Out-of-bounds read during processing of a password-protected PDF file
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
poppler (Ubuntu) | Confirmed | Low | Unassigned |
Bug Description
# Description
During processing of the attached PDF file via
```
pdftotext -upw USERPASS -opw OWNERPASS $PWD/testcase /tmp/out.txt
```
an out-of-bounds read happens. Since I was unable to reproduce this bug
on the most recent upstream commit (b3f93644de4941
This bug allows an attacker to perform a denial of service and possibly opens up other attack vectors.
To reproduce the crash, we provide the following script alongside the crashing input:
- ./reproduce-
If you need further details, we are happy to answer all questions.
# apt show poppler-utils
Package: poppler-utils
Version: 0.86.1-0ubuntu1
Priority: optional
Section: utils
Source: poppler
Origin: Ubuntu
Maintainer: Ubuntu Developers <email address hidden>
Original-
Bugs: https:/
Installed-Size: 754 kB
Provides: pdftohtml, xpdf-utils
Depends: libpoppler97 (= 0.86.1-0ubuntu1), libc6 (>= 2.14), libcairo2 (>= 1.12.0), libfreetype6 (>= 2.2.1), liblcms2-2 (>= 2.2+git20110628), libstdc++6 (>= 5.2)
Conflicts: pdftohtml
Breaks: xpdf-common, xpdf-utils (<< 1:0)
Replaces: pdftohtml, xpdf-reader, xpdf-utils (<< 3.02-2~)
Homepage: http://
Task: print-server, ubuntu-
Download-Size: 174 kB
APT-Manual-
APT-Sources: http://
Description: PDF utilities (based on Poppler)
# valgrind Ubuntu
==1== Memcheck, a memory error detector
==1== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==1== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
==1== Command: pdftotext -upw USERPASS -opw OWNERPASS /testcase /tmp/out.txt
==1==
Syntax Error (409): Dictionary key must be a name object
Syntax Error (796): Illegal character <29> in hex string
Syntax Error (798): Illegal character <14> in hex string
Syntax Error (799): Illegal character <d3> in hex string
Syntax Error (800): Illegal character <d7> in hex string
Syntax Error (801): Illegal character <8a> in hex string
Syntax Error (860): Illegal character <58> in hex string
Unimplemented Feature: Unsupported version/revision (1/0) of Standard security handler
==1== Invalid read of size 8
==1== at 0x498F758: FilterStream:
==1== by 0x4A0B4A9: Parser:
==1== by 0x4A0BE3D: Parser:
==1== by 0x49EE0AE: Hints::
==1== by 0x4A0C949: PDFDoc:
==1== by 0x4A0E4A9: PDFDoc:
==1== by 0x4A0E88C: PDFDoc:
==1== by 0x4A0E9E1: PDFDoc:
==1== by 0x10C57F: main (pdftotext.cc:400)
==1== Address 0x600000005ad8fc0 is not stack'd, malloc'd or (recently) free'd
==1==
==1==
==1== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==1== General Protection Fault
==1== at 0x498F758: FilterStream:
==1== by 0x4A0B4A9: Parser:
==1== by 0x4A0BE3D: Parser:
==1== by 0x49EE0AE: Hints::
==1== by 0x4A0C949: PDFDoc:
==1== by 0x4A0E4A9: PDFDoc:
==1== by 0x4A0E88C: PDFDoc:
==1== by 0x4A0E9E1: PDFDoc:
==1== by 0x10C57F: main (pdftotext.cc:400)
==1==
==1== HEAP SUMMARY:
==1== in use at exit: 389,676 bytes in 5,022 blocks
==1== total heap usage: 5,512 allocs, 490 frees, 904,123 bytes allocated
==1==
==1== LEAK SUMMARY:
==1== definitely lost: 72 bytes in 1 blocks
==1== indirectly lost: 0 bytes in 0 blocks
==1== possibly lost: 0 bytes in 0 blocks
==1== still reachable: 389,604 bytes in 5,021 blocks
==1== suppressed: 0 bytes in 0 blocks
==1== Rerun with --leak-check=full to see details of leaked memory
==1==
==1== For lists of detected and suppressed errors, rerun with: -s
==1== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
valgrind: the 'impossible' happened:
main(): signal was supposed to be fatal
host stacktrace:
==1== at 0x58046FFA: ??? (in /usr/lib/
==1== by 0x58047127: ??? (in /usr/lib/
==1== by 0x58047390: ??? (in /usr/lib/
==1== by 0x580473C0: ??? (in /usr/lib/
==1== by 0x580BA566: ??? (in /usr/lib/
==1== by 0x580F6117: ??? (in /usr/lib/
sched status:
running_tid=1
affects: unzip (Ubuntu) → poppler (Ubuntu)
description: updated
description: updated
Changed in poppler (Ubuntu):
status: New → Confirmed
importance: Undecided → Low