Package: poppler
Version: 0.18.4-6
Severity: important
Tags: security

The attached sample file crashes the poppler library, as demonstrated with the
pdfinfo utility; it was also tested with xpdf version 3.03. The sample file was
fuzzed with AFL <http://lcamtuf.coredump.cx/afl/>.

47c3a99686e97e882db1f873a6b70bc12bb58ec9  afl-poppler-sample-001.pdf

Starting program: pdfinfo afl-poppler-sample-001.pdf
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Error: PDF file is damaged - attempting to reconstruct xref table...
Error (892): Dictionary key must be a name object
Error (900): Dictionary key must be a name object
Error (958): Illegal character ')'
Error: Unterminated string
Error: End of file inside array
Error: End of file inside dictionary
Error: PDF file is damaged - attempting to reconstruct xref table...
Error (892): Dictionary key must be a name object
Error (900): Dictionary key must be a name object
Error (958): Illegal character ')'
Error: Unterminated string
Error: End of file inside array
Error: End of file inside dictionary

Program received signal SIGSEGV, Segmentation fault.
0x00000000005fa1f0 in XRef::getEntry (this=this@entry=0xa699d0, i=<optimized out>) at XRef.cc:1317
1317                errCode = errDamaged;
(gdb) bt
#0  0x00000000005fa1f0 in XRef::getEntry (this=this@entry=0xa699d0, i=<optimized out>) at XRef.cc:1317
#1  0x00000000005fccd0 in XRef::fetch (this=0xa699d0, num=1, gen=0, obj=0x7fffffffe680, fetchOriginatorNums=0x0) at XRef.cc:982
#2  0x000000000040b035 in getCatalog (obj=0x7fffffffe680, this=<optimized out>) at XRef.h:101
#3  Catalog::Catalog (this=0xa69d30, xrefA=<optimized out>) at Catalog.cc:88
#4  0x000000000059ec69 in PDFDoc::setup (this=this@entry=0xa69590, ownerPassword=ownerPassword@entry=0x0, userPassword=userPassword@entry=0x0) at PDFDoc.cc:260
#5  0x000000000059f39d in PDFDoc::PDFDoc (this=0xa69590, fileNameA=<optimized out>, ownerPassword=0x0, userPassword=0x0, guiDataA=<optimized out>) at PDFDoc.cc:154
#6  0x00000000007e99b5 in LocalPDFDocBuilder::buildPDFDoc (this=<optimized out>, uri=..., ownerPassword=0x0, userPassword=0x0, guiDataA=0x0) at LocalPDFDocBuilder.cc:31
#7  0x0000000000404102 in main (argc=2, argv=0x7fffffffeaf8) at pdfinfo.cc:172
#8  0x00007ffff62deead in __libc_start_main (main=<optimized out>, argc=<optimized out>, ubp_av=<optimized out>, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffeae8) at libc-start.c:244
#9  0x0000000000405cd5 in _start ()
(gdb) list
1312              }
1313            }
1314            if (followed) {
1315              error(-1, "Circular XRef");
1316              if (!(ok = constructXRef(NULL))) {
1317                errCode = errDamaged;
1318              }
1319              break;
1320            }
1321    

-- 
Henri Salo

Attachment: afl-poppler-sample-001.pdf
Description: Adobe PDF document
