CVE-2022-45587: Bug Report: two stack-overflow bugs in pdftotext, Xpdf 4.04

Stack exhaustion in Xpdf 4.04's pdftotext. The CVE record describes it as a stack overflow in function gmalloc in goo/gmem.cc, but the sanitizer traces below show that gmalloc (and strcmp in the first trace) is only the frame that happens to be on top when the stack runs out: the real recursion is Catalog::countPageTree (xpdf/Catalog.cc:567) calling itself once per nested /Kids entry of the page tree, with nothing visibly bounding the depth. A crafted PDF handed to pdftotext therefore crashes the process; the reported impact is denial of service, and ASan reports a guard-page fault, not a heap or stack-buffer write.


Hello, I used a fuzzer to test the pdftotext binary in xpdf-4.04 and found several crashes in pdftotext.

Crash 1 in binary pdftotext (using Poc1), in Dict::find(char const*) xpdf-4.04/xpdf/Dict.cc:98


./pdftotext ../../../Outs/out_xpdf/collection/out_xpdf:id:000080,sig:11,src:001396,op:havoc,rep:64
Syntax Error: Couldn't read xref table
Syntax Warning: PDF file is damaged - attempting to reconstruct xref table...
Syntax Error (1612): Dictionary key must be a name object
Syntax Error (1619): Dictionary key must be a name object
Syntax Error (1639): Dictionary key must be a name object
Syntax Error (1643): Dictionary key must be a name object
Syntax Error (61): Dictionary key must be a name object
Syntax Error (100): Dictionary key must be a name object
Syntax Error (120): Dictionary key must be a name object
Syntax Error (122): Dictionary key must be a name object
Syntax Error (202): Dictionary key must be a name object
Syntax Error (206): Dictionary key must be a name object
Syntax Error (208): Dictionary key must be a name object
Syntax Error (217): Dictionary key must be a name object
Syntax Error (412): Dictionary key must be a name object
Syntax Error (492): Dictionary key must be a name object
Syntax Error (495): Dictionary key must be a name object
Syntax Error (578): Dictionary key must be a name object
Syntax Error (707): Command token too long
Syntax Error (707): Dictionary key must be a name object
Syntax Error (835): Command token too long
Syntax Error (835): Dictionary key must be a name object
Syntax Error (963): Command token too long
Syntax Error (963): Dictionary key must be a name object
Syntax Error (1091): Command token too long
Syntax Error (1091): Dictionary key must be a name object
Syntax Error (1204): Dictionary key must be a name object
Syntax Error (1212): Dictionary key must be a name object
Syntax Error (1224): Illegal character '>'
Syntax Error (1332): Dictionary key must be a name object
Syntax Error (1341): Dictionary key must be a name object
Syntax Error (1356): Dictionary key must be a name object
Syntax Error (1375): Dictionary key must be a name object
Syntax Error (1379): Dictionary key must be a name object
Syntax Error (1612): Dictionary key must be a name object
Syntax Error (1619): Dictionary key must be a name object
Syntax Error (1639): Dictionary key must be a name object
Syntax Error (1643): Dictionary key must be a name object
Syntax Error: End of file inside array
Syntax Error: End of file inside dictionary
Syntax Error (412): Dictionary key must be a name object
Syntax Error (492): Dictionary key must be a name object
Syntax Error (495): Dictionary key must be a name object
Syntax Error (578): Dictionary key must be a name object
Syntax Error (707): Command token too long
Syntax Error (707): Dictionary key must be a name object
Syntax Error (835): Command token too long
Syntax Error (835): Dictionary key must be a name object
Syntax Error (963): Command token too long
Syntax Error (963): Dictionary key must be a name object
Syntax Error (1091): Command token too long
Syntax Error (1091): Dictionary key must be a name object
Syntax Error (1204): Dictionary key must be a name object
Syntax Error (1212): Dictionary key must be a name object
Syntax Error (1224): Illegal character '>'
Syntax Error (1332): Dictionary key must be a name object
Syntax Error (1341): Dictionary key must be a name object
Syntax Error (1356): Dictionary key must be a name object
Syntax Error (1375): Dictionary key must be a name object
Syntax Error (1379): Dictionary key must be a name object
AddressSanitizer:DEADLYSIGNAL
=================================================================
==888328==ERROR: AddressSanitizer: stack-overflow on address 0x7fff52afef48 (pc 0x7fafa875da29 bp 0x7fff52aff7f0 sp 0x7fff52afef50 T0)
    #0 0x7fafa875da28 in __interceptor_strcmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:433
    #1 0x5573b0891e2c in Dict::find(char const*) /home/lsy/xpdf-4.04/xpdf/Dict.cc:98
    #2 0x5573b0891e2c in Dict::lookup(char const*, Object*, int) /home/lsy/xpdf-4.04/xpdf/Dict.cc:125
    #3 0x5573b086d1c2 in Object::dictLookup(char const*, Object*, int) /home/lsy/xpdf-4.04/xpdf/Object.h:267
    #4 0x5573b086d1c2 in Catalog::countPageTree(Object*) /home/lsy/xpdf-4.04/xpdf/Catalog.cc:563
    #5 0x5573b086d25e in Catalog::countPageTree(Object*) /home/lsy/xpdf-4.04/xpdf/Catalog.cc:567
    #6 0x5573b086d25e in Catalog::countPageTree(Object*) /home/lsy/xpdf-4.04/xpdf/Catalog.cc:567
    #7 0x5573b086d25e in Catalog::countPageTree(Object*) /home/lsy/xpdf-4.04/xpdf/Catalog.cc:567
    #8 0x5573b086d25e in Catalog::countPageTree(Object*) /home/lsy/xpdf-4.04/xpdf/Catalog.cc:567
    #9 0x5573b086d25e in Catalog::countPageTree(Object*) /home/lsy/xpdf-4.04/xpdf/Catalog.cc:567
    #10 0x5573b086d25e in Catalog::countPageTree(Object*) /home/lsy/xpdf-4.04/xpdf/Catalog.cc:567
    #11 0x5573b086d25e in Catalog::countPageTree(Object*) /home/lsy/xpdf-4.04/xpdf/Catalog.cc:567
    #12 0x5573b086d25e in Catalog::countPageTree(Object*) /home/lsy/xpdf-4.04/xpdf/Catalog.cc:567
    #13 0x5573b086d25e in Catalog::countPageTree(Object*) /home/lsy/xpdf-4.04/xpdf/Catalog.cc:567
    #14 0x5573b086d25e in Catalog::countPageTree(Object*) /home/lsy/xpdf-4.04/xpdf/Catalog.cc:567
    #15 0x5573b086d25e in Catalog::countPageTree(Object*) /home/lsy/xpdf-4.04/xpdf/Catalog.cc:567
    #16 0x5573b086d25e in Catalog::countPageTree(Object*) /home/lsy/xpdf-4.04/xpdf/Catalog.cc:567
    #17 0x5573b086d25e in Catalog::countPageTree(Object*) /home/lsy/xpdf-4.04/xpdf/Catalog.cc:567
    #18 0x5573b086d25e in Catalog::countPageTree(Object*) /home/lsy/xpdf-4.04/xpdf/Catalog.cc:567
    #19 0x5573b086d25e in Catalog::countPageTree(Object*) /home/lsy/xpdf-4.04/xpdf/Catalog.cc:567
    #20 0x5573b086d25e in Catalog::countPageTree(Object*) /home/lsy/xpdf-4.04/xpdf/Catalog.cc:567
    #21 0x5573b086d25e in Catalog::countPageTree(Object*) /home/lsy/xpdf-4.04/xpdf/Catalog.cc:567
    #22 0x5573b086d25e in Catalog::countPageTree(Object*) /home/lsy/xpdf-4.04/xpdf/Catalog.cc:567
    #23 0x5573b086d25e in Catalog::countPageTree(Object*) /home/lsy/xpdf-4.04/xpdf/Catalog.cc:567
    #24 0x5573b086d25e in Catalog::countPageTree(Object*) /home/lsy/xpdf-4.04/xpdf/Catalog.cc:567
    #25 0x5573b086d25e in Catalog::countPageTree(Object*) /home/lsy/xpdf-4.04/xpdf/Catalog.cc:567
    #26 0x5573b086d25e in Catalog::countPageTree(Object*) /home/lsy/xpdf-4.04/xpdf/Catalog.cc:567
    #27 0x5573b086d25e in Catalog::countPageTree(Object*) /home/lsy/xpdf-4.04/xpdf/Catalog.cc:567
    #28 0x5573b086d25e in Catalog::countPageTree(Object*) /home/lsy/xpdf-4.04/xpdf/Catalog.cc:567
    #29 0x5573b086d25e in Catalog::countPageTree(Object*) /home/lsy/xpdf-4.04/xpdf/Catalog.cc:567
    #30 0x5573b086d25e in Catalog::countPageTree(Object*) /home/lsy/xpdf-4.04/xpdf/Catalog.cc:567
    #31 0x5573b086d25e in Catalog::countPageTree(Object*) /home/lsy/xpdf-4.04/xpdf/Catalog.cc:567
    #32 0x5573b086d25e in Catalog::countPageTree(Object*) /home/lsy/xpdf-4.04/xpdf/Catalog.cc:567
    #33 0x5573b086d25e in Catalog::countPageTree(Object*) /home/lsy/xpdf-4.04/xpdf/Catalog.cc:567
    #34 0x5573b086d25e in Catalog::countPageTree(Object*) /home/lsy/xpdf-4.04/xpdf/Catalog.cc:567
    #35 0x5573b086d25e in Catalog::countPageTree(Object*) /home/lsy/xpdf-4.04/xpdf/Catalog.cc:567
    #36 0x5573b086d25e in Catalog::countPageTree(Object*) /home/lsy/xpdf-4.04/xpdf/Catalog.cc:567
    ......

SUMMARY: AddressSanitizer: stack-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:433 in __interceptor_strcmp
==888328==ABORTING

Crash 2 in binary pdftotext (using Poc2), in gmalloc(int) xpdf-4.04/goo/gmem.cc:148


./pdftotext ../../../Outs/out_xpdf/collection/out_xpdf:id:000012,sig:11,src:001031,op:havoc,rep:2
Syntax Error (497): Illegal character <2f> in hex string
Syntax Error (498): Illegal character <54> in hex string
Syntax Error (499): Illegal character <79> in hex string
Syntax Error (500): Illegal character <70> in hex string
Syntax Error (503): Illegal character <2f> in hex string
Syntax Error (504): Illegal character <50> in hex string
Syntax Error (506): Illegal character <67> in hex string
Syntax Error (511): Illegal character <2f> in hex string
Syntax Error (512): Illegal character <50> in hex string
Syntax Error (514): Illegal character <72> in hex string
Syntax Error (516): Illegal character <6e> in hex string
Syntax Error (517): Illegal character <74> in hex string
Syntax Error (523): Illegal character <52> in hex string
Syntax Error (527): Illegal character <2f> in hex string
Syntax Error (528): Illegal character <52> in hex string
Syntax Error (530): Illegal character <73> in hex string
Syntax Error (531): Illegal character <6f> in hex string
Syntax Error (532): Illegal character <75> in hex string
Syntax Error (533): Illegal character <72> in hex string
Syntax Error (536): Illegal character <73> in hex string
Syntax Error (538): Illegal character <3c> in hex string
Syntax Error (539): Illegal character <3c> in hex string
Syntax Error (545): Illegal character <2f> in hex string
Syntax Error (547): Illegal character <6f> in hex string
Syntax Error (548): Illegal character <6e> in hex string
Syntax Error (549): Illegal character <74> in hex string
Syntax Error (551): Illegal character <3c> in hex string
Syntax Error (552): Illegal character <3c> in hex string
Syntax Error (560): Illegal character <2f> in hex string
Syntax Error (568): Illegal character <52> in hex string
Syntax Error (576): Illegal character '>'
Syntax Error: Couldn't read xref table
Syntax Warning: PDF file is damaged - attempting to reconstruct xref table...
Syntax Error (38): Dictionary key must be a name object
Syntax Error (44): Dictionary key must be a name object
Syntax Error (46): Dictionary key must be a name object
Syntax Error (53): Dictionary key must be a name object
Syntax Error (312): Illegal character '>'
Syntax Error (361): Dictionary key must be a name object
Syntax Error (471): Illegal character '>'
Syntax Error (668): Dictionary key must be a name object
Syntax Error (670): Dictionary key must be a name object
Syntax Error (675): Dictionary key must be a name object
Syntax Error (693): Dictionary key must be a name object
Syntax Error (703): Dictionary key must be a name object
Syntax Error: End of file inside array
Syntax Error: End of file inside dictionary
Syntax Error: End of file inside array
Syntax Error: End of file inside dictionary
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1696640==ERROR: AddressSanitizer: stack-overflow on address 0x7ffe77b3afb8 (pc 0x7f259771ae7f bp 0x7ffe77b3b8c0 sp 0x7ffe77b3afb0 T0)
    #0 0x7f259771ae7e in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) ../../../../src/libsanitizer/asan/asan_allocator.cc:399
    #1 0x7f259771754a in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) ../../../../src/libsanitizer/asan/asan_allocator.cc:874
    #2 0x7f25977fc8ce in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:145
    #3 0x5646a9eb9ffd in gmalloc(int) /home/lsy/xpdf-4.04/goo/gmem.cc:148
    #4 0x5646a9eba234 in copyString(char const*) /home/lsy/xpdf-4.04/goo/gmem.cc:393
    #5 0x5646a9e4a540 in Object::copy(Object*) /home/lsy/xpdf-4.04/xpdf/Object.cc:99
    #6 0x5646a9d43251 in Object::arrayGet(int, Object*, int) /home/lsy/xpdf-4.04/xpdf/Object.h:243
    #7 0x5646a9d43251 in Catalog::countPageTree(Object*) /home/lsy/xpdf-4.04/xpdf/Catalog.cc:566
    #8 0x5646a9d4325e in Catalog::countPageTree(Object*) /home/lsy/xpdf-4.04/xpdf/Catalog.cc:567
    #9 0x5646a9d4325e in Catalog::countPageTree(Object*) /home/lsy/xpdf-4.04/xpdf/Catalog.cc:567
    #10 0x5646a9d4325e in Catalog::countPageTree(Object*) /home/lsy/xpdf-4.04/xpdf/Catalog.cc:567
    #11 0x5646a9d4325e in Catalog::countPageTree(Object*) /home/lsy/xpdf-4.04/xpdf/Catalog.cc:567
    #12 0x5646a9d4325e in Catalog::countPageTree(Object*) /home/lsy/xpdf-4.04/xpdf/Catalog.cc:567
    #13 0x5646a9d4325e in Catalog::countPageTree(Object*) /home/lsy/xpdf-4.04/xpdf/Catalog.cc:567
    #14 0x5646a9d4325e in Catalog::countPageTree(Object*) /home/lsy/xpdf-4.04/xpdf/Catalog.cc:567
    #15 0x5646a9d4325e in Catalog::countPageTree(Object*) /home/lsy/xpdf-4.04/xpdf/Catalog.cc:567
    #16 0x5646a9d4325e in Catalog::countPageTree(Object*) /home/lsy/xpdf-4.04/xpdf/Catalog.cc:567
    #17 0x5646a9d4325e in Catalog::countPageTree(Object*) /home/lsy/xpdf-4.04/xpdf/Catalog.cc:567
    #18 0x5646a9d4325e in Catalog::countPageTree(Object*) /home/lsy/xpdf-4.04/xpdf/Catalog.cc:567
    #19 0x5646a9d4325e in Catalog::countPageTree(Object*) /home/lsy/xpdf-4.04/xpdf/Catalog.cc:567
    #20 0x5646a9d4325e in Catalog::countPageTree(Object*) /home/lsy/xpdf-4.04/xpdf/Catalog.cc:567
    #21 0x5646a9d4325e in Catalog::countPageTree(Object*) /home/lsy/xpdf-4.04/xpdf/Catalog.cc:567
    #22 0x5646a9d4325e in Catalog::countPageTree(Object*) /home/lsy/xpdf-4.04/xpdf/Catalog.cc:567
    #23 0x5646a9d4325e in Catalog::countPageTree(Object*) /home/lsy/xpdf-4.04/xpdf/Catalog.cc:567
    #24 0x5646a9d4325e in Catalog::countPageTree(Object*) /home/lsy/xpdf-4.04/xpdf/Catalog.cc:567
    #25 0x5646a9d4325e in Catalog::countPageTree(Object*) /home/lsy/xpdf-4.04/xpdf/Catalog.cc:567
    #26 0x5646a9d4325e in Catalog::countPageTree(Object*) /home/lsy/xpdf-4.04/xpdf/Catalog.cc:567
    #27 0x5646a9d4325e in Catalog::countPageTree(Object*) /home/lsy/xpdf-4.04/xpdf/Catalog.cc:567
    #28 0x5646a9d4325e in Catalog::countPageTree(Object*) /home/lsy/xpdf-4.04/xpdf/Catalog.cc:567
    #29 0x5646a9d4325e in Catalog::countPageTree(Object*) /home/lsy/xpdf-4.04/xpdf/Catalog.cc:567
    #30 0x5646a9d4325e in Catalog::countPageTree(Object*) /home/lsy/xpdf-4.04/xpdf/Catalog.cc:567
    #31 0x5646a9d4325e in Catalog::countPageTree(Object*) /home/lsy/xpdf-4.04/xpdf/Catalog.cc:567
    #32 0x5646a9d4325e in Catalog::countPageTree(Object*) /home/lsy/xpdf-4.04/xpdf/Catalog.cc:567
    #33 0x5646a9d4325e in Catalog::countPageTree(Object*) /home/lsy/xpdf-4.04/xpdf/Catalog.cc:567
    #34 0x5646a9d4325e in Catalog::countPageTree(Object*) /home/lsy/xpdf-4.04/xpdf/Catalog.cc:567
    #35 0x5646a9d4325e in Catalog::countPageTree(Object*) /home/lsy/xpdf-4.04/xpdf/Catalog.cc:567
    #36 0x5646a9d4325e in Catalog::countPageTree(Object*) /home/lsy/xpdf-4.04/xpdf/Catalog.cc:567
    #37 0x5646a9d4325e in Catalog::countPageTree(Object*) /home/lsy/xpdf-4.04/xpdf/Catalog.cc:567
    #38 0x5646a9d4325e in Catalog::countPageTree(Object*) /home/lsy/xpdf-4.04/xpdf/Catalog.cc:567
    #39 0x5646a9d4325e in Catalog::countPageTree(Object*) /home/lsy/xpdf-4.04/xpdf/Catalog.cc:567
    #40 0x5646a9d4325e in Catalog::countPageTree(Object*) /home/lsy/xpdf-4.04/xpdf/Catalog.cc:567
    #41 0x5646a9d4325e in Catalog::countPageTree(Object*) /home/lsy/xpdf-4.04/xpdf/Catalog.cc:567
    #42 0x5646a9d4325e in Catalog::countPageTree(Object*) /home/lsy/xpdf-4.04/xpdf/Catalog.cc:567
    #43 0x5646a9d4325e in Catalog::countPageTree(Object*) /home/lsy/xpdf-4.04/xpdf/Catalog.cc:567
    #44 0x5646a9d4325e in Catalog::countPageTree(Object*) /home/lsy/xpdf-4.04/xpdf/Catalog.cc:567
    #45 0x5646a9d4325e in Catalog::countPageTree(Object*) /home/lsy/xpdf-4.04/xpdf/Catalog.cc:567
    #46 0x5646a9d4325e in Catalog::countPageTree(Object*) /home/lsy/xpdf-4.04/xpdf/Catalog.cc:567
    #47 0x5646a9d4325e in Catalog::countPageTree(Object*) /home/lsy/xpdf-4.04/xpdf/Catalog.cc:567
    #48 0x5646a9d4325e in Catalog::countPageTree(Object*) /home/lsy/xpdf-4.04/xpdf/Catalog.cc:567
    ......

SUMMARY: AddressSanitizer: stack-overflow ../../../../src/libsanitizer/asan/asan_allocator.cc:399 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool)
==1696640==ABORTING

DiliLearnegnt, report of the Information Security Laboratory of Ocean University of China @OUC_ISLOUC @OUC_Blue_Whale
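The two traces differ only in which frame touches the guard page; both are the same unbounded walk of the page tree, one countPageTree frame per /Kids entry. As an added example (not xpdf code and not the reporter's PoC files), the C++ below models that walk over a toy object table and shows the two guards a hardened countPageTree needs: a depth limit and a visited set, so a /Kids entry that points back at an ancestor is rejected instead of recursed into. The object model, the depth limit of 64, and the sample trees are assumptions for illustration. cyclicPdf() emits a minimal file with that same self-referencing /Kids shape so the fix can be checked against an ASan build of pdftotext; whether 4.04 takes exactly the reporter's path on it is not something this page confirms.

```cpp
// Added example, not xpdf's code: a guarded page-tree count modelled on the
// Catalog::countPageTree() recursion in the traces above.
#include <cstdio>
#include <map>
#include <set>
#include <string>
#include <vector>

// Toy stand-in for xpdf's Object/Dict/Array: only what the walk touches.
struct PdfObj {
    std::string type;       // "Pages" (interior node) or "Page" (leaf)
    std::vector<int> kids;  // object numbers referenced from /Kids
};
using ObjectTable = std::map<int, PdfObj>;

// Assumed bound for this example; xpdf's own limit (if any) is not on the page.
constexpr int kMaxPageTreeDepth = 64;

// Returns the number of /Page leaves under objNum, or -1 if the tree is
// cyclic, deeper than kMaxPageTreeDepth, or references a missing object.
// Every frame checks depth and the visited set before descending, so a
// /Kids entry that refers back to an ancestor terminates the walk instead
// of exhausting the stack as in the traces.
int countPageTree(const ObjectTable &objs, int objNum, int depth,
                  std::set<int> &visited) {
    if (depth > kMaxPageTreeDepth) return -1;       // depth bound
    if (!visited.insert(objNum).second) return -1;  // already on the path: cycle
    auto it = objs.find(objNum);
    if (it == objs.end()) return -1;                // dangling reference
    const PdfObj &o = it->second;
    if (o.type == "Page") return 1;
    if (o.type != "Pages") return 0;                // not a page-tree node
    int n = 0;
    for (int kid : o.kids) {
        int n2 = countPageTree(objs, kid, depth + 1, visited);
        if (n2 < 0) return -1;                      // propagate rejection
        n += n2;
    }
    return n;
}

int countPages(const ObjectTable &objs, int rootPages) {
    std::set<int> visited;
    return countPageTree(objs, rootPages, 0, visited);
}

// Constructed sample trees (assumptions, not the reporter's inputs).
ObjectTable wellFormedTree() {          // three leaves: 3, 5, 6
    ObjectTable t;
    t[2] = {"Pages", {3, 4}};
    t[3] = {"Page", {}};
    t[4] = {"Pages", {5, 6}};
    t[5] = {"Page", {}};
    t[6] = {"Page", {}};
    return t;
}
ObjectTable cyclicTree() {              // object 2 lists itself in /Kids
    ObjectTable t;
    t[2] = {"Pages", {3, 2}};
    t[3] = {"Page", {}};
    return t;
}
ObjectTable deepChain(int n) {          // n nested Pages nodes, one leaf
    ObjectTable t;
    for (int i = 1; i <= n; ++i) t[i] = {"Pages", {i + 1}};
    t[n + 1] = {"Page", {}};
    return t;
}

// Minimal PDF with the same cycle: Pages object 2 references itself in /Kids.
// No xref/startxref is written; both traces show xpdf reconstructing a
// damaged xref table and continuing, so the walk is still reached.
std::string cyclicPdf() {
    return "%PDF-1.4\n"
           "1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
           "2 0 obj << /Type /Pages /Kids [3 0 R 2 0 R] /Count 2 >> endobj\n"
           "3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
           "trailer << /Root 1 0 R >>\n"
           "%%EOF\n";
}

int main() {
    std::printf("well-formed: %d pages\n", countPages(wellFormedTree(), 2));
    std::printf("cyclic:      %d (rejected)\n", countPages(cyclicTree(), 2));
    std::printf("deep(100):   %d (rejected)\n", countPages(deepChain(100), 1));
    std::fputs(cyclicPdf().c_str(), stdout);  // redirect to a file to test pdftotext
    return 0;
}
```

The visited set here tracks every object reached, which also rejects the legal case of one Pages subtree shared under two parents; a walker that wants to permit sharing should remove the object number from the set on return so only the current path is checked, while keeping the depth bound, which by itself stops the recursion in both traces.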
