Headline
CVE-2018-18897: memory leak at GfxState.cc:245 (#654) · Issues · poppler / poppler · GitLab
An issue was discovered in Poppler 0.71.0. There is a memory leak in GfxColorSpace::setDisplayProfile in GfxState.cc, as demonstrated by pdftocairo.
version
The latest stable release, poppler-0.71.0.tar.xz, released on Oct 31, 2018.
others
This bug was reported by pwd@360TeamSeri0us; please send an email to [email protected] if you have any questions.
Test Target
debug info
```
In file: ~/poppler-0.71.0/poppler/GfxState.cc
 242                  INTENT_RELATIVE_COLORIMETRIC,LCMS_FLAGS)) == nullptr) {
 243       error(errSyntaxWarning, -1, "Can't create Lab transform");
 244     } else {
 245       XYZ2DisplayTransform = new GfxColorTransform(transform, INTENT_RELATIVE_COLORIMETRIC, PT_XYZ, displayPixelType);
 246     }
►247     cmsCloseProfile(XYZProfile);
 248   }
 249 }
 250
 251 void GfxColorSpace::setDisplayProfileName(GooString *name) {
 252   displayProfileName = name->copy();
───────────────────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────────────
► f 0     7ffff6dd1937 GfxColorSpace::setDisplayProfile(void*)+2119
  f 1           52838e main+16110
  f 2     7ffff52d6b97 __libc_start_main+231
pwndbg> p XYZ2DisplayTransform
$6 = (GfxColorTransform *) 0x60300000e470
// ...
// ...
// Before binary exit,
In file: ~/poppler-0.71.0/utils/pdftocairo.cc
 1281   cmsCloseProfile(profile);
 1282   if (icc_data)
 1283     gfree(icc_data);
 1284 #endif
 1285
►1286   return 0;
 1287 }
Breakpoint pdftocairo.cc:1286
pwndbg> p 0x60300000e470
$7 = 105759274755184
pwndbg> p XYZ2DisplayTransform
$8 = (GfxColorTransform *) 0x603000011740
```
ASAN report
```
=================================================================
==35865==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 512 byte(s) in 2 object(s) allocated from:
    #0 0x4e5690 in __interceptor_malloc /home/pwd/llvm_dev/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88
    #1 0x7f928fe128ed (/usr/lib/x86_64-linux-gnu/libfontconfig.so.1+0x1d8ed)

Direct leak of 24 byte(s) in 1 object(s) allocated from:
    #0 0x51dc40 in operator new(unsigned long) /home/pwd/llvm_dev/llvm/projects/compiler-rt/lib/asan/asan_new_delete.cc:92
    #1 0x7f9291dfb863 in GfxColorSpace::setDisplayProfile(void*) /home/pwd/fuzz/fuzz-poppler/poppler-0.71.0/poppler/GfxState.cc:245:30
    #2 0x7f9290300b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

Indirect leak of 25384 byte(s) in 21 object(s) allocated from:
    #0 0x4e5690 in __interceptor_malloc /home/pwd/llvm_dev/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88
    #1 0x7f929164b177 (/usr/lib/x86_64-linux-gnu/liblcms2.so.2+0xc177)

Indirect leak of 408 byte(s) in 3 object(s) allocated from:
    #0 0x4e5690 in __interceptor_malloc /home/pwd/llvm_dev/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88
    #1 0x7f929164b177 (/usr/lib/x86_64-linux-gnu/liblcms2.so.2+0xc177)
    #2 0x100000000fff (<unknown module>)

Indirect leak of 264 byte(s) in 1 object(s) allocated from:
    #0 0x4e5690 in __interceptor_malloc /home/pwd/llvm_dev/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88
    #1 0x7f929164b177 (/usr/lib/x86_64-linux-gnu/liblcms2.so.2+0xc177)
    #2 0x40018 (<unknown module>)

Indirect leak of 224 byte(s) in 7 object(s) allocated from:
    #0 0x4e58b8 in calloc /home/pwd/llvm_dev/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:97
    #1 0x7f928fe12fd8 (/usr/lib/x86_64-linux-gnu/libfontconfig.so.1+0x1dfd8)

Indirect leak of 98 byte(s) in 6 object(s) allocated from:
    #0 0x441eb0 in __interceptor_strdup /home/pwd/llvm_dev/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:407
    #1 0x7f928fe122f4 in FcValueSave (/usr/lib/x86_64-linux-gnu/libfontconfig.so.1+0x1d2f4)

Indirect leak of 72 byte(s) in 1 object(s) allocated from:
    #0 0x4e5690 in __interceptor_malloc /home/pwd/llvm_dev/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88
    #1 0x7f929164b139 (/usr/lib/x86_64-linux-gnu/liblcms2.so.2+0xc139)

SUMMARY: AddressSanitizer: 26986 byte(s) leaked in 42 allocation(s).
```
poc.tar.gz
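An added example, written for this page and not code from Poppler or from the reporter: a stand-alone C++ reduction of the pattern at GfxState.cc:245. The debugger output above shows the static XYZ2DisplayTransform holding one object (0x60300000e470) when the breakpoint at line 247 first fired and a different one (0x603000011740) at exit, so setDisplayProfile installed a second GfxColorTransform without releasing the first; that first object is the 24-byte direct leak LeakSanitizer attributes to line 245. The names FakeCmsTransform, FakeColorTransform, LeakyColorSpace, FixedColorSpace and leakedAfterCalls are stand-ins invented here, the fake profile buffer is a constructed placeholder, and the hardened variant shows one possible fix, not necessarily the change Poppler shipped.

```cpp
#include <cstdio>

// Stand-in for the lcms2 transform handle (cmsHTRANSFORM) that the real
// GfxColorTransform owns and tears down in its destructor.
struct FakeCmsTransform {
    int intent;
};

// Stand-in for GfxColorTransform. A live-instance counter makes the leak
// observable without a sanitizer.
struct FakeColorTransform {
    static int live;
    FakeCmsTransform *transform;
    explicit FakeColorTransform(FakeCmsTransform *t) : transform(t) { ++live; }
    ~FakeColorTransform() { delete transform; --live; }
    FakeColorTransform(const FakeColorTransform &) = delete;
    FakeColorTransform &operator=(const FakeColorTransform &) = delete;
};
int FakeColorTransform::live = 0;

// Leaky variant, mirroring the control flow of GfxColorSpace::setDisplayProfile
// in 0.71.0: a null profile returns early, otherwise a new wrapper is stored in
// the static pointer regardless of what it already held.
struct LeakyColorSpace {
    static FakeColorTransform *XYZ2DisplayTransform;
    static void setDisplayProfile(const void *displayProfile) {
        if (displayProfile == nullptr) return;
        FakeCmsTransform *transform = new FakeCmsTransform{1};
        // Bug: the object previously stored here is orphaned.
        XYZ2DisplayTransform = new FakeColorTransform(transform);
    }
};
FakeColorTransform *LeakyColorSpace::XYZ2DisplayTransform = nullptr;

// Hardened variant (assumed fix, not Poppler's): release whatever the static
// pointer holds before deciding whether to install a replacement, so the
// pointer always reflects the current profile, including "no profile".
struct FixedColorSpace {
    static FakeColorTransform *XYZ2DisplayTransform;
    static void setDisplayProfile(const void *displayProfile) {
        delete XYZ2DisplayTransform;
        XYZ2DisplayTransform = nullptr;
        if (displayProfile == nullptr) return;
        FakeCmsTransform *transform = new FakeCmsTransform{1};
        XYZ2DisplayTransform = new FakeColorTransform(transform);
    }
};
FakeColorTransform *FixedColorSpace::XYZ2DisplayTransform = nullptr;

// Drives one variant with `calls` successive non-null profiles, then releases
// the single object still reachable through the static pointer (what an orderly
// shutdown can do). Returns how many wrappers are alive but unreachable, which is
// the count LeakSanitizer would list as direct leaks from this site.
int leakedAfterCalls(int calls, bool hardened) {
    // Constructed placeholder standing in for a cmsHPROFILE; only its address matters.
    static const char fakeProfile[] = "constructed stand-in for a cmsHPROFILE";
    int before = FakeColorTransform::live;
    for (int i = 0; i < calls; ++i) {
        if (hardened) FixedColorSpace::setDisplayProfile(fakeProfile);
        else          LeakyColorSpace::setDisplayProfile(fakeProfile);
    }
    if (hardened) {
        FixedColorSpace::setDisplayProfile(nullptr);
    } else {
        delete LeakyColorSpace::XYZ2DisplayTransform;
        LeakyColorSpace::XYZ2DisplayTransform = nullptr;
    }
    return FakeColorTransform::live - before;
}

int main() {
    std::printf("leaky,    2 calls: %d unreachable object(s)\n", leakedAfterCalls(2, false));
    std::printf("hardened, 2 calls: %d unreachable object(s)\n", leakedAfterCalls(2, true));
    return 0;
}
```

Built with `g++ -fsanitize=address`, the leaky variant makes LeakSanitizer report the orphaned FakeColorTransform as a direct leak and its FakeCmsTransform as an indirect leak, the same split the report above shows between the GfxColorTransform allocated at line 245 and the liblcms2 allocations reachable only through it; the libfontconfig entries in that report are a separate leak and not part of this finding. In Poppler, GfxColorTransform carries a reference count, so a fix there should release the previous object through that mechanism rather than the bare delete used in the stand-in.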