An issue was discovered in Poppler through 0.78.0. There is a divide-by-zero error in the function SplashOutputDev::tilingPatternFill at SplashOutputDev.cc.

    An issue was discovered in poppler 0.74 and 0.78, There is a/an FPE in function SplashOutputDev::tilingPatternFill at SplashOutputDev.cc:4625-28

    pdftoppm -cropbox -gray @@

    Program received signal SIGFPE
    pwndbg> p result_width
    $1 = 0
    pwndbg> p surface_width
    $2 = 0

    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==29151==ERROR: AddressSanitizer: FPE on unknown address 0x7fea8ca05ae8 (pc 0x7fea8ca05ae8 bp 0x7ffc75bb6b00 sp 0x7ffc75bb6620 T0)
        #0 0x7fea8ca05ae7 in SplashOutputDev::tilingPatternFill(GfxState*, Gfx*, Catalog*, Object*, double const*, int, int, Dict*, double const*, double const*, int, int, int, int, double, double) /src/poppler-0.74/poppler/SplashOutputDev.cc:4625:28
        #1 0x7fea8c4e93be in Gfx::doTilingPatternFill(GfxTilingPattern*, bool, bool, bool) /src/poppler-0.74/poppler/Gfx.cc:2225:9
        #2 0x7fea8c4e6646 in Gfx::doPatternStroke() /src/poppler-0.74/poppler/Gfx.cc:1967:5
        #3 0x7fea8c4a3544 in Gfx::opStroke(Object*, int) /src/poppler-0.74/poppler/Gfx.cc:1774:2
        #4 0x7fea8c4df66f in Gfx::execOp(Object*, Object*, int) /src/poppler-0.74/poppler/Gfx.cc:876:3
        #5 0x7fea8c4db707 in Gfx::go(bool) /src/poppler-0.74/poppler/Gfx.cc:752:7
        #6 0x7fea8c4da5b3 in Gfx::display(Object*, bool) /src/poppler-0.74/poppler/Gfx.cc:714:3
        #7 0x7fea8c4e52f5 in Gfx::drawForm(Object*, Dict*, double const*, double const*, bool, bool, GfxColorSpace*, bool, bool, bool, Function*, GfxColor*) /src/poppler-0.74/poppler/Gfx.cc:4841:3
        #8 0x7fea8c5163ad in Gfx::doForm(Object*) /src/poppler-0.74/poppler/Gfx.cc:4764:3
        #9 0x7fea8c49d0fd in Gfx::opXObject(Object*, int) /src/poppler-0.74/poppler/Gfx.cc:4181:2
        #10 0x7fea8c4df66f in Gfx::execOp(Object*, Object*, int) /src/poppler-0.74/poppler/Gfx.cc:876:3
        #11 0x7fea8c4db707 in Gfx::go(bool) /src/poppler-0.74/poppler/Gfx.cc:752:7
        #12 0x7fea8c4da5b3 in Gfx::display(Object*, bool) /src/poppler-0.74/poppler/Gfx.cc:714:3
        #13 0x7fea8c71514c in Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /src/poppler-0.74/poppler/Page.cc:548:10
        #14 0x7fea8c7328b1 in PDFDoc::displayPageSlice(OutputDev*, int, double, double, int, bool, bool, bool, int, int, int, int, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /src/poppler-0.74/poppler/PDFDoc.cc:665:20
        #15 0x521264 in savePageSlice(PDFDoc*, SplashOutputDev*, int, int, int, int, int, double, double, char*) /src/poppler-0.74/utils/pdftoppm.cc:287:8
        #16 0x521264 in main /src/poppler-0.74/utils/pdftoppm.cc:600
        #17 0x7fea8ad9882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
        #18 0x41b838 in _start (/src/aflbuild/installed/bin/pdftoppm+0x41b838)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: FPE /src/poppler-0.74/poppler/SplashOutputDev.cc:4625:28 in SplashOutputDev::tilingPatternFill(GfxState*, Gfx*, Catalog*, Object*, double const*, int, int, Dict*, double const*, double const*, int, int, int, int, double, double)
    ==29151==ABORTING
    

    from fuzz project pwd-poppler-pdftoppm-01
    crash name pwd-poppler-pdftoppm-01-00000088-20190427.pdf
    Auto-generated by pyspider at 2019-04-27 20:37:40

CVE-2019-14494: A FPE in function SplashOutputDev::tilingPatternFill at SplashOutputDev.cc:4625-28 (#802) · Issues · poppler / poppler · GitLab

A clone version of an ELM327 OBD2 Bluetooth device has a hardcoded PIN, leading to arbitrary commands to an OBD-II bus of a vehicle.

%PDF-1.4 %���� 1 0 obj << /Type /Page /MediaBox \[ 0 0 595.28 841.88 \] /Resources << /Font << /F1 2 0 R /F2 3 0 R /F3 4 0 R >> /XObject << /img0 5 0 R /img2 6 0 R /img4 7 0 R >> >> /Contents 8 0 R /Parent 9 0 R /Rotate 360 >> endobj 2 0 obj << /Subtype /Type1 /Type /Font /BaseFont /Helvetica /Encoding /WinAnsiEncoding >> endobj 3 0 obj << /Subtype /Type1 /Type /Font /BaseFont /Helvetica-Oblique /Encoding /WinAnsiEncoding >> endobj 4 0 obj << /Subtype /Type1 /Type /Font /BaseFont /Helvetica-Bold /Encoding /WinAnsiEncoding >> endobj 5 0 obj << /ColorSpace /DeviceRGB /Subtype /Image /Height 1186 /Filter /DCTDecode /Type /XObject /Width 1186 /BitsPerComponent 8 /Length 207591 >> stream ����ExifII\*��Ducky<���http://ns.adobe.com/xap/1.0/ Print ��HPhotoshop 3.08BIMZ%G8BIM%���ȷ�x/4b4Xw���Adobed����      �������   !1AQaq�"2��BRbr�#т��s��7�3CS��$Tt�U6��c�4�u�უD�%5���ĤFVdE!1AQaq���"2��3��BR���br#�C���?���wE����8K�������������������������������������������������������������������������������������������������������������������������������������������������������-p��\_��\]܄~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~��k��:�N�� ���\\?���p�w!w�Z��ο����'����y}���#{ȋ�s̅��0 p�Pw�ϱ�\]R���3�M�g�^ �fb�(븝; 6�D����6����U�e�g5�f4������D꫕���������������������������������������������������������������������������-p��\_��\]܄~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~+}3�.\`d���ɠ�qG,v�a���sR'I�{����J��߆��s��X�Y�#����q��<\`V�T��%m�by��u&&u���>��B����s�\\b����!�T�M�/j�W.�:pw��g6q��5g�-���������S���K�A�(F𺹈;����u��%��@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@A�4��:Wm)��۹����7��X����k�Yiqi�y:˓���kS��xېm�F��\[��w��e�m�ۮ��k7�o\\�˳�������������������������������������������������������������������������-p��\_��\]܄~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~�s9�clP�\\G�J�����8�>��5��#������n#���ϥ\]%i�J�����k.�i���W�K��\]��> =�����P�M�i /j�N^>I����͛~���i\] '��G��� o�o9x6֧z�� ���\\?���p�w!����P~J��T��}�>��R���������(���������ƴ�Aw�Z��ο����&��:�V��V���Oo��Z�l=���wj������x��'��8�\_���e��o��K������68�v\\Gq�K���o�>�4�\[m���^:����e�p\_d\]�Kl�+gd���@�p5�����Dj�d����� uf/1�nj�:��ZYp֎� .�1��+��u�y��,��Nm���>hVkC�Y�;����u��%��@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@Ag�K�Qꌓ��X��x���D\\ON!�h ��:J��\[ߵ^��S�Bn�m�:����<��h\\tQ�=����2"F4P9�W�� �J\]�������q\\Q��G9-�\]K�r��夌Al�mm��Bj��Y�H�;Ja�z|uq��-�gWo���5�t�9<<���^Eqc^�1��-xp���۰W&N�G w�mJk\_7/�<��ǉ�����BXOqpGC8�,�$נ�.���8���k�Þ�{�<,��㕶ε�Waa���۰Q�a�;Z79��z\]�;f�u�v�~N;��i�\_j�Wʡw�Z��ο����6o/��X ��1��EpGL�9O�q�,n�/��kzZ<�)��>Ei}C����Y7��;�������\`08��lT�=����WH��n96U��������>W�4T���.�u�X�E��x2�8{����+��{|�Q<�0m��\]5���\]���q��K<6홳��9��{$���=���m�\]5{͆2WIA��ߢ���C���,N�F�n�4�D\*t����b������o�شi�F��1>>�n�dio�� o�7�\*��:��8i,W�����<�%ğa��8�s��m �a��H��3Yi�i�'1uxwE����8K���������������������������������������������������������������������و��3�c�ϻ���8c=��:I���+H�Ӥ=R�i�8�ƇÏ0$��l|2R����/�U�9������������&�6�ҙ�1�e�z���'��Ad�i�Fծ��\*v,��\]i(�1Z����5��B�Ie�oᾷ��{Yk���/5��v��Y�brV-�XhsL�&c���oξl�O��$�=��mm\*�8Ѡ}OI+K=�o����K̳�\_�O���eƪ�6��& /���iV3�lm�\`���,�H��Lu��W4ֵ���c�G��LU�7l~�jc��>��{A飚����篽�����,������3��p�y��-\_FJ-m�7�<}O�i:7-�g��H�W��5F\]�jZk3�B�䮢Ԛ�Gɓ���\]̗���^�8���\`�5�����Tw4Ǔ���h���魼�W3�nl�,qvﺺ�ጎ�W�ų��R�vW�m�6�#E^�l����r���i$�����<�<�;+r3�w|1:q�c�v��>�Ѻ�K޶�5f�g� �J�G �c�V�Wh�:T��e�k:���jN��vswE����8K������������������������������������������������������������������S��^f5�UֶdAg{|�\\Ț�� �Ou66���� u�~�ol��r^v^46�e˯.��Δ2���h\*;w|�<4��v�qu@���Y0X��:zyo,-�}դ�3F����44=��5�O��O�=7�(���DuW�&��ͥ��9��o��H;�/1����c�����m��©\]�E:�e��"q��Q>\*,S�l,�u�������w�q�І����ؽ��3l}\]ZL�<��\[�M9���u����t�6�p���i�ݴ$5��\]�qP���Mg��N�d���oe�����S^El�/d�7��q�i!����-�o3^Z�u�OLD�TX���\[i���B�+���{�wQL$le�GiUo~��5��1��� ��bxD������U��?���Gr���0c^�!��ql�P�~⸲knZh���9)�sF�˽Q�%�\_���b���^O����4R�n��\*Os��.�^:x��v���o��k Ls�{H��ݽ�.%���:W͟q�t�L�7;9�mbV.�Ӷ�wN�am�vq9������Oq\*�>Y�y���b��V<�\]�+�K9��%���哽���e������®&�:Ԥ��Qz֕�k����f���Q�Y���n0�b�{me)���J�����xͤT�oRpv��8�Γ<�r���MtL5��4���5��cg#k^#�"{zEF��HP��-�,z�������(rZώ�y���:㇊I^6���A���\`�گ�����l��m''U\[�÷/����S���z���\_�U�k��X���T����GGF2Vs���i,.q�D�l �;+m������nv���q��V(b�����' wrX�K�z�PZ2�A.�Q�����i����M>u;v~���O�3���yC���۫mm�.:��"����;f��U��叼c����׈�1+c�b�O�K\[{�WZd�%�{؞����rcUOq�2���X䟳�4��8�yͭqq�o��J�ics$6��8��؜X�z�4�⪻��1F8�"faY�uy��:h��\]���F���dX=���3�7���Y��J�i��T;�1�,ּ��l�zD�4�P �DHV��Bh����5,�2�S=݄nh�Ix�x��hy��>J+,}�%)�Ç��4���K���0��5�\`V̦�H+q�f�Glf\*��\]�ߺY�s"����4��9��� t�>߱����L ��S��sGyY�<�\_PA��L�Om<��7�se�C^�xHu(o�'}�+Ju����k����o�ւ �R�'Ig��s�sn뇉/-as%K�-.o§��p�<���N���li{u,K{x-�ⷁ�8!cc�6�k(�<�\*����R�4����b�/Yy��q�7gcK��q�+�h�7�N�2���1��Te�k����?�xk�w>�)����V��~����ޡ�ד�\]&��8�f���ƶG@v�:��zX�l=af�~�^�o���>�>?� N�{��H{��"=�e�/��W��|�����2��������s�ϸ����C\*L�3>+\_�'z������:Z&��;}�5�\*�x&��H'��O�%���sM\\�AV�:� ���wE����8K�����������������������������������������������������������������^���:�K|�%�.?j|N����\\:�x��U��q8���n �,Q{����|ӵ��E���^:��1���HF�W\`b���<��ag��F(�E9w���y�|>~�W޿�����k�4cǹ��>�!��:�n�TR�jLΞh�}�U��s\] �d�jnJh}C�vZ�)��w�md�gt��-v��\[J��{�\\u�4Dɳ��YL���~'>��YZ�2���h������7���I�b��rF57�}�.��+������uz���i�� V-�k򮞾7x��U�\_���K���I �2�J#�c�?�Ն>�?�or%��xB#���+�}��؍�=�

CVE-2019-12797

The JPXStream::init function in Poppler 0.78.0 and earlier doesn't check for negative values of stream length, leading to an Integer Overflow, thereby making it possible to allocate a large memory chunk on the heap, with a size controlled by an attacker, as demonstrated by pdftocairo.

*   poppler
*   **NEWS**

*   

To find the state of this project's repository at the time of any of these versions, check out the tags.

CVE-2019-9959: NEWS · master · poppler / poppler · GitLab

An issue was discovered in Asterisk Open Source through 13.27.0, 14.x and 15.x through 15.7.2, and 16.x through 16.4.0, and Certified Asterisk through 13.21-cert3. A pointer dereference in chan_sip while handling SDP negotiation allows an attacker to crash Asterisk when handling an SDP answer to an outgoing T.38 re-invite. To exploit this vulnerability an attacker must cause the chan_sip module to send a T.38 re-invite request to them. Upon receipt, the attacker must send an SDP answer containing both a T.38 UDPTL stream and another media stream containing only a codec (which is not permitted according to the chan_sip configuration).

Asterisk Project Security Advisory - AST-2019-003

 

**Product**

Asterisk

**Summary**

Remote Crash Vulnerability in chan\_sip channel driver

**Nature of Advisory**

Denial of Service

**Susceptibility**

Remote Unauthenticated Sessions

**Severity**

Minor

**Exploits Known**

No

**Reported On**

June 28, 2019

**Reported By**

Francesco Castellano

**Posted On**

July 1, 2019

**Last Updated On**

July 2, 2019

**Advisory Contact**

Jcolp AT sangoma DOT com

**CVE Name**

CVE-2019-13161

 

**Description**

When T.38 faxing is done in Asterisk a T.38 reinvite may be sent to an endpoint to switch it to T.38. If the endpoint responds with an improperly formatted SDP answer including both a T.38 UDPTL stream and an audio or video stream containing only codecs not allowed on the SIP peer or user a crash will occur. The code incorrectly assumes that there will be at least one common codec when T.38 is also in the SDP answer.

This requires Asterisk to initiate a T.38 reinvite which is only done when executing the ReceiveFax dialplan application or performing T.38 passthrough where a remote endpoint has requested T.38.

For versions of Asterisk 13 before 13.21.0 and Asterisk 15 before 15.4.0 the “preferred\_codec\_only” option must also be set to “yes”. If set to “no” the crash will not occur.

 

**Resolution**

If T.38 faxing is not required this functionality can be disabled by ensuring the “t38pt\_udptl” is set to “no” so a T.38 reinvite is not possible.

If T.38 faxing is required then Asterisk should be upgraded to a fixed version. The problem can also be limited in scope by enabling T.38 faxing only for endpoints which actually participate in fax.

  

**Affected Versions**

**Product**

**Release Series**

Asterisk Open Source

13.x

All releases

Asterisk Open Source

15.x

All releases

Asterisk Open Source

16.x

All releases

Certified Asterisk

13.21

All releases

 

**Corrected In**

**Product**

**Release**

Asterisk Open Source

13.27.1

Asterisk Open Source

15.7.3

Asterisk Open Source

16.4.1

Certified Asterisk

13.21-cert4

 

**Patches**

**SVN URL**

**Revision**

http://downloads.asterisk.org/pub/security/AST-2019-003-13.diff

Asterisk 13

http://downloads.asterisk.org/pub/security/AST-2019-003-15.diff

Asterisk 15

http://downloads.asterisk.org/pub/security/AST-2019-003-16.diff

Asterisk 16

http://downloads.asterisk.org/pub/security/AST-2019-003-13.21.diff

Certified Asterisk 13.21

 

**Links**

https://issues.asterisk.org/jira/browse/ASTERISK-28465

Asterisk Project Security Advisories are posted at http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/AST-2019-003.pdf and http://downloads.digium.com/pub/security/AST-2019-003.html

  

**Revision History**

**Date**

**Editor**

**Revisions Made**

July 1, 2019

Joshua Colp

Initial revision

Asterisk Project Security Advisory - AST-2019-003  
Copyright © 2019 Digium, Inc. All Rights Reserved.  
Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.

CVE-2019-13161: AST-2019-003

In Xpdf 4.01.01, there is a heap-based buffer over-read in the function JBIG2Stream::readTextRegionSeg() located at JBIG2Stream.cc. It can, for example, be triggered by sending a crafted PDF document to the pdftoppm tool. It might allow an attacker to cause Information Disclosure.

CVE-2019-13286

In Xpdf 4.01.01, a heap-based buffer over-read could be triggered in strncpy from FoFiType1::parse in fofi/FoFiType1.cc because it does not ensure the source string has a valid length before making a fixed-length copy. It can, for example, be triggered by sending a crafted PDF document to the pdftotext tool. It allows an attacker to use a crafted pdf file to cause Denial of Service or an information leak, or possibly have unspecified other impact.

Hi,  
I'm Mike Zhang of Pangu Lab, I found a heap buffer overflow bug in xpdf code.

4.01.01 xpdf under Ubuntu 16.04.3 LTS

strncpy in FoFiType1::parse fofi/FoFiType1.cc:207 has not ensure the source string valid length before use a fixed copy length, causes an read\_\_\_heap-buffer-overflow problem.

log from Ubuntu:

Code: Select all

    ==12947==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000009d00 at pc 0x7f29e1f08806 bp 0x7ffed0886130 sp 0x7ffed08858d8
    READ of size 82 at 0x621000009d00 thread T0
        #0 0x7f29e1f08805 in strncpy (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x94805)
        #1 0xa03d0b in strncpy /usr/include/x86_64-linux-gnu/bits/string3.h:126
        #2 0xa03d0b in FoFiType1::parse() /home/panguandroid/Documents/git/xpdf/xpdf-src/fofi/FoFiType1.cc:207
        #3 0xa062da in FoFiType1::getName() /home/panguandroid/Documents/git/xpdf/xpdf-src/fofi/FoFiType1.cc:71
        #4 0x64b990 in Gfx8BitFont::Gfx8BitFont(XRef*, char*, Ref, GString*, GfxFontType, Ref, Dict*) /home/panguandroid/Documents/git/xpdf/xpdf-src/xpdf/GfxFont.cc:1051
        #5 0x658eb2 in GfxFont::makeFont(XRef*, char*, Ref, Dict*) /home/panguandroid/Documents/git/xpdf/xpdf-src/xpdf/GfxFont.cc:191
        #6 0x65ed1c in GfxFontDict::GfxFontDict(XRef*, Ref*, Dict*) /home/panguandroid/Documents/git/xpdf/xpdf-src/xpdf/GfxFont.cc:2087
        #7 0x5c950c in GfxResources::GfxResources(XRef*, Dict*, GfxResources*) /home/panguandroid/Documents/git/xpdf/xpdf-src/xpdf/Gfx.cc:292
        #8 0x5cb765 in Gfx::Gfx(PDFDoc*, OutputDev*, int, Dict*, double, double, PDFRectangle*, PDFRectangle*, int, int (*)(void*), void*) /home/panguandroid/Documents/git/xpdf/xpdf-src/xpdf/Gfx.cc:509
        #9 0x83ca1c in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/panguandroid/Documents/git/xpdf/xpdf-src/xpdf/Page.cc:369
        #10 0x83ca1c in Page::display(OutputDev*, double, double, int, int, int, int, int (*)(void*), void*) /home/panguandroid/Documents/git/xpdf/xpdf-src/xpdf/Page.cc:321
        #11 0x85ce9d in PDFDoc::displayPage(OutputDev*, int, double, double, int, int, int, int, int (*)(void*), void*) /home/panguandroid/Documents/git/xpdf/xpdf-src/xpdf/PDFDoc.cc:423
        #12 0x85ce9d in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /home/panguandroid/Documents/git/xpdf/xpdf-src/xpdf/PDFDoc.cc:436
        #13 0x43e2d2 in main /home/panguandroid/Documents/git/xpdf/xpdf-src/xpdf/pdftotext.cc:253
        #14 0x7f29e121d82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
        #15 0x440068 in _start (/home/panguandroid/Documents/git/xpdf/afl-install/bin/pdftotext+0x440068)
    
    0x621000009d00 is located 0 bytes to the right of 4096-byte region [0x621000008d00,0x621000009d00)
    allocated by thread T0 here:
        #0 0x7f29e1f52b50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
        #1 0x9a4c9f in grealloc /home/panguandroid/Documents/git/xpdf/xpdf-src/goo/gmem.cc:193
        #2 0x642386 in GfxFont::readEmbFontFile(XRef*, int*) /home/panguandroid/Documents/git/xpdf/xpdf-src/xpdf/GfxFont.cc:849
        #3 0x648b12 in Gfx8BitFont::Gfx8BitFont(XRef*, char*, Ref, GString*, GfxFontType, Ref, Dict*) /home/panguandroid/Documents/git/xpdf/xpdf-src/xpdf/GfxFont.cc:1049
        #4 0x658eb2 in GfxFont::makeFont(XRef*, char*, Ref, Dict*) /home/panguandroid/Documents/git/xpdf/xpdf-src/xpdf/GfxFont.cc:191
        #5 0x65ed1c in GfxFontDict::GfxFontDict(XRef*, Ref*, Dict*) /home/panguandroid/Documents/git/xpdf/xpdf-src/xpdf/GfxFont.cc:2087
        #6 0x5c950c in GfxResources::GfxResources(XRef*, Dict*, GfxResources*) /home/panguandroid/Documents/git/xpdf/xpdf-src/xpdf/Gfx.cc:292
        #7 0x5cb765 in Gfx::Gfx(PDFDoc*, OutputDev*, int, Dict*, double, double, PDFRectangle*, PDFRectangle*, int, int (*)(void*), void*) /home/panguandroid/Documents/git/xpdf/xpdf-src/xpdf/Gfx.cc:509
        #8 0x83ca1c in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/panguandroid/Documents/git/xpdf/xpdf-src/xpdf/Page.cc:369
        #9 0x83ca1c in Page::display(OutputDev*, double, double, int, int, int, int, int (*)(void*), void*) /home/panguandroid/Documents/git/xpdf/xpdf-src/xpdf/Page.cc:321
        #10 0x85ce9d in PDFDoc::displayPage(OutputDev*, int, double, double, int, int, int, int, int (*)(void*), void*) /home/panguandroid/Documents/git/xpdf/xpdf-src/xpdf/PDFDoc.cc:423
        #11 0x85ce9d in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /home/panguandroid/Documents/git/xpdf/xpdf-src/xpdf/PDFDoc.cc:436
        #12 0x43e2d2 in main /home/panguandroid/Documents/git/xpdf/xpdf-src/xpdf/pdftotext.cc:253
        #13 0x7f29e121d82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x94805) in strncpy
    Shadow bytes around the buggy address:
      0x0c427fff9350: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c427fff9360: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c427fff9370: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c427fff9380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c427fff9390: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c427fff93a0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c427fff93b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c427fff93c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c427fff93d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c427fff93e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c427fff93f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==12947==ABORTING
    

Code: Select all

    void FoFiType1::parse() {
      char *line, *line1, *p, *p2;
      char buf[256];
      char c;
      int n, code, base, i, j;
      GBool gotMatrix, startsWithDup, endsWithDup;
    
      gotMatrix = gFalse;
      for (i = 1, line = (char *)file;
           i <= 100 && line && (!name || !encoding || !gotMatrix);
           ++i) {
    
        // get font name
        if (!name && !strncmp(line, "/FontName", 9)) {
          strncpy(buf, line, 255);  // L207: read___heap-buffer-overflow
        //...
          line = getNextLine(line);
    

"line" variable is reference member "file" memory,

When set breakpoints on all the "file" member assignment code, the following line used:

Code: Select all

    FoFiBase::FoFiBase(char *fileA, int lenA, GBool freeFileDataA) {
      fileData = file = (Guchar *)fileA;  // L26
      len = lenA;
      freeFileData = freeFileDataA;
    }
    

The constructor called from

Code: Select all

    Gfx8BitFont::Gfx8BitFont(XRef *xref, char *tagA, Ref idA, GString *nameA,
    			 GfxFontType typeA, Ref embFontIDA, Dict *fontDict):
      GfxFont(tagA, idA, nameA, typeA, embFontIDA)
    {
      //...
      char *buf;
      int len;
      //...
      buf = NULL;
      if (type == fontType1 && embFontID.num >= 0) {
        if ((buf = readEmbFontFile(xref, &len))) {  // set buf and len
          if ((ffT1 = FoFiType1::make(buf, len))) {  // L1050
    

This code call into "FoFiBase::FoFiBase" method, "buf" is "fileA" and "len" is "lenA".

Code: Select all

    char *GfxFont::readEmbFontFile(XRef *xref, int *len) {
      char *buf;
      Object obj1, obj2;
      Stream *str;
      int size, n;
      //...
      do {
        //...
        buf = (char *)grealloc(buf, size + 4096); // L849: expand buf memory 4096 bytes everytime
        n = str->getBlock(buf + size, 4096);
        size += n;
      } while (n == 4096);  // read into buf until a non 4096 continue block with EOF byte in it
      *len = size;
      //...
      return buf;
    }
    

So, according to the above analysis, "len" is the "buf" memory length.

And with the dynamic debug analysis help, we found "line+255" is out of "file" memory block.

CVE-2019-13283: read___heap-buffer-overflow in FoFiType1::parse calls strncpy

Use-after-free in PDFium in Google Chrome prior to 74.0.3729.108 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file.

CVE-2019-5805

Integer overflow in PDFium in Google Chrome prior to 74.0.3729.108 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file.

CVE-2019-5820

CVE-2019-5821

In the ABB IDAL FTP server, an authenticated attacker can traverse to arbitrary directories on the hard disk with "CWD ../" and then use the FTP server functionality to download and upload files. An unauthenticated attacker can take advantage of the hardcoded or default credential pair exor/exor to become an authenticated attacker.

%PDF-1.6 %���� 298 0 obj <> endobj 316 0 obj <>/Filter/FlateDecode/ID\[<4F7B192D9D8B5E4B9D362B0EA2ED05FB><816ACA3D886DFB40B3545DF31C452F59>\]/Index\[298 29\]/Info 297 0 R/Length 87/Prev 115200/Root 299 0 R/Size 327/Type/XRef/W\[1 2 1\]>>stream h�bbd\`\`b\`Ӏ�;�\`�,oA�� ٵ �H01�Ĵ@\\+ ���6瀄���k�Tϸd2#1��?G�- endstream endobj startxref 0 %%EOF 326 0 obj <>stream h�b\`\`\`�6�� cb���\[�L�sL�d��0ݝR�l�č k}�M�j�v�XȚR!)QNW�d\[400u4p0H40�Ftt-��h\`�h@5 l�o0�f\`����|�!�K;o��C��5� � ���~|���U��r��V%���10Ι�X,��8る\`�qo���R��!����7t endstream endobj 299 0 obj <>/Metadata 25 0 R/Outlines 61 0 R/PageLayout/OneColumn/Pages 296 0 R/StructTreeRoot 104 0 R/Type/Catalog>> endobj 300 0 obj <>/Font<>>>/Rotate 0/StructParents 0/Tabs/S/Type/Page>> endobj 301 0 obj <>stream H�l�An7��>�\\\`�EQ�� @�.�,��.��M�qb���KR�4S���?)Q�7��{�=����ys}w�=|���i�p}��m��z������K!���<��6�tμ5(������\_������\]z|����\]ߛ���积����۷�?���}�K��R�\[����DT���¥3Q��tITJ��}���W���|����)K�K�}��MH�����sK�n�A�ǳ���Ќ�2���<��T�QDLS�=ĤQ��M�V�S�����\]�)�F������z1!W5\*��f�G�1��&Pd\* �WE���J.3-7��xIr�\]HI�b\]bg���pH1\\�DV���F1<�>�L�(U��hBJ�i$���(Z�q^C= 02���5��G���5�W:��bZ%#� ԹS�s���P�� vA�^V&������ZJѠ-ס�Lj��,Sl�EZm3~�8�Q�z��{\*�O؇i�mP8���l͉��<����=1G��p���$:mĨ>ᅛ��.ވ� ����;}PG��F�,�X�Iv��蛱�cI���a�Y\]�� v�5�H��E�H�Y��Ѓ>;v\_���^Á>{���䏬���g/H�س�}�:F�@�r�H^Sh:{Z��z�3v��>����tjЃ/��c���w� ȷ�\_sO�n7���i��\[}�I�\`#�^غ�\]݈�O��1l�;��A5��)Z�&������A-��Mq�Ʒ���n����ZӮ�\]s�;���D齪\]�e� ����\_��E� endstream endobj 302 0 obj <>stream H�l�Mre!��Y���Kɏ"��'��A�z;%�\*��h\*�w�>U�����gk��u���4���������E),Чt\`G�Ҟ�5�j�\`����Z�����t��pf�s�>v�o�)Lާ��:~����)�1a��!}o�h��cj�4Hb���D��}����86��2ϑ�����B\_��$I; 7'�f}����#q@uTW�Ϋόm14�\_�#6l��n�$+7�k�V$T#YC����"z��\]�ɤ���2��\\ˠ࠭>��'���juSb|�HUA��j)�1񉠡�F�SD Y9Y�#��� ��d�=&����t���K�&�(�dB��\[���u�1�d�;�^1T�xmN�n��o�N)kR���Ŧ�J/ �$�M\*5�� q����2�̛PF�豴a�ϴ>�m�}��x�����15�l���+���|���V�d-�2b�������F y\]����z��A�Q���֓�qQ,ڳ�&���,J��&I!��䝚�A^��8Sg� Sƕ\\�y�X�wc�;1�if���ό+Cq1R�~Ŵ6Z�޶b$����\_>��X\\��c�Y\\��W�ݷ���a,F"�IU��b�f'}�E:v5a,F8��bGي+8�py�і��1�e98����e1N��e��1�\`����0�Q�mfO��1^CfrL�h���2N��=�����f2���b���J�l溕�g���&�����1ʡ��f��P��5F'd,nM���r#K5RV�z�y������q5χ��{��{b�8�M��暕�p��Pb8�MP>q�\[R<�ۥ���,K������+l��\*ϱ�1�㘎�M�;��+�Z��d����0�����2��ˆ��t��E���6��h+|�>ndN2�ۑQobk���H�= endstream endobj 303 0 obj <>stream H�lVIr$7��+�����x��~���a�\`��N��\*�=�AL�bI �������$�A����-�yv%�c���;b���6xzY����>����LD�p�R,����1�:6�������K&^�?x\[���3~y|y�������E��L"���ސ���i9�s,�r3S�~{��9B5O��+����7��R�b��J��������u���g�y ֲ�%k^���®O�a�j�;�p����^O�>����}��Q��5|��FP�}�����s\`�@d\_�$Nf���fJl\`����H��c���|cz�\\F8ǃ@\*\]f������2�LL�w&6d��g��;�t���;��m� � l�E4�7F� ;�\*0-s6�a�w\`�;;3�\*��$�5�:4���ЎN���֦�е�#?�N�%ǝ �u���9O�� ر�D'��(�չ���M���pK��X������S99$����Ձ�}A���\_�.���\*�l-��(�r?���D��EE� I'b i��}ɔ�2t���i��.����D�e�it���L�Z�n�J1�\[ji��ϝ��i�����vP �ӂ��S}%ag�݂8��/x��\*�J��uB%��#~��7\[�4��Dt��2�J�������c�f�T��M�|�(��p\[C��'�� �%�}��\`�E�;Խ�� ΋��ֱ��:^��y�; @���g����<�g���l�:�C� @�E@R���ģ֜���&��$��y�T��N�����b�C�(!ex�g,�=J�nv$�"�����ڳ��1wN���<���s�O��X?��z��q��#M:GVB���ѪR�w�ϴ���Ox����x��m�PWߔۭ�i������G��C5=���2�HOYM�s�@�(.���ѭ��%^-��,ݪZe�e3fݺʘﷰ�i���V ���Vjm��W���+��QW\[���%=�j�y�������V�VW/�\]�b>��⏺z�u�����G\]��QW�}����\[\]��QW��/uu�q����VW��u�+���^���z�p�+��Ջo��z��RWw}��u��O�RWx���\[>� ���"�G\]A�G\]��Qם�K\]���\[\]��G\]wF/uuC2\[\]ǿ��<� endstream endobj 304 0 obj <>stream hޜUko�0�+�B�&5c$�c)��\`:�EdI�d��{��v\[E:�ɲ|s����8�\[�x��n��Y N8S� \\8A��j�ƓI��y��ޔ�g��H����.CM�f�=g��������i9#Cwiy�\_pm"\]\\�#=�3�\*�0D�9�\]�q��������w\`G�ώ�26�Jӣ�~���@�e�e-�1:�êG�t�6CQ��p+� Ǣ|�����pY��OfE񻭖�騬ꈃ�a1r�5��%\*=.?.�g\[߃Ӹ��C�ʡ���b�dR���)��!��r֬�H-�x��x1�\`rM�w�zh;�eӓf27\\�>&��ُ�e{^5+zV5���n��U�G���m����۰q�8���ǐ\*Z�si��SSa�H$����bd;.�oB1��a�U�O3�4��D�q�8z#Q�-�5"�������ޏ�in��"��"Vk� ��S�%���.� �֎8���ZD��h0ǰ���,��e;���$��%�Ώ2\*\`\_�:�V �ʳ�p�}Ҕ^"\]���'�h�hԯ����vp��M���8���z��}�\_V��wS�Ld��v�~�\]~}�ώO�/���?�{�����.�&s?�Z@�.�4��Z�~jMܾU��'scId��n�Kc39 h3�u���ҵm��\[��dX�)2a��f ?��H����\\�Q��Y@}�E�1F��:Af����ip�0�9���#�hܜqw�xn�-��B�.��e,o�� �.��4��c���Ж�~hs? ����l��l��l��a�xG%�7�v���%�M�\]l�ׇ��aJ endstream endobj 305 0 obj <>stream H�\\��j�@ཞb��"��ܹ�a�O^�}Y��Z����w�NH����hF��5�|<�vr����Oqr��k�x���:�s��\]�,\\���ǧ�}��,O�O��o���ge����}�i��������&�mwuO���g��އ�O��nr�ٸ&^ҍ�T���\]>o{96�z;=^Ҟ+~>���󒘺o�}��8V�5f�"�6�|K�M�����/��j�������g��ʬ�+��y��g�#�ȯ̯�o� Szvyt�%��\`.�i�0xa���i�yc6d:=��N��2o�w�;d�=̞N��&� m��&� m��&� m��&� m��&� =�p��y m�p��y �g�<��p:���g�3��p:���g�3��Ы��b>�^E��Wѫ�U�\*{��^E��Wѫ�U�\*{���N��)g���rV�Y)g���rV�Y)� �qV�Y���o����o����o����o����o�p����z9�%֯f�\_{f|��0�{my�-��hKox�?�d<��Dr��H�>����������v��d���\]��� 0S�)I endstream endobj 306 0 obj <>stream H�\\��j�0F���l/����L\`�����˦���d �(�E޾���.�!񱥙9#��f�݅a6��8v{?����/�5v��iYY�~�毧�;�S�����2��.ǬiL�+-^�x3w?�����=�>�d�~o��&�\_��?�0�¬צ�ǔ赝�ڳ7������0�R̿�ɛjy.)Ӎ��Lm�cN>k�t�M�u�C�ߺ��ݟ6fM��E�n�7�M��k��Kr ��\_ȩPc��b����&�\`K�\`��cɏ�yޒ��g�sbG77Ǻu�:�u��Pױ�C-�dM,�� c��XA��Y�,����)�)�)KN�"�E؋�y"?�y΂s�(�Qأ�G�� �Vٯ�\_���Y�pV:+��� g���Y�pV:+��� g���y�=UQ�e��&#�&�|�kw�1���y,3�������q2) ��S�,~�� endstream endobj 307 0 obj <>stream H��V�nG��+��9p�U��QRN�X��"��e;�W\]5)��\\�zӵ�Z(J�rH��R��7�\\H���:���u���C����ꊉ^8�b8g�\\ ��#l(�/����2��P��A-�qk�V ��R兓�Pצr�9(@<��BLM�W)B�hn1�L���� � P>gK'Wx����Pˑ-0��𒚷�'e����YW���k�5�&uP��h/U)hP�P���9$-�Iq�����FH���x�3i �:�Ya�S��!�Ƌ/E�gojA͆jl�@3�f6�:�du�s�M�D ���A��\\��t�L��C�^�7B�A 3 ��;(�8�~ �������O�ƥ��ִ#��x7ͺ�Qs�&���ن0�b��0%�F�ݨ9�l�.{���0m��q�N�v��^�W���z�)C�e�JY��!��̄��Y�����P�W��ቐ��i���r�t(����ت���J��Du9t�3�4����\[�^d��WFw%���¹l��kʪb���=�S�h25�O��E����ٻ�����i�~rI��ߋ�4a��v�G��M7n�G�휾�:�\`���\*�0������nW˓�h,n��EpÊ���l��峁�薧C/ΆW��/Q�ȣ�����a�I���²髣Q.p׹Z�Dd��Fr���-������3��-C��ȭ<ȥ����w�t髓��E�H��Ű��|� \_"��D³��(� ء��H/�a�0Ri��5�=8&�gN���ƈ�����=��a��\]�Lêy��X2��@ٷ{�q�̿H=I�sF�Y(��:��O�^}�f2Ӟ�$:�\*̽��+����m5��>�F��)ܷ�?j:�翜�>�'\_v�^��ܣG���������j���v�\[�j��l��+���(?�c�U��N�7� ��������\[�����|q멣���>|��}�~r�o�TR��C��߬�"����aP{��逘E� 3�>��������ד����К�/�Xkg�����{��ޑ�cl>��A�~3����+��di�HO�";�tX���ї i\\

Tag

#pdf