CVE-2020-18839: pdftohtml memory crash (#742) · Issues · poppler / poppler · GitLab
Buffer Overflow vulnerability in HtmlOutputDev::page in poppler 0.75.0 allows attackers to cause a denial of service.
~/fuzz/poppler/utils]$ ./pdftohtml ./in/poc -f 1 /dev/null *[master]
Syntax Error (738): Dictionary key must be a name object
Syntax Error (751): Dictionary key must be a name object
Syntax Error (758): Illegal character '>'
Syntax Error (763): Dictionary key must be a name object
Syntax Error (769): Dictionary key must be a name object
Syntax Error (798): Illegal character ')'
Syntax Error (798): Dictionary key must be a name object
Syntax Error (820): Dictionary key must be a name object
Syntax Error (820): Illegal character '{'
Syntax Error (820): Dictionary key must be a name object
Syntax Error (846): Dictionary key must be a name object
Syntax Error (846): Dictionary key must be a name object
Syntax Error (849): Dictionary key must be a name object
Syntax Error (849): Illegal character '{'
Syntax Error (849): Dictionary key must be a name object
Syntax Error (899): Dictionary key must be a name object
Syntax Error (899): Illegal character ')'
Syntax Error (899): Dictionary key must be a name object
Syntax Error (905): Dictionary key must be a name object
Syntax Error (905): Dictionary key must be a name object
Syntax Error (916): Dictionary key must be a name object
Syntax Error (926): Dictionary key must be a name object
Syntax Error (933): Dictionary key must be a name object
Syntax Error (935): Dictionary key must be a name object
Syntax Error (937): Dictionary key must be a name object
Syntax Error (941): Dictionary key must be a name object
Syntax Error (943): Dictionary key must be a name object
Syntax Error (950): Dictionary key must be a name object
I/O Error: Couldn't open html file '/dev/null.html'
I/O Error: Couldn't open html file '/dev/null_ind.html'
ASAN:SIGSEGV
=================================================================
==49519==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f849ee7c6f8 bp 0x611000009950 sp 0x7ffc717cbd00 T0)
#0 0x7f849ee7c6f7 in _IO_fwrite (/lib/x86_64-linux-gnu/libc.so.6+0x6e6f7)
#1 0x52d565 in HtmlOutputDev::~HtmlOutputDev() /home/greydog/fuzz/poppler/utils/HtmlOutputDev.cc:1221
#2 0x52d860 in HtmlOutputDev::~HtmlOutputDev() /home/greydog/fuzz/poppler/utils/HtmlOutputDev.cc:1227
#3 0x50543f in main /home/greydog/fuzz/poppler/utils/pdftohtml.cc:457
#4 0x7f849ee2e82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#5 0x508818 in _start (/home/greydog/fuzz/poppler/utils/pdftohtml+0x508818)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 _IO_fwrite
==49519==ABORTING
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x10
RCX: 0xbebebebebebebebe
RDX: 0x10
RSI: 0x1
RDI: 0xacd440 ("</body>\n</html>\n")
RBP: 0x611000009950 --> 0xbebebebebebebebe
RSP: 0x7fffffffd3d0 --> 0x60300001dce0 --> 0x606023800004 --> 0x0
RIP: 0x7ffff47d56f8 (<__GI__IO_fwrite+24>: mov eax,DWORD PTR [rcx])
R8 : 0x0
R9 : 0xc220000132a --> 0x0
R10: 0x62c
R11: 0x7ffff47d56e0 (<__GI__IO_fwrite>: push r14)
R12: 0x6110000098c0 --> 0xe3bf48 --> 0x52ce50 (<HtmlOutputDev::~HtmlOutputDev()>: lea rsp,[rsp-0x98])
R13: 0xc2200001329 --> 0x0
R14: 0x611000009948 --> 0x0
R15: 0x603000001120 --> 0x603000001130 ("./in/poc")
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x7ffff47d56eb <__GI__IO_fwrite+11>: imul rbx,rdx
0x7ffff47d56ef <__GI__IO_fwrite+15>: test rbx,rbx
0x7ffff47d56f2 <__GI__IO_fwrite+18>: je 0x7ffff47d57e8 <__GI__IO_fwrite+264>
=> 0x7ffff47d56f8 <__GI__IO_fwrite+24>: mov eax,DWORD PTR [rcx]
0x7ffff47d56fa <__GI__IO_fwrite+26>: mov r12,rdi
0x7ffff47d56fd <__GI__IO_fwrite+29>: mov r10,rsi
0x7ffff47d5700 <__GI__IO_fwrite+32>: mov r9,rcx
0x7ffff47d5703 <__GI__IO_fwrite+35>: and eax,0x8000
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffd3d0 --> 0x60300001dce0 --> 0x606023800004 --> 0x0
0008| 0x7fffffffd3d8 --> 0x611000009950 --> 0xbebebebebebebebe
0016| 0x7fffffffd3e0 --> 0x6110000098c0 --> 0xe3bf48 --> 0x52ce50 (<HtmlOutputDev::~HtmlOutputDev()>: lea rsp,[rsp-0x98])
0024| 0x7fffffffd3e8 --> 0xc2200001329 --> 0x0
0032| 0x7fffffffd3f0 --> 0x611000009948 --> 0x0
0040| 0x7fffffffd3f8 --> 0x52d566 (<HtmlOutputDev::~HtmlOutputDev()+1814>: mov rcx,rbp)
0048| 0x7fffffffd400 --> 0x60600000d488 --> 0xbebebebebebebebe
0056| 0x7fffffffd408 --> 0x60300001e730 --> 0x60300001e740 ("/dev/null")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
__GI__IO_fwrite (buf=buf@entry=0xacd440, size=size@entry=0x1, count=count@entry=0x10, fp=0xbebebebebebebebe)
at iofwrite.c:37
37 iofwrite.c: No such file or directory.
gdb-peda$ bt 10
#0 __GI__IO_fwrite (buf=buf@entry=0xacd440, size=size@entry=0x1, count=count@entry=0x10, fp=0xbebebebebebebebe)
at iofwrite.c:37
#1 0x000000000052d566 in HtmlOutputDev::~HtmlOutputDev (this=0x6110000098c0, __in_chrg=<optimized out>)
at /home/greydog/fuzz/poppler/utils/HtmlOutputDev.cc:1221
#2 0x000000000052d861 in HtmlOutputDev::~HtmlOutputDev (this=0x6110000098c0, __in_chrg=<optimized out>)
at /home/greydog/fuzz/poppler/utils/HtmlOutputDev.cc:1227
#3 0x0000000000505440 in main (argc=0x3, argc@entry=0x5, argv=argv@entry=0x7fffffffd7e8)
at /home/greydog/fuzz/poppler/utils/pdftohtml.cc:457
#4 0x00007ffff4787830 in __libc_start_main (main=0x503bf0 <main(int, char**)>, argc=0x5, argv=0x7fffffffd7e8,
init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffd7d8)
at ../csu/libc-start.c:291
#5 0x0000000000508819 in _start ()
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0xffffffffaa2 --> 0x0
RCX: 0x6110000098c0 --> 0xe3bf48 --> 0x52ce50 (<HtmlOutputDev::~HtmlOutputDev()>: lea rsp,[rsp-0x98])
RDX: 0xc2200001318 --> 0x0
RSI: 0xe3bf48 --> 0x52ce50 (<HtmlOutputDev::~HtmlOutputDev()>: lea rsp,[rsp-0x98])
RDI: 0x6110000098c0 --> 0xe3bf48 --> 0x52ce50 (<HtmlOutputDev::~HtmlOutputDev()>: lea rsp,[rsp-0x98])
RBP: 0x7fffffffd510 --> 0x41b58ab3
RSP: 0x7fffffffd458 --> 0x505440 (<main(int, char**)+6224>: mov DWORD PTR [rsp+0x18],0x0)
RIP: 0x52d820 (<HtmlOutputDev::~HtmlOutputDev()>: lea rsp,[rsp-0x98])
R8 : 0x1c77ea
R9 : 0x1c80b
R10: 0x6110000098c0 --> 0xe3bf48 --> 0x52ce50 (<HtmlOutputDev::~HtmlOutputDev()>: lea rsp,[rsp-0x98])
R11: 0x1c7856
R12: 0x60300001e730 --> 0x60300001e740 ("/dev/null")
R13: 0xef4140 --> 0x0
R14: 0x610000007d40 --> 0x603000001090 --> 0x6030000010a0 ("./in/poc")
R15: 0x603000001120 --> 0x603000001130 ("./in/poc")
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x52d810 <HtmlOutputDev::~HtmlOutputDev()+2496>: call 0x5007f0 <__stack_chk_fail@plt>
0x52d815 <HtmlOutputDev::~HtmlOutputDev()+2501>: call 0x501640 <__asan_report_load8@plt>
0x52d81a: nop WORD PTR [rax+rax*1+0x0]
=> 0x52d820 <HtmlOutputDev::~HtmlOutputDev()>: lea rsp,[rsp-0x98]
0x52d828 <HtmlOutputDev::~HtmlOutputDev()+8>: mov QWORD PTR [rsp],rdx
0x52d82c <HtmlOutputDev::~HtmlOutputDev()+12>: mov QWORD PTR [rsp+0x8],rcx
0x52d831 <HtmlOutputDev::~HtmlOutputDev()+17>: mov QWORD PTR [rsp+0x10],rax
0x52d836 <HtmlOutputDev::~HtmlOutputDev()+22>: mov rcx,0xee1
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffd458 --> 0x505440 (<main(int, char**)+6224>: mov DWORD PTR [rsp+0x18],0x0)
0008| 0x7fffffffd460 --> 0x7ffff53d5ac8 (<std::wcout+8>: 0x00007ffff53d0a10)
0016| 0x7fffffffd468 --> 0x7fffffffd6d0 --> 0x0
0024| 0x7fffffffd470 --> 0x7fffffffd510 --> 0x41b58ab3
0032| 0x7fffffffd478 --> 0x6110000098c0 --> 0xe3bf48 --> 0x52ce50 (<HtmlOutputDev::~HtmlOutputDev()>: lea rsp,[rsp-0x98])
0040| 0x7fffffffd480 --> 0xef3fc0 --> 0x0
0048| 0x7fffffffd488 --> 0x60300001e250 --> 0x60307a800001 --> 0x0
0056| 0x7fffffffd490 --> 0x60300001e1f0 --> 0x60607b800002 --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Breakpoint 1, HtmlOutputDev::~HtmlOutputDev (this=0x6110000098c0, __in_chrg=<optimized out>)
at /home/greydog/fuzz/poppler/utils/HtmlOutputDev.cc:1201
1201 HtmlOutputDev::~HtmlOutputDev() {
gdb-peda$ p page
$1 = (FILE *) 0xbebebebebebebebe
gdb-peda$ list
1196 delete htmlEncoding;
1197 }
1198 ok = true;
1199 }
1200
1201 HtmlOutputDev::~HtmlOutputDev() {
1202 delete Docname;
1203 delete docTitle;
1204
1205 for (auto entry : *glMetaVars) {