CVE-2022-38334: stack-overflow by Xpdf4.04 - forum.xpdfreader.com

XPDF v4.04 was discovered to contain a stack overflow via the function Catalog::countPageTree() at Catalog.cc.

Hi, I used AFL++ to fuzz xpdf 4.04, and found that the Catalog::countPageTree() function in Catalog.cc may cause recursion issues via a crafted file.

gdb --args pdftopng crashfile output/

Syntax Error (1262): Dictionary key must be a name object
Syntax Error (1265): Dictionary key must be a name object

Program received signal SIGSEGV, Segmentation fault.

[----------------------------------registers-----------------------------------]
RAX: 0x5f8fd980549df300 
RBX: 0x7fffff7ff050 --> 0x7fffff7ff060 --> 0x7ffff6ef6b41 (<malloc+193>:    mov    r15,rax)
RCX: 0x7fffff7ff000 --> 0x0 
RDX: 0x7fffff7ff8a0 --> 0xffffffffffffff90 
RSI: 0x7fffff7ff050 --> 0x7fffff7ff060 --> 0x7ffff6ef6b41 (<malloc+193>:    mov    r15,rax)
RDI: 0x7 
RBP: 0x7fffff7ff050 --> 0x7fffff7ff060 --> 0x7ffff6ef6b41 (<malloc+193>:    mov    r15,rax)
RSP: 0x7fffff7fefc0 
RIP: 0x7ffff6e3fced (mov    QWORD PTR [rsp+0x38],rax)
R8 : 0x1 
R9 : 0x1e 
R10: 0x7ffff7fc3000 --> 0x7ffff7fef000 --> 0x7ffff7168698 --> 0x7ffff6f07080 (repz ret)
R11: 0x555555b47069 (<gmalloc(int)+233>:    test   rax,rax)
R12: 0x7 
R13: 0x1 
R14: 0x7 
R15: 0x7ffff6ef6b41 (<malloc+193>:  mov    r15,rax)
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff6e3fcdd:  mov    rbp,rsi
   0x7ffff6e3fce0:  sub    rsp,0x48
   0x7ffff6e3fce4:  mov    rax,QWORD PTR fs:0x28
=> 0x7ffff6e3fced:  mov    QWORD PTR [rsp+0x38],rax
   0x7ffff6e3fcf2:  xor    eax,eax
   0x7ffff6e3fcf4:  lea    rax,[rip+0x540f21]        # 0x7ffff7380c1c
   0x7ffff6e3fcfb:  mov    ecx,DWORD PTR [rax]
   0x7ffff6e3fcfd:  test   ecx,ecx
[------------------------------------stack-------------------------------------]
Invalid $SP address: 0x7fffff7fefc0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00007ffff6e3fced in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.4

bt

#29095 0x000055555577c369 in Catalog::countPageTree (this=this@entry=0x612000000040, pagesObj=pagesObj@entry=0x7fffffffcdd0) at /home/hekun/xpdf-4.04/xpdf/Catalog.cc:567
#29096 0x000055555577c369 in Catalog::countPageTree (this=this@entry=0x612000000040, pagesObj=pagesObj@entry=0x7fffffffcef0) at /home/hekun/xpdf-4.04/xpdf/Catalog.cc:567
#29097 0x000055555577c369 in Catalog::countPageTree (this=this@entry=0x612000000040, pagesObj=pagesObj@entry=0x7fffffffd010) at /home/hekun/xpdf-4.04/xpdf/Catalog.cc:567
#29098 0x000055555577c369 in Catalog::countPageTree (this=this@entry=0x612000000040, pagesObj=pagesObj@entry=0x7fffffffd130) at /home/hekun/xpdf-4.04/xpdf/Catalog.cc:567
#29099 0x000055555577c369 in Catalog::countPageTree (this=this@entry=0x612000000040, pagesObj=pagesObj@entry=0x7fffffffd250) at /home/hekun/xpdf-4.04/xpdf/Catalog.cc:567
#29100 0x000055555577c369 in Catalog::countPageTree (this=this@entry=0x612000000040, pagesObj=pagesObj@entry=0x7fffffffd370) at /home/hekun/xpdf-4.04/xpdf/Catalog.cc:567
#29101 0x000055555577c369 in Catalog::countPageTree (this=this@entry=0x612000000040, pagesObj=pagesObj@entry=0x7fffffffd490) at /home/hekun/xpdf-4.04/xpdf/Catalog.cc:567
#29102 0x000055555577c369 in Catalog::countPageTree (this=this@entry=0x612000000040, pagesObj=pagesObj@entry=0x7fffffffd5b0) at /home/hekun/xpdf-4.04/xpdf/Catalog.cc:567
#29103 0x000055555577c369 in Catalog::countPageTree (this=this@entry=0x612000000040, pagesObj=pagesObj@entry=0x7fffffffd6d0) at /home/hekun/xpdf-4.04/xpdf/Catalog.cc:567
#29104 0x000055555577c369 in Catalog::countPageTree (this=this@entry=0x612000000040, pagesObj=pagesObj@entry=0x7fffffffd820) at /home/hekun/xpdf-4.04/xpdf/Catalog.cc:567
#29105 0x000055555577d9a8 in Catalog::readPageTree (this=this@entry=0x612000000040, catDict=catDict@entry=0x7fffffffd980) at /home/hekun/xpdf-4.04/xpdf/Catalog.cc:529
#29106 0x0000555555789d11 in Catalog::Catalog (this=0x612000000040, docA=<optimized out>) at /home/hekun/xpdf-4.04/xpdf/Catalog.cc:175
#29107 0x0000555555a6141e in PDFDoc::setup2 (this=this@entry=0x607000000090, ownerPassword=ownerPassword@entry=0x0, userPassword=userPassword@entry=0x0, repairXRef=repairXRef@entry=0x1) at /home/hekun/xpdf-4.04/xpdf/PDFDoc.cc:318
#29108 0x0000555555a61d9a in PDFDoc::setup (this=this@entry=0x607000000090, ownerPassword=ownerPassword@entry=0x0, userPassword=userPassword@entry=0x0) at /home/hekun/xpdf-4.04/xpdf/PDFDoc.cc:276
#29109 0x0000555555a630d7 in PDFDoc::PDFDoc (this=0x607000000090, fileNameA=<optimized out>, ownerPassword=<optimized out>, userPassword=<optimized out>, coreA=<optimized out>) at /home/hekun/xpdf-4.04/xpdf/PDFDoc.cc:218
#29110 0x000055555568410a in main (argc=<optimized out>, argc@entry=0x3, argv=<optimized out>, argv@entry=0x7fffffffde38) at /home/hekun/xpdf-4.04/xpdf/pdftopng.cc:180
#29111 0x00007ffff5c23c87 in __libc_start_main (main=0x555555683210 <main(int, char**)>, argc=0x3, argv=0x7fffffffde38, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffde28) at ../csu/libc-start.c:310
#29112 0x0000555555688dda in _start ()

Please check it out, thanks.
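The backtrace above shows one frame repeated tens of thousands of times, which is what a /Pages node whose /Kids refers back into the tree produces when the walk has no cycle or depth guard. Below is an added C++ example (not code from xpdf or from the poster) of a bounded page-tree count that rejects such input instead of recursing until the stack is exhausted; the PageNode/Document model, the function names and the 128-level depth cap are assumptions made for the example.

```cpp
#include <cstdio>
#include <map>
#include <set>
#include <vector>

// Hypothetical minimal page-tree model (an assumption, not xpdf's Object API):
// objects are keyed by object number; a /Pages node lists its /Kids by number.
struct PageNode {
    bool isPages;           // true = intermediate /Pages node, false = /Page leaf
    std::vector<int> kids;  // object numbers referenced from /Kids (empty for a /Page)
};
using Document = std::map<int, PageNode>;
const int kMaxPageTreeDepth = 128;  // assumed cap; a real page tree is nowhere near this deep

// Counts leaf pages under objNum. Returns -1 when the tree is rejected as malformed.
// Two guards stop a crafted /Kids graph from recursing until the stack is exhausted:
// a visited set rejects any object reached twice (a self-reference or longer cycle),
// and a depth cap bounds the recursion even on a non-cyclic but absurdly deep chain.
int countPagesBounded(const Document& doc, int objNum, std::set<int>& visited, int depth) {
    if (depth > kMaxPageTreeDepth) return -1;
    if (!visited.insert(objNum).second) return -1;   // already seen: cycle or duplicate ref
    auto it = doc.find(objNum);
    if (it == doc.end()) return 0;                    // dangling reference contributes nothing
    const PageNode& node = it->second;
    if (!node.isPages) return 1;
    int total = 0;
    for (int kid : node.kids) {
        int n = countPagesBounded(doc, kid, visited, depth + 1);
        if (n < 0) return -1;                         // propagate rejection to the caller
        total += n;
    }
    return total;
}

int countPages(const Document& doc, int rootObj) {
    std::set<int> visited;
    return countPagesBounded(doc, rootObj, visited, 0);
}

// Constructed sample inputs: a well-formed tree and a /Pages node whose /Kids is itself.
Document wellFormedTree() {
    return {{1, {true, {2, 5}}}, {2, {true, {3, 4}}}, {3, {false, {}}}, {4, {false, {}}}, {5, {false, {}}}};
}
Document selfReferencingTree() { return {{1, {true, {1}}}}; }

int main() {
    std::printf("well-formed: %d pages\n", countPages(wellFormedTree(), 1));               // 3
    std::printf("self-referencing: %d (rejected)\n", countPages(selfReferencingTree(), 1)); // -1
    return 0;
}
```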
