Headline
CVE-2022-43071: Bug Report: pdftotext in Xpdf 4.04
A stack overflow in the Catalog::readPageLabelTree2(Object*) function of XPDF v4.04 allows attackers to cause a Denial of Service (DoS) via a crafted PDF file.
yjgo
Posts: 1
Joined: Mon Oct 03, 2022 7:11 am
Bug Report: pdftotext in Xpdf 4.04
Hello.
I am a security researcher and I tried to explore fuzzing.
During fuzzing, I found several crashes in the pdftotext in Xpdf 4.04.
The crashes were caused by Catalog::countPageTree() and Catalog::readPageLabelTree2(Object*) functions.
I used the following command to reproduce the crashes.
The following is backtrace log by ASAN.
Crash 1 in binary pdtotext (using Poc1)
Code: Select all
Syntax Error: Couldn't read xref table
Syntax Warning: PDF file is damaged - attempting to reconstruct xref table...
Syntax Error (314): Dictionary key must be a name object
Syntax Error (316): Dictionary key must be a name object
Syntax Error (318): Dictionary key must be a name object
Syntax Error (321): Dictionary key must be a name object
Syntax Error (330): Dictionary key must be a name object
Syntax Error (332): Dictionary key must be a name object
Syntax Error (336): Dictionary key must be a name object
Syntax Error (339): Dictionary key must be a name object
Syntax Error (345): Dictionary key must be a name object
AddressSanitizer:DEADLYSIGNAL
=================================================================
==25385==ERROR: AddressSanitizer: stack-overflow on address 0x7ffe1258df68 (pc 0x0000004dfa32 bp 0x7ffe1258e7d0 sp 0x7ffe1258df70 T0)
#0 0x4dfa32 in __asan_memcpy /home/yjgo/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22
#1 0x743036 in Object::copy(Object*) /home/yjgo/server_fuzz/benchmark/xpdf-4.04/xpdf/Object.cc:81:8
#2 0x7d2479 in XRef::fetch(int, int, Object*, int) /home/yjgo/server_fuzz/benchmark/xpdf-4.04/xpdf/XRef.cc:1199:18
#3 0x5b11f0 in Object::arrayGet(int, Object*, int) /home/yjgo/server_fuzz/benchmark/xpdf-4.04/xpdf/Object.h:243:19
#4 0x5b11f0 in Catalog::countPageTree(Object*) /home/yjgo/server_fuzz/benchmark/xpdf-4.04/xpdf/Catalog.cc:566:12
#5 0x5b11fc in Catalog::countPageTree(Object*) /home/yjgo/server_fuzz/benchmark/xpdf-4.04/xpdf/Catalog.cc:567:12
#6 0x5b11fc in Catalog::countPageTree(Object*) /home/yjgo/server_fuzz/benchmark/xpdf-4.04/xpdf/Catalog.cc:567:12
#7 0x5b11fc in Catalog::countPageTree(Object*) /home/yjgo/server_fuzz/benchmark/xpdf-4.04/xpdf/Catalog.cc:567:12
#8 0x5b11fc in Catalog::countPageTree(Object*) /home/yjgo/server_fuzz/benchmark/xpdf-4.04/xpdf/Catalog.cc:567:12
#9 0x5b11fc in Catalog::countPageTree(Object*) /home/yjgo/server_fuzz/benchmark/xpdf-4.04/xpdf/Catalog.cc:567:12
#10 0x5b11fc in Catalog::countPageTree(Object*) /home/yjgo/server_fuzz/benchmark/xpdf-4.04/xpdf/Catalog.cc:567:12
#11 0x5b11fc in Catalog::countPageTree(Object*) /home/yjgo/server_fuzz/benchmark/xpdf-4.04/xpdf/Catalog.cc:567:12
---------------- repeat Catalog::countPageTree(Object*) /home/yjgo/server_fuzz/benchmark/xpdf-4.04/xpdf/Catalog.cc:567:12 ---------------
SUMMARY: AddressSanitizer: stack-overflow /home/yjgo/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22 in __asan_memcpy
==25385==ABORTING
Crash 2 in binary pdftotext (using Poc2)
Code: Select all
Syntax Error: Couldn't read xref table
Syntax Warning: PDF file is damaged - attempting to reconstruct xref table...
Syntax Error (5797): Dictionary key must be a name object
Syntax Error (5804): Dictionary key must be a name object
Syntax Error (6264): Illegal character ')'
Syntax Error (6282): Illegal character '>'
Syntax Error (8723): Missing 'endstream'
Syntax Error (582): Dictionary key must be a name object
Syntax Error (584): Dictionary key must be a name object
Syntax Error (592): Dictionary key must be a name object
Syntax Error (5117): Illegal character ')'
Syntax Error (5797): Dictionary key must be a name object
Syntax Error (5804): Dictionary key must be a name object
Syntax Error (8723): Missing 'endstream'
Syntax Error: End of file inside array
Syntax Error: End of file inside dictionary
Syntax Error (5011): Dictionary key must be a name object
Syntax Error (5013): Dictionary key must be a name object
Syntax Error (5017): Dictionary key must be a name object
Syntax Error (5020): Dictionary key must be a name object
Syntax Error (5026): Dictionary key must be a name object
Syntax Error (5117): Illegal character ')'
Syntax Error (5797): Dictionary key must be a name object
Syntax Error (5804): Dictionary key must be a name object
Syntax Error (8723): Missing 'endstream'
Syntax Error: End of file inside array
Syntax Error: End of file inside dictionary
Syntax Error (5117): Illegal character ')'
AddressSanitizer:DEADLYSIGNAL
=================================================================
==23564==ERROR: AddressSanitizer: stack-overflow on address 0x7fffde075f08 (pc 0x0000004dfa32 bp 0x7fffde076770 sp 0x7fffde075f10 T0)
#0 0x4dfa32 in __asan_memcpy /home/yjgo/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22
#1 0x7d25ed in XRef::fetch(int, int, Object*, int) /home/yjgo/server_fuzz/benchmark/xpdf-4.04/xpdf/XRef.cc:1207:11
#2 0x5b5474 in Object::arrayGet(int, Object*, int) /home/yjgo/server_fuzz/benchmark/xpdf-4.04/xpdf/Object.h:243:19
#3 0x5b5474 in Catalog::readPageLabelTree2(Object*) /home/yjgo/server_fuzz/benchmark/xpdf-4.04/xpdf/Catalog.cc:949:12
#4 0x5b5480 in Catalog::readPageLabelTree2(Object*) /home/yjgo/server_fuzz/benchmark/xpdf-4.04/xpdf/Catalog.cc:950:7
#5 0x5b5480 in Catalog::readPageLabelTree2(Object*) /home/yjgo/server_fuzz/benchmark/xpdf-4.04/xpdf/Catalog.cc:950:7
#6 0x5b5480 in Catalog::readPageLabelTree2(Object*) /home/yjgo/server_fuzz/benchmark/xpdf-4.04/xpdf/Catalog.cc:950:7
#7 0x5b5480 in Catalog::readPageLabelTree2(Object*) /home/yjgo/server_fuzz/benchmark/xpdf-4.04/xpdf/Catalog.cc:950:7
#8 0x5b5480 in Catalog::readPageLabelTree2(Object*) /home/yjgo/server_fuzz/benchmark/xpdf-4.04/xpdf/Catalog.cc:950:7
#9 0x5b5480 in Catalog::readPageLabelTree2(Object*) /home/yjgo/server_fuzz/benchmark/xpdf-4.04/xpdf/Catalog.cc:950:7
#10 0x5b5480 in Catalog::readPageLabelTree2(Object*) /home/yjgo/server_fuzz/benchmark/xpdf-4.04/xpdf/Catalog.cc:950:7
#11 0x5b5480 in Catalog::readPageLabelTree2(Object*) /home/yjgo/server_fuzz/benchmark/xpdf-4.04/xpdf/Catalog.cc:950:7
#12 0x5b5480 in Catalog::readPageLabelTree2(Object*) /home/yjgo/server_fuzz/benchmark/xpdf-4.04/xpdf/Catalog.cc:950:7
#13 0x5b5480 in Catalog::readPageLabelTree2(Object*) /home/yjgo/server_fuzz/benchmark/xpdf-4.04/xpdf/Catalog.cc:950:7
#14 0x5b5480 in Catalog::readPageLabelTree2(Object*) /home/yjgo/server_fuzz/benchmark/xpdf-4.04/xpdf/Catalog.cc:950:7
#15 0x5b5480 in Catalog::readPageLabelTree2(Object*) /home/yjgo/server_fuzz/benchmark/xpdf-4.04/xpdf/Catalog.cc:950:7
------------- repeat Catalog::readPageLabelTree2(Object*) /home/yjgo/server_fuzz/benchmark/xpdf-4.04/xpdf/Catalog.cc:950:7 -------------------------
SUMMARY: AddressSanitizer: stack-overflow /home/yjgo/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22 in __asan_memcpy
==23564==ABORTING
Please check it out.
Thank you
Sincerely,
yjgo.
Attachments
Poc.zip
(14.04 KiB) Downloaded 12 times
Related news
Gentoo Linux Security Advisory 202409-25
Gentoo Linux Security Advisory 202409-25 - Multiple vulnerabilities have been found in Xpdf, the worst of which could result in denial of service. Versions greater than or equal to 4.05 are affected.