
a heap-use-after-free found in poppler #168

Closed
flyfish101 opened this issue Mar 29, 2024 · 1 comment


flyfish101 commented Mar 29, 2024

It is detected by my custom fuzzer. Maybe it should be fixed in magma.

poc.zip


./pdftoppm -mono -cropbox ./poc
Syntax Warning: Illegal entry in ToUnicode CMap
Syntax Warning: Illegal entry in bfrange block in ToUnicode CMap
Syntax Warning: Illegal entry in bfrange block in ToUnicode CMap
Syntax Warning: Illegal entry in bfrange block in ToUnicode CMap
Syntax Warning: Illegal entry in bfrange block in ToUnicode CMap
Syntax Warning: Illegal entry in bfrange block in ToUnicode CMap
Syntax Warning: Illegal entry in bfrange block in ToUnicode CMap
Syntax Warning: Illegal entry in bfrange block in ToUnicode CMap
Syntax Warning: Illegal entry in bfrange block in ToUnicode CMap
Syntax Warning: Illegal entry in bfrange block in ToUnicode CMap
Syntax Warning: Illegal entry in bfrange block in ToUnicode CMap
=================================================================
==2238967==ERROR: AddressSanitizer: heap-use-after-free on address 0x604000001960 at pc 0x000000b70768 bp 0x7fffffffabc0 sp 0x7fffffffabb8
READ of size 4 at 0x604000001960 thread T0
    #0 0xb70767 in Splash::pipeSetXY(SplashPipe*, int, int) /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/splash/Splash.cc:1193:21
    #1 0xb6bdac in Splash::pipeInit(SplashPipe*, int, int, SplashPattern*, unsigned char*, unsigned char, bool, bool, bool, unsigned char) /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/splash/Splash.cc:207:5
    #2 0xb7ddda in Splash::fillWithPattern(SplashPath*, bool, SplashPattern*, double) /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/splash/Splash.cc:2394:9
    #3 0xb84d7e in Splash::fill(SplashPath*, bool) /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/splash/Splash.cc:2278:12
    #4 0xae196c in SplashOutputDev::fill(GfxState*) /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/poppler/SplashOutputDev.cc:2110:13
    #5 0x7fcba4 in Gfx::gouraudFillTriangle(double, double, GfxColor*, double, double, GfxColor*, double, double, GfxColor*, int, int, GfxState::ReusablePathIterator*) /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/poppler/Gfx.cc:3304:14
    #6 0x7fd36f in Gfx::gouraudFillTriangle(double, double, GfxColor*, double, double, GfxColor*, double, double, GfxColor*, int, int, GfxState::ReusablePathIterator*) /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/poppler/Gfx.cc:3318:9
    #7 0x7fd36f in Gfx::gouraudFillTriangle(double, double, GfxColor*, double, double, GfxColor*, double, double, GfxColor*, int, int, GfxState::ReusablePathIterator*) /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/poppler/Gfx.cc:3318:9
    #8 0x7fd36f in Gfx::gouraudFillTriangle(double, double, GfxColor*, double, double, GfxColor*, double, double, GfxColor*, int, int, GfxState::ReusablePathIterator*) /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/poppler/Gfx.cc:3318:9
    #9 0x7fd36f in Gfx::gouraudFillTriangle(double, double, GfxColor*, double, double, GfxColor*, double, double, GfxColor*, int, int, GfxState::ReusablePathIterator*) /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/poppler/Gfx.cc:3318:9
    #10 0x7fd36f in Gfx::gouraudFillTriangle(double, double, GfxColor*, double, double, GfxColor*, double, double, GfxColor*, int, int, GfxState::ReusablePathIterator*) /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/poppler/Gfx.cc:3318:9
    #11 0x7fd36f in Gfx::gouraudFillTriangle(double, double, GfxColor*, double, double, GfxColor*, double, double, GfxColor*, int, int, GfxState::ReusablePathIterator*) /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/poppler/Gfx.cc:3318:9
    #12 0x7f41d9 in Gfx::doGouraudTriangleShFill(GfxGouraudTriangleShading*) /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/poppler/Gfx.cc:3261:13
    #13 0x80af95 in Gfx::doShadingPatternFill(GfxShadingPattern*, bool, bool, bool) /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/poppler/Gfx.cc:2318:9
    #14 0x82334a in Gfx::doPatternFill(bool) /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/poppler/Gfx.cc:1898:9
    #15 0x7d1ba9 in Gfx::opFill(Object*, int) /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/poppler/Gfx.cc:1758:17
    #16 0x812b91 in Gfx::execOp(Object*, Object*, int) /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/poppler/Gfx.cc:804:5
    #17 0x810ce5 in Gfx::go(bool) /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/poppler/Gfx.cc:681:13
    #18 0x80f32c in Gfx::display(Object*, bool) /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/poppler/Gfx.cc:642:5
    #19 0x70b87e in Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/poppler/Page.cc:576:14
    #20 0x6ce84b in PDFDoc::displayPageSlice(OutputDev*, int, double, double, int, bool, bool, bool, int, int, int, int, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/poppler/PDFDoc.cc:662:24
    #21 0x5f368f in savePageSlice(PDFDoc*, SplashOutputDev*, int, int, int, int, int, double, double, char*) /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/utils/pdftoppm.cc:288:10
    #22 0x5f10d9 in main /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/utils/pdftoppm.cc:684:9
    #23 0x7ffff7793082 in __libc_start_main /build/glibc-wuryBv/glibc-2.31/csu/../csu/libc-start.c:308:16
    #24 0x47ccbd in _start (/home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/out_PDF006_pure/pdftoppm+0x47ccbd)

0x604000001960 is located 16 bytes inside of 48-byte region [0x604000001950,0x604000001980)
freed by thread T0 here:
    #0 0x572437 in operator delete(void*) /home/fuzz/Desktop/llvm-project/compiler-rt/lib/asan/asan_new_delete.cpp:152:3
    #1 0xbbd409 in Splash::gouraudTriangleShadedFill(SplashGouraudColor*) /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/splash/Splash.cc:5470:17
    #2 0xae9e2a in SplashOutputDev::gouraudTriangleShadedFill(GfxState*, GfxGouraudTriangleShading*) /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/poppler/SplashOutputDev.cc:4418:33
    #3 0x7f38d2 in Gfx::doGouraudTriangleShFill(GfxGouraudTriangleShading*) /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/poppler/Gfx.cc:3229:18
    #4 0x80af95 in Gfx::doShadingPatternFill(GfxShadingPattern*, bool, bool, bool) /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/poppler/Gfx.cc:2318:9
    #5 0x82334a in Gfx::doPatternFill(bool) /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/poppler/Gfx.cc:1898:9
    #6 0x7d1ba9 in Gfx::opFill(Object*, int) /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/poppler/Gfx.cc:1758:17
    #7 0x812b91 in Gfx::execOp(Object*, Object*, int) /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/poppler/Gfx.cc:804:5
    #8 0x810ce5 in Gfx::go(bool) /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/poppler/Gfx.cc:681:13
    #9 0x80f32c in Gfx::display(Object*, bool) /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/poppler/Gfx.cc:642:5
    #10 0x70b87e in Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/poppler/Page.cc:576:14
    #11 0x6ce84b in PDFDoc::displayPageSlice(OutputDev*, int, double, double, int, bool, bool, bool, int, int, int, int, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/poppler/PDFDoc.cc:662:24
    #12 0x5f368f in savePageSlice(PDFDoc*, SplashOutputDev*, int, int, int, int, int, double, double, char*) /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/utils/pdftoppm.cc:288:10
    #13 0x5f10d9 in main /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/utils/pdftoppm.cc:684:9
    #14 0x7ffff7793082 in __libc_start_main /build/glibc-wuryBv/glibc-2.31/csu/../csu/libc-start.c:308:16

previously allocated by thread T0 here:
    #0 0x571a37 in operator new(unsigned long) /home/fuzz/Desktop/llvm-project/compiler-rt/lib/asan/asan_new_delete.cpp:95:3
    #1 0xada3ce in SplashOutputDev::startPage(int, GfxState*, XRef*) /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/poppler/SplashOutputDev.cc:1350:18
    #2 0x838d76 in Gfx::Gfx(PDFDoc*, OutputDev*, int, Dict*, double, double, PDFRectangle const*, PDFRectangle const*, int, bool (*)(void*), void*, XRef*) /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/poppler/Gfx.cc:480:10
    #3 0x70cb0e in Page::createGfx(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, XRef*) /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/poppler/Page.cc:550:15
    #4 0x70b803 in Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/poppler/Page.cc:571:11
    #5 0x6ce84b in PDFDoc::displayPageSlice(OutputDev*, int, double, double, int, bool, bool, bool, int, int, int, int, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/poppler/PDFDoc.cc:662:24
    #6 0x5f368f in savePageSlice(PDFDoc*, SplashOutputDev*, int, int, int, int, int, double, double, char*) /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/utils/pdftoppm.cc:288:10
    #7 0x5f10d9 in main /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/utils/pdftoppm.cc:684:9
    #8 0x7ffff7793082 in __libc_start_main /build/glibc-wuryBv/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-use-after-free /home/fuzz/Desktop/DDGF_Project/magma/targets/poppler/repo/splash/Splash.cc:1193:21 in Splash::pipeSetXY(SplashPipe*, int, int)
Shadow bytes around the buggy address:
  0x0c087fff82d0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c087fff82e0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c087fff82f0: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 00 00
  0x0c087fff8300: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 00 00
  0x0c087fff8310: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
=>0x0c087fff8320: fa fa fd fd fd fd fd fa fa fa fd fd[fd]fd fd fd
  0x0c087fff8330: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
  0x0c087fff8340: fa fa 00 00 00 00 00 fa fa fa fd fd fd fd fd fd
  0x0c087fff8350: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 00 fa
  0x0c087fff8360: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
  0x0c087fff8370: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==2238967==ABORTING
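To make a report like the one above quicker to act on, here is an added triage helper (my own example, not code from the issue or from poppler or magma): it parses an AddressSanitizer heap-use-after-free report, skips the allocator and C-runtime frames, and returns the first in-project frame of each of the three stacks (the dangling use, the free, and the original allocation) plus a crash signature built from the top in-project frames of the use stack, which is what a fuzzing pipeline typically buckets duplicates on. The embedded sample is an abridged copy of the trace in this issue with the long absolute paths shortened; the `RUNTIME_FUNCS` and `RUNTIME_PATHS` heuristics are assumptions of this example, not an ASan API.

```python
"""Triage an AddressSanitizer heap-use-after-free report.

Extracts the three facts a triager wants first: where the freed object was
used, where it was freed and where it was allocated, ignoring the allocator
and C-runtime frames that sit on top of each stack.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: an abridged copy of the report in this issue, with
# the absolute source paths shortened to keep the lines readable.
SAMPLE_REPORT = """\
==2238967==ERROR: AddressSanitizer: heap-use-after-free on address 0x604000001960 at pc 0x000000b70768 bp 0x7fffffffabc0 sp 0x7fffffffabb8
READ of size 4 at 0x604000001960 thread T0
    #0 0xb70767 in Splash::pipeSetXY(SplashPipe*, int, int) splash/Splash.cc:1193:21
    #1 0xb6bdac in Splash::pipeInit(SplashPipe*, int, int, SplashPattern*, unsigned char*, unsigned char, bool, bool, bool, unsigned char) splash/Splash.cc:207:5
    #2 0xb7ddda in Splash::fillWithPattern(SplashPath*, bool, SplashPattern*, double) splash/Splash.cc:2394:9

0x604000001960 is located 16 bytes inside of 48-byte region [0x604000001950,0x604000001980)
freed by thread T0 here:
    #0 0x572437 in operator delete(void*) asan_new_delete.cpp:152:3
    #1 0xbbd409 in Splash::gouraudTriangleShadedFill(SplashGouraudColor*) splash/Splash.cc:5470:17
    #2 0xae9e2a in SplashOutputDev::gouraudTriangleShadedFill(GfxState*, GfxGouraudTriangleShading*) poppler/SplashOutputDev.cc:4418:33

previously allocated by thread T0 here:
    #0 0x571a37 in operator new(unsigned long) asan_new_delete.cpp:95:3
    #1 0xada3ce in SplashOutputDev::startPage(int, GfxState*, XRef*) poppler/SplashOutputDev.cc:1350:18
    #2 0x838d76 in Gfx::Gfx(PDFDoc*, OutputDev*, int, Dict*, double, double) poppler/Gfx.cc:480:10

SUMMARY: AddressSanitizer: heap-use-after-free splash/Splash.cc:1193:21 in Splash::pipeSetXY(SplashPipe*, int, int)
"""

HEADER_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+)")
REGION_RE = re.compile(r"inside of (\d+)-byte region")
# "#N 0xADDR in <function with spaces and parens> <file:line:col or (binary+off)>"
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(.+)\s+(\S+)\s*$")

# Heuristics (assumed for this example) for frames that belong to the
# allocator or C runtime rather than to the program under test.
RUNTIME_FUNCS = ("operator new", "operator delete", "__libc_start_main",
                 "_start", "__interceptor_", "__asan_")
RUNTIME_PATHS = ("compiler-rt/", "/glibc-")


@dataclass
class Frame:
    index: int
    function: str
    location: str


@dataclass
class Triage:
    bug_type: str
    address: str
    access: Optional[Tuple[str, int]]   # e.g. ("READ", 4)
    region_size: Optional[int]          # size of the freed allocation
    stacks: Dict[str, List[Frame]]      # "use", "free", "alloc"

    def _project_frames(self, which: str) -> List[Frame]:
        return [f for f in self.stacks[which] if not is_runtime_frame(f)]

    @property
    def use(self) -> Optional[Frame]:
        return next(iter(self._project_frames("use")), None)

    @property
    def free(self) -> Optional[Frame]:
        return next(iter(self._project_frames("free")), None)

    @property
    def alloc(self) -> Optional[Frame]:
        return next(iter(self._project_frames("alloc")), None)

    def signature(self, depth: int = 3) -> str:
        """Bucketing key: top in-project function names of the use stack."""
        names = [f.function.split("(")[0] for f in self._project_frames("use")[:depth]]
        return "|".join(names)


def is_runtime_frame(frame: Frame) -> bool:
    return frame.function.startswith(RUNTIME_FUNCS) or any(
        p in frame.location for p in RUNTIME_PATHS)


def parse_report(text: str) -> Triage:
    bug_type, address, access, region_size = "", "", None, None
    stacks: Dict[str, List[Frame]] = {"use": [], "free": [], "alloc": []}
    current: Optional[str] = None   # which stack the next frames belong to
    for line in text.splitlines():
        if (m := HEADER_RE.search(line)):
            bug_type, address = m.group(1), m.group(2)
        elif (m := ACCESS_RE.match(line)):
            access, current = (m.group(1), int(m.group(2))), "use"
        elif (m := REGION_RE.search(line)):
            region_size = int(m.group(1))
        elif line.startswith("freed by thread"):
            current = "free"
        elif line.startswith("previously allocated by thread"):
            current = "alloc"
        elif (m := FRAME_RE.match(line)) and current:
            stacks[current].append(Frame(int(m.group(1)), m.group(2), m.group(3)))
        elif not line.strip():
            current = None          # a blank line terminates a stack
    return Triage(bug_type, address, access, region_size, stacks)


if __name__ == "__main__":
    t = parse_report(SAMPLE_REPORT)
    print(f"{t.bug_type} ({t.access[0]} of {t.access[1]} bytes, {t.region_size}-byte object)")
    for label, fr in (("used at", t.use), ("freed at", t.free), ("allocated at", t.alloc)):
        print(f"  {label:12} {fr.function.split('(')[0]}  {fr.location}")
    print("  signature   ", t.signature())
```

Run on the sample, the three lines it prints are the ones worth reading first in any UAF report: the object freed in Splash::gouraudTriangleShadedFill was created in SplashOutputDev::startPage, i.e. it outlives one shading fill and is still referenced by the next one. The `signature()` value is stable across different input files that hit the same bug, so it serves as the deduplication key when a fuzzer produces many crashing inputs.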
flyfish101 (Author) commented

CVE-2024-31635 has been assigned.
