CVE-2022-38334: stack-overflow by Xpdf4.04 - forum.xpdfreader.com

XPDF v4.04 was discovered to contain a stack overflow via the function Catalog::countPageTree() at Catalog.cc.

Hi, I used AFL++ to fuzz xpdf 4.04 and found that the Catalog::countPageTree() function in Catalog.cc may cause recursion issues via a crafted file.

Code:

gdb --args pdftopng crashfile output/

Code:

Syntax Error (1262): Dictionary key must be a name object
Syntax Error (1265): Dictionary key must be a name object

Program received signal SIGSEGV, Segmentation fault.

[----------------------------------registers-----------------------------------]
RAX: 0x5f8fd980549df300 
RBX: 0x7fffff7ff050 --> 0x7fffff7ff060 --> 0x7ffff6ef6b41 (<malloc+193>:    mov    r15,rax)
RCX: 0x7fffff7ff000 --> 0x0 
RDX: 0x7fffff7ff8a0 --> 0xffffffffffffff90 
RSI: 0x7fffff7ff050 --> 0x7fffff7ff060 --> 0x7ffff6ef6b41 (<malloc+193>:    mov    r15,rax)
RDI: 0x7 
RBP: 0x7fffff7ff050 --> 0x7fffff7ff060 --> 0x7ffff6ef6b41 (<malloc+193>:    mov    r15,rax)
RSP: 0x7fffff7fefc0 
RIP: 0x7ffff6e3fced (mov    QWORD PTR [rsp+0x38],rax)
R8 : 0x1 
R9 : 0x1e 
R10: 0x7ffff7fc3000 --> 0x7ffff7fef000 --> 0x7ffff7168698 --> 0x7ffff6f07080 (repz ret)
R11: 0x555555b47069 (<gmalloc(int)+233>:    test   rax,rax)
R12: 0x7 
R13: 0x1 
R14: 0x7 
R15: 0x7ffff6ef6b41 (<malloc+193>:  mov    r15,rax)
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff6e3fcdd:  mov    rbp,rsi
   0x7ffff6e3fce0:  sub    rsp,0x48
   0x7ffff6e3fce4:  mov    rax,QWORD PTR fs:0x28
=> 0x7ffff6e3fced:  mov    QWORD PTR [rsp+0x38],rax
   0x7ffff6e3fcf2:  xor    eax,eax
   0x7ffff6e3fcf4:  lea    rax,[rip+0x540f21]        # 0x7ffff7380c1c
   0x7ffff6e3fcfb:  mov    ecx,DWORD PTR [rax]
   0x7ffff6e3fcfd:  test   ecx,ecx
[------------------------------------stack-------------------------------------]
Invalid $SP address: 0x7fffff7fefc0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00007ffff6e3fced in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.4

bt

Code:

#29095 0x000055555577c369 in Catalog::countPageTree (this=this@entry=0x612000000040, pagesObj=pagesObj@entry=0x7fffffffcdd0) at /home/hekun/xpdf-4.04/xpdf/Catalog.cc:567
#29096 0x000055555577c369 in Catalog::countPageTree (this=this@entry=0x612000000040, pagesObj=pagesObj@entry=0x7fffffffcef0) at /home/hekun/xpdf-4.04/xpdf/Catalog.cc:567
#29097 0x000055555577c369 in Catalog::countPageTree (this=this@entry=0x612000000040, pagesObj=pagesObj@entry=0x7fffffffd010) at /home/hekun/xpdf-4.04/xpdf/Catalog.cc:567
#29098 0x000055555577c369 in Catalog::countPageTree (this=this@entry=0x612000000040, pagesObj=pagesObj@entry=0x7fffffffd130) at /home/hekun/xpdf-4.04/xpdf/Catalog.cc:567
#29099 0x000055555577c369 in Catalog::countPageTree (this=this@entry=0x612000000040, pagesObj=pagesObj@entry=0x7fffffffd250) at /home/hekun/xpdf-4.04/xpdf/Catalog.cc:567
#29100 0x000055555577c369 in Catalog::countPageTree (this=this@entry=0x612000000040, pagesObj=pagesObj@entry=0x7fffffffd370) at /home/hekun/xpdf-4.04/xpdf/Catalog.cc:567
#29101 0x000055555577c369 in Catalog::countPageTree (this=this@entry=0x612000000040, pagesObj=pagesObj@entry=0x7fffffffd490) at /home/hekun/xpdf-4.04/xpdf/Catalog.cc:567
#29102 0x000055555577c369 in Catalog::countPageTree (this=this@entry=0x612000000040, pagesObj=pagesObj@entry=0x7fffffffd5b0) at /home/hekun/xpdf-4.04/xpdf/Catalog.cc:567
#29103 0x000055555577c369 in Catalog::countPageTree (this=this@entry=0x612000000040, pagesObj=pagesObj@entry=0x7fffffffd6d0) at /home/hekun/xpdf-4.04/xpdf/Catalog.cc:567
#29104 0x000055555577c369 in Catalog::countPageTree (this=this@entry=0x612000000040, pagesObj=pagesObj@entry=0x7fffffffd820) at /home/hekun/xpdf-4.04/xpdf/Catalog.cc:567
#29105 0x000055555577d9a8 in Catalog::readPageTree (this=this@entry=0x612000000040, catDict=catDict@entry=0x7fffffffd980) at /home/hekun/xpdf-4.04/xpdf/Catalog.cc:529
#29106 0x0000555555789d11 in Catalog::Catalog (this=0x612000000040, docA=<optimized out>) at /home/hekun/xpdf-4.04/xpdf/Catalog.cc:175
#29107 0x0000555555a6141e in PDFDoc::setup2 (this=this@entry=0x607000000090, ownerPassword=ownerPassword@entry=0x0, userPassword=userPassword@entry=0x0, repairXRef=repairXRef@entry=0x1) at /home/hekun/xpdf-4.04/xpdf/PDFDoc.cc:318
#29108 0x0000555555a61d9a in PDFDoc::setup (this=this@entry=0x607000000090, ownerPassword=ownerPassword@entry=0x0, userPassword=userPassword@entry=0x0) at /home/hekun/xpdf-4.04/xpdf/PDFDoc.cc:276
#29109 0x0000555555a630d7 in PDFDoc::PDFDoc (this=0x607000000090, fileNameA=<optimized out>, ownerPassword=<optimized out>, userPassword=<optimized out>, coreA=<optimized out>) at /home/hekun/xpdf-4.04/xpdf/PDFDoc.cc:218
#29110 0x000055555568410a in main (argc=<optimized out>, argc@entry=0x3, argv=<optimized out>, argv@entry=0x7fffffffde38) at /home/hekun/xpdf-4.04/xpdf/pdftopng.cc:180
#29111 0x00007ffff5c23c87 in __libc_start_main (main=0x555555683210 <main(int, char**)>, argc=0x3, argv=0x7fffffffde38, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffde28) at ../csu/libc-start.c:310
#29112 0x0000555555688dda in _start ()

Please check it out, thanks.
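The backtrace above shows countPageTree() re-entering itself tens of thousands of times on a crafted page tree until the stack is exhausted. The traversal below is an added illustration, not Xpdf's code: it models a page tree as an index table and refuses to count a tree that contains a cycle, a reference to an already-visited node, an out-of-range /Kids entry, or nesting beyond a fixed limit (PageNode, countPageTree and kMaxPageTreeDepth are assumed names; the sample trees are constructed).

```cpp
#include <cstddef>
#include <unordered_set>
#include <vector>

// Constructed model of a PDF page tree: a node is either a /Page leaf or a
// /Pages node whose /Kids array holds indices of other nodes in the table.
// Illustrative only; this is not Xpdf's Catalog class.
struct PageNode {
    bool isLeaf;
    std::vector<int> kids;   // indices into the node table
};

// Assumed nesting limit, not an Xpdf constant. Real documents rarely exceed a
// few dozen levels; the crash reported above needed ~29,000 stack frames.
constexpr int kMaxPageTreeDepth = 64;

// Recursive worker. Returns the number of leaf pages under `idx`, or -1 when
// the tree is malformed: bad index, depth over the limit, or a node reached
// twice (a cycle, or a node shared by two parents, which the PDF page tree
// does not allow). `visited` persists for the whole walk, so a back-edge to
// any ancestor is caught before the recursion can grow unbounded.
static int countPages(const std::vector<PageNode>& nodes, int idx,
                      std::unordered_set<int>& visited, int depth) {
    if (idx < 0 || static_cast<std::size_t>(idx) >= nodes.size()) return -1;
    if (depth > kMaxPageTreeDepth) return -1;      // bound the recursion depth
    if (!visited.insert(idx).second) return -1;    // node seen before: reject
    const PageNode& n = nodes[idx];
    if (n.isLeaf) return 1;
    int total = 0;
    for (int kid : n.kids) {
        int sub = countPages(nodes, kid, visited, depth + 1);
        if (sub < 0) return -1;                    // propagate the error upward
        total += sub;
    }
    return total;
}

int countPageTree(const std::vector<PageNode>& nodes, int root) {
    std::unordered_set<int> visited;
    return countPages(nodes, root, visited, 0);
}

// Constructed well-formed tree: root -> {Pages node -> {leaf, leaf}, leaf}.
std::vector<PageNode> makeValidTree() {
    return { {false, {1, 2}}, {false, {3, 4}}, {true, {}}, {true, {}}, {true, {}} };
}
// Constructed malformed tree: a /Pages node whose /Kids points back at the root.
std::vector<PageNode> makeCyclicTree() {
    return { {false, {1}}, {false, {0, 2}}, {true, {}} };
}
// Constructed chain of `n` nested /Pages nodes ending in a single leaf.
std::vector<PageNode> makeDeepChain(int n) {
    std::vector<PageNode> v;
    for (int i = 0; i < n; ++i) v.push_back({false, {i + 1}});
    v.push_back({true, {}});
    return v;
}
```

Rejecting the document outright (rather than truncating the count) is the safer choice here, since a tree that references itself cannot have a meaningful page count.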

Related news

Gentoo Linux Security Advisory 202409-25

Gentoo Linux Security Advisory 202409-25 - Multiple vulnerabilities have been found in Xpdf, the worst of which could result in denial of service. Versions greater than or equal to 4.05 are affected.
