Package: xpdf
Version: 3.04-13
Severity: normal
Tag: security

On Debian Bullseye this crashes xpdf with a coredump:

touch x.pdf; xpdf x.pdf

Funny, after a 2-byte Virtualbox (and now qemu) crash, this is
the shortest input for a DoS bug I have seen so far :-)

For xpdf this bug itself is not really a security risk: an attacker
could also send a white page document or no document at all if
he wants the victim not to see a document. Still, someone familiar
with the code should look at it; maybe some half-broken document
could turn the NULL dereference into something more useful.

rax            0x0                 0

   0x000055555556e6d0 <+16>:    je     0x55555556e6e0 
<XPDFCore::loadFile(GooString const*, GooString*, GooString*)+32>
   0x000055555556e6d2 <+18>:    mov    %ebp,%eax
   0x000055555556e6d4 <+20>:    pop    %rbx
   0x000055555556e6d5 <+21>:    pop    %rbp
   0x000055555556e6d6 <+22>:    pop    %r12
   0x000055555556e6d8 <+24>:    retq   
   0x000055555556e6d9 <+25>:    nopl   0x0(%rax)
   0x000055555556e6e0 <+32>:    mov    0x8(%rbx),%rax
=> 0x000055555556e6e4 <+36>:    mov    (%rax),%rax   (doc is null)
   0x000055555556e6e7 <+39>:    mov    (%rax),%rdi 
   0x000055555556e6ea <+42>:    callq  0x55555557d730 <getModTime(char const*)>


Relevant source:

int XPDFCore::loadFile(const GString *fileName, GString *ownerPassword,
                       GString *userPassword) {
  int err;

  err = PDFCore::loadFile(fileName, ownerPassword, userPassword);
  if (err == errNone) {
    // save the modification time
    modTime = getModTime(doc->getFileName()->getCString());

    // update the parent window
    if (updateCbk) {
      (*updateCbk)(updateCbkData, doc->getFileName(), -1,
                   doc->getNumPages(), NULL);
    }
  }
  return err;
}

(gdb) print doc
$1 = (PDFDoc *) 0x0

If I understand correctly, "PDFCore::loadFile" does not return
an error when processing an empty file, but also does not set
the static variable "doc". This seems to be due to "xpdf/PDFCore.cc":

int PDFCore::loadFile2(PDFDoc *newDoc) {
  int err;
  double w, h, t;
  int i;

  // open the PDF file
  if (!newDoc->isOk()) {
    err = newDoc->getErrorCode();
    delete newDoc;
    return err;
  }

...

The PDFDoc seems to come from "libpoppler.so.82" already and
detects the problem:

Syntax Error: Document stream is empty

On a quick glance I could not see how this may result in !isOk()
but also "err" not being set correctly. If the error is in libpoppler,
then this is the relevant version:

ii  libpoppler82:amd64                   0.71.0-6                            
amd64        PDF rendering library
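The failure pattern from this report, as an added stand-alone model (not xpdf or poppler code): a loader that returns errNone while leaving the document pointer null, beside a caller that checks the pointer before dereferencing it the way the quoted XPDFCore::loadFile does not. Doc, Core, errDamaged and loadChecked are hypothetical stand-ins for PDFDoc, PDFCore, the xpdf error codes and XPDFCore::loadFile.

```cpp
// Added model of the failure pattern from this report; it is not xpdf or
// poppler code. Doc, Core, errDamaged and loadChecked are hypothetical
// stand-ins for PDFDoc, PDFCore, the xpdf error codes and XPDFCore::loadFile.
#include <cassert>
#include <memory>
#include <string>
#include <vector>

enum ErrorCode { errNone = 0, errDamaged = 1 };

// Stand-in for PDFDoc: holds the parsed document once one is accepted.
struct Doc {
  std::string fileName;
  int numPages;
};

struct Core {
  std::unique_ptr<Doc> doc;  // stays null until a document is accepted

  // Mirrors the behaviour described in the report: an empty stream produces
  // no document ("Document stream is empty"), yet the call returns errNone,
  // so a caller that trusts the return code alone dereferences a null doc.
  int loadFile(const std::string &name, const std::vector<unsigned char> &bytes) {
    if (bytes.empty()) {
      return errNone;  // constructed to reproduce the reported inconsistency
    }
    doc.reset(new Doc{name, 1});
    return errNone;
  }
};

// Hardened equivalent of the quoted XPDFCore::loadFile: success requires
// both errNone *and* a usable document before doc-> is touched.
int loadChecked(const std::vector<unsigned char> &bytes) {
  Core core;
  int err = core.loadFile("x.pdf", bytes);
  if (err != errNone) {
    return err;
  }
  if (!core.doc) {
    return errDamaged;  // surface the inconsistency instead of crashing
  }
  // Only now is it safe to read the document (modTime lookup, updateCbk, ...).
  return core.doc->numPages > 0 ? errNone : errDamaged;
}

int main() {
  // Constructed inputs: the zero-byte file from `touch x.pdf`, and a
  // minimal non-empty stream that the stand-in loader accepts.
  assert(loadChecked({}) == errDamaged);
  assert(loadChecked({0x25, 0x50, 0x44, 0x46}) == errNone);
  return 0;
}
```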
