffffbee0, aty=0x7fffffffbf20, mmrDataLength=0x0)
[#2] 0x7ffff6722b0f → Name: JBIG2Stream::readSymbolDictSeg(this=0x612000000340, segNum=0x686c73ac, length=0x7f41d7d0, refSegs=0x0, nRefSegs=0x0)
[#3] 0x7ffff671f5a2 → Name: JBIG2Stream::readSegments(this=0x612000000340)
[#4] 0x7ffff671e351 → Name: JBIG2Stream::reset(this=0x612000000340)
[#5] 0x7ffff68295a5 → Name: XRef::readXRefStream(this=0x6120000001c0, xrefStr=0x612000000340, pos=0x612000000278)
[#6] 0x7ffff68273d3 → Name: XRef::readXRef(this=0x6120000001c0, pos=0x612000000278, followedXRefStm=0x7fffffffc8a0, xrefStreamObjsNum=0x0)
[#7] 0x7ffff6824ab8 → Name: XRef::XRef(this=0x6120000001c0, strA=0x613000000040, pos=0x74, mainXRefEntriesOffsetA=0x0, wasReconstructed=0x7fffffffc970, reconstruct=0x0)
[#8] 0x7ffff676aba3 → Name: PDFDoc::setup(this=0x610000000040, ownerPassword=0x0, userPassword=0x0)
[#9] 0x7ffff676a492 → Name: PDFDoc::PDFDoc(this=0x610000000040, fileNameA=0x60300000e020, ownerPassword=0x0, userPassword=0x0, guiDataA=0x0)