Ubuntu
poppler package

  1. Bug #1505858
  2. Comment #2

Comment 2 for bug 1505858

Revision history for this message
In , Saintlinu (saintlinu) wrote :

Created attachment 118861
Use of this file could lead to crash the products using poppler library

Hello,

I've found some vulnerabilities in pdf viewers using famous library named poppler such as evince, xpdf, okular and so on.

This is my short report and I used latest version of poppler (poppler-0.37.0).
Plus I've attached some findings.

Thanks
-Alex

in details:

alex@vm64:$ LD_LIBRARY_PATH=/usr/local/lib gdb --args ./evince ~/hack/project/fuzzer/testcases/pdf/JPXDecode/fuzz_id_27683_OliviaOil_24.pdf.tc_bf1_pos_3460_size_1
GNU gdb (Ubuntu 7.10-1ubuntu2) 7.10
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./evince...done.
gdb$ r
Starting program: /home/alex/hack/project/evince/evince-3.18.0/shell/.libs/evince /home/alex/hack/project/fuzzer/testcases/pdf/JPXDecode/fuzz_id_27683_OliviaOil_24.pdf.tc_bf1_pos_3460_size_1
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7fffece5e700 (LWP 17556)]
[New Thread 0x7fffec65d700 (LWP 17557)]
[New Thread 0x7fffebe5c700 (LWP 17558)]
[New Thread 0x7fffeb038700 (LWP 17563)]
[New Thread 0x7fffe9a4e700 (LWP 17564)]
[New Thread 0x7fffda2ab700 (LWP 17565)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffe9a4e700 (LWP 17564)]
-----------------------------------------------------------------------------------------------------------------------[regs]
  RAX: 0x0000000000000000 RBX: 0x0000000000000000 RBP: 0x00007FFFD005DA40 RSP: 0x00007FFFE9A4CF50 o d I t s z A p c
  RDI: 0x00007FFFD0042BA0 RSI: 0x0000000000000000 RDX: 0x0000000000000018 RCX: 0x0000000000000001 RIP: 0x00007FFFE8A04C49
  R8 : 0x0000000000000000 R9 : 0x0000000000000006 R10: 0x00000000000000A8 R11: 0x00007FFFD005DAB0 R12: 0x00007FFFD0042850
  R13: 0x00007FFFD005A0E0 R14: 0x00007FFFD005DAB0 R15: 0x0000000000001923
  CS: 0033 DS: 0000 ES: 0000 FS: 0000 GS: 0000 SS: 002B
[0x002B:0x00007FFFE9A4CF50]-------------------------------------------------------------------------------------------[stack]
0x00007FFFE9A4CFA0 : 01 00 00 00 FF 7F 00 00 - 01 00 00 00 FF 7F 00 00 ................
0x00007FFFE9A4CF90 : 00 00 00 00 03 00 00 00 - 01 00 00 00 FF 7F 00 00 ................
0x00007FFFE9A4CF80 : 50 A1 05 D0 FF 7F 00 00 - 90 BA 06 D0 FF 7F 00 00 P...............
0x00007FFFE9A4CF70 : B4 CF A4 E9 FF 7F 00 00 - 03 00 00 00 00 00 00 00 ................
0x00007FFFE9A4CF60 : 50 28 04 D0 FF 7F 00 00 - 80 C2 05 D0 FF 7F 00 00 P(..............
0x00007FFFE9A4CF50 : 40 2D 04 D0 FF 7F 00 00 - 00 00 00 00 00 00 00 00 @-..............
-----------------------------------------------------------------------------------------------------------------------[code]
=> 0x7fffe8a04c49 <JPXStream::readTilePartData(unsigned int, unsigned int, bool)+265>: mov rbp,QWORD PTR [rax+0x10]
   0x7fffe8a04c4d <JPXStream::readTilePartData(unsigned int, unsigned int, bool)+269>: lea r11,[rbp+rbx*1+0x0]
   0x7fffe8a04c52 <JPXStream::readTilePartData(unsigned int, unsigned int, bool)+274>: mov r9d,DWORD PTR [r11+0x14]
   0x7fffe8a04c56 <JPXStream::readTilePartData(unsigned int, unsigned int, bool)+278>: test r9d,r9d
   0x7fffe8a04c59 <JPXStream::readTilePartData(unsigned int, unsigned int, bool)+281>: je 0x7fffe8a04ca3 <JPXStream::readTilePartData(unsigned int, unsigned int, bool)+355>
   0x7fffe8a04c5b <JPXStream::readTilePartData(unsigned int, unsigned int, bool)+283>: mov r8d,DWORD PTR [r11+0x10]
   0x7fffe8a04c5f <JPXStream::readTilePartData(unsigned int, unsigned int, bool)+287>: xor eax,eax
   0x7fffe8a04c61 <JPXStream::readTilePartData(unsigned int, unsigned int, bool)+289>: xor edi,edi
-----------------------------------------------------------------------------------------------------------------------------
0x00007fffe8a04c49 in JPXStream::readTilePartData (this=this@entry=0x7fffd0042d40, tileIdx=<optimized out>, tilePartLen=0x1923, tilePartToEOC=tilePartToEOC@entry=0x0) at JPXStream.cc:2142
2142 if (!bits) {

gdb$ bt
#0 0x00007fffe8a04c49 in JPXStream::readTilePartData (this=this@entry=0x7fffd0042d40, tileIdx=<optimized out>, tilePartLen=0x1923, tilePartToEOC=tilePartToEOC@entry=0x0) at JPXStream.cc:2142
#1 0x00007fffe8a05f89 in JPXStream::readTilePart (this=this@entry=0x7fffd0042d40) at JPXStream.cc:2100
#2 0x00007fffe8a06f17 in JPXStream::readCodestream (this=this@entry=0x7fffd0042d40, len=<optimized out>) at JPXStream.cc:1488
#3 0x00007fffe8a08df1 in JPXStream::readBoxes (this=this@entry=0x7fffd0042d40) at JPXStream.cc:780
#4 0x00007fffe8a09036 in JPXStream::reset (this=0x7fffd0042d40) at JPXStream.cc:275
#5 0x00007fffe8e1c812 in RescaleDrawImage::getSourceImage (this=this@entry=0x7fffe9a4d310, str=str@entry=0x7fffd0042d40, widthA=widthA@entry=0x66, height=height@entry=0xf1, scaledWidth=0x2f9, scaledHeight=0x6fd, printing=0x0, colorMapA=0x7fffd0042f30, maskColorsA=0x0) at CairoOutputDev.cc:2881
#6 0x00007fffe8e1ae21 in CairoOutputDev::drawImage (this=0x7fffd003e030, state=0x7fffd00421c0, ref=0x7fffe9a4d640, str=0x7fffd0042d40, widthA=0x66, heightA=0xf1, colorMap=0x7fffd0042f30, interpolate=0x0, maskColors=0x0, inlineImg=0x0) at CairoOutputDev.cc:3028
#7 0x00007fffe8a4ba9e in Gfx::doImage (this=this@entry=0x7fffd0041f60, ref=ref@entry=0x7fffe9a4d640, str=0x7fffd0042d40, inlineImg=inlineImg@entry=0x0) at Gfx.cc:4663
#8 0x00007fffe8a4c6af in Gfx::opXObject (this=0x7fffd0041f60, args=<optimized out>, numArgs=<optimized out>) at Gfx.cc:4189
#9 0x00007fffe8a46f26 in Gfx::go (this=this@entry=0x7fffd0041f60, topLevel=topLevel@entry=0x1) at Gfx.cc:763
#10 0x00007fffe8a47409 in Gfx::display (this=this@entry=0x7fffd0041f60, obj=obj@entry=0x7fffe9a4da40, topLevel=topLevel@entry=0x1) at Gfx.cc:729
#11 0x00007fffe8a85c28 in Page::displaySlice (this=0x7fffd00407e0, out=out@entry=0x7fffd003e030, hDPI=hDPI@entry=72, vDPI=vDPI@entry=72, rotate=rotate@entry=0x0, useMediaBox=useMediaBox@entry=0x0, crop=crop@entry=0x1, sliceX=sliceX@entry=0xffffffff, sliceY=0xffffffff, sliceW=0xffffffff, sliceH=0xffffffff, printing=0x0, abortCheckCbk=0x0, abortCheckCbkData=0x0, annotDisplayDecideCbk=0x0, annotDisplayDecideCbkData=0x0, copyXRef=0x0) at Page.cc:599
#12 0x00007fffe8e03ace in _poppler_page_render (page=0xa8c6c0, cairo=0xa30510, printing=<optimized out>, print_flags=<optimized out>) at poppler-page.cc:362
#13 0x00007fffe90450b3 in pdf_page_render (page=page@entry=0xa8c6c0, width=0x2f9, height=0x6fd, rc=rc@entry=0xa8c700) at /build/buildd/evince-3.16.1/./backend/pdf/ev-poppler.cc:415
#14 0x00007fffe90452f1 in pdf_document_render (document=<optimized out>, rc=0xa8c700) at /build/buildd/evince-3.16.1/./backend/pdf/ev-poppler.cc:442
#15 0x00007ffff7968832 in ev_job_render_run (job=0xb49bc0) at /build/buildd/evince-3.16.1/./libview/ev-jobs.c:638
#16 0x00007ffff796a68a in ev_job_thread (job=0xb49bc0) at /build/buildd/evince-3.16.1/./libview/ev-job-scheduler.c:184
#17 ev_job_thread_proxy (data=<optimized out>) at /build/buildd/evince-3.16.1/./libview/ev-job-scheduler.c:217
#18 0x00007ffff5714965 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#19 0x00007ffff51856aa in start_thread (arg=0x7fffe9a4e700) at pthread_create.c:333
#20 0x00007ffff4ebaeed in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109