
CVE-2022-43071: Bug Report: pdftotext in Xpdf 4.04

A stack overflow in the Catalog::readPageLabelTree2(Object*) function of XPDF v4.04 allows attackers to cause a Denial of Service (DoS) via a crafted PDF file. The ASAN reports in the post below classify both crashes as "stack-overflow", which is stack exhaustion from unbounded recursion over a crafted /Kids tree (the page tree in Catalog::countPageTree, the /PageLabels number tree in Catalog::readPageLabelTree2), not a stack buffer overwrite: the practical impact is a crash of the process that parses the file.

yjgo (Posts: 1, Joined: Mon Oct 03, 2022 7:11 am)

Bug Report: pdftotext in Xpdf 4.04

Hello.
I am a security researcher and I tried to explore fuzzing.
During fuzzing, I found several crashes in the pdftotext in Xpdf 4.04.
The crashes were caused by Catalog::countPageTree() and Catalog::readPageLabelTree2(Object*) functions.

I used the following command to reproduce the crashes.

The following are the backtrace logs from ASAN.
Crash 1 in binary pdftotext (using Poc1)


Syntax Error: Couldn't read xref table
Syntax Warning: PDF file is damaged - attempting to reconstruct xref table...
Syntax Error (314): Dictionary key must be a name object
Syntax Error (316): Dictionary key must be a name object
Syntax Error (318): Dictionary key must be a name object
Syntax Error (321): Dictionary key must be a name object
Syntax Error (330): Dictionary key must be a name object
Syntax Error (332): Dictionary key must be a name object
Syntax Error (336): Dictionary key must be a name object
Syntax Error (339): Dictionary key must be a name object
Syntax Error (345): Dictionary key must be a name object
AddressSanitizer:DEADLYSIGNAL
=================================================================
==25385==ERROR: AddressSanitizer: stack-overflow on address 0x7ffe1258df68 (pc 0x0000004dfa32 bp 0x7ffe1258e7d0 sp 0x7ffe1258df70 T0)
    #0 0x4dfa32 in __asan_memcpy /home/yjgo/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22
    #1 0x743036 in Object::copy(Object*) /home/yjgo/server_fuzz/benchmark/xpdf-4.04/xpdf/Object.cc:81:8
    #2 0x7d2479 in XRef::fetch(int, int, Object*, int) /home/yjgo/server_fuzz/benchmark/xpdf-4.04/xpdf/XRef.cc:1199:18
    #3 0x5b11f0 in Object::arrayGet(int, Object*, int) /home/yjgo/server_fuzz/benchmark/xpdf-4.04/xpdf/Object.h:243:19
    #4 0x5b11f0 in Catalog::countPageTree(Object*) /home/yjgo/server_fuzz/benchmark/xpdf-4.04/xpdf/Catalog.cc:566:12
    #5 0x5b11fc in Catalog::countPageTree(Object*) /home/yjgo/server_fuzz/benchmark/xpdf-4.04/xpdf/Catalog.cc:567:12
    #6 0x5b11fc in Catalog::countPageTree(Object*) /home/yjgo/server_fuzz/benchmark/xpdf-4.04/xpdf/Catalog.cc:567:12
    #7 0x5b11fc in Catalog::countPageTree(Object*) /home/yjgo/server_fuzz/benchmark/xpdf-4.04/xpdf/Catalog.cc:567:12
    #8 0x5b11fc in Catalog::countPageTree(Object*) /home/yjgo/server_fuzz/benchmark/xpdf-4.04/xpdf/Catalog.cc:567:12
    #9 0x5b11fc in Catalog::countPageTree(Object*) /home/yjgo/server_fuzz/benchmark/xpdf-4.04/xpdf/Catalog.cc:567:12
    #10 0x5b11fc in Catalog::countPageTree(Object*) /home/yjgo/server_fuzz/benchmark/xpdf-4.04/xpdf/Catalog.cc:567:12
    #11 0x5b11fc in Catalog::countPageTree(Object*) /home/yjgo/server_fuzz/benchmark/xpdf-4.04/xpdf/Catalog.cc:567:12
    ---------------- repeat Catalog::countPageTree(Object*) /home/yjgo/server_fuzz/benchmark/xpdf-4.04/xpdf/Catalog.cc:567:12 ---------------
    SUMMARY: AddressSanitizer: stack-overflow /home/yjgo/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22 in __asan_memcpy
==25385==ABORTING

Crash 2 in binary pdftotext (using Poc2)


Syntax Error: Couldn't read xref table
Syntax Warning: PDF file is damaged - attempting to reconstruct xref table...
Syntax Error (5797): Dictionary key must be a name object
Syntax Error (5804): Dictionary key must be a name object
Syntax Error (6264): Illegal character ')'
Syntax Error (6282): Illegal character '>'
Syntax Error (8723): Missing 'endstream'
Syntax Error (582): Dictionary key must be a name object
Syntax Error (584): Dictionary key must be a name object
Syntax Error (592): Dictionary key must be a name object
Syntax Error (5117): Illegal character ')'
Syntax Error (5797): Dictionary key must be a name object
Syntax Error (5804): Dictionary key must be a name object
Syntax Error (8723): Missing 'endstream'
Syntax Error: End of file inside array
Syntax Error: End of file inside dictionary
Syntax Error (5011): Dictionary key must be a name object
Syntax Error (5013): Dictionary key must be a name object
Syntax Error (5017): Dictionary key must be a name object
Syntax Error (5020): Dictionary key must be a name object
Syntax Error (5026): Dictionary key must be a name object
Syntax Error (5117): Illegal character ')'
Syntax Error (5797): Dictionary key must be a name object
Syntax Error (5804): Dictionary key must be a name object
Syntax Error (8723): Missing 'endstream'
Syntax Error: End of file inside array
Syntax Error: End of file inside dictionary
Syntax Error (5117): Illegal character ')'
AddressSanitizer:DEADLYSIGNAL
=================================================================
==23564==ERROR: AddressSanitizer: stack-overflow on address 0x7fffde075f08 (pc 0x0000004dfa32 bp 0x7fffde076770 sp 0x7fffde075f10 T0)
    #0 0x4dfa32 in __asan_memcpy /home/yjgo/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22
    #1 0x7d25ed in XRef::fetch(int, int, Object*, int) /home/yjgo/server_fuzz/benchmark/xpdf-4.04/xpdf/XRef.cc:1207:11
    #2 0x5b5474 in Object::arrayGet(int, Object*, int) /home/yjgo/server_fuzz/benchmark/xpdf-4.04/xpdf/Object.h:243:19
    #3 0x5b5474 in Catalog::readPageLabelTree2(Object*) /home/yjgo/server_fuzz/benchmark/xpdf-4.04/xpdf/Catalog.cc:949:12
    #4 0x5b5480 in Catalog::readPageLabelTree2(Object*) /home/yjgo/server_fuzz/benchmark/xpdf-4.04/xpdf/Catalog.cc:950:7
    #5 0x5b5480 in Catalog::readPageLabelTree2(Object*) /home/yjgo/server_fuzz/benchmark/xpdf-4.04/xpdf/Catalog.cc:950:7
    #6 0x5b5480 in Catalog::readPageLabelTree2(Object*) /home/yjgo/server_fuzz/benchmark/xpdf-4.04/xpdf/Catalog.cc:950:7
    #7 0x5b5480 in Catalog::readPageLabelTree2(Object*) /home/yjgo/server_fuzz/benchmark/xpdf-4.04/xpdf/Catalog.cc:950:7
    #8 0x5b5480 in Catalog::readPageLabelTree2(Object*) /home/yjgo/server_fuzz/benchmark/xpdf-4.04/xpdf/Catalog.cc:950:7
    #9 0x5b5480 in Catalog::readPageLabelTree2(Object*) /home/yjgo/server_fuzz/benchmark/xpdf-4.04/xpdf/Catalog.cc:950:7
    #10 0x5b5480 in Catalog::readPageLabelTree2(Object*) /home/yjgo/server_fuzz/benchmark/xpdf-4.04/xpdf/Catalog.cc:950:7
    #11 0x5b5480 in Catalog::readPageLabelTree2(Object*) /home/yjgo/server_fuzz/benchmark/xpdf-4.04/xpdf/Catalog.cc:950:7
    #12 0x5b5480 in Catalog::readPageLabelTree2(Object*) /home/yjgo/server_fuzz/benchmark/xpdf-4.04/xpdf/Catalog.cc:950:7
    #13 0x5b5480 in Catalog::readPageLabelTree2(Object*) /home/yjgo/server_fuzz/benchmark/xpdf-4.04/xpdf/Catalog.cc:950:7
    #14 0x5b5480 in Catalog::readPageLabelTree2(Object*) /home/yjgo/server_fuzz/benchmark/xpdf-4.04/xpdf/Catalog.cc:950:7
    #15 0x5b5480 in Catalog::readPageLabelTree2(Object*) /home/yjgo/server_fuzz/benchmark/xpdf-4.04/xpdf/Catalog.cc:950:7
    ------------- repeat Catalog::readPageLabelTree2(Object*) /home/yjgo/server_fuzz/benchmark/xpdf-4.04/xpdf/Catalog.cc:950:7 -------------------------
    SUMMARY: AddressSanitizer: stack-overflow /home/yjgo/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22 in __asan_memcpy
==23564==ABORTING

Please check it out.
Thank you

Sincerely,
yjgo.

Attachments: Poc.zip (14.04 KiB)
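Both backtraces show the same shape: a tree walker (countPageTree over /Kids, readPageLabelTree2 over the /PageLabels number tree) calls itself once per child with no depth bound and no check that a child reference does not lead back to an ancestor, so a crafted file makes it recurse until the stack guard page is hit. The following is an added example in C, written for this page and not Xpdf's own code, that models that recursion on a constructed in-memory tree and puts the unbounded walker beside a guarded one. The Doc/Node model, the builder helpers and the MAX_DEPTH value are assumptions for the illustration; Xpdf's real fix in later versions may use different limits.

```c
#include <stdio.h>
#include <string.h>

#define MAX_NODES 256
#define MAX_KIDS  4
#define MAX_DEPTH 64   /* assumed bound chosen for this example, not Xpdf's value */

/* Constructed toy model of a PDF /Pages (or /PageLabels number) tree.
 * Kids hold indices into Doc.nodes, standing in for "n 0 R" indirect
 * references; a crafted file can make such a reference point back at an
 * ancestor, or nest nodes far deeper than any real document needs. */
typedef struct {
    int is_page;           /* 1 = leaf, 0 = intermediate node with /Kids */
    int nkids;
    int kids[MAX_KIDS];
} Node;

typedef struct {
    Node nodes[MAX_NODES];
    int n;
} Doc;

int doc_add_page(Doc *d) {
    memset(&d->nodes[d->n], 0, sizeof(Node));
    d->nodes[d->n].is_page = 1;
    return d->n++;
}

int doc_add_node(Doc *d, int nkids, const int *kids) {
    Node *nd = &d->nodes[d->n];
    memset(nd, 0, sizeof *nd);
    nd->nkids = nkids;
    memcpy(nd->kids, kids, (size_t)nkids * sizeof kids[0]);
    return d->n++;
}

/* Before: the recursion shape seen in the backtraces above. No depth
 * bound and no cycle check, so a /Kids entry that references an ancestor
 * recurses until the stack is exhausted (ASAN's "stack-overflow").
 * Only safe on input already known to be a finite tree. */
int count_pages_unbounded(const Doc *d, int idx) {
    const Node *nd = &d->nodes[idx];
    if (nd->is_page) return 1;
    int total = 0;
    for (int i = 0; i < nd->nkids; i++)
        total += count_pages_unbounded(d, nd->kids[i]);
    return total;
}

/* After: reject dangling references, any node already on the current
 * path (a cycle) and nesting deeper than MAX_DEPTH. Returns -1 so the
 * caller can treat the document as malformed instead of crashing. */
static int count_rec(const Doc *d, int idx, int depth, unsigned char *on_path) {
    if (idx < 0 || idx >= d->n) return -1;   /* dangling reference */
    if (depth > MAX_DEPTH) return -1;        /* hostile nesting depth */
    if (on_path[idx]) return -1;             /* cycle back to an ancestor */
    const Node *nd = &d->nodes[idx];
    if (nd->is_page) return 1;
    on_path[idx] = 1;
    int total = 0;
    for (int i = 0; i < nd->nkids; i++) {
        int sub = count_rec(d, nd->kids[i], depth + 1, on_path);
        if (sub < 0) return -1;
        total += sub;
    }
    on_path[idx] = 0;
    return total;
}

int count_pages_guarded(const Doc *d, int root) {
    unsigned char on_path[MAX_NODES] = {0};
    return count_rec(d, root, 0, on_path);
}

/* Scenario builders over constructed input. */
int build_chain(Doc *d, int levels) {   /* root -> ... -> page, `levels` deep */
    int cur = doc_add_page(d);
    for (int i = 0; i < levels; i++) {
        int kids[1] = { cur };
        cur = doc_add_node(d, 1, kids);
    }
    return cur;
}

int demo_well_formed(void) {            /* root -> [page, inner -> [page, page]] */
    Doc d = {0};
    int p1 = doc_add_page(&d), p2 = doc_add_page(&d), p3 = doc_add_page(&d);
    int inner_kids[2] = { p2, p3 };
    int inner = doc_add_node(&d, 2, inner_kids);
    int root_kids[2] = { p1, inner };
    return count_pages_guarded(&d, doc_add_node(&d, 2, root_kids));
}

int demo_cyclic(void) {                 /* first node is index 0: /Kids [0 0 R] */
    Doc d = {0};
    int self_kids[1] = { 0 };
    return count_pages_guarded(&d, doc_add_node(&d, 1, self_kids));
}

int demo_chain(int levels, int guarded) {
    Doc d = {0};
    int root = build_chain(&d, levels);
    return guarded ? count_pages_guarded(&d, root) : count_pages_unbounded(&d, root);
}

int main(void) {
    printf("well-formed tree: %d\n", demo_well_formed());   /* 3 */
    printf("self-referencing node: %d\n", demo_cyclic());   /* -1 */
    printf("chain of 10: %d\n", demo_chain(10, 1));         /* 1 */
    printf("chain of 100: %d\n", demo_chain(100, 1));       /* -1, beyond MAX_DEPTH */
    return 0;
}
```

The guarded walker marks nodes on the current path rather than keeping a global visited set, so it rejects exactly the input that makes the unbounded version recurse forever (a reference to an ancestor) while still tolerating a node reached twice through different branches; the depth cap handles the other way to exhaust the stack, a legitimately acyclic but absurdly deep chain. The cyclic case is deliberately never passed to count_pages_unbounded, since doing so would reproduce the crash.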

Related news

Gentoo Linux Security Advisory 202409-25

Gentoo Linux Security Advisory 202409-25 - Multiple vulnerabilities have been found in Xpdf, the worst of which could result in denial of service. Versions prior to 4.05 are affected; the advisory resolves them by upgrading to 4.05 or later.
