Reachable Assertion vulnerability in upx before 4.0.0 allows attackers to cause a denial of service via crafted file passed to the the readx function.

**What's the problem (or question)?**

Assertion \`(unsigned)len <= buf->getSize()' failed in file.cpp:275

upx.out: file.cpp:275: virtual int InputFile::readx(MemBuffer\*, int): Assertion \`(unsigned)len <= buf\-\>getSize()' failed.
Program received signal SIGABRT, Aborted.

    pwndbg> bt
    #0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
    #1  0x00007ffff7bcc859 in __GI_abort () at abort.c:79
    #2  0x00007ffff7bcc729 in __assert_fail_base (fmt=0x7ffff7d62588 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x5555555f5618 "(unsigned)len <= buf->getSize()", file=0x5555557067b1 "file.cpp", line=275, function=<optimized out>) at assert.c:92
    #3  0x00007ffff7bddf36 in __GI___assert_fail (assertion=0x5555555f5618 "(unsigned)len <= buf->getSize()", file=0x5555557067b1 "file.cpp", line=275, function=0x5555555f5638 "virtual int InputFile::readx(MemBuffer*, int)") at assert.c:101
    #4  0x000055555558a280 in InputFile::readx(MemBuffer*, int) ()
    #5  0x00005555555c5969 in PackUnix::packExtent(PackUnix::Extent const&, Filter*, OutputFile*, unsigned int, unsigned int) ()
    #6  0x00005555555b4fb2 in PackMachBase<N_Mach::MachClass_64<N_BELE_CTP::LEPolicy> >::pack2(OutputFile*, Filter&) ()
    #7  0x00005555555c4d98 in PackUnix::pack(OutputFile*) ()
    #8  0x00005555555d6028 in Packer::doPack(OutputFile*) ()
    #9  0x00005555555eacd3 in do_one_file(char const*, char*) ()
    #10 0x00005555555eaf8f in do_files(int, int, char**) ()
    #11 0x00005555555973c7 in upx_main(int, char**) ()
    #12 0x000055555557c4e2 in main ()
    #13 0x00007ffff7bce0b3 in __libc_start_main (main=0x55555557c3e0 <main>, argc=2, argv=0x7fffffffe208, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe1f8) at ../csu/libc-start.c:308
    #14 0x000055555557c5fe in _start ()
    

**What should have happened?**

No crash.

**Do you have an idea for a solution?**

No.

**How can we reproduce the issue?**

1.make  
2../src/upx.out ./poc  
poc.zip

**Please tell us details about your environment.**

*   ./upx.out --version  
    upx 4.0.0-git-5d1347a359bb  
    UCL data compression library 1.03  
    zlib data compression library 1.2.11  
    LZMA SDK version 4.43
*   Host Operating System and version: Ubuntu 20.04 focal
*   Host CPU architecture: AMD E  
    poc.zip  
    PYC 7742 64-Core @ 16x 2.25GHz
*   Target Operating System and version: Ubuntu 20.04 focal
*   Target CPU architecture: AMD EPYC 7742 64-Core @ 16x 2.25GHz

CVE-2021-46179: Assertion `(unsigned)len <= buf->getSize()' failed in file.cpp:275 · Issue #545 · upx/upx

Buffer overflow vulnerability in quote_for_pmake in asm/nasm.c in nasm before 2.15.05 allows attackers to cause a denial of service via crafted file.

NameLast modifiedSizeDescription

Parent Directory  -   doc/2020-08-28 09:05 - Online documentation dos/2020-08-28 09:08 - MS-DOS executables linux/2020-08-28 09:08 - Linux packages macosx/2020-08-28 09:08 - MacOS X packages win32/2020-08-28 09:08 - Windows packages (32 bit) win64/2020-08-28 09:08 - Windows packages (64 bit) git.id2020-08-28 09:08 41 Corresponding git revision ID nasm-2.15.05-xdoc.tar.bz22020-08-28 09:05 900KDownloadable documentation nasm-2.15.05-xdoc.tar.gz2020-08-28 09:05 1.0MDownloadable documentation nasm-2.15.05-xdoc.tar.xz2020-08-28 09:05 804KDownloadable documentation nasm-2.15.05-xdoc.zip2020-08-28 09:05 1.0MDownloadable documentation nasm-2.15.05.tar.bz22020-08-28 09:04 1.2MSource code nasm-2.15.05.tar.gz2020-08-28 09:04 1.6MSource code nasm-2.15.05.tar.xz2020-08-28 09:04 972KSource code nasm-2.15.05.zip2020-08-28 09:05 1.8MSource code

CVE-2022-29654: Index of /pub/nasm/releasebuilds/2.15.05

p7zip 16.02 was discovered to contain a heap-buffer-overflow vulnerability via the function NArchive::NZip::CInArchive::FindCd(bool) at CPP/7zip/Archive/Zip/ZipIn.cpp.

*   Summary
*   Files
*   Reviews
*   Support
*   Tickets ▾
    *   Bugs
    *   Support Requests
    *   Patches
    *   Feature Requests
*   Discussion

Menu ▾ ▴

Status: open

Owner: nobody

Labels: None

Priority: 5

Updated: 2022-12-09

Created: 2022-12-09

Private: No

**Description**

Heap-buffer-overflow in CPP/7zip/Archive/Zip/ZipIn.cpp:1116 in NArchive::NZip::CInArchive::FindCd(bool)

**Verison**

$ ./7za   
7-Zip (a) [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,64 CPUs x64)

**Replay**

./7za t poc.zip

**POC**

https://github.com/17ssDP/fuzzer\_crashes/raw/main/zip/poc.zip

**ASAN**

$./7zatpoc.zip

7-Zip(a)[64]16.02:Copyright(c)1999-2016IgorPavlov:2016-05-21
p7zipVersion16.02(locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64bits,64CPUsx64)

Scanningthedriveforarchives:
1file,4340bytes(5KiB)

Testingarchive:poc.zip
=================================================================
==65213==ERROR:AddressSanitizer:heap-buffer-overflowonaddress0x6210000000ffatpc0x55b8f9dd0731bp0x7ffd13599890sp0x7ffd13599880
READofsize4at0x6210000000ffthreadT0
#00x55b8f9dd0730inNArchive::NZip::CInArchive::FindCd(bool)../../../../CPP/7zip/Archive/Zip/ZipIn.cpp:1116
#10x55b8f9dd5f00inNArchive::NZip::CInArchive::ReadVols()../../../../CPP/7zip/Archive/Zip/ZipIn.cpp:1578
#20x55b8f9e01d9binNArchive::NZip::CInArchive::Open(IInStream*,unsignedlonglongconst*,IArchiveOpenCallback*,CObjectVector<NArchive::NZip::CItemEx>&)../../../../CPP/7zip/Archive/Zip/ZipIn.cpp:2135
#30x55b8f9d4c294inNArchive::NZip::CHandler::Open(IInStream*,unsignedlonglongconst*,IArchiveOpenCallback*)../../../../CPP/7zip/Archive/Zip/ZipHandler.cpp:474
#40x55b8fa46890binCArc::OpenStream2(COpenOptionsconst&)../../../../CPP/7zip/UI/Common/OpenArchive.cpp:1878
#50x55b8fa47fb6ainCArc::OpenStream(COpenOptionsconst&)../../../../CPP/7zip/UI/Common/OpenArchive.cpp:2901
#60x55b8fa481451inCArc::OpenStreamOrFile(COpenOptions&)../../../../CPP/7zip/UI/Common/OpenArchive.cpp:2993
#70x55b8fa48437ainCArchiveLink::Open(COpenOptions&)../../../../CPP/7zip/UI/Common/OpenArchive.cpp:3169
#80x55b8fa48ccf5inCArchiveLink::Open2(COpenOptions&,IOpenCallbackUI*)../../../../CPP/7zip/UI/Common/OpenArchive.cpp:3292
#90x55b8fa48f2a5inCArchiveLink::Open3(COpenOptions&,IOpenCallbackUI*)../../../../CPP/7zip/UI/Common/OpenArchive.cpp:3356
#100x55b8fa409e7einExtract(CCodecs*,CObjectVector<COpenType>const&,CRecordVector<int>const&,CObjectVector<UString>&,CObjectVector<UString>&,NWildcard::CCensorNodeconst&,CExtractOptionsconst&,IOpenCallbackUI*,IExtractCallbackUI*,IHashCalc*,UString&,CDecompressStat&)../../../../CPP/7zip/UI/Common/Extract.cpp:362
#110x55b8fa5cc0b6inMain2(int,char**)../../../../CPP/7zip/UI/Console/Main.cpp:923
#120x55b8f9819ef8inmain../../../../CPP/7zip/UI/Console/MainAr.cpp:66
#130x7fa675178c86in__libc_start_main(/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
#140x55b8f981c069in_start(/home/p7zip/7za+0x41069)

0x6210000000ffislocated1bytestotheleftof4340-byteregion[0x621000000100,0x6210000011f4)
allocated by thread T0 here:
    #0 0x7fa675e6c608 in operator new[](unsignedlong)(/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe0608)
#10x55b8f9dce590inCObjArray<unsignedchar>::CObjArray(unsignedlong)../../../../CPP/7zip/Archive/Zip/../../../Common/MyBuffer.h:141
#20x55b8f9dce590inNArchive::NZip::CInArchive::FindCd(bool)../../../../CPP/7zip/Archive/Zip/ZipIn.cpp:1066

SUMMARY:AddressSanitizer:heap-buffer-overflow../../../../CPP/7zip/Archive/Zip/ZipIn.cpp:1116inNArchive::NZip::CInArchive::FindCd(bool)
Shadowbytesaroundthebuggyaddress:
0x0c427fff7fc0:00000000000000000000000000000000
0x0c427fff7fd0:00000000000000000000000000000000
0x0c427fff7fe0:00000000000000000000000000000000
0x0c427fff7ff0:00000000000000000000000000000000
0x0c427fff8000:fafafafafafafafafafafafafafafafa
=>0x0c427fff8010:fafafafafafafafafafafafafafafa[fa]
0x0c427fff8020:00000000000000000000000000000000
0x0c427fff8030:00000000000000000000000000000000
0x0c427fff8040:00000000000000000000000000000000
0x0c427fff8050:00000000000000000000000000000000
0x0c427fff8060:00000000000000000000000000000000
Shadowbytelegend(oneshadowbyterepresents8applicationbytes):
Addressable:00
Partiallyaddressable:01020304050607
Heapleftredzone:fa
Freedheapregion:fd
Stackleftredzone:f1
Stackmidredzone:f2
Stackrightredzone:f3
Stackafterreturn:f5
Stackuseafterscope:f8
Globalredzone:f9
Globalinitorder:f6
Poisonedbyuser:f7
Containeroverflow:fc
Arraycookie:ac
Intraobjectredzone:bb
ASaninternal:fe
Leftallocaredzone:ca
Rightallocaredzone:cb
==65213==ABORTING

**Environment**

**1 Attachments**

**Discussion**

Log in to post a comment.

CVE-2022-47069: p7zip / Bugs / #241 Heap-buffer-overflow in ZipIn.cpp:1116

An issue was discovered in PostgreSQL 12.2 allows attackers to cause a denial of service via repeatedly sending SIGHUP signals.

CVE-2020-21469: Buffer overflow when continuously send SIGHUP to postgres

Stack overflow vulnerability in ast_selectors.cpp: in function Sass::ComplexSelector::has_placeholder in libsass:3.6.5-8-g210218, which can be exploited by attackers to cause a denial of service (DoS).

****1\. Description****

A stack-overflow has occurred in Sass::ComplexSelector::has_placeholder() of src/ast_selectors.cpp:464 when running program ./sassc/bin/sassc, this can reproduce on the lattest commit.

****2\. Software version info****

$ git log -1
commit 2102188d21d2b7577c2b3edb12832e90786a2831 (HEAD -\> master, origin/master, origin/HEAD)
Merge: 006bbf5c f0605a31
Author: Marcel Greter <doyouspam@ocbnet.ch\>
Date:   Fri Sep 9 20:41:03 2022 +0200

    Merge pull request #3176 from LilyWangLL/vcpkg-instructions
    
    Add vcpkg installation instructions

$ ./sassc/bin/sassc --version
sassc: 3.6.2
libsass: 3.6.5-8-g210218
sass2scss: 1.1.1
sass: 3.5

****3\. System version info****

Ubuntu 20.04.2 LTS
Linux 5.4.0-65-generic

****4\. Command********5\. Result****

WARNING on line 2, column 50 of /libsass/pocs/poc4:
In Sass, "&&" means two copies of the parent selector. You probably want to use "and" instead.

WARNING on line 2, column 51 of /libsass/pocs/poc4:
In Sass, "&&" means two copies of the parent selector. You probably want to use "and" instead.

AddressSanitizer:DEADLYSIGNAL
=================================================================
==3226316==ERROR: AddressSanitizer: stack-overflow on address 0x7ffe6a56aff8 (pc 0x000000b98979 bp 0x000000000000 sp 0x7ffe6a56b000 T0)
    #0 0xb98978 in Sass::ComplexSelector::has\_placeholder() const src/ast\_selectors.cpp:464
    #1 0xa2f688 in Sass::Remove\_Placeholders::remove\_placeholders(Sass::ComplexSelector\*) src/remove\_placeholders.cpp:36
    #2 0xa2ce1f in Sass::Remove\_Placeholders::remove\_placeholders(Sass::SelectorList\*) src/remove\_placeholders.cpp:52
    #3 0xa2ce1f in Sass::Remove\_Placeholders::remove\_placeholders(Sass::SimpleSelector\*) src/remove\_placeholders.cpp:22
    #4 0xa2ead2 in Sass::Remove\_Placeholders::remove\_placeholders(Sass::CompoundSelector\*) src/remove\_placeholders.cpp:29
    #5 0xa2fa01 in Sass::Remove\_Placeholders::remove\_placeholders(Sass::ComplexSelector\*) src/remove\_placeholders.cpp:42
    #6 0xa2ce1f in Sass::Remove\_Placeholders::remove\_placeholders(Sass::SelectorList\*) src/remove\_placeholders.cpp:52
    ...
    #325 0xa2fa01 in Sass::Remove\_Placeholders::remove\_placeholders(Sass::ComplexSelector\*) src/remove\_placeholders.cpp:42
    #326 0xa2ce1f in Sass::Remove\_Placeholders::remove\_placeholders(Sass::SelectorList\*) src/remove\_placeholders.cpp:52
    #327 0xa2ce1f in Sass::Remove\_Placeholders::remove\_placeholders(Sass::SimpleSelector\*) src/remove\_placeholders.cpp:22
    #328 0xa2ead2 in Sass::Remove\_Placeholders::remove\_placeholders(Sass::CompoundSelector\*) src/remove\_placeholders.cpp:29
    #329 0xa2fa01 in Sass::Remove\_Placeholders::remove\_placeholders(Sass::ComplexSelector\*) src/remove\_placeholders.cpp:42
    #330 0xa2ce1f in Sass::Remove\_Placeholders::remove\_placeholders(Sass::SelectorList\*) src/remove\_placeholders.cpp:52
    #331 0xa2ce1f in Sass::Remove\_Placeholders::remove\_placeholders(Sass::SimpleSelector\*) src/remove\_placeholders.cpp:22

SUMMARY: AddressSanitizer: stack-overflow src/ast\_selectors.cpp:464 in Sass::ComplexSelector::has\_placeholder() const
==3226316==ABORTING

****6\. Impact****

This vulnerability is capable of crashing software, Bypass Protection Mechanism, Modify Memory, and possible remote execution.

****7\. POC****

Download: poc3

**Report of the Information Security Laboratory of Ocean University of China @OUC\_ISLOUC @OUC\_Blue\_Whale**

CVE-2022-43358: AddressSanitizer:  stack-overflow src/ast_selectors.cpp:464 in Sass::ComplexSelector::has_placeholder() const · Issue #3178 · sass/libsass

Stack overflow vulnerability in ast_selectors.cpp in function Sass::CompoundSelector::has_real_parent_ref in libsass:3.6.5-8-g210218, which can be exploited by attackers to causea denial of service (DoS). Also affects the command line driver for libsass, sassc 3.6.2.

****1\. Description****

A stack-overflow has occurred in Sass::CompoundSelector::has_real_parent_ref() of src/ast_selectors.cpp:557 when running program ./sassc/bin/sassc, this can reproduce on the lattest commit.

****2\. Software version info****

$ git log -1
commit 2102188d21d2b7577c2b3edb12832e90786a2831 (HEAD -\> master, origin/master, origin/HEAD)
Merge: 006bbf5c f0605a31
Author: Marcel Greter <doyouspam@ocbnet.ch\>
Date:   Fri Sep 9 20:41:03 2022 +0200

    Merge pull request #3176 from LilyWangLL/vcpkg-instructions
    
    Add vcpkg installation instructions

$ ./sassc/bin/sassc --version
sassc: 3.6.2
libsass: 3.6.5-8-g210218
sass2scss: 1.1.1
sass: 3.5

****3\. System version info****

Ubuntu 20.04.2 LTS
Linux 5.4.0-65-generic

****4\. Command********5\. Result****

AddressSanitizer:DEADLYSIGNAL
=================================================================
==3151197==ERROR: AddressSanitizer: stack-overflow on address 0x7ffe016a7ff8 (pc 0x000000b9c0f5 bp 0x0c1a00000ab2 sp 0x7ffe016a8000 T0)
    #0 0xb9c0f4 in Sass::CompoundSelector::has\_real\_parent\_ref() const src/ast\_selectors.cpp:557
    #1 0xb92ed5 in Sass::ComplexSelector::has\_real\_parent\_ref() const src/ast\_selectors.cpp:474
    #2 0xb92ed5 in Sass::SelectorList::has\_real\_parent\_ref() const src/ast\_selectors.cpp:365
    #3 0xb929f8 in Sass::PseudoSelector::has\_real\_parent\_ref() const src/ast\_selectors.cpp:337
    #4 0xb9c217 in Sass::CompoundSelector::has\_real\_parent\_ref() const src/ast\_selectors.cpp:564
    #5 0xb92ed5 in Sass::ComplexSelector::has\_real\_parent\_ref() const src/ast\_selectors.cpp:474
    #6 0xb92ed5 in Sass::SelectorList::has\_real\_parent\_ref() const src/ast\_selectors.cpp:365
    #7 0xb929f8 in Sass::PseudoSelector::has\_real\_parent\_ref() const src/ast\_selectors.cpp:337
    #8 0xb9c217 in Sass::CompoundSelector::has\_real\_parent\_ref() const src/ast\_selectors.cpp:564
    #9 0xb92ed5 in Sass::ComplexSelector::has\_real\_parent\_ref() const src/ast\_selectors.cpp:474
    #10 0xb92ed5 in Sass::SelectorList::has\_real\_parent\_ref() const src/ast\_selectors.cpp:365
    #11 0xb929f8 in Sass::PseudoSelector::has\_real\_parent\_ref() const src/ast\_selectors.cpp:337
    #12 0xb9c217 in Sass::CompoundSelector::has\_real\_parent\_ref() const src/ast\_selectors.cpp:564
    ...
    #323 0xb929f8 in Sass::PseudoSelector::has\_real\_parent\_ref() const src/ast\_selectors.cpp:337
    #324 0xb9c217 in Sass::CompoundSelector::has\_real\_parent\_ref() const src/ast\_selectors.cpp:564
    #325 0xb92ed5 in Sass::ComplexSelector::has\_real\_parent\_ref() const src/ast\_selectors.cpp:474
    #326 0xb92ed5 in Sass::SelectorList::has\_real\_parent\_ref() const src/ast\_selectors.cpp:365
    #327 0xb929f8 in Sass::PseudoSelector::has\_real\_parent\_ref() const src/ast\_selectors.cpp:337
    #328 0xb9c217 in Sass::CompoundSelector::has\_real\_parent\_ref() const src/ast\_selectors.cpp:564
    #329 0xb92ed5 in Sass::ComplexSelector::has\_real\_parent\_ref() const src/ast\_selectors.cpp:474
    #330 0xb92ed5 in Sass::SelectorList::has\_real\_parent\_ref() const src/ast\_selectors.cpp:365
    #331 0xb929f8 in Sass::PseudoSelector::has\_real\_parent\_ref() const src/ast\_selectors.cpp:337

SUMMARY: AddressSanitizer: stack-overflow src/ast\_selectors.cpp:557 in Sass::CompoundSelector::has\_real\_parent\_ref() const
==3151197==ABORTING

****6\. Impact****

This vulnerability is capable of crashing software, Bypass Protection Mechanism, Modify Memory, and possible remote execution.

****7\. POC****

Download: poc2

**Report of the Information Security Laboratory of Ocean University of China @OUC\_ISLOUC @OUC\_Blue\_Whale**

CVE-2022-43357: A stack-overflow src/ast_selectors.cpp:557 in Sass::CompoundSelector::has_real_parent_ref() const · Issue #3177 · sass/libsass

An issue was discovered in Poppler 22.07.0. There is a reachable abort which leads to denial of service because the main function in pdfunite.cc lacks a stream check before saving an embedded file.

When testing #706 (closed), we found the bug is not completely patched in pdfunite. To reproduce the bug, run pdfunite t.pdf poc 2.pdf.

    (gdb) bt
    #0  0x00007ffff72467bb in raise () from /lib/x86_64-linux-gnu/libc.so.6
    #1  0x00007ffff7231535 in abort () from /lib/x86_64-linux-gnu/libc.so.6
    #2  0x000000000040d7a1 in Object::getDict (this=<optimized out>)
        at /home/users/chluo/poppler/poppler/Object.h:435
    #3  main (argc=<optimized out>, argv=<optimized out>)
        at /home/users/chluo/poppler/utils/pdfunite.cc:200

uni.zip

Edited Jul 28, 2022 by

CVE-2022-37051: SIGABRT at poppler/Object.h:435 (pdfunite) (#1276) · Issues · poppler / poppler · GitLab

An issue was discovered in Poppler 22.08.0. There is a reachable assertion in Object.h, will lead to denial of service because PDFDoc::replacePageDict in PDFDoc.cc lacks a stream check before saving an embedded file.

Hi, we found a bug in poppler/PDFDoc.cc:1755. When the bug is triggered, the program would crash with the following backtrace.

To reproduce, run pdfunite t.pdf poc 2.pdf

    (gdb) bt
    #0  0x00007ffff745f8c1 in raise () from /lib/x86_64-linux-gnu/libc.so.6
    #1  0x00007ffff7449546 in abort () from /lib/x86_64-linux-gnu/libc.so.6
    #2  0x00007ffff7a5eb18 in Object::getDict (this=0x7fffffffe0c8)
        at /home/users/chluo/pop/poppler/Object.h:435
    #3  PDFDoc::replacePageDict (this=0x5555555bb430, pageNo=<optimized out>,
        rotate=90, mediaBox=0x5555555e3b50, cropBox=0x5555555e3b70)
        at /home/users/chluo/pop/poppler/PDFDoc.cc:1755
    #4  0x000055555555c9fa in main (argc=<optimized out>, argv=<optimized out>)
        at /home/users/chluo/pop/utils/pdfunite.cc:290

The bug is relevant to #706 (closed) and #1276 (closed).

poc.zip

CVE-2022-38349: SIGABRT at poppler/PDFDoc.cc:1755 (#1282) · Issues · poppler / poppler · GitLab

In Poppler 22.07.0, PDFDoc::savePageAs in PDFDoc.c callows attackers to cause a denial-of-service (application crashes with SIGABRT) by crafting a PDF file in which the xref data structure is mishandled in getCatalog processing. Note that this vulnerability is caused by the incomplete patch of CVE-2018-20662.

Hi, we found a bug in the latest version of poppler (commit b9643712), the bug causes the program to crash with the following backtrace.

To reproduce it, run pdfseparate poc 1.pdf

    (gdb) bt
    #0  0x00007ffff72467bb in raise () from /lib/x86_64-linux-gnu/libc.so.6
    #1  0x00007ffff7231535 in abort () from /lib/x86_64-linux-gnu/libc.so.6
    #2  0x00007ffff7bee76f in Object::getDict (this=<optimized out>)
        at /home/users/chluo/poppler/poppler/Object.h:435
    #3  PDFDoc::savePageAs (this=0x466e10, name=..., pageNo=1)
        at /home/users/chluo/poppler/poppler/PDFDoc.cc:889
    #4  0x0000000000408659 in extractPages (srcFileName=<optimized out>,
        destFileName=0x7fffffffe6eb "./1.pdf")
        at /home/users/chluo/poppler/utils/pdfseparate.cc:123
    #5  main (argc=<optimized out>, argv=<optimized out>)
        at /home/users/chluo/poppler/utils/pdfseparate.cc:156

sep.zip

Seems that this bug is related to #706 (closed). 7b4e372d partially fixes #706 (closed) yet it is incomplete.

Edited Jul 27, 2022 by

CVE-2022-37050: SIGABRT at poppler/Object.h:435 (#1274) · Issues · poppler / poppler · GitLab

An issue was discovered in function ciMethodBlocks::make_block_at in Oracle JDK (HotSpot VM) 11, 17 and OpenJDK (HotSpot VM) 8, 11, 17, allows attackers to cause a denial of service. Note: Vendor states that this to is Defense in Depth at most due to the nature of the issue and the special circumstances required (server must be running particular code locally, code compiled with an old, old version of javac, etc.).

ADDITIONAL SYSTEM INFORMATION :  
OS version:  
Distributor ID: Ubuntu  
Description: Ubuntu 20.04.2 LTS  
Release: 20.04  
Codename: focal

JDK version we used:

openjdk version "17.0.2" 2022-01-18  
OpenJDK Runtime Environment (build 17.0.2+8-86)  
OpenJDK 64-Bit Server VM (build 17.0.2+8-86, mixed mode, sharing)

openjdk version "18" 2022-03-22  
OpenJDK Runtime Environment (build 18+36-2087)  
OpenJDK 64-Bit Server VM (build 18+36-2087, mixed mode, sharing)

openjdk version "19-ea" 2022-09-20  
OpenJDK Runtime Environment (build 19-ea+13-808)  
OpenJDK 64-Bit Server VM (build 19-ea+13-808, mixed mode, sharing)

A DESCRIPTION OF THE PROBLEM :  
When we run the test in jdk17.0.2, jdk18 and jdk19-ea, all in compiled mode(with "-Xcomp"), it crashed with the following message. But when run the test in mixed mode or interpreted mode(with "-Xint), it passed successfully.

The error message in compiled mode:

jdk17.0.2:  
\# A fatal error has been detected by the Java Runtime Environment:  
#  
\# SIGSEGV (0xb) at pc=0x00007f0b86b5a37b, pid=32365, tid=32379  
#  
\# JRE version: OpenJDK Runtime Environment (17.0.2+8) (build 17.0.2+8-86)  
\# Java VM: OpenJDK 64-Bit Server VM (17.0.2+8-86, compiled mode, sharing, tiered, compressed oops, compressed class ptrs, g1 gc, linux-amd64)  
\# Problematic frame:  
\# V \[libjvm.so+0x52837b\] ciMethodBlocks::make\_block\_at(int)+0x3b  
#  
\# No core dump will be written. Core dumps have been disabled. To enable core dumping, try "ulimit -c unlimited" before starting Java again  
#  
\# An error report file with more information is saved as:  
\# /home/minghai/hs\_err\_pid32365.log  
#  
\# Compiler replay data is saved as:  
\# /home/minghai/replay\_pid32365.log  
#  
\# If you would like to submit a bug report, please visit:  
\# https://bugreport.java.com/bugreport/crash.jsp

jdk18:  
\# A fatal error has been detected by the Java Runtime Environment:  
#  
\# SIGSEGV (0xb) at pc=0x00007f9a003d800b, pid=32250, tid=32263  
#  
\# JRE version: OpenJDK Runtime Environment (18.0+36) (build 18+36-2087)  
\# Java VM: OpenJDK 64-Bit Server VM (18+36-2087, compiled mode, sharing, tiered, compressed oops, compressed class ptrs, g1 gc, linux-amd64)  
\# Problematic frame:  
\# V \[libjvm.so+0x54b00b\] ciTypeFlow::get\_block\_for(int, ciTypeFlow::JsrSet\*, ciTypeFlow::CreateOption)+0x2b  
#  
\# No core dump will be written. Core dumps have been disabled. To enable core dumping, try "ulimit -c unlimited" before starting Java again  
#  
\# An error report file with more information is saved as:  
\# /home/minghai/hs\_err\_pid32250.log  
#  
\# Compiler replay data is saved as:  
\# /home/minghai/replay\_pid32250.log  
#  
\# If you would like to submit a bug report, please visit:  
\# https://bugreport.java.com/bugreport/crash.jsp

jdk19-ea:  
\# A fatal error has been detected by the Java Runtime Environment:  
#  
\# SIGSEGV (0xb) at pc=0x00007f96f291b1fb, pid=32319, tid=32332  
#  
\# JRE version: OpenJDK Runtime Environment (19.0+13) (build 19-ea+13-808)  
\# Java VM: OpenJDK 64-Bit Server VM (19-ea+13-808, compiled mode, sharing, tiered, compressed oops, compressed class ptrs, g1 gc, linux-amd64)  
\# Problematic frame:  
\# V \[libjvm.so+0x5571fb\] ciTypeFlow::get\_block\_for(int, ciTypeFlow::JsrSet\*, ciTypeFlow::CreateOption)+0x2b  
#  
\# No core dump will be written. Core dumps have been disabled. To enable core dumping, try "ulimit -c unlimited" before starting Java again  
#  
\# An error report file with more information is saved as:  
\# /home/minghai/hs\_err\_pid32319.log  
#  
\# Compiler replay data is saved as:  
\# /home/minghai/replay\_pid32319.log  
#  
\# If you would like to submit a bug report, please visit:  
\# https://bugreport.java.com/bugreport/crash.jsp

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :  
1\. extract the bug.zip  
2\. in dictionary "bug", run command:  
java -cp ./bugFiles:./util:./junit.jar:./hamcrest.jar:./target/classes:./target/test-classes org.junit.runner.JUnitCore com.alibaba.fastjson.deserializer.issue1463.TestIssue1463

you may add "-Xcomp" or "-Xint" to get different results.

EXPECTED VERSUS ACTUAL BEHAVIOR :  
EXPECTED -  
The result should be the same since the program are the same, no matter in compiled mode, mixed mode or interpreted mode.  
ACTUAL -  
When run in compiled mode(with "-Xcomp"), it crashed. But when run in mixed mode or interpreted mode(with -Xint), it passed successfully.

\---------- BEGIN SOURCE ----------  
to be attached in bug.zip  
\---------- END SOURCE ----------

CUSTOMER SUBMITTED WORKAROUND :  
run the command without -Xcomp or with -Xint

FREQUENCY : always

Tag

#linux