A reachable Object::getString assertion in Poppler 22.07.0 allows attackers to cause a denial of service due to a failure in markObject.

We are currently migrating away from gitlab hosting cloud for the registry. There will be a final maintenance down time on Sunday 27th August, from approx 8-12am UTC. See the tracker issue for more informations. Note that the registry will see a brief outage, and potentially lag between uploads and availability during that window.

CVE-2022-37052: pdfseparate: Account for XRef::add failing because we run out of memory (86775003) · Commits · poppler / poppler · GitLab

In Poppler 22.07.0, PDFDoc::savePageAs in PDFDoc.c callows attackers to cause a denial-of-service (application crashes with SIGABRT) by crafting a PDF file in which the xref data structure is mishandled in getCatalog processing. Note that this vulnerability is caused by the incomplete patch of CVE-2018-20662.

Hi, we found a bug in the latest version of poppler (commit b9643712), the bug causes the program to crash with the following backtrace.

To reproduce it, run pdfseparate poc 1.pdf

    (gdb) bt
    #0  0x00007ffff72467bb in raise () from /lib/x86_64-linux-gnu/libc.so.6
    #1  0x00007ffff7231535 in abort () from /lib/x86_64-linux-gnu/libc.so.6
    #2  0x00007ffff7bee76f in Object::getDict (this=<optimized out>)
        at /home/users/chluo/poppler/poppler/Object.h:435
    #3  PDFDoc::savePageAs (this=0x466e10, name=..., pageNo=1)
        at /home/users/chluo/poppler/poppler/PDFDoc.cc:889
    #4  0x0000000000408659 in extractPages (srcFileName=<optimized out>,
        destFileName=0x7fffffffe6eb "./1.pdf")
        at /home/users/chluo/poppler/utils/pdfseparate.cc:123
    #5  main (argc=<optimized out>, argv=<optimized out>)
        at /home/users/chluo/poppler/utils/pdfseparate.cc:156

sep.zip

Seems that this bug is related to #706 (closed). 7b4e372d partially fixes #706 (closed) yet it is incomplete.

Edited Jul 27, 2022 by

CVE-2022-37050: SIGABRT at poppler/Object.h:435 (#1274) · Issues · poppler / poppler · GitLab

Uncontrolled Recursion in pdfinfo, and pdftops in poppler 0.89.0 allows remote attackers to cause a denial of service via crafted input.

We are currently migrating away from gitlab hosting cloud for the registry. There will be a final maintenance down time on Sunday 27th August, from approx 8-12am UTC. See the tracker issue for more informations. Note that the registry will see a brief outage, and potentially lag between uploads and availability during that window.

*   poppler
*   poppler
*   Issues
*   #936

I find an overflow in XRef, which is caused by mutual recursive call.

./pdfinfo ./xref.pdf

xref.zip

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information

CVE-2020-23804: Overflow in Xref (#936) · Issues · poppler / poppler · GitLab

An issue was discovered in Poppler 22.08.0. There is a reachable assertion in Object.h, will lead to denial of service because PDFDoc::replacePageDict in PDFDoc.cc lacks a stream check before saving an embedded file.

Hi, we found a bug in poppler/PDFDoc.cc:1755. When the bug is triggered, the program would crash with the following backtrace.

To reproduce, run pdfunite t.pdf poc 2.pdf

    (gdb) bt
    #0  0x00007ffff745f8c1 in raise () from /lib/x86_64-linux-gnu/libc.so.6
    #1  0x00007ffff7449546 in abort () from /lib/x86_64-linux-gnu/libc.so.6
    #2  0x00007ffff7a5eb18 in Object::getDict (this=0x7fffffffe0c8)
        at /home/users/chluo/pop/poppler/Object.h:435
    #3  PDFDoc::replacePageDict (this=0x5555555bb430, pageNo=<optimized out>,
        rotate=90, mediaBox=0x5555555e3b50, cropBox=0x5555555e3b70)
        at /home/users/chluo/pop/poppler/PDFDoc.cc:1755
    #4  0x000055555555c9fa in main (argc=<optimized out>, argv=<optimized out>)
        at /home/users/chluo/pop/utils/pdfunite.cc:290

The bug is relevant to #706 (closed) and #1276 (closed).

poc.zip

CVE-2022-38349: SIGABRT at poppler/PDFDoc.cc:1755 (#1282) · Issues · poppler / poppler · GitLab

Buffer Overflow vulnerability in WEBP_Support.cpp in exempi 2.5.0 and earlier allows remote attackers to cause a denial of service via opening of crafted webp file.

**Commit acee2894** authored Jul 27, 2019 by  **Hubert Figuiere**

Browse files

**Bug #12 - Invalid WebP cause memory overflow.**

#12

parent 53379ec2

*   Changes 1

Hide whitespace changes

Inline Side-by-side

Supports Markdown

0% or .

You are about to add **0 people** to the discussion. Proceed with caution.

Finish editing this message first!

Please register or sign in to comment

CVE-2020-18652: Bug #12 - Invalid WebP cause memory overflow. (acee2894) · Commits · libopenraw / exempi · GitLab

A Use After Free vulnerability in function new_Token in asm/preproc.c in nasm 2.14.02 allows attackers to cause a denial of service via crafted nasm command.

Self-registration is disabled due to spam issue (mail gorcunov@gmail.com or hpa@zytor.com to create an account)

'3392634?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2020-18780: Invalid Bug ID

There exists one heap buffer overflow in _TIFFmemcpy in tif_unix.c in libtiff 4.0.10, which allows an attacker to cause a denial-of-service through a crafted tiff file.

'2848?cve=title' is not a valid bug number.

Please press **Back** and try again.

CVE-2020-18768: Invalid Bug ID

A NULL pointer dereference was discovered in SExpressionWasmBuilder::makeBlock in wasm/wasm-s-parser.c in Binaryen 1.38.26. A crafted wasm input can cause a segmentation fault, leading to denial-of-service, as demonstrated by wasm-as.

Hi, there.

A Heap-buffer-overflow problem was discovered in wasm::WasmBinaryBuilder::visitBlock(wasm::Block\*) function in simple\_ast.h in /src/wasm/wasm-binary.cpp, as distributed in Binaryen 1.38.26. A crafted wasm input can cause segment faults and I have confirmed them with address sanitizer too.

Here are the POC files. Please use "./wasm-opt $POC" to reproduce the error.  
POC.zip

git log

    commit 153ba18ba99dc4dcef29a61e1e586af3df8d921d (HEAD -> master, tag: version_65, origin/master, origin/HEAD)
    Author: Alon Zakai <alonzakai@gmail.com>
    Date:   Mon Jan 28 11:32:19 2019 -0800
    
        Handle EM_ASM/EM_JS in LLVM wasm backend O0 output (#1888)
    
        See emscripten-core/emscripten#7928 - we have been optimizing all wasms until now, and noticed this when the wasm object file path did not do so. When not optimizing, our methods of handling EM_ASM and EM_JS fail since the patterns are different.
    
        Specifically, for EM_ASM we hunt for emscripten_asm_const(X, where X is a constant, but without opts it may be a get of a local. For EM_JS, the function body may not just contain a const, but a block with a set of the const and a return of a get later.
    
        This adds logic to track gets and sets in basic blocks, which is sufficient to handle this.
    

The ASAN dumps the stack trace as follows:

    =================================================================
    ==10623==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60e000000456 at pc 0x55961cae7862 bp 0x7ffd73795210 sp 0x7ffd73795200
    READ of size 1 at 0x60e000000456 thread T0
        #0 0x55961cae7861 in wasm::WasmBinaryBuilder::visitBlock(wasm::Block*) /binaryen/src/wasm/wasm-binary.cpp:1805
        #1 0x55961cad63bc in wasm::WasmBinaryBuilder::readExpression(wasm::Expression*&) /binaryen/src/wasm/wasm-binary.cpp:1687
        #2 0x55961cada7fa in wasm::WasmBinaryBuilder::skipUnreachableCode() /binaryen/src/wasm/wasm-binary.cpp:1417
        #3 0x55961cadba97 in wasm::WasmBinaryBuilder::processExpressions() /binaryen/src/wasm/wasm-binary.cpp:1392
        #4 0x55961cae7f6e in wasm::WasmBinaryBuilder::getBlockOrSingleton(wasm::Type) /binaryen/src/wasm/wasm-binary.cpp:1846
        #5 0x55961caf83d2 in wasm::WasmBinaryBuilder::visitIf(wasm::If*) /binaryen/src/wasm/wasm-binary.cpp:1871
        #6 0x55961cad3bb0 in wasm::WasmBinaryBuilder::readExpression(wasm::Expression*&) /binaryen/src/wasm/wasm-binary.cpp:1688
        #7 0x55961cada7fa in wasm::WasmBinaryBuilder::skipUnreachableCode() /binaryen/src/wasm/wasm-binary.cpp:1417
        #8 0x55961cadba97 in wasm::WasmBinaryBuilder::processExpressions() /binaryen/src/wasm/wasm-binary.cpp:1392
        #9 0x55961cae7f6e in wasm::WasmBinaryBuilder::getBlockOrSingleton(wasm::Type) /binaryen/src/wasm/wasm-binary.cpp:1846
        #10 0x55961caf83d2 in wasm::WasmBinaryBuilder::visitIf(wasm::If*) /binaryen/src/wasm/wasm-binary.cpp:1871
        #11 0x55961cad3bb0 in wasm::WasmBinaryBuilder::readExpression(wasm::Expression*&) /binaryen/src/wasm/wasm-binary.cpp:1688
        #12 0x55961cada7fa in wasm::WasmBinaryBuilder::skipUnreachableCode() /binaryen/src/wasm/wasm-binary.cpp:1417
        #13 0x55961cadba97 in wasm::WasmBinaryBuilder::processExpressions() /binaryen/src/wasm/wasm-binary.cpp:1392
        #14 0x55961cae7f6e in wasm::WasmBinaryBuilder::getBlockOrSingleton(wasm::Type) /binaryen/src/wasm/wasm-binary.cpp:1846
        #15 0x55961caed21f in wasm::WasmBinaryBuilder::readFunctions() /binaryen/src/wasm/wasm-binary.cpp:1129
        #16 0x55961caf597f in wasm::WasmBinaryBuilder::read() /binaryen/src/wasm/wasm-binary.cpp:678
        #17 0x55961cba18f7 in wasm::ModuleReader::readBinary(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, wasm::Module&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) /binaryen/src/wasm/wasm-io.cpp:52
        #18 0x55961cba7d97 in wasm::ModuleReader::read(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, wasm::Module&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) /binaryen/src/wasm/wasm-io.cpp:71
        #19 0x55961c764faf in main /binaryen/src/tools/wasm-opt.cpp:144
        #20 0x7fce29513b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
        #21 0x55961c77ec39 in _start (/binaryen/build/bin/wasm-opt+0x1c5c39)
    
    0x60e000000456 is located 0 bytes to the right of 150-byte region [0x60e0000003c0,0x60e000000456)
    allocated by thread T0 here:
        #0 0x7fce2a302458 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe0458)
        #1 0x55961df084ef in __gnu_cxx::new_allocator<char>::allocate(unsigned long, void const*) /usr/include/c++/7/ext/new_allocator.h:111
        #2 0x55961df084ef in std::allocator_traits<std::allocator<char> >::allocate(std::allocator<char>&, unsigned long) /usr/include/c++/7/bits/alloc_traits.h:436
        #3 0x55961df084ef in std::_Vector_base<char, std::allocator<char> >::_M_allocate(unsigned long) /usr/include/c++/7/bits/stl_vector.h:172
        #4 0x55961df084ef in std::_Vector_base<char, std::allocator<char> >::_M_create_storage(unsigned long) /usr/include/c++/7/bits/stl_vector.h:187
        #5 0x55961df084ef in std::_Vector_base<char, std::allocator<char> >::_Vector_base(unsigned long, std::allocator<char> const&) /usr/include/c++/7/bits/stl_vector.h:138
        #6 0x55961df084ef in std::vector<char, std::allocator<char> >::vector(unsigned long, char const&, std::allocator<char> const&) /usr/include/c++/7/bits/stl_vector.h:297
        #7 0x55961df084ef in std::vector<char, std::allocator<char> > wasm::read_file<std::vector<char, std::allocator<char> > >(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, wasm::Flags::BinaryOption, wasm::Flags::DebugOption) /binaryen/src/support/file.cpp:42
        #8 0x55961cb9fbf2 in wasm::ModuleReader::readBinary(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, wasm::Module&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) /binaryen/src/wasm/wasm-io.cpp:44
        #9 0x55961cba7d97 in wasm::ModuleReader::read(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, wasm::Module&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) /binaryen/src/wasm/wasm-io.cpp:71
        #10 0x55961c764faf in main /binaryen/src/tools/wasm-opt.cpp:144
        #11 0x7fce29513b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /binaryen/src/wasm/wasm-binary.cpp:1805 in wasm::WasmBinaryBuilder::visitBlock(wasm::Block*)
    Shadow bytes around the buggy address:
      0x0c1c7fff8030: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
      0x0c1c7fff8040: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c1c7fff8050: fd fd fd fa fa fa fa fa fa fa fa fa 00 00 00 00
      0x0c1c7fff8060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 05 fa
      0x0c1c7fff8070: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
    =>0x0c1c7fff8080: 00 00 00 00 00 00 00 00 00 00[06]fa fa fa fa fa
      0x0c1c7fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1c7fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1c7fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1c7fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1c7fff80d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==10623==ABORTING

CVE-2020-18378: Heap-buffer-overflow in /src/wasm/wasm-binary.cpp in wasm::WasmBinaryBuilder::visitBlock(wasm::Block*) in Binaryen 1.38.26 · Issue #1900 · WebAssembly/binaryen

Buffer Overflow vulnerability in HtmlOutputDev::page in poppler 0.75.0 allows attackers to cause a denial of service.

    ~/fuzz/poppler/utils]$ ./pdftohtml ./in/poc -f 1 /dev/null                                              *[master] 
    Syntax Error (738): Dictionary key must be a name object
    Syntax Error (751): Dictionary key must be a name object
    Syntax Error (758): Illegal character '>'
    Syntax Error (763): Dictionary key must be a name object
    Syntax Error (769): Dictionary key must be a name object
    Syntax Error (798): Illegal character ')'
    Syntax Error (798): Dictionary key must be a name object
    Syntax Error (820): Dictionary key must be a name object
    Syntax Error (820): Illegal character '{'
    Syntax Error (820): Dictionary key must be a name object
    Syntax Error (846): Dictionary key must be a name object
    Syntax Error (846): Dictionary key must be a name object
    Syntax Error (849): Dictionary key must be a name object
    Syntax Error (849): Illegal character '{'
    Syntax Error (849): Dictionary key must be a name object
    Syntax Error (899): Dictionary key must be a name object
    Syntax Error (899): Illegal character ')'
    Syntax Error (899): Dictionary key must be a name object
    Syntax Error (905): Dictionary key must be a name object
    Syntax Error (905): Dictionary key must be a name object
    Syntax Error (916): Dictionary key must be a name object
    Syntax Error (926): Dictionary key must be a name object
    Syntax Error (933): Dictionary key must be a name object
    Syntax Error (935): Dictionary key must be a name object
    Syntax Error (937): Dictionary key must be a name object
    Syntax Error (941): Dictionary key must be a name object
    Syntax Error (943): Dictionary key must be a name object
    Syntax Error (950): Dictionary key must be a name object
    I/O Error: Couldn't open html file '/dev/null.html'
    I/O Error: Couldn't open html file '/dev/null_ind.html'
    ASAN:SIGSEGV
    =================================================================
    ==49519==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f849ee7c6f8 bp 0x611000009950 sp 0x7
    ffc717cbd00 T0)
        #0 0x7f849ee7c6f7 in _IO_fwrite (/lib/x86_64-linux-gnu/libc.so.6+0x6e6f7)
        #1 0x52d565 in HtmlOutputDev::~HtmlOutputDev() /home/greydog/fuzz/poppler/utils/HtmlOutputDev.cc:1221
        #2 0x52d860 in HtmlOutputDev::~HtmlOutputDev() /home/greydog/fuzz/poppler/utils/HtmlOutputDev.cc:1227
        #3 0x50543f in main /home/greydog/fuzz/poppler/utils/pdftohtml.cc:457
        #4 0x7f849ee2e82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
        #5 0x508818 in _start (/home/greydog/fuzz/poppler/utils/pdftohtml+0x508818)
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV ??:0 _IO_fwrite
    ==49519==ABORTING 

    [----------------------------------registers-----------------------------------]
    RAX: 0x0 
    RBX: 0x10 
    RCX: 0xbebebebebebebebe 
    RDX: 0x10 
    RSI: 0x1 
    RDI: 0xacd440 ("</body>\n</html>\n")
    RBP: 0x611000009950 --> 0xbebebebebebebebe 
    RSP: 0x7fffffffd3d0 --> 0x60300001dce0 --> 0x606023800004 --> 0x0 
    RIP: 0x7ffff47d56f8 (<__GI__IO_fwrite+24>:      mov    eax,DWORD PTR [rcx])
    R8 : 0x0 
    R9 : 0xc220000132a --> 0x0 
    R10: 0x62c 
    R11: 0x7ffff47d56e0 (<__GI__IO_fwrite>: push   r14)
    R12: 0x6110000098c0 --> 0xe3bf48 --> 0x52ce50 (<HtmlOutputDev::~HtmlOutputDev()>:       lea    rsp,[rsp-0x98])
    R13: 0xc2200001329 --> 0x0 
    R14: 0x611000009948 --> 0x0 
    R15: 0x603000001120 --> 0x603000001130 ("./in/poc")
    EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
    [-------------------------------------code-------------------------------------]
       0x7ffff47d56eb <__GI__IO_fwrite+11>: imul   rbx,rdx
       0x7ffff47d56ef <__GI__IO_fwrite+15>: test   rbx,rbx
       0x7ffff47d56f2 <__GI__IO_fwrite+18>: je     0x7ffff47d57e8 <__GI__IO_fwrite+264>
    => 0x7ffff47d56f8 <__GI__IO_fwrite+24>: mov    eax,DWORD PTR [rcx]
       0x7ffff47d56fa <__GI__IO_fwrite+26>: mov    r12,rdi
       0x7ffff47d56fd <__GI__IO_fwrite+29>: mov    r10,rsi
       0x7ffff47d5700 <__GI__IO_fwrite+32>: mov    r9,rcx
       0x7ffff47d5703 <__GI__IO_fwrite+35>: and    eax,0x8000
    [------------------------------------stack-------------------------------------]
    0000| 0x7fffffffd3d0 --> 0x60300001dce0 --> 0x606023800004 --> 0x0 
    0008| 0x7fffffffd3d8 --> 0x611000009950 --> 0xbebebebebebebebe 
    0016| 0x7fffffffd3e0 --> 0x6110000098c0 --> 0xe3bf48 --> 0x52ce50 (<HtmlOutputDev::~HtmlOutputDev()>:   lea    rsp,[rsp-0x98])
    0024| 0x7fffffffd3e8 --> 0xc2200001329 --> 0x0 
    0032| 0x7fffffffd3f0 --> 0x611000009948 --> 0x0 
    0040| 0x7fffffffd3f8 --> 0x52d566 (<HtmlOutputDev::~HtmlOutputDev()+1814>:      mov    rcx,rbp)
    0048| 0x7fffffffd400 --> 0x60600000d488 --> 0xbebebebebebebebe 
    0056| 0x7fffffffd408 --> 0x60300001e730 --> 0x60300001e740 ("/dev/null")
    [------------------------------------------------------------------------------]
    Legend: code, data, rodata, value
    Stopped reason: SIGSEGV
    __GI__IO_fwrite (buf=buf@entry=0xacd440, size=size@entry=0x1, count=count@entry=0x10, fp=0xbebebebebebebebe)
        at iofwrite.c:37
    37      iofwrite.c: No such file or directory.
    gdb-peda$ bt 10
    #0  __GI__IO_fwrite (buf=buf@entry=0xacd440, size=size@entry=0x1, count=count@entry=0x10, fp=0xbebebebebebebebe)
        at iofwrite.c:37
    #1  0x000000000052d566 in HtmlOutputDev::~HtmlOutputDev (this=0x6110000098c0, __in_chrg=<optimized out>)
        at /home/greydog/fuzz/poppler/utils/HtmlOutputDev.cc:1221
    #2  0x000000000052d861 in HtmlOutputDev::~HtmlOutputDev (this=0x6110000098c0, __in_chrg=<optimized out>)
        at /home/greydog/fuzz/poppler/utils/HtmlOutputDev.cc:1227
    #3  0x0000000000505440 in main (argc=0x3, argc@entry=0x5, argv=argv@entry=0x7fffffffd7e8)
        at /home/greydog/fuzz/poppler/utils/pdftohtml.cc:457
    #4  0x00007ffff4787830 in __libc_start_main (main=0x503bf0 <main(int, char**)>, argc=0x5, argv=0x7fffffffd7e8, 
        init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffd7d8)
        at ../csu/libc-start.c:291
    #5  0x0000000000508819 in _start ()
    
    
    [----------------------------------registers-----------------------------------]                           [23/9786]
    RAX: 0x0 
    RBX: 0xffffffffaa2 --> 0x0 
    RCX: 0x6110000098c0 --> 0xe3bf48 --> 0x52ce50 (<HtmlOutputDev::~HtmlOutputDev()>:       lea    rsp,[rsp-0x98])
    RDX: 0xc2200001318 --> 0x0 
    RSI: 0xe3bf48 --> 0x52ce50 (<HtmlOutputDev::~HtmlOutputDev()>:  lea    rsp,[rsp-0x98])
    RDI: 0x6110000098c0 --> 0xe3bf48 --> 0x52ce50 (<HtmlOutputDev::~HtmlOutputDev()>:       lea    rsp,[rsp-0x98])
    RBP: 0x7fffffffd510 --> 0x41b58ab3 
    RSP: 0x7fffffffd458 --> 0x505440 (<main(int, char**)+6224>:     mov    DWORD PTR [rsp+0x18],0x0)
    RIP: 0x52d820 (<HtmlOutputDev::~HtmlOutputDev()>:       lea    rsp,[rsp-0x98])
    R8 : 0x1c77ea 
    R9 : 0x1c80b 
    R10: 0x6110000098c0 --> 0xe3bf48 --> 0x52ce50 (<HtmlOutputDev::~HtmlOutputDev()>:       lea    rsp,[rsp-0x98])
    R11: 0x1c7856 
    R12: 0x60300001e730 --> 0x60300001e740 ("/dev/null")
    R13: 0xef4140 --> 0x0 
    R14: 0x610000007d40 --> 0x603000001090 --> 0x6030000010a0 ("./in/poc")
    R15: 0x603000001120 --> 0x603000001130 ("./in/poc")
    EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
    [-------------------------------------code-------------------------------------]
       0x52d810 <HtmlOutputDev::~HtmlOutputDev()+2496>:     call   0x5007f0 <__stack_chk_fail@plt>
       0x52d815 <HtmlOutputDev::~HtmlOutputDev()+2501>:     call   0x501640 <__asan_report_load8@plt>
       0x52d81a:    nop    WORD PTR [rax+rax*1+0x0]
    => 0x52d820 <HtmlOutputDev::~HtmlOutputDev()>:  lea    rsp,[rsp-0x98]
       0x52d828 <HtmlOutputDev::~HtmlOutputDev()+8>:        mov    QWORD PTR [rsp],rdx
       0x52d82c <HtmlOutputDev::~HtmlOutputDev()+12>:       mov    QWORD PTR [rsp+0x8],rcx
       0x52d831 <HtmlOutputDev::~HtmlOutputDev()+17>:       mov    QWORD PTR [rsp+0x10],rax
       0x52d836 <HtmlOutputDev::~HtmlOutputDev()+22>:       mov    rcx,0xee1
    [------------------------------------stack-------------------------------------]
    
      0x52d810 <HtmlOutputDev::~HtmlOutputDev()+2496>:     call   0x5007f0 <__stack_chk_fail@plt>
       0x52d815 <HtmlOutputDev::~HtmlOutputDev()+2501>:     call   0x501640 <__asan_report_load8@plt>
       0x52d81a:    nop    WORD PTR [rax+rax*1+0x0]
    => 0x52d820 <HtmlOutputDev::~HtmlOutputDev()>:  lea    rsp,[rsp-0x98]
       0x52d828 <HtmlOutputDev::~HtmlOutputDev()+8>:        mov    QWORD PTR [rsp],rdx
       0x52d82c <HtmlOutputDev::~HtmlOutputDev()+12>:       mov    QWORD PTR [rsp+0x8],rcx
       0x52d831 <HtmlOutputDev::~HtmlOutputDev()+17>:       mov    QWORD PTR [rsp+0x10],rax
       0x52d836 <HtmlOutputDev::~HtmlOutputDev()+22>:       mov    rcx,0xee1
    [------------------------------------stack-------------------------------------]
    0000| 0x7fffffffd458 --> 0x505440 (<main(int, char**)+6224>:    mov    DWORD PTR [rsp+0x18],0x0)
    0008| 0x7fffffffd460 --> 0x7ffff53d5ac8 (:wcout+8>:     0x00007ffff53d0a10)
    0016| 0x7fffffffd468 --> 0x7fffffffd6d0 --> 0x0 
    0024| 0x7fffffffd470 --> 0x7fffffffd510 --> 0x41b58ab3 
    0032| 0x7fffffffd478 --> 0x6110000098c0 --> 0xe3bf48 --> 0x52ce50 (<HtmlOutputDev::~HtmlOutputDev()>:   lea    rsp,[rsp-0x98])
    0040| 0x7fffffffd480 --> 0xef3fc0 --> 0x0 
    0048| 0x7fffffffd488 --> 0x60300001e250 --> 0x60307a800001 --> 0x0 
    0056| 0x7fffffffd490 --> 0x60300001e1f0 --> 0x60607b800002 --> 0x0 
    [------------------------------------------------------------------------------]
    Legend: code, data, rodata, value
    
    Breakpoint 1, HtmlOutputDev::~HtmlOutputDev (this=0x6110000098c0, __in_chrg=<optimized out>)
        at /home/greydog/fuzz/poppler/utils/HtmlOutputDev.cc:1201
    1201    HtmlOutputDev::~HtmlOutputDev() {
    gdb-peda$ p page
    $1 = (FILE *) 0xbebebebebebebebe
    gdb-peda$ list
    1196        delete htmlEncoding;
    1197      }
    1198      ok = true; 
    1199    }
    1200
    1201    HtmlOutputDev::~HtmlOutputDev() {
    1202        delete Docname;
    1203        delete docTitle;
    1204
    1205        for (auto entry : *glMetaVars) {

CVE-2020-18839: pdftohtml memory crash (#742) · Issues · poppler / poppler · GitLab

Heap buffer overflow vulnerability in FilePOSIX::read in File.cpp in audiofile 0.3.6 may cause denial-of-service via a crafted wav file, this bug can be triggered by the executable sfconvert.

one heap buffer overflow in FilePOSIX::read in File.cpp in master branch.  
poc.zip

$uname -a  
Linux ubuntu 4.15.0-70-generic #79~16.04.1-Ubuntu SMP Tue Nov 12 14:01:10 UTC 2019 x86\_64 GNU/Linux

**$./sfconvert poc.wav output format wave  
asan:**

\==90086==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61a00001f708 at pc 0x7f64fd42ee55 bp 0x7ffcd6e8e290 sp 0x7ffcd6e8da38  
WRITE of size 2 at 0x61a00001f708 thread T0  
#0 0x7f64fd42ee54 (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x45e54)  
#1 0x7f64fd14b8cb in FilePOSIX::read(void\*, unsigned long) /home/s2e/asan/audiofile/libaudiofile/File.cpp:126  
#2 0x7f64fd150ed9 in readValue /home/s2e/asan/audiofile/libaudiofile/FileHandle.cpp:353  
#3 0x7f64fd14fc48 in readSwap /home/s2e/asan/audiofile/libaudiofile/FileHandle.cpp:375  
#4 0x7f64fd14ee93 in \_AFfilehandle::readS16(short\*) /home/s2e/asan/audiofile/libaudiofile/FileHandle.cpp:397  
#5 0x7f64fd16e393 in WAVEFile::parseFormat(Tag const&, unsigned int) /home/s2e/asan/audiofile/libaudiofile/WAVE.cpp:289  
#6 0x7f64fd171751 in WAVEFile::readInit(\_AFfilesetup\*) /home/s2e/asan/audiofile/libaudiofile/WAVE.cpp:733  
#7 0x7f64fd18067e in \_afOpenFile /home/s2e/asan/audiofile/libaudiofile/openclose.cpp:356  
#8 0x7f64fd17fab0 in afOpenFile /home/s2e/asan/audiofile/libaudiofile/openclose.cpp:217  
#9 0x40251a in main /home/s2e/asan/audiofile/sfcommands/sfconvert.c:195  
#10 0x7f64fcd7982f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2082f)  
#11 0x401568 in \_start (/home/s2e/asan/audiofile/tmp/bin/sfconvert+0x401568)

0x61a00001f708 is located 0 bytes to the right of 1160-byte region \[0x61a00001f280,0x61a00001f708)  
allocated by thread T0 here:  
#0 0x7f64fd482532 in operator new(unsigned long) (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x99532)  
#1 0x7f64fd14c4f1 in \_AFfilehandle::create(int) /home/s2e/asan/audiofile/libaudiofile/FileHandle.cpp:80  
#2 0x7f64fd18042e in \_afOpenFile /home/s2e/asan/audiofile/libaudiofile/openclose.cpp:337  
#3 0x7f64fd17fab0 in afOpenFile /home/s2e/asan/audiofile/libaudiofile/openclose.cpp:217  
#4 0x40251a in main /home/s2e/asan/audiofile/sfcommands/sfconvert.c:195  
#5 0x7f64fcd7982f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 ??  
Shadow bytes around the buggy address:  
0x0c347fffbe90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c347fffbea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c347fffbeb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c347fffbec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c347fffbed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
\=>0x0c347fffbee0: 00\[fa\]fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c347fffbef0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c347fffbf00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c347fffbf10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c347fffbf20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c347fffbf30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
Shadow byte legend (one shadow byte represents 8 application bytes):  
Addressable: 00  
Partially addressable: 01 02 03 04 05 06 07  
Heap left redzone: fa  
Heap right redzone: fb  
Freed heap region: fd  
Stack left redzone: f1  
Stack mid redzone: f2  
Stack right redzone: f3  
Stack partial redzone: f4  
Stack after return: f5  
Stack use after scope: f8  
Global redzone: f9  
Global init order: f6  
Poisoned by user: f7  
Container overflow: fc  
Array cookie: ac  
Intra object redzone: bb  
ASan internal: fe  
\==90086==ABORTING

Tag

#dos