Headline

CVE-2022-43071: Bug Report: pdftotext in Xpdf 4.04

A stack overflow in the Catalog::readPageLabelTree2(Object*) function of XPDF v4.04 allows attackers to cause a Denial of Service (DoS) via a crafted PDF file.

2 years ago

CVE

Open in Source

#dos #pdf

yjgo

Posts: 1

Joined: Mon Oct 03, 2022 7:11 am

Bug Report: pdftotext in Xpdf 4.04

Hello.
I am a security researcher and I tried to explore fuzzing.
During fuzzing, I found several crashes in the pdftotext in Xpdf 4.04.
The crashes were caused by Catalog::countPageTree() and Catalog::readPageLabelTree2(Object*) functions.

I used the following command to reproduce the crashes.

The following is backtrace log by ASAN.
Crash 1 in binary pdtotext (using Poc1)

Code: Select all

Syntax Error: Couldn't read xref table
Syntax Warning: PDF file is damaged - attempting to reconstruct xref table...
Syntax Error (314): Dictionary key must be a name object
Syntax Error (316): Dictionary key must be a name object
Syntax Error (318): Dictionary key must be a name object
Syntax Error (321): Dictionary key must be a name object
Syntax Error (330): Dictionary key must be a name object
Syntax Error (332): Dictionary key must be a name object
Syntax Error (336): Dictionary key must be a name object
Syntax Error (339): Dictionary key must be a name object
Syntax Error (345): Dictionary key must be a name object
AddressSanitizer:DEADLYSIGNAL
=================================================================
==25385==ERROR: AddressSanitizer: stack-overflow on address 0x7ffe1258df68 (pc 0x0000004dfa32 bp 0x7ffe1258e7d0 sp 0x7ffe1258df70 T0)
    #0 0x4dfa32 in __asan_memcpy /home/yjgo/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22
    #1 0x743036 in Object::copy(Object*) /home/yjgo/server_fuzz/benchmark/xpdf-4.04/xpdf/Object.cc:81:8
    #2 0x7d2479 in XRef::fetch(int, int, Object*, int) /home/yjgo/server_fuzz/benchmark/xpdf-4.04/xpdf/XRef.cc:1199:18
    #3 0x5b11f0 in Object::arrayGet(int, Object*, int) /home/yjgo/server_fuzz/benchmark/xpdf-4.04/xpdf/Object.h:243:19
    #4 0x5b11f0 in Catalog::countPageTree(Object*) /home/yjgo/server_fuzz/benchmark/xpdf-4.04/xpdf/Catalog.cc:566:12
    #5 0x5b11fc in Catalog::countPageTree(Object*) /home/yjgo/server_fuzz/benchmark/xpdf-4.04/xpdf/Catalog.cc:567:12
    #6 0x5b11fc in Catalog::countPageTree(Object*) /home/yjgo/server_fuzz/benchmark/xpdf-4.04/xpdf/Catalog.cc:567:12
    #7 0x5b11fc in Catalog::countPageTree(Object*) /home/yjgo/server_fuzz/benchmark/xpdf-4.04/xpdf/Catalog.cc:567:12
    #8 0x5b11fc in Catalog::countPageTree(Object*) /home/yjgo/server_fuzz/benchmark/xpdf-4.04/xpdf/Catalog.cc:567:12
    #9 0x5b11fc in Catalog::countPageTree(Object*) /home/yjgo/server_fuzz/benchmark/xpdf-4.04/xpdf/Catalog.cc:567:12
    #10 0x5b11fc in Catalog::countPageTree(Object*) /home/yjgo/server_fuzz/benchmark/xpdf-4.04/xpdf/Catalog.cc:567:12
    #11 0x5b11fc in Catalog::countPageTree(Object*) /home/yjgo/server_fuzz/benchmark/xpdf-4.04/xpdf/Catalog.cc:567:12
    ---------------- repeat Catalog::countPageTree(Object*) /home/yjgo/server_fuzz/benchmark/xpdf-4.04/xpdf/Catalog.cc:567:12 ---------------
    SUMMARY: AddressSanitizer: stack-overflow /home/yjgo/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22 in __asan_memcpy
==25385==ABORTING

Crash 2 in binary pdftotext (using Poc2)

Code: Select all

Syntax Error: Couldn't read xref table
Syntax Warning: PDF file is damaged - attempting to reconstruct xref table...
Syntax Error (5797): Dictionary key must be a name object
Syntax Error (5804): Dictionary key must be a name object
Syntax Error (6264): Illegal character ')'
Syntax Error (6282): Illegal character '>'
Syntax Error (8723): Missing 'endstream'
Syntax Error (582): Dictionary key must be a name object
Syntax Error (584): Dictionary key must be a name object
Syntax Error (592): Dictionary key must be a name object
Syntax Error (5117): Illegal character ')'
Syntax Error (5797): Dictionary key must be a name object
Syntax Error (5804): Dictionary key must be a name object
Syntax Error (8723): Missing 'endstream'
Syntax Error: End of file inside array
Syntax Error: End of file inside dictionary
Syntax Error (5011): Dictionary key must be a name object
Syntax Error (5013): Dictionary key must be a name object
Syntax Error (5017): Dictionary key must be a name object
Syntax Error (5020): Dictionary key must be a name object
Syntax Error (5026): Dictionary key must be a name object
Syntax Error (5117): Illegal character ')'
Syntax Error (5797): Dictionary key must be a name object
Syntax Error (5804): Dictionary key must be a name object
Syntax Error (8723): Missing 'endstream'
Syntax Error: End of file inside array
Syntax Error: End of file inside dictionary
Syntax Error (5117): Illegal character ')'
AddressSanitizer:DEADLYSIGNAL
=================================================================
==23564==ERROR: AddressSanitizer: stack-overflow on address 0x7fffde075f08 (pc 0x0000004dfa32 bp 0x7fffde076770 sp 0x7fffde075f10 T0)
    #0 0x4dfa32 in __asan_memcpy /home/yjgo/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22
    #1 0x7d25ed in XRef::fetch(int, int, Object*, int) /home/yjgo/server_fuzz/benchmark/xpdf-4.04/xpdf/XRef.cc:1207:11
    #2 0x5b5474 in Object::arrayGet(int, Object*, int) /home/yjgo/server_fuzz/benchmark/xpdf-4.04/xpdf/Object.h:243:19
    #3 0x5b5474 in Catalog::readPageLabelTree2(Object*) /home/yjgo/server_fuzz/benchmark/xpdf-4.04/xpdf/Catalog.cc:949:12
    #4 0x5b5480 in Catalog::readPageLabelTree2(Object*) /home/yjgo/server_fuzz/benchmark/xpdf-4.04/xpdf/Catalog.cc:950:7
    #5 0x5b5480 in Catalog::readPageLabelTree2(Object*) /home/yjgo/server_fuzz/benchmark/xpdf-4.04/xpdf/Catalog.cc:950:7
    #6 0x5b5480 in Catalog::readPageLabelTree2(Object*) /home/yjgo/server_fuzz/benchmark/xpdf-4.04/xpdf/Catalog.cc:950:7
    #7 0x5b5480 in Catalog::readPageLabelTree2(Object*) /home/yjgo/server_fuzz/benchmark/xpdf-4.04/xpdf/Catalog.cc:950:7
    #8 0x5b5480 in Catalog::readPageLabelTree2(Object*) /home/yjgo/server_fuzz/benchmark/xpdf-4.04/xpdf/Catalog.cc:950:7
    #9 0x5b5480 in Catalog::readPageLabelTree2(Object*) /home/yjgo/server_fuzz/benchmark/xpdf-4.04/xpdf/Catalog.cc:950:7
    #10 0x5b5480 in Catalog::readPageLabelTree2(Object*) /home/yjgo/server_fuzz/benchmark/xpdf-4.04/xpdf/Catalog.cc:950:7
    #11 0x5b5480 in Catalog::readPageLabelTree2(Object*) /home/yjgo/server_fuzz/benchmark/xpdf-4.04/xpdf/Catalog.cc:950:7
    #12 0x5b5480 in Catalog::readPageLabelTree2(Object*) /home/yjgo/server_fuzz/benchmark/xpdf-4.04/xpdf/Catalog.cc:950:7
    #13 0x5b5480 in Catalog::readPageLabelTree2(Object*) /home/yjgo/server_fuzz/benchmark/xpdf-4.04/xpdf/Catalog.cc:950:7
    #14 0x5b5480 in Catalog::readPageLabelTree2(Object*) /home/yjgo/server_fuzz/benchmark/xpdf-4.04/xpdf/Catalog.cc:950:7
    #15 0x5b5480 in Catalog::readPageLabelTree2(Object*) /home/yjgo/server_fuzz/benchmark/xpdf-4.04/xpdf/Catalog.cc:950:7
    ------------- repeat Catalog::readPageLabelTree2(Object*) /home/yjgo/server_fuzz/benchmark/xpdf-4.04/xpdf/Catalog.cc:950:7 -------------------------
    SUMMARY: AddressSanitizer: stack-overflow /home/yjgo/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22 in __asan_memcpy
==23564==ABORTING

Please check it out.
Thank you

Sincerely,
yjgo.

Attachments

Poc.zip

(14.04 KiB) Downloaded 12 times

Gentoo Linux Security Advisory 202409-25 - Multiple vulnerabilities have been found in Xpdf, the worst of which could result in denial of service. Versions greater than or equal to 4.05 are affected.

5 months ago

Packet Storm

Open in Source

#vulnerability #web #mac #linux #dos #pdf