CVE-2022-38334: stack-overflow by Xpdf4.04 - forum.xpdfreader.com
XPDF v4.04 was discovered to contain a stack overflow via the function Catalog::countPageTree() at Catalog.cc.
Hi, I used AFL++ to fuzz xpdf 4.04 and found that the Catalog::countPageTree() function in Catalog.cc may cause recursion issues via a crafted file.
gdb --args pdftopng crashfile output/
Syntax Error (1262): Dictionary key must be a name object
Syntax Error (1265): Dictionary key must be a name object
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x5f8fd980549df300
RBX: 0x7fffff7ff050 --> 0x7fffff7ff060 --> 0x7ffff6ef6b41 (<malloc+193>: mov r15,rax)
RCX: 0x7fffff7ff000 --> 0x0
RDX: 0x7fffff7ff8a0 --> 0xffffffffffffff90
RSI: 0x7fffff7ff050 --> 0x7fffff7ff060 --> 0x7ffff6ef6b41 (<malloc+193>: mov r15,rax)
RDI: 0x7
RBP: 0x7fffff7ff050 --> 0x7fffff7ff060 --> 0x7ffff6ef6b41 (<malloc+193>: mov r15,rax)
RSP: 0x7fffff7fefc0
RIP: 0x7ffff6e3fced (mov QWORD PTR [rsp+0x38],rax)
R8 : 0x1
R9 : 0x1e
R10: 0x7ffff7fc3000 --> 0x7ffff7fef000 --> 0x7ffff7168698 --> 0x7ffff6f07080 (repz ret)
R11: 0x555555b47069 (<gmalloc(int)+233>: test rax,rax)
R12: 0x7
R13: 0x1
R14: 0x7
R15: 0x7ffff6ef6b41 (<malloc+193>: mov r15,rax)
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x7ffff6e3fcdd: mov rbp,rsi
0x7ffff6e3fce0: sub rsp,0x48
0x7ffff6e3fce4: mov rax,QWORD PTR fs:0x28
=> 0x7ffff6e3fced: mov QWORD PTR [rsp+0x38],rax
0x7ffff6e3fcf2: xor eax,eax
0x7ffff6e3fcf4: lea rax,[rip+0x540f21] # 0x7ffff7380c1c
0x7ffff6e3fcfb: mov ecx,DWORD PTR [rax]
0x7ffff6e3fcfd: test ecx,ecx
[------------------------------------stack-------------------------------------]
Invalid $SP address: 0x7fffff7fefc0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00007ffff6e3fced in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.4
bt
#29095 0x000055555577c369 in Catalog::countPageTree (this=this@entry=0x612000000040, pagesObj=pagesObj@entry=0x7fffffffcdd0) at /home/hekun/xpdf-4.04/xpdf/Catalog.cc:567
#29096 0x000055555577c369 in Catalog::countPageTree (this=this@entry=0x612000000040, pagesObj=pagesObj@entry=0x7fffffffcef0) at /home/hekun/xpdf-4.04/xpdf/Catalog.cc:567
#29097 0x000055555577c369 in Catalog::countPageTree (this=this@entry=0x612000000040, pagesObj=pagesObj@entry=0x7fffffffd010) at /home/hekun/xpdf-4.04/xpdf/Catalog.cc:567
#29098 0x000055555577c369 in Catalog::countPageTree (this=this@entry=0x612000000040, pagesObj=pagesObj@entry=0x7fffffffd130) at /home/hekun/xpdf-4.04/xpdf/Catalog.cc:567
#29099 0x000055555577c369 in Catalog::countPageTree (this=this@entry=0x612000000040, pagesObj=pagesObj@entry=0x7fffffffd250) at /home/hekun/xpdf-4.04/xpdf/Catalog.cc:567
#29100 0x000055555577c369 in Catalog::countPageTree (this=this@entry=0x612000000040, pagesObj=pagesObj@entry=0x7fffffffd370) at /home/hekun/xpdf-4.04/xpdf/Catalog.cc:567
#29101 0x000055555577c369 in Catalog::countPageTree (this=this@entry=0x612000000040, pagesObj=pagesObj@entry=0x7fffffffd490) at /home/hekun/xpdf-4.04/xpdf/Catalog.cc:567
#29102 0x000055555577c369 in Catalog::countPageTree (this=this@entry=0x612000000040, pagesObj=pagesObj@entry=0x7fffffffd5b0) at /home/hekun/xpdf-4.04/xpdf/Catalog.cc:567
#29103 0x000055555577c369 in Catalog::countPageTree (this=this@entry=0x612000000040, pagesObj=pagesObj@entry=0x7fffffffd6d0) at /home/hekun/xpdf-4.04/xpdf/Catalog.cc:567
#29104 0x000055555577c369 in Catalog::countPageTree (this=this@entry=0x612000000040, pagesObj=pagesObj@entry=0x7fffffffd820) at /home/hekun/xpdf-4.04/xpdf/Catalog.cc:567
#29105 0x000055555577d9a8 in Catalog::readPageTree (this=this@entry=0x612000000040, catDict=catDict@entry=0x7fffffffd980) at /home/hekun/xpdf-4.04/xpdf/Catalog.cc:529
#29106 0x0000555555789d11 in Catalog::Catalog (this=0x612000000040, docA=<optimized out>) at /home/hekun/xpdf-4.04/xpdf/Catalog.cc:175
#29107 0x0000555555a6141e in PDFDoc::setup2 (this=this@entry=0x607000000090, ownerPassword=ownerPassword@entry=0x0, userPassword=userPassword@entry=0x0, repairXRef=repairXRef@entry=0x1) at /home/hekun/xpdf-4.04/xpdf/PDFDoc.cc:318
#29108 0x0000555555a61d9a in PDFDoc::setup (this=this@entry=0x607000000090, ownerPassword=ownerPassword@entry=0x0, userPassword=userPassword@entry=0x0) at /home/hekun/xpdf-4.04/xpdf/PDFDoc.cc:276
#29109 0x0000555555a630d7 in PDFDoc::PDFDoc (this=0x607000000090, fileNameA=<optimized out>, ownerPassword=<optimized out>, userPassword=<optimized out>, coreA=<optimized out>) at /home/hekun/xpdf-4.04/xpdf/PDFDoc.cc:218
#29110 0x000055555568410a in main (argc=<optimized out>, argc@entry=0x3, argv=<optimized out>, argv@entry=0x7fffffffde38) at /home/hekun/xpdf-4.04/xpdf/pdftopng.cc:180
#29111 0x00007ffff5c23c87 in __libc_start_main (main=0x555555683210 <main(int, char**)>, argc=0x3, argv=0x7fffffffde38, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffde28) at ../csu/libc-start.c:310
#29112 0x0000555555688dda in _start ()
Please check it out, thanks.
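The backtrace above shows the same frame, Catalog::countPageTree at Catalog.cc:567, repeated tens of thousands of times until the native stack is exhausted. As an added illustration (not xpdf's code and not the reporter's), the C++ below models a PDF page tree and contrasts a naive recursive page count with one that bounds recursion depth and tracks visited nodes, so a crafted /Kids cycle or an over-deep chain is rejected as malformed input instead of crashing the process. The PageNode type, the kMaxDepth limit and the sample trees are constructed for this example and are not taken from xpdf.

```cpp
// Added illustration, not xpdf code: a minimal page-tree model with a
// naive and a hardened leaf-page counter. Names and limits are constructed.
#include <cstddef>
#include <cstdio>
#include <unordered_set>
#include <vector>

struct PageNode {
    bool isPage;                         // true for a leaf /Page, false for a /Pages node
    std::vector<const PageNode*> kids;   // the /Kids array of a /Pages node
};

// Naive walk: recursion depth equals tree depth, so a /Kids entry that
// points back at an ancestor, or a very deep chain, exhausts the stack.
int countPagesNaive(const PageNode* node) {
    if (node->isPage) return 1;
    int total = 0;
    for (const PageNode* kid : node->kids) total += countPagesNaive(kid);
    return total;
}

// Hardened walk: a depth cap plus a visited set. Any revisit (cycle or a
// node shared between two parents) and any path deeper than kMaxDepth
// returns -1 so the caller can reject the document.
const int kMaxDepth = 64;   // constructed limit for the example

int countPagesSafeImpl(const PageNode* node, int depth,
                       std::unordered_set<const PageNode*>& visited) {
    if (node == nullptr || depth > kMaxDepth) return -1;
    if (!visited.insert(node).second) return -1;   // seen before: malformed tree
    if (node->isPage) return 1;
    int total = 0;
    for (const PageNode* kid : node->kids) {
        int n = countPagesSafeImpl(kid, depth + 1, visited);
        if (n < 0) return -1;                      // propagate the rejection
        total += n;
    }
    return total;
}

int countPagesSafe(const PageNode* root) {
    std::unordered_set<const PageNode*> visited;
    return countPagesSafeImpl(root, 0, visited);
}

// Constructed well-formed tree: root /Pages -> { /Pages{Page, Page}, Page }.
// Both walkers agree and report 3 pages.
int demoWellFormed() {
    PageNode leaf1{true, {}}, leaf2{true, {}}, leaf3{true, {}};
    PageNode inner{false, {&leaf1, &leaf2}};
    PageNode root{false, {&inner, &leaf3}};
    return countPagesSafe(&root);
}

bool naiveMatchesSafeOnWellFormed() {
    PageNode leaf1{true, {}}, leaf2{true, {}}, leaf3{true, {}};
    PageNode inner{false, {&leaf1, &leaf2}};
    PageNode root{false, {&inner, &leaf3}};
    return countPagesNaive(&root) == countPagesSafe(&root);
}

// Constructed malformed tree: two /Pages nodes whose /Kids reference each
// other. countPagesNaive would recurse until the stack overflows, which is
// the failure mode in the report; the safe walk returns -1.
int demoCycle() {
    PageNode a{false, {}}, b{false, {}};
    a.kids.push_back(&b);
    b.kids.push_back(&a);
    return countPagesSafe(&a);
}

// Constructed malformed tree: a single chain deeper than kMaxDepth ending in
// one /Page. The safe walk stops at the depth cap and returns -1.
int demoTooDeep() {
    std::vector<PageNode> chain(kMaxDepth + 2);   // value-initialised: all /Pages nodes
    chain.back().isPage = true;
    for (std::size_t i = 0; i + 1 < chain.size(); ++i)
        chain[i].kids.push_back(&chain[i + 1]);
    return countPagesSafe(&chain[0]);
}

int main() {
    std::printf("well-formed: %d pages\n", demoWellFormed());
    std::printf("cycle:       %d (rejected)\n", demoCycle());
    std::printf("too deep:    %d (rejected)\n", demoTooDeep());
    return 0;
}
```

The depth cap is the cheap guard: a legitimate page tree is shallow, so a limit in the tens comfortably exceeds real documents while keeping worst-case stack use bounded. The visited set catches the cycle case that a depth cap alone would only convert into a slow failure, and it also flags a node reachable from two parents, which a spec-conforming page tree never has.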
Related news
Gentoo Linux Security Advisory 202409-25
Gentoo Linux Security Advisory 202409-25 - Multiple vulnerabilities have been found in Xpdf, the worst of which could result in denial of service. Versions greater than or equal to 4.05 are affected.