SUMMARY
Hi there, I use my fuzzer for fuzzing the binary pdfimages, and this binary crashes with the following:

```
Syntax Error (2227): Unexpected end of file in flate stream
=================================================================
==2226711==ERROR: AddressSanitizer: global-buffer-overflow on address 0x55e91fe296ef at pc 0x55e91fa2428c bp 0x7ffdd3190680 sp 0x7ffdd3190670
READ of size 1 at 0x55e91fe296ef thread T0
    #0 0x55e91fa2428b in PSTokenizer::getToken(char*, int, int*) /xpdf-master/xpdf/PSTokenizer.cc:72
    #1 0x55e91f8fecec in CharCodeToUnicode::parseCMap1(int (*)(void*), void*, int) /xpdf-master/xpdf/CharCodeToUnicode.cc:264
    #2 0x55e91f8fe97a in CharCodeToUnicode::parseCMap(GString*, int) /xpdf-master/xpdf/CharCodeToUnicode.cc:241
    #3 0x55e91f95a1be in GfxFont::readToUnicodeCMap(Dict*, int, CharCodeToUnicode*) /xpdf-master/xpdf/GfxFont.cc:512
    #4 0x55e91f9635f8 in GfxCIDFont::GfxCIDFont(XRef*, char*, Ref, GString*, GfxFontType, Ref, Dict*) /xpdf-master/xpdf/GfxFont.cc:1618
    #5 0x55e91f95846f in GfxFont::makeFont(XRef*, char*, Ref, Dict*) /xpdf-master/xpdf/GfxFont.cc:194
    #6 0x55e91f9674cd in GfxFontDict::GfxFontDict(XRef*, Ref*, Dict*) /xpdf-master/xpdf/GfxFont.cc:2001
    #7 0x55e91f925d5c in GfxResources::GfxResources(XRef*, Dict*, GfxResources*) /xpdf-master/xpdf/Gfx.cc:291
    #8 0x55e91f926dcc in Gfx::Gfx(PDFDoc*, OutputDev*, int, Dict*, double, double, PDFRectangle*, PDFRectangle*, int, int (*)(void*), void*) /xpdf-master/xpdf/Gfx.cc:508
    #9 0x55e91fa1cc4f in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /xpdf-master/xpdf/Page.cc:356
    #10 0x55e91fa1c53c in Page::display(OutputDev*, double, double, int, int, int, int, int (*)(void*), void*) /xpdf-master/xpdf/Page.cc:308
    #11 0x55e91fa225fb in PDFDoc::displayPage(OutputDev*, int, double, double, int, int, int, int, int (*)(void*), void*) /xpdf-master/xpdf/PDFDoc.cc:384
    #12 0x55e91fa22684 in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /xpdf-master/xpdf/PDFDoc.cc:397
    #13 0x55e91fa70d19 in main /xpdf-master/xpdf/pdfimages.cc:138
    #14 0x7f48c0353c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    #15 0x55e91f8e1739 in _start (/xpdf-master/xpdf/pdfimages+0xe1739)

0x55e91fe296ef is located 15 bytes to the right of global variable 'pdfDocEncoding' defined in 'PDFDocEncoding.cc:11:9' (0x55e91fe292e0) of size 1024
SUMMARY: AddressSanitizer: global-buffer-overflow /xpdf-master/xpdf/PSTokenizer.cc:72 in PSTokenizer::getToken(char*, int, int*)
Shadow bytes around the buggy address:
  0x0abda3fbd280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0abda3fbd290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0abda3fbd2a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0abda3fbd2b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0abda3fbd2c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0abda3fbd2d0: 00 00 00 00 00 00 00 00 00 00 00 00 f9[f9]f9 f9
  0x0abda3fbd2e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0abda3fbd2f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0abda3fbd300: 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9
  0x0abda3fbd310: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0abda3fbd320: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==2226711==ABORTING
```

poc
poc_pdfimages.zip

Environment
Ubuntu 18.04 (docker)
clang/clang++ 12.0.1
version: commit ffaf11c

COMPILE
```sh
export CC=gcc
export CXX=g++
export CFLAGS="-fsanitize=address -g"
export CXXFLAGS="-fsanitize=address -g"
./configure --disable-shared
make
```

Credit
Zhao Jiayu (NCNIPC)
Han Zheng (NCNIPC, Hexhive)
Yin Li, Xiaotong Jiao (NCNIPC of China)

Thanks for your time!
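When a fuzzing campaign produces many reports like the one above, the first triage step is to bucket them and to sanity-check what the sanitizer says. The Python below is an added example for that step; it is not the reporter's tooling and not part of xpdf. It parses an excerpt of the ASan text from this issue, recomputes the faulting offset from the raw addresses to confirm the "15 bytes to the right of pdfDocEncoding" claim (0x55e91fe296ef - 0x55e91fe292e0 = 1039 = 1024 + 15), and derives a deduplication key from the bug kind, the access, and the top source frames. The regular expressions assume the report layout clang 12's ASan emits; `parse_asan_report`, `crash_signature` and the `SAMPLE_REPORT` string are this example's own names.

```python
import re

# Excerpt of the ASan report from the pdfimages crash in this issue (copied
# from the trace above and trimmed to the frames triage needs; this is the
# sample input for the example, not a separately captured log).
SAMPLE_REPORT = """\
==2226711==ERROR: AddressSanitizer: global-buffer-overflow on address 0x55e91fe296ef at pc 0x55e91fa2428c bp 0x7ffdd3190680 sp 0x7ffdd3190670
READ of size 1 at 0x55e91fe296ef thread T0
    #0 0x55e91fa2428b in PSTokenizer::getToken(char*, int, int*) /xpdf-master/xpdf/PSTokenizer.cc:72
    #1 0x55e91f8fecec in CharCodeToUnicode::parseCMap1(int (*)(void*), void*, int) /xpdf-master/xpdf/CharCodeToUnicode.cc:264
    #2 0x55e91f8fe97a in CharCodeToUnicode::parseCMap(GString*, int) /xpdf-master/xpdf/CharCodeToUnicode.cc:241
    #3 0x55e91f95a1be in GfxFont::readToUnicodeCMap(Dict*, int, CharCodeToUnicode*) /xpdf-master/xpdf/GfxFont.cc:512
    #14 0x7f48c0353c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
0x55e91fe296ef is located 15 bytes to the right of global variable 'pdfDocEncoding' defined in 'PDFDocEncoding.cc:11:9' (0x55e91fe292e0) of size 1024
SUMMARY: AddressSanitizer: global-buffer-overflow /xpdf-master/xpdf/PSTokenizer.cc:72 in PSTokenizer::getToken(char*, int, int*)
"""

# The line shapes below are this example's assumptions about the ASan text
# format as emitted by clang 12; other versions may differ slightly.
HEADER_RE = re.compile(
    r"ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+)", re.M)
FRAME_RE = re.compile(
    r"^\s*#(?P<n>\d+) 0x[0-9a-f]+ in (?P<func>.+?) (?P<loc>\S+)$", re.M)
GLOBAL_RE = re.compile(
    r"is located (?P<dist>\d+) bytes to the (?P<side>left|right) of global variable "
    r"'(?P<name>\w+)' defined in '(?P<def>[^']+)' \((?P<base>0x[0-9a-f]+)\) of size (?P<size>\d+)")
# Frames inside the sanitizer runtime carry no triage value and would make
# otherwise identical crashes look different.
RUNTIME_FRAME_RE = re.compile(r"^(__asan|__interceptor|__sanitizer)")


def parse_asan_report(text):
    """Pull bug kind, access, call frames and the nearest global out of an ASan report."""
    head = HEADER_RE.search(text)
    access = ACCESS_RE.search(text)
    if not head or not access:
        raise ValueError("not an AddressSanitizer access report")
    frames = [(m.group("func"), m.group("loc")) for m in FRAME_RE.finditer(text)
              if not RUNTIME_FRAME_RE.match(m.group("func"))]
    info = {
        "kind": head.group("kind"),
        "addr": int(head.group("addr"), 16),
        "op": access.group("op"),
        "size": int(access.group("size")),
        "frames": frames,
    }
    glob = GLOBAL_RE.search(text)
    if glob:
        base = int(glob.group("base"), 16)
        gsize = int(glob.group("size"))
        dist = int(glob.group("dist"))
        info["global"] = glob.group("name")
        info["global_defined_in"] = glob.group("def")
        info["global_size"] = gsize
        # Offset of the faulting address from the start of the global, taken
        # from the raw addresses so ASan's "N bytes to the right" can be
        # cross-checked instead of trusted.
        info["offset"] = info["addr"] - base
        expected = gsize + dist if glob.group("side") == "right" else -dist
        info["offset_consistent"] = info["offset"] == expected
    return info


def crash_signature(info, depth=3):
    """Stable bucketing key: bug kind, access, and the top `depth` frames
    (function name without its parameter list, plus file:line)."""
    frames = [f"{func.split('(')[0]}@{loc}" for func, loc in info["frames"][:depth]]
    return "|".join([info["kind"], f"{info['op']}{info['size']}"] + frames)


if __name__ == "__main__":
    report = parse_asan_report(SAMPLE_REPORT)
    print(crash_signature(report))
    print(f"{report['global']}: size {report['global_size']}, read at offset "
          f"{report['offset']} (consistent={report['offset_consistent']})")
```

One caveat the key encodes on purpose: ASan names the global nearest to the faulting address, which here is `pdfDocEncoding`, but the report alone does not say which array `PSTokenizer::getToken` was actually indexing at PSTokenizer.cc:72. The signature is therefore built from the frames and the access, not from the global's name, and the offset check is only there to confirm the read really lands in the redzone 15 bytes past the 1024-byte object.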