Segmentation fault in JPXStream::readTilePartData(JPXStream.cc:2142)

Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Poppler | Unknown | High | |
poppler (Ubuntu) | Confirmed | Undecided | Unassigned |
Bug Description
Hello,
I've found some vulnerabilities in PDF viewers that use the well-known library named poppler, such as evince, xpdf, okular and so on.
This is my short report, and I used the latest version of poppler (poppler-0.37.0).
Plus, I've attached a finding as a comment below.
To be honest, I already posted this bug on poppler's, and the developer answered the question (https:/
As far as I can tell, all of the software I tested, such as evince, xpdf and okular on an Ubuntu system, has the same problem.
So I'd like to post this issue here.
In detail:
alex@vm64 $ uname -a
Linux vm64 4.2.0-16-generic #19-Ubuntu SMP Thu Oct 8 15:35:06 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
alex@vm64 $ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_
DISTRIB_
DISTRIB_
okular:
Installed: 4:15.08.1-0ubuntu1
Candidate: 4:15.08.1-0ubuntu1
Version table:
*** 4:15.08.1-0ubuntu1 0
500 http://
100 /var/lib/
xpdf:
Installed: 3.03-17ubuntu2
Candidate: 3.03-17ubuntu2
Version table:
*** 3.03-17ubuntu2 0
500 http://
100 /var/lib/
evince:
Installed: 3.16.1-0ubuntu1
Candidate: 3.16.1-0ubuntu1
Version table:
*** 3.16.1-0ubuntu1 0
500 http://
100 /var/lib/
libpoppler-dev:
Installed: 0.33.0-0ubuntu3
Candidate: 0.33.0-0ubuntu3
Version table:
*** 0.33.0-0ubuntu3 0
500 http://
100 /var/lib/
+ I used the latest version of poppler too.
Application: Okular (okular), signal: Segmentation fault
Using host libthread_db library "/lib/x86_
pthread_
[Current thread is 1 (Thread 0x7f640ae42840 (LWP 6180))]
Thread 4 (Thread 0x7f63f36f1700 (LWP 6184)):
#0 0x00007f6407db6743 in select () at ../sysdeps/
#1 0x00007f64087ed51f in ?? () from /usr/lib/
#2 0x00007f6408702d1c in ?? () from /usr/lib/
#3 0x00007f640537c6aa in start_thread (arg=0x7f63f36f
#4 0x00007f6407dbfeed in clone () at ../sysdeps/
Thread 3 (Thread 0x7f63f253c700 (LWP 6200)):
[KCrash Handler]
#6 0x00007f63f25f5619 in JPXStream:
#7 0x00007f63f25f6b73 in JPXStream:
#8 0x00007f63f25f7a77 in JPXStream:
#9 0x00007f63f25f9c95 in JPXStream:
#10 0x00007f63f25fa0d6 in JPXStream::reset() () from /usr/lib/
#11 0x00007f63f25edbf9 in SplashOutputDev
#12 0x00007f63f26419ca in Gfx::doImage(
#13 0x00007f63f2642ce8 in Gfx::opXObject(
#14 0x00007f63f263cffe in Gfx::go(bool) () from /usr/lib/
#15 0x00007f63f263d4a0 in Gfx::display(
#16 0x00007f63f2683255 in Page::displaySl
#17 0x00007f63f29dadc6 in Poppler:
#18 0x00007f63f2c2be74 in ?? () from /usr/lib/
#19 0x00007f63f738c613 in ?? () from /usr/lib/
#20 0x00007f6408702d1c in ?? () from /usr/lib/
#21 0x00007f640537c6aa in start_thread (arg=0x7f63f253
#22 0x00007f6407dbfeed in clone () at ../sysdeps/
Thread 2 (Thread 0x7f63f1d3b700 (LWP 6201)):
#0 syscall () at ../sysdeps/
#1 0x00007f6408701622 in ?? () from /usr/lib/
#2 0x00007f64086fd8e5 in QMutex:
#3 0x00007f63f2c2acf4 in ?? () from /usr/lib/
#4 0x00007f63f738bf12 in ?? () from /usr/lib/
#5 0x00007f6408702d1c in ?? () from /usr/lib/
#6 0x00007f640537c6aa in start_thread (arg=0x7f63f1d3
#7 0x00007f6407dbfeed in clone () at ../sysdeps/
Thread 1 (Thread 0x7f640ae42840 (LWP 6180)):
#0 pthread_
#1 0x00007f6408703286 in QWaitCondition:
#2 0x00007f64087028ae in QThread:
#3 0x00007f64087ed0ad in ?? () from /usr/lib/
#4 0x00007f6407cf2d32 in __run_exit_handlers (status=1, listp=0x7f64080
#5 0x00007f6407cf2d85 in __GI_exit (status=<optimized out>) at exit.c:104
#6 0x00007f640928e6a8 in ?? () from /usr/lib/
#7 0x00007f6409f83370 in KApplication:
#8 0x00007f64071cbcee in _XIOError () from /usr/lib/
#9 0x00007f64071c957d in _XEventsQueued () from /usr/lib/
#10 0x00007f64071a5832 in XCheckIfEvent () from /usr/lib/
#11 0x00007f64092923e9 in ?? () from /usr/lib/
#12 0x00007f64092a26eb in QApplication:
#13 0x00007f64092ccb52 in ?? () from /usr/lib/
#14 0x00007f6404e96ff7 in g_main_
#15 0x00007f6404e97250 in ?? () from /lib/x86_
#16 0x00007f6404e972fc in g_main_
#17 0x00007f64088431ee in QEventDispatche
#18 0x00007f64092ccc26 in ?? () from /usr/lib/
#19 0x00007f64088110d1 in QEventLoop:
#20 0x00007f6408811445 in QEventLoop:
#21 0x00007f6408817429 in QCoreApplicatio
#22 0x0000000000409878 in ?? ()
#23 0x00007f6407cd9a40 in __libc_start_main (main=0x409430, argc=2, argv=0x7ffd3a61
#24 0x000000000040b4a9 in _start ()
evince 3.16.1 / xpdf version 3.03
*******
Segmentation fault
*******
crashed file: fuzz_id_
Register dump:
RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000
RDX: 0000000000000006 RSI: 0000000000000002 RDI: 0000000000000000
RBP: 0000000000000000 R8 : 0000000000000000 R9 : 0000000000000006
R10: 0000000000000070 R11: 0000000000000000 R12: 00000000014af420
R13: 00000000000018d2 R14: 00000000014af420 R15: 00000000014d7600
RSP: 00007ffdede2b6b0
RIP: 00007f28d94be0df EFLAGS: 00010246
CS: 0033 FS: 0000 GS: 0000
Trap: 0000000e Error: 00000004 OldMask: 00000000 CR2: 00000010
stack trace:
0x00007ffdede2b6b0: 10 fa 4a 01 00 00 00 00 00 00 00 00 00 00 00 00 ..J.............
0x00007ffdede2b6c0: 20 f4 4a 01 00 00 00 00 50 dc 4b 01 00 00 00 00 .J.....P.K.....
0x00007ffdede2b6d0: 14 b7 e2 ed fd 7f 00 00 03 00 00 00 01 00 00 00 ................
0x00007ffdede2b6e0: 90 d2 4b 01 00 00 00 00 00 00 00 00 01 00 00 00 ..K.............
0x00007ffdede2b6f0: 01 00 00 00 00 00 00 00 20 f4 4a 01 00 00 00 00 ........ .J.....
0x00007ffdede2b700: a0 41 54 01 00 00 00 00 01 00 00 00 00 00 00 00 .AT.............
0x00007ffdede2b710: d0 52 54 01 01 00 00 00 00 48 38 da c1 7a d9 ac .RT......H8..z..
0x00007ffdede2b720: 90 96 54 01 00 00 00 00 10 fa 4a 01 00 00 00 00 ..T.......J.....
Backtrace:
0x00007f28e4d22cc0: [catch_
0x00007f28e3512d10: [__restore_rt():0]
0x00007f28d94be0df: [_ZN9JPXStream1
0x00007f28d94bf688: [_ZN9JPXStream1
0x00007f28d94c1278: [_ZN9JPXStream1
0x00007f28d94c3ff1: [_ZN9JPXStream9
0x00007f28d94c4766: [_ZN9JPXStream5
0x00007f28d9c8d753: [_ZN14CairoOutp
0x00007f28d950ce45: [_ZN3Gfx7doImag
0x00007f28d950e143: [_ZN3Gfx9opXObj
0x00007f28d9508058: [_ZN3Gfx2goEb(
0x00007f28d9508558: [_ZN3Gfx7displa
0x00007f28d9550dc5: [_ZN4Page12disp
0x00007f28d9c76522: [poppler_
0x00007f28d9eb5ad3: [_init():13019]
0x00007f28d9eb616e: [_init():14710]
0x0000000000401a90: [_init():2368]
0x000000000040172d: [_init():1501]
0x00007f28e3158a40: [__libc_
0x00000000004018a9: [_init():1881]
Disassemble:
0x00007f28d94be0df: add rax, qword ptr [rdi + 0x10]
0x00007f28d94be0e3: mov r11d, dword ptr [rax + 0x14]
0x00007f28d94be0e7: test r11d, r11d
0x00007f28d94be0ea: je 0x7f28d94be25d
0x00007f28d94be0f0: mov r8d, dword ptr [rax + 0x10]
0x00007f28d94be0f4: mov r13, qword ptr [rsp]
0x00007f28d94be0f8: mov r15, r14
HASHTAG: 8DBAE794E10FF8F
Thanks
-Alex
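The register dump, trap information and disassembly above are enough to classify the fault before anyone reads JPXStream.cc. The following triage script is an added example; it is not part of the report and not poppler code. It parses the dump format shown in the report (the sample input is copied from the lines above), computes the effective address of the faulting instruction's memory operand, checks it against CR2, decodes the x86 page-fault error code, and treats any CR2 below an assumed 0x1000 threshold as a NULL-page access. It only understands simple `[reg ± disp]` operands, which is all the report's faulting instruction uses.

```python
import re

# Crash-dump excerpt copied from the report above (register dump, trap info and
# the faulting instruction). It is the parser's sample input, not new data.
REPORT = """\
RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000
RDX: 0000000000000006 RSI: 0000000000000002 RDI: 0000000000000000
RBP: 0000000000000000 R8 : 0000000000000000 R9 : 0000000000000006
R10: 0000000000000070 R11: 0000000000000000 R12: 00000000014af420
R13: 00000000000018d2 R14: 00000000014af420 R15: 00000000014d7600
RSP: 00007ffdede2b6b0
RIP: 00007f28d94be0df EFLAGS: 00010246
Trap: 0000000e Error: 00000004 OldMask: 00000000 CR2: 00000010
Disassemble:
0x00007f28d94be0df: add rax, qword ptr [rdi + 0x10]
"""

# NAME: HEX pairs as printed by the dump (uppercase register names, "R8 :" included).
REG_RE = re.compile(r"\b(R[A-Z0-9]{1,2}|RIP|CR2|Error|Trap)\s*:\s*([0-9a-fA-F]{8,16})")
# Simple Intel-syntax memory operand: [reg], [reg + 0x..] or [reg - 0x..].
MEM_RE = re.compile(r"\[\s*(r[a-z0-9]+)\s*(?:([+-])\s*0x([0-9a-fA-F]+))?\s*\]")


def parse_registers(text):
    """Return {NAME: int} for every NAME: HEX pair found in the dump."""
    return {name.upper(): int(value, 16) for name, value in REG_RE.findall(text)}


def faulting_instruction(text, rip):
    """Return the disassembly text of the instruction at RIP, or None."""
    for line in text.splitlines():
        m = re.match(r"0x([0-9a-fA-F]+):\s*(.+)", line)
        if m and int(m.group(1), 16) == rip:
            return m.group(2).strip()
    return None


def memory_operand_address(insn, regs):
    """Compute the effective address of a [reg +/- disp] operand from the dump's registers."""
    m = MEM_RE.search(insn)
    if not m:
        return None
    base = regs[m.group(1).upper()]
    disp = int(m.group(3), 16) if m.group(3) else 0
    return base - disp if m.group(2) == "-" else base + disp


def decode_page_fault(error_code):
    """Decode the x86 #PF error-code bits that matter for triage."""
    return {
        "present": bool(error_code & 1),  # 0: the page was not mapped at all
        "write": bool(error_code & 2),    # 0: read access, 1: write access
        "user": bool(error_code & 4),     # 1: the fault was raised from user mode
    }


def triage(text, null_page_limit=0x1000):
    """Classify the crash from the dump text; null_page_limit is an assumed threshold."""
    regs = parse_registers(text)
    insn = faulting_instruction(text, regs["RIP"])
    ea = memory_operand_address(insn, regs) if insn else None
    pf = decode_page_fault(regs["ERROR"])
    kind = "write" if pf["write"] else "read"
    if regs["TRAP"] != 0x0E:
        cls = "not a page fault"
    elif regs["CR2"] < null_page_limit:
        cls = f"null-pointer {kind} (offset 0x{regs['CR2']:x} from NULL)"
    else:
        cls = f"invalid {kind} at 0x{regs['CR2']:x}"
    return {
        "instruction": insn,
        "effective_address": ea,
        "matches_cr2": ea == regs["CR2"],   # operand address agrees with the fault address
        "fault": pf,
        "classification": cls,
    }


if __name__ == "__main__":
    for key, value in triage(REPORT).items():
        print(f"{key}: {value}")
```

For the report's dump this yields a user-mode read of an unmapped page at 0x10, produced by `add rax, qword ptr [rdi + 0x10]` with RDI equal to zero: a NULL-derived read rather than a write, which is the distinction a maintainer wants first when deciding how urgently a fuzzer finding must be looked at.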
information type: Private Security → Public Security
Changed in poppler (Ubuntu):
status: New → Confirmed
Changed in poppler:
importance: Unknown → High
status: Unknown → Confirmed
Changed in poppler:
status: Confirmed → Unknown
Created attachment 118861
Use of this file could lead to a crash in the products using the poppler library
Hello,
I've found some vulnerabilities in PDF viewers that use the well-known library named poppler, such as evince, xpdf, okular and so on.
This is my short report, and I used the latest version of poppler (poppler-0.37.0).
Plus, I've attached some findings.
Thanks
-Alex
In detail:
alex@vm64:$ LD_LIBRARY_PATH=/usr/local/lib gdb --args ./evince ~/hack/project/fuzzer/testcases/pdf/JPXDecode/fuzz_id_27683_OliviaOil_24.pdf.tc_bf1_pos_3460_size_1
GNU gdb (Ubuntu 7.10-1ubuntu2) 7.10
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./evince...done.
gdb$ r
Starting program: /home/alex/hack/project/evince/evince-3.18.0/shell/.libs/evince /home/alex/hack/project/fuzzer/testcases/pdf/JPXDecode/fuzz_id_27683_OliviaOil_24.pdf.tc_bf1_pos_3460_size_1
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7fffece5e700 (LWP 17556)]
[New Thread 0x7fffec65d700 (LWP 17557)]
[New Thread 0x7fffebe5c700 (LWP 17558)]
[New Thread 0x7fffeb038700 (LWP 17563)]
[New Thread 0x7fffe9a4e700 (LWP 17564)]
[New Thread 0x7fffda2ab700 (LWP 17565)]
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffe9a4e700 (LWP 17564)]
-----------------------------------------------------------------------------------------------------------------------[regs]
RAX: 0x0000000000000000 RBX: 0x0000000000000000 RBP: 0x00007FFFD005DA40 RSP: 0x00007FFFE9A4CF50 o d I t s z A p c
RDI: 0x00007FFFD0042BA0 RSI: 0x0000000000000000 RDX: 0x0000000000000018 RCX: 0x0000000000000001 RIP: 0x00007FFFE8A04C49
R8 : 0x0000000000000000 R9 : 0x0000000000000006 R10: 0x00000000000000A8 R11: 0x00007FFFD005DAB0 R12: 0x00007FFFD0042850
R13: 0x00007FFFD005A0E0 R14: 0x00007FFFD005DAB0 R15: 0x0000000000001923
CS: 0033 DS: 0000 ES: 0000 FS: 0000 GS: 0000 SS: 002B
[0x002B:0x00007FFFE9A4CF50]--------------------------------------------------------------------------------------------[stack]
0x00007FFFE9A4CFA0 : 01 00 00 00 FF 7F 00 00 - 01 00 00 00 FF 7F 00 00 ................
0x00007FFFE9A4CF90 : 00 00 00 00 03 00 00 00 - 01 00 00 00 FF 7F 00 00 ................
0x00007FFFE9A4CF80 : 50 A1 05 D0 FF 7F 00 00 - 90 BA 06 D0 FF 7F 00 00 P...............
0x00007FFFE9A4CF70 : B4 CF A4 E9 FF 7F 00 00 - 03 00 00 00 00 00 00 00 ................
0x00007FFFE9A4CF60 : 50 28 04 D0 FF 7F 00 00 - 80 C2 05 D0 FF 7F 00 00 P(..............
0x00007FFFE9A4CF50 : 4...