Hi,

On Sun, Nov 21, 2010 at 11:21 PM, Albert Astals Cid <[email protected]> wrote:
> On Thursday, 21 October 2010, Robert Święcki wrote:
>> Hi,
>>
>> I was recently fuzzing libpoppler and found lots of crashes in it.
>> Some of them are of lesser importance, some look more serious. The
>> archive is here:
>>
>> http://alt.swiecki.net/j/poppler_2010.10.20.tgz
>>
>> I tested it with Ubuntu's pdftoppm from poppler-utils_0.12.4-0ubuntu5
>> package on a 64bit system.
>>
>
> The master branch should have all of these files fixed that were poppler
> fault, there are still some jpeg2k crashes in openjpeg.
>
> There is one file that doesn't crash per se but exhausts the computer memory
> (and then crashes :D)
>
> Hib, it is doing mad allocations in your new code in Hints.cc, could you have a
> look at it, it is
> SIGSEGV.PC.0x7ffff7af2936.CODE.1.ADDR.(nil).INSTR.mov_rax,_[rdi].pdf
>
> Albert
Here is a patch for this.

Cheers,
Hib
From 64231418ac933124f820753ac6646e3581c54979 Mon Sep 17 00:00:00 2001 From: Hib Eris <[email protected]> Date: Mon, 22 Nov 2010 13:08:48 +0000 Subject: [PATCH] Use gmallocn_checkoverflow when parsing Hints table Prevents running out of memory with malicious documents. --- poppler/Hints.cc | 26 +++++++++++++------------- 1 files changed, 13 insertions(+), 13 deletions(-) diff --git a/poppler/Hints.cc b/poppler/Hints.cc index 7ea9c7b..a730e56 100644 --- a/poppler/Hints.cc +++ b/poppler/Hints.cc @@ -47,13 +47,13 @@ Hints::Hints(BaseStream *str, Linearization *linearization, XRef *xref, Security error(-1, "Invalid number of pages (%d) for hints table", nPages); nPages = 0; } - nObjects = (Guint *) gmallocn(nPages, sizeof(Guint)); - pageObjectNum = (int *) gmallocn(nPages, sizeof(int)); - xRefOffset = (Guint *) gmallocn(nPages, sizeof(Guint)); - pageLength = (Guint *) gmallocn(nPages, sizeof(Guint)); - pageOffset = (Guint *) gmallocn(nPages, sizeof(Guint)); - numSharedObject = (Guint *) gmallocn(nPages, sizeof(Guint)); - sharedObjectId = (Guint **) gmallocn(nPages, sizeof(Guint*)); + nObjects = (Guint *) gmallocn_checkoverflow(nPages, sizeof(Guint)); + pageObjectNum = (int *) gmallocn_checkoverflow(nPages, sizeof(int)); + xRefOffset = (Guint *) gmallocn_checkoverflow(nPages, sizeof(Guint)); + pageLength = (Guint *) gmallocn_checkoverflow(nPages, sizeof(Guint)); + pageOffset = (Guint *) gmallocn_checkoverflow(nPages, sizeof(Guint)); + numSharedObject = (Guint *) gmallocn_checkoverflow(nPages, sizeof(Guint)); + sharedObjectId = (Guint **) gmallocn_checkoverflow(nPages, sizeof(Guint*)); if (!nObjects || !pageObjectNum || !xRefOffset || !pageLength || !pageOffset || !numSharedObject || !sharedObjectId) { error(-1, "Failed to allocate memory for hints tabel"); 
@@ -230,7 +230,7 @@ void Hints::readPageOffsetTable(Stream *str) numSharedObject[i] = 0; return; } - sharedObjectId[i] = (Guint *) gmallocn(numSharedObject[i], sizeof(Guint)); + sharedObjectId[i] = (Guint *) gmallocn_checkoverflow(numSharedObject[i], sizeof(Guint)); if (numSharedObject[i] && !sharedObjectId[i]) { error(-1, "Failed to allocate memory for shared object IDs"); numSharedObject[i] = 0; @@ -282,11 +282,11 @@ void Hints::readSharedObjectsTable(Stream *str) nSharedGroupsFirst = nSharedGroups; } - groupLength = (Guint *) gmallocn(nSharedGroups, sizeof(Guint)); - groupOffset = (Guint *) gmallocn(nSharedGroups, sizeof(Guint)); - groupHasSignature = (Guint *) gmallocn(nSharedGroups, sizeof(Guint)); - groupNumObjects = (Guint *) gmallocn(nSharedGroups, sizeof(Guint)); - groupXRefOffset = (Guint *) gmallocn(nSharedGroups, sizeof(Guint)); + groupLength = (Guint *) gmallocn_checkoverflow(nSharedGroups, sizeof(Guint)); + groupOffset = (Guint *) gmallocn_checkoverflow(nSharedGroups, sizeof(Guint)); + groupHasSignature = (Guint *) gmallocn_checkoverflow(nSharedGroups, sizeof(Guint)); + groupNumObjects = (Guint *) gmallocn_checkoverflow(nSharedGroups, sizeof(Guint)); + groupXRefOffset = (Guint *) gmallocn_checkoverflow(nSharedGroups, sizeof(Guint)); if (!groupLength || !groupOffset || !groupHasSignature || !groupNumObjects || !groupXRefOffset) { error(-1, "Failed to allocate memory for shared object groups"); -- 1.7.1
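Review bot: In the first hunk (Hints::Hints) the switch to gmallocn_checkoverflow only turns an overflowing `nPages * sizeof(Guint)` into a NULL that the existing `if (!nObjects || !pageObjectNum || ...)` check already handles; a large `nPages` that does not overflow still produces seven allocations of `nPages * sizeof(Guint)` bytes each, which is the memory exhaustion described earlier in the thread. The guard just above the hunk (`error(-1, "Invalid number of pages (%d) for hints table", nPages); nPages = 0;`) should also reject any value above the page count the document already declares (the `Linearization *linearization` parameter in the constructor signature is at hand for that), so that an absurd count never reaches the allocator at all. While these lines are being touched, the context line `error(-1, "Failed to allocate memory for hints tabel");` has a typo (`table`).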
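Review bot: In the readSharedObjectsTable hunk the NULL check is unconditional (`if (!groupLength || !groupOffset || !groupHasSignature || ...)`), whereas the readPageOffsetTable hunk guards the zero-count case with `if (numSharedObject[i] && !sharedObjectId[i])`. If `nSharedGroups` can legitimately be 0 and the checked allocator returns NULL for a zero count (which the second hunk's guard implies), an empty shared-object table will be reported as an allocation failure. Either apply the same `nSharedGroups &&` guard here or make sure `nSharedGroups` is validated as non-zero before this point; the visible `nSharedGroupsFirst = nSharedGroups;` assignment does not establish that.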
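As an added example (not poppler's code and not part of the patch above), the C below shows the two checks this thread turns on: an allocator in the spirit of gmallocn_checkoverflow that returns NULL instead of aborting when a count multiplied by an element size would overflow, and a bound on the count read from the file against the page count the document is already known to have, so that a large-but-valid count never reaches malloc. All names (checked_allocn, hints_alloc_pages, hints_from_bytes, page_hints) and the four-byte big-endian page-count record are hypothetical; the sample records are constructed inline.

```c
/* Added example, not poppler's code: an overflow-checked array allocator in
 * the spirit of gmallocn_checkoverflow, plus a bound on a count read from an
 * untrusted file. All names and the record layout are hypothetical. */
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Allocate n objects of obj_size bytes. Returns NULL, never aborts, when n is
 * non-positive or when n * obj_size would overflow size_t, so the caller can
 * degrade gracefully (e.g. treat the table as absent) instead of exiting. */
void *checked_allocn(long n, size_t obj_size)
{
    if (n <= 0 || obj_size == 0)
        return NULL;
    if ((size_t)n > SIZE_MAX / obj_size)   /* product would wrap */
        return NULL;
    return calloc((size_t)n, obj_size);    /* zero-initialised storage */
}

/* Per-page hint arrays, mirroring the shape of the arrays in the patch. */
typedef struct {
    uint32_t *n_objects;
    uint32_t *page_length;
    long      n_pages;
} page_hints;

void page_hints_free(page_hints *h)
{
    free(h->n_objects);
    free(h->page_length);
    memset(h, 0, sizeof *h);
}

/* Allocate per-page arrays. n_pages_claimed comes from the file;
 * n_pages_known is the page count the document already declares elsewhere
 * (in a linearized PDF that would be the linearization dictionary). A claim
 * outside [1, n_pages_known] is rejected before any allocation, which is what
 * stops a large but non-overflowing count from exhausting memory.
 * Returns 0 on success, -1 for an invalid count, -2 for allocation failure. */
int hints_alloc_pages(long n_pages_claimed, long n_pages_known, page_hints *out)
{
    memset(out, 0, sizeof *out);
    if (n_pages_claimed < 1 || n_pages_claimed > n_pages_known)
        return -1;
    out->n_objects   = checked_allocn(n_pages_claimed, sizeof(uint32_t));
    out->page_length = checked_allocn(n_pages_claimed, sizeof(uint32_t));
    if (!out->n_objects || !out->page_length) {
        page_hints_free(out);
        return -2;
    }
    out->n_pages = n_pages_claimed;
    return 0;
}

/* Parse a constructed record whose first four bytes are a big-endian page
 * count, then allocate. Returns -3 if the buffer is too short. */
int hints_from_bytes(const unsigned char *buf, size_t len, long n_pages_known,
                     page_hints *out)
{
    memset(out, 0, sizeof *out);
    if (len < 4)
        return -3;
    uint32_t claimed = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
                       ((uint32_t)buf[2] << 8)  |  (uint32_t)buf[3];
    return hints_alloc_pages((long)claimed, n_pages_known, out);
}

int main(void)
{
    /* Constructed records: a sane count of 12 and an absurd 0xFFFFFFFF. */
    const unsigned char sane[4]   = { 0x00, 0x00, 0x00, 0x0C };
    const unsigned char absurd[4] = { 0xFF, 0xFF, 0xFF, 0xFF };
    page_hints h;
    printf("sane:   %d\n", hints_from_bytes(sane, 4, 12, &h));
    page_hints_free(&h);
    printf("absurd: %d\n", hints_from_bytes(absurd, 4, 12, &h));
    printf("overflow alloc is NULL: %d\n", checked_allocn(LONG_MAX, 8) == NULL);
    return 0;
}
```

The design point is that the two checks are independent: the overflow check protects the multiplication, the bound check protects against counts that multiply cleanly but are still nonsense, and only the second one addresses the out-of-memory file reported in the thread.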
_______________________________________________
poppler mailing list
[email protected]
http://lists.freedesktop.org/mailman/listinfo/poppler
