Latest commit 05f0b0b Jun 1, 2019

README.md

What is XPDF?

Xpdf is a free PDF viewer and toolkit, including a text extractor, image converter, HTML converter, and more. Most of the tools are available as open source.

Version

xpdf-4.01.01

Others

Reported by toOrto of Pangu Lab

Description

There is an out-of-bounds read vulnerability in the function FlateStream::getChar() in Stream.cc in Xpdf 4.01.01.

Target

pdftoppm poc.pdf /dev/null

Debug Info

[---------------------------------registers-----------------------------------]
RAX: 0x77a080 --> 0x4c81c0 (<_ZN11FlateStreamD2Ev>:    push   rbp)
RBX: 0x9c17a10 --> 0x77a080 --> 0x4c81c0 (<_ZN11FlateStreamD2Ev>:    push   rbp)
RCX: 0xf02410fa6454c8d7 
RDX: 0x6454c8d7 
RSI: 0x1 
RDI: 0x0 
RBP: 0x7fffffffd790 --> 0x7fffffffd7d0 --> 0x7fffffffd820 --> 0x7fffffffdac0 --> 0x7fffffffdb20 --> 0x7fffffffdbf0 (--> ...)
RSP: 0x7fffffffd780 --> 0x77a080 --> 0x4c81c0 (<_ZN11FlateStreamD2Ev>:    push   rbp)
RIP: 0x4c84d3 (<_ZN11FlateStream7getCharEv+83>:    movzx  eax,BYTE PTR [rbx+rdx*1+0x18])
R8 : 0x9c00ab0 --> 0x9c14ce0 --> 0x9be3180 --> 0x6c727563687a65 ('ezhcurl')
R9 : 0x7ffff7fca700 --> 0x0 
R10: 0x14 
R11: 0x246 
R12: 0x0 
R13: 0x0 
R14: 0x9bfe030 --> 0x9bf7350 --> 0x9bf73b0 --> 0x7fff00000094 
R15: 0x9bfe030 --> 0x9bf7350 --> 0x9bf73b0 --> 0x7fff00000094
EFLAGS: 0x10286 (carry PARITY adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x4c84c7 <_ZN11FlateStream7getCharEv+71>:    jmp    0x4c84f2 <_ZN11FlateStream7getCharEv+114>
   0x4c84c9 <_ZN11FlateStream7getCharEv+73>:    mov    rcx,QWORD PTR [rbx+0x8018]
   0x4c84d0 <_ZN11FlateStream7getCharEv+80>:    movsxd rdx,ecx
=> 0x4c84d3 <_ZN11FlateStream7getCharEv+83>:    movzx  eax,BYTE PTR [rbx+rdx*1+0x18]
   0x4c84d8 <_ZN11FlateStream7getCharEv+88>:    inc    edx
   0x4c84da <_ZN11FlateStream7getCharEv+90>:    and    edx,0x7fff
   0x4c84e0 <_ZN11FlateStream7getCharEv+96>:    mov    DWORD PTR [rbx+0x8018],edx
   0x4c84e6 <_ZN11FlateStream7getCharEv+102>:    shr    rcx,0x20
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffd780 --> 0x77a080 --> 0x4c81c0 (<_ZN11FlateStreamD2Ev>:    push   rbp)
0008| 0x7fffffffd788 --> 0x9c17a10 --> 0x77a080 --> 0x4c81c0 (<_ZN11FlateStreamD2Ev>:    push   rbp)
0016| 0x7fffffffd790 --> 0x7fffffffd7d0 --> 0x7fffffffd820 --> 0x7fffffffdac0 --> 0x7fffffffdb20 --> 0x7fffffffdbf0 (--> ...)
0024| 0x7fffffffd798 --> 0x470d99 (<_ZN3Gfx12opBeginImageEP6Objecti+89>:    cmp    eax,0xffffffff)
0032| 0x7fffffffd7a0 --> 0x100470d40 
0040| 0x7fffffffd7a8 --> 0x9c13890 --> 0x9004942 --> 0x0 
0048| 0x7fffffffd7b0 --> 0x0 
0056| 0x7fffffffd7b8 --> 0x0 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00000000004c84d3 in FlateStream::getChar() ()
#0  0x00000000004c84d3 in FlateStream::getChar() ()
#1  0x0000000000470d99 in Gfx::opBeginImage(Object*, int) ()
#2  0x0000000000476294 in Gfx::execOp(Object*, Object*, int) ()
#3  0x0000000000475f09 in Gfx::go(int) ()
#4  0x000000000047594e in Gfx::display(Object*, int) ()
#5  0x00000000004b983a in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) ()
#6  0x00000000004b95d1 in Page::display(OutputDev*, double, double, int, int, int, int, int (*)(void*), void*) ()
#7  0x00000000004bd1a2 in PDFDoc::displayPage(OutputDev*, int, double, double, int, int, int, int, int (*)(void*), void*) ()
#8  0x0000000000452baf in main ()
#9  0x00007ffff6cc5830 in __libc_start_main (main=0x4527a0 <main>, argc=0x6, argv=0x7fffffffddf8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffdde8) at ../csu/libc-start.c:291
#10 0x0000000000444419 in _start ()
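As an added example (not Xpdf source and not part of this report), the C below models the ring-buffer read visible in the disassembly above together with the bounds check that would make it fail closed, and triages the dumped register state. The window size 0x8000, the 0x7fff mask and the +0x18/+0x8018 offsets are taken from the dump; reading the upper dword of RCX as the adjacent `remain` field is an assumption based on the `shr rcx,0x20` that follows the store of the new index.

```c
#include <stdint.h>
#include <string.h>

/* Layout inferred from the crash disassembly: a 0x8000-byte output window at
 * +0x18, the int index at +0x8018 (masked with 0x7fff after each read), and the
 * buffered byte count in the next 4 bytes (assumed to be "remain"). */
#define FLATE_WINDOW 0x8000
#define FLATE_MASK   0x7fff

typedef struct {
    unsigned char buf[FLATE_WINDOW];
    int index;   /* next byte to hand out */
    int remain;  /* bytes still buffered */
} flate_ring;

/* The crashing sequence sign-extends index (movsxd rdx,ecx) and dereferences
 * buf[index] before the & 0x7fff is applied to the *next* index, so a garbage
 * index such as 0x6454c8d7 is read as-is. This predicate is the missing check. */
int flate_index_in_window(int index, int remain) {
    return remain > 0 && index >= 0 && index < FLATE_WINDOW;
}

/* Hardened getChar: returns -1 (EOF) instead of reading outside the window. */
int flate_getchar_checked(flate_ring *s) {
    if (!flate_index_in_window(s->index, s->remain)) return -1;
    int c = s->buf[s->index];
    s->index = (s->index + 1) & FLATE_MASK;
    s->remain--;
    return c;
}

/* Split the 64-bit load seen in RCX into the two adjacent int fields. */
int flate_rcx_index(uint64_t rcx)  { int32_t v; uint32_t lo = (uint32_t)rcx;         memcpy(&v, &lo, 4); return v; }
int flate_rcx_remain(uint64_t rcx) { int32_t v; uint32_t hi = (uint32_t)(rcx >> 32); memcpy(&v, &hi, 4); return v; }

/* Triage: would a read with the dumped bookkeeping stay inside the window? */
int flate_state_is_sane(uint64_t rcx) {
    return flate_index_in_window(flate_rcx_index(rcx), flate_rcx_remain(rcx));
}

/* Demo on constructed data: a valid ring yields its byte, an exhausted ring
 * yields EOF, and the dumped state (RCX = 0xf02410fa6454c8d7) is rejected. */
int flate_demo(void) {
    flate_ring ring;
    memset(&ring, 0, sizeof ring);
    ring.buf[5] = 0x41; ring.index = 5; ring.remain = 1;
    if (flate_getchar_checked(&ring) != 0x41 || ring.index != 6) return 0;
    if (flate_getchar_checked(&ring) != -1) return 0;      /* remain reached 0 */
    ring.index  = flate_rcx_index(0xf02410fa6454c8d7ULL);  /* 0x6454c8d7 */
    ring.remain = flate_rcx_remain(0xf02410fa6454c8d7ULL); /* negative */
    return flate_getchar_checked(&ring) == -1;
}
```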