Hi, I was recently fuzzing libpoppler and found lots of crashes in it. Some of them are of lesser importance, some look more serious. The archive is here:
http://alt.swiecki.net/j/poppler_2010.10.20.tgz I tested it with Ubuntu's pdftoppm from the poppler-utils_0.12.4-0ubuntu5 package on a 64bit system. There are so many of those crashes that I didn't bother with investigating, hoping that you guys might have better familiarity with the library internals and you'd be much faster in analyzing and fixing those problems. Here's proof that some of those problems might be quite easily exploitable. $ gdb /usr/bin/pdftoppm (gdb) r SIGSEGV.PC.0x100000001.CODE.1.ADDR.0x100000001.INSTR.[NOT_MMAPED].pdf >/dev/null 2>/dev/null Program received signal SIGSEGV, Segmentation fault. 0x0000000100000001 in ?? () <-- looks kinda controllable to me (gdb) bt #0 0x0000000100000001 in ?? () #1 0x00007ffff660fcff in ?? () from /usr/lib/libjpeg.so.62 #2 0x00007ffff660f8af in jinit_master_decompress () from /usr/lib/libjpeg.so.62 #3 0x00007ffff660eb95 in jpeg_start_decompress () from /usr/lib/libjpeg.so.62 #4 0x00007ffff7a66f68 in DCTStream::reset() () from /usr/lib/libpoppler.so.5 #5 0x00007ffff7a62212 in SplashOutputDev::drawImage(GfxState*, Object*, Stream*, int, int, GfxImageColorMap*, int, int*, int) () from /usr/lib/libpoppler.so.5 #6 0x00007ffff7aabcc9 in Gfx::doImage(Object*, Stream*, int) () from /usr/lib/libpoppler.so.5 #7 0x00007ffff7ab1e69 in Gfx::opXObject(Object*, int) () from /usr/lib/libpoppler.so.5 #8 0x00007ffff7a9ffaf in Gfx::go(int) () from /usr/lib/libpoppler.so.5 #9 0x00007ffff7aa3244 in Gfx::display(Object*, int) () from /usr/lib/libpoppler.so.5 #10 0x00007ffff7aa4e75 in Gfx::doForm1(Object*, Dict*, double*, double*, int, int, GfxColorSpace*, int, int, int, Function*, GfxColor*) () from /usr/lib/libpoppler.so.5 #11 0x00007ffff7ab1843 in Gfx::doForm(Object*) () from /usr/lib/libpoppler.so.5 #12 0x00007ffff7ab1ee3 in Gfx::opXObject(Object*, int) () from /usr/lib/libpoppler.so.5 #13 0x00007ffff7a9ffaf in Gfx::go(int) () from /usr/lib/libpoppler.so.5 #14 0x00007ffff7aa3244 in Gfx::display(Object*, int) () from 
/usr/lib/libpoppler.so.5 Another one $ gdb /usr/bin/pdftoppm (gdb) r SIGSEGV.PC.0x7ffff7a8b34c.CODE.1.ADDR.0x3fffffc7c.INSTR.mov_[rax+r12*4],_r14d.pdf >/dev/null 2>/dev/null Program received signal SIGSEGV, Segmentation fault. 0x00007ffff7a8b34c in CharCodeToUnicode::addMapping(unsigned int, char*, int, int) () from /usr/lib/libpoppler.so.5 (gdb) x/i $pc => 0x7ffff7a8b34c <_ZN17CharCodeToUnicode10addMappingEjPcii+540>: mov DWORD PTR [rax+r12*4],r14d (gdb) p/x $rax+$r12*4 $1 = 0x3fffffc7c <-- bogus, looks like user-controllable memory-write List of files (each name encodes the signal, the faulting PC, the signal code, the fault address and the faulting instruction); the names should help with initial analysis: SIGSEGV.PC.(nil).CODE.1.ADDR.(nil).INSTR.[NOT_MMAPED].pdf SIGSEGV.PC.0x100000001.CODE.1.ADDR.0x100000001.INSTR.[NOT_MMAPED].pdf SIGSEGV.PC.0x29b.CODE.1.ADDR.0x29b.INSTR.[NOT_MMAPED].pdf SIGSEGV.PC.0x7fff00000001.CODE.1.ADDR.0x7fff00000001.INSTR.[NOT_MMAPED].pdf SIGSEGV.PC.0x7ffff5e35f4d.CODE.1.ADDR.0x230000006f.INSTR.mov_rsi,_[rax+0x40].pdf SIGSEGV.PC.0x7ffff5e63f68.CODE.1.ADDR.(nil).INSTR.add_word_[rbx],_0x1.pdf SIGSEGV.PC.0x7ffff660e777.CODE.1.ADDR.(nil).INSTR.call_qword_near_[rax].pdf SIGSEGV.PC.0x7ffff660fcf1.CODE.1.ADDR.(nil).INSTR.call_qword_near_[rax].pdf SIGSEGV.PC.0x7ffff660fcfd.CODE.1.ADDR.0x200000002.INSTR.call_qword_near_[rax].pdf SIGSEGV.PC.0x7ffff660fd87.CODE.1.ADDR.(nil).INSTR.rep_movsq_.pdf SIGSEGV.PC.0x7ffff661186d.CODE.1.ADDR.0x1.INSTR.mov_[rax],_rcx.pdf SIGSEGV.PC.0x7ffff66119ad.CODE.1.ADDR.0x112.INSTR.mov_[rdi],_dx.pdf SIGSEGV.PC.0x7ffff6612fde.CODE.1.ADDR.0x10000000208.INSTR.mov_[r12+0x118],_rbx.pdf SIGSEGV.PC.0x7ffff6612ffb.CODE.1.ADDR.0x1.INSTR.movzx_ebx,_byte_[rax+0x1].pdf SIGSEGV.PC.0x7ffff661324e.CODE.1.ADDR.0x20000002a.INSTR.mov_dword_[rax+0x28],_0x9.pdf SIGSEGV.PC.0x7ffff661bddd.CODE.128.ADDR.(nil).INSTR.call_qword_near_[rax+0x50].pdf SIGSEGV.PC.0x7ffff661c930.CODE.128.ADDR.(nil).INSTR.mov_rbp,_[rsi+0x8].pdf SIGSEGV.PC.0x7ffff661c989.CODE.1.ADDR.0x6730402c.INSTR.mov_ecx,_[rbp+0x2c].pdf 
SIGSEGV.PC.0x7ffff661c9a0.CODE.128.ADDR.(nil).INSTR.call_qword_near_[rbp+0x48].pdf SIGSEGV.PC.0x7ffff661c9e6.CODE.128.ADDR.(nil).INSTR.call_qword_near_[rbp+0x48].pdf SIGSEGV.PC.0x7ffff6aa043a.CODE.1.ADDR.0x7fffff5fef38.INSTR.call_0x7ffff6ae3250.pdf SIGSEGV.PC.0x7ffff6ac3a04.CODE.1.ADDR.0x100643ad5.INSTR.cmp_word_[rcx],_0x0.pdf SIGSEGV.PC.0x7ffff6ad0c61.CODE.1.ADDR.0x7fffff5feff8.INSTR.push_rbp.pdf SIGSEGV.PC.0x7ffff6ad2258.CODE.1.ADDR.0x146fffffff8.INSTR.mov_rbp,_[rdi-0x8].pdf SIGSEGV.PC.0x7ffff6ad26bd.CODE.128.ADDR.(nil).INSTR.cmp_r12,_[r13+0x18].pdf SIGSEGV.PC.0x7ffff6ad4828.CODE.128.ADDR.(nil).INSTR.mov_rax,_[r13+0x8].pdf SIGSEGV.PC.0x7ffff6ad5f0f.CODE.128.ADDR.(nil).INSTR.mov_rax,_[r15+0x18].pdf SIGSEGV.PC.0x7ffff6ad5f13.CODE.128.ADDR.(nil).INSTR.cmp_r15,_[rax+0x10].pdf SIGSEGV.PC.0x7ffff6ad7520.CODE.1.ADDR.0x7fffff5feff8.INSTR.mov_[rsp-0x10],_r12.pdf SIGSEGV.PC.0x7ffff7a630ba.CODE.1.ADDR.0x8.INSTR.mov_rbp,_[rax+0x8].pdf SIGSEGV.PC.0x7ffff7a635f1.CODE.1.ADDR.0x10.INSTR.cmp_qword_[rax+0x10],_0x0.pdf SIGSEGV.PC.0x7ffff7a672d9.CODE.1.ADDR.0x6a9e68c8.INSTR.add_rcx,_[r9+rax+0x30].pdf SIGSEGV.PC.0x7ffff7a67576.CODE.1.ADDR.0x400c970fc.INSTR.mov_r10d,_[rax+r10*4].pdf SIGSEGV.PC.0x7ffff7a67971.CODE.2.ADDR.0x7ffff4f5c008.INSTR.mov_[r14+r10*4],_eax.pdf SIGSEGV.PC.0x7ffff7a67d06.CODE.1.ADDR.0x10.INSTR.mov_r13,_[rax+0x10].pdf SIGSEGV.PC.0x7ffff7a6872c.CODE.1.ADDR.0x37006cc7f1.INSTR.mov_rax,_[rdi].pdf SIGSEGV.PC.0x7ffff7a69bf0.CODE.1.ADDR.0x196071c778.INSTR.mov_rcx,_[rcx+0x68].pdf SIGSEGV.PC.0x7ffff7a69c00.CODE.1.ADDR.0x13fb684a78.INSTR.mov_rbx,_[rax+0x48].pdf SIGSEGV.PC.0x7ffff7a69c72.CODE.1.ADDR.0x10.INSTR.add_rbp,_[rbx+0x10].pdf SIGSEGV.PC.0x7ffff7a69c76.CODE.1.ADDR.0x3006c1f95.INSTR.cmp_dword_[rbp+0x14],_0x0.pdf SIGSEGV.PC.0x7ffff7a69cac.CODE.1.ADDR.0x1006ae195.INSTR.mov_eax,_[rbx].pdf SIGSEGV.PC.0x7ffff7a69f4c.CODE.1.ADDR.0x1006adff7.INSTR.mov_dword_[rsi+rdx*8+0x20],_0x0.pdf SIGSEGV.PC.0x7ffff7a6bcdf.CODE.1.ADDR.0x30.INSTR.mov_rsi,_[rax+0x30].pdf 
SIGSEGV.PC.0x7ffff7a6bfa0.CODE.1.ADDR.0x30.INSTR.mov_rsi,_[rax+0x30].pdf SIGSEGV.PC.0x7ffff7a8b34c.CODE.1.ADDR.0x3fffffc7c.INSTR.mov_[rax+r12*4],_r14d.pdf SIGSEGV.PC.0x7ffff7a973e6.CODE.1.ADDR.0xfffffffc00652a10.INSTR.mov_rcx,_[r15+r9*8].pdf SIGSEGV.PC.0x7ffff7a9f6e0.CODE.128.ADDR.(nil).INSTR.mov_rax,_[rax+0x8].pdf SIGSEGV.PC.0x7ffff7aa60bd.CODE.1.ADDR.(nil).INSTR.mov_rax,_[rbp+0x0].pdf SIGSEGV.PC.0x7ffff7ab0f59.CODE.1.ADDR.0x8.INSTR.cmp_dword_[rax+0x8],_0x1.pdf SIGSEGV.PC.0x7ffff7abe497.CODE.128.ADDR.(nil).INSTR.call_qword_near_[rax+0x28].pdf SIGSEGV.PC.0x7ffff7abe4c0.CODE.128.ADDR.(nil).INSTR.movzx_r9d,_byte_[rax].pdf SIGSEGV.PC.0x7ffff7abe4e4.CODE.128.ADDR.(nil).INSTR.mov_rax,_[rdi].pdf SIGSEGV.PC.0x7ffff7abfa60.CODE.128.ADDR.(nil).INSTR.call_qword_near_[rax+0x8].pdf SIGSEGV.PC.0x7ffff7ad2f07.CODE.1.ADDR.0x100a1aae5.INSTR.mov_rax,_[rdi].pdf SIGSEGV.PC.0x7ffff7ad2f41.CODE.1.ADDR.0x1b000800a1.INSTR.mov_eax,_[rdi+0x20].pdf SIGSEGV.PC.0x7ffff7ae07c0.CODE.1.ADDR.0x7fffff5feff8.INSTR.call_qword_near_[rax+0x28].pdf SIGSEGV.PC.0x7ffff7af22c7.CODE.128.ADDR.(nil).INSTR.mov_rax,_[rax+0x20].pdf SIGSEGV.PC.0x7ffff7af23a6.CODE.1.ADDR.0x6feb3828.INSTR.call_qword_near_[rax+0x28].pdf SIGSEGV.PC.0x7ffff7af2936.CODE.1.ADDR.(nil).INSTR.mov_rax,_[rdi].pdf SIGSEGV.PC.0x7ffff7b24be5.CODE.1.ADDR.0x18.INSTR.mov_edx,_[rsi+0x18].pdf SIGSEGV.PC.0x7ffff7b356c8.CODE.1.ADDR.(nil).INSTR.movzx_ebx,_byte_[rsi].pdf SIGSEGV.PC.0x7ffff7b408a9.CODE.1.ADDR.0x7ffff4fb5ad1.INSTR.movzx_r12d,_byte_[rax].pdf SIGSEGV.PC.0x7ffff7b40fbf.CODE.128.ADDR.(nil).INSTR.mov_[rax],_dl.pdf SIGSEGV.PC.0xf7e7d7.CODE.1.ADDR.0xf7e7d7.INSTR.[NOT_MMAPED].pdf -- Robert Święcki _______________________________________________ poppler mailing list [email protected] http://lists.freedesktop.org/mailman/listinfo/poppler
