Skip to content
master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
pocs/pdfalto/
pocs/pdfalto/

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.

Description

pdfalto is a command line executable for parsing PDF files and producing structured XML representations of the PDF content in ALTO format.

version

0.2 release

others

@_@

this bug is reported by fish@360TeamSeri0us, please send email to teamSeri0us360@gmail.com if you have some quetion.

Detail

vuln/TextPage::restoreState@XmlAltoOutputDev.cc-6211___out-of-bounds-read

target

pdfalto TextPage::restoreState@XmlAltoOutputDev.cc-6211___out-of-bounds-read /tmp/out.xml

gdb info


backtrace:
#0  0x00005555555c2e06 in TextPage::restoreState (this=0x5555573a3540, 
    state=0x5555573a7ea0)
    at /home/fish/Desktop/2018-09-25/pdfalto-0.2/src/XmlAltoOutputDev.cc:6211
#1  0x00005555555c884e in XmlAltoOutputDev::restoreState (this=0x55555739f930, 
    state=0x5555573a7ea0)
    at /home/fish/Desktop/2018-09-25/pdfalto-0.2/src/XmlAltoOutputDev.cc:7862
#2  0x000055555567d6d3 in Gfx::restoreState (this=0x555557396320)
    at /home/fish/Desktop/2018-09-25/pdfalto-0.2/xpdf-4.00/xpdf/Gfx.cc:5131
#3  0x00005555556671f5 in Gfx::opRestore (this=0x555557396320, 
    args=0x7fffffffd5e0, numArgs=0x0)
    at /home/fish/Desktop/2018-09-25/pdfalto-0.2/xpdf-4.00/xpdf/Gfx.cc:881
#4  0x0000555555666f90 in Gfx::execOp (this=0x555557396320, 
    cmd=0x7fffffffd5d0, args=0x7fffffffd5e0, numArgs=0x0)
    at /home/fish/Desktop/2018-09-25/pdfalto-0.2/xpdf-4.00/xpdf/Gfx.cc:826
#5  0x0000555555666a08 in Gfx::go (this=0x555557396320, topLevel=0x1)
    at /home/fish/Desktop/2018-09-25/pdfalto-0.2/xpdf-4.00/xpdf/Gfx.cc:719
#6  0x00005555556664da in Gfx::display (this=0x555557396320, 
    objRef=0x55555739ee30, topLevel=0x1)
    at /home/fish/Desktop/2018-09-25/pdfalto-0.2/xpdf-4.00/xpdf/Gfx.cc:641
#7  0x0000555555616e66 in Page::displaySlice (this=0x55555739ee00, 
    out=0x55555739f930, hDPI=72, vDPI=72, rotate=0x0, useMediaBox=0x1, 
    crop=0x1, sliceX=0xffffffff, sliceY=0xffffffff, sliceW=0xffffffff, 
    sliceH=0xffffffff, printing=0x0, abortCheckCbk=0x0, abortCheckCbkData=0x0)
    at /home/fish/Desktop/2018-09-25/pdfalto-0.2/xpdf-4.00/xpdf/Page.cc:373
#8  0x0000555555616a2f in Page::display (this=0x55555739ee00, 
    out=0x55555739f930, hDPI=72, vDPI=72, rotate=0x0, useMediaBox=0x1, 
    crop=0x1, printing=0x0, abortCheckCbk=0x0, abortCheckCbkData=0x0)
    at /home/fish/Desktop/2018-09-25/pdfalto-0.2/xpdf-4.00/xpdf/Page.cc:321
#9  0x0000555555618c26 in PDFDoc::displayPage (this=0x555557395c98, 
    out=0x55555739f930, page=0x1, hDPI=72, vDPI=72, rotate=0x0, 
    useMediaBox=0x1, crop=0x1, printing=0x0, abortCheckCbk=0x0, 
    abortCheckCbkData=0x0)
    at /home/fish/Desktop/2018-09-25/pdfalto-0.2/xpdf-4.00/xpdf/PDFDoc.cc:386
#10 0x0000555555618cab in PDFDoc::displayPages (this=0x555557395c98, 
    out=0x55555739f930, firstPage=0x1, lastPage=0x1, hDPI=72, vDPI=72, 
    rotate=0x0, useMediaBox=0x1, crop=0x1, printing=0x0, abortCheckCbk=0x0, 
    abortCheckCbkData=0x0)
    at /home/fish/Desktop/2018-09-25/pdfalto-0.2/xpdf-4.00/xpdf/PDFDoc.cc:399
#11 0x00005555555ac6d2 in PDFDocXrce::displayPages (this=0x555557395c90, 
    out=0x55555739f930, docrootA=0x0, firstPage=0x1, lastPage=0x1, hDPI=72, 
    vDPI=72, rotate=0x0, useMediaBox=0x1, crop=0x1, doLinks=0x0, 
    abortCheckCbk=0x0, abortCheckCbkData=0x0)
    at /home/fish/Desktop/2018-09-25/pdfalto-0.2/src/PDFDocXrce.cc:22
#12 0x00005555555ad74f in main (argc=0x3, argv=0x7fffffffddf8)
    at /home/fish/Desktop/2018-09-25/pdfalto-0.2/src/pdfalto.cc:415
#13 0x00007ffff6b01b97 in __libc_start_main (
    main=0x5555555ac994 <main(int, char**)>, argc=0x3, argv=0x7fffffffddf8, 
    init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, 
    stack_end=0x7fffffffdde8) at ../csu/libc-start.c:310
#14 0x00005555555a9bda in _start ()

src info:
6206	    idStack.push(idCur);
6207	}
6208	
6209	void TextPage::restoreState(GfxState *state) {
6210	
6211	    idCur = idStack.top();
6212	    idStack.pop();
6213	}
6214	
6215	void TextPage::doPathForClip(GfxPath *path, GfxState *state,

register info:
rax            0x2d38313000000200	0x2d38313000000200
rbx            0x7fffffffd800	0x7fffffffd800
rcx            0x0	0x0
rdx            0x2d38313000000200	0x2d38313000000200
rsi            0x55555739f1b0	0x55555739f1b0
rdi            0x7fffffffd460	0x7fffffffd460
rbp            0x7fffffffd4d0	0x7fffffffd4d0
rsp            0x7fffffffd4c0	0x7fffffffd4c0
r8             0x0	0x0
r9             0x0	0x0
r10            0x7ffff6c4a8b0	0x7ffff6c4a8b0
r11            0x246	0x246
r12            0x7fffffffd7f0	0x7fffffffd7f0
r13            0x55555739f3a0	0x55555739f3a0
r14            0x0	0x0
r15            0x0	0x0
rip            0x5555555c2e06	0x5555555c2e06 <TextPage::restoreState(GfxState*)+34>
eflags         0x10246	[ PF ZF IF RF ]
cs             0x33	0x33
ss             0x2b	0x2b
ds             0x0	0x0
es             0x0	0x0
fs             0x0	0x0
gs             0x0	0x0

asan report

Syntax Error (816): Missing 'endstream'
Syntax Error (810): Unknown operator ']'
Syntax Error (815): Too few (0) args to 'TJ' operator
Syntax Error (821): Unknown operator 'qre.1ro'
Syntax Error (821): Unknown operator 'ETe1dg2'
Syntax Error (822): Unknown operator 'p'
Syntax Error (827): Unknown operator 'pT'
Syntax Error (828): Too few (0) args to 'w' operator
Syntax Error (830): Unknown operator 'pT'
Syntax Error (831): Too few (0) args to 'w' operator
Syntax Error (833): Unknown operator 'pT'
Syntax Error (835): Too few (0) args to 'w' operator
Syntax Error (836): Unknown operator 'pT'
Syntax Error (837): Unknown operator 'w4'
Syntax Error (840): Unknown operator 'e'
Syntax Error (846): Unknown operator 'iP0p'
Syntax Error (850): Unknown operator 'T'
Syntax Error (851): Too few (0) args to 'w' operator
Syntax Error (852): Unknown operator 'pT'
Syntax Error (855): Unknown operator 'H'
Syntax Error (857): Unknown operator 'pT'
Syntax Error (858): Too few (0) args to 'w' operator
Syntax Error (865): Unknown operator 'pT'
Syntax Error (868): Unknown operator 'H6eweib1J'
Syntax Error (871): Unknown operator 'ws.'
Syntax Error (872): Too few (0) args to 'w' operator
Syntax Error (873): Unknown operator 'd7'
Syntax Error (876): Unknown operator 'e'
ASAN:DEADLYSIGNAL
=================================================================
==50732==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x562c45781be2 bp 0x7ffc3509a850 sp 0x7ffc3509a840 T0)
==50732==The signal is caused by a READ memory access.
==50732==Hint: address points to the zero page.
    #0 0x562c45781be1 in TextPage::restoreState(GfxState*) /home/fish/Desktop/2018-09-25/pdfalto-0.2/src/XmlAltoOutputDev.cc:6211
    #1 0x562c4578dfd8 in XmlAltoOutputDev::restoreState(GfxState*) /home/fish/Desktop/2018-09-25/pdfalto-0.2/src/XmlAltoOutputDev.cc:7862
    #2 0x562c459171b1 in Gfx::restoreState() /home/fish/Desktop/2018-09-25/pdfalto-0.2/xpdf-4.00/xpdf/Gfx.cc:5131
    #3 0x562c458e753a in Gfx::opRestore(Object*, int) /home/fish/Desktop/2018-09-25/pdfalto-0.2/xpdf-4.00/xpdf/Gfx.cc:881
    #4 0x562c458e72ad in Gfx::execOp(Object*, Object*, int) /home/fish/Desktop/2018-09-25/pdfalto-0.2/xpdf-4.00/xpdf/Gfx.cc:826
    #5 0x562c458e68af in Gfx::go(int) /home/fish/Desktop/2018-09-25/pdfalto-0.2/xpdf-4.00/xpdf/Gfx.cc:719
    #6 0x562c458e5ed5 in Gfx::display(Object*, int) /home/fish/Desktop/2018-09-25/pdfalto-0.2/xpdf-4.00/xpdf/Gfx.cc:641
    #7 0x562c4583d4b3 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/fish/Desktop/2018-09-25/pdfalto-0.2/xpdf-4.00/xpdf/Page.cc:373
    #8 0x562c4583ccf4 in Page::display(OutputDev*, double, double, int, int, int, int, int (*)(void*), void*) /home/fish/Desktop/2018-09-25/pdfalto-0.2/xpdf-4.00/xpdf/Page.cc:321
    #9 0x562c45841630 in PDFDoc::displayPage(OutputDev*, int, double, double, int, int, int, int, int (*)(void*), void*) /home/fish/Desktop/2018-09-25/pdfalto-0.2/xpdf-4.00/xpdf/PDFDoc.cc:386
    #10 0x562c458416b8 in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /home/fish/Desktop/2018-09-25/pdfalto-0.2/xpdf-4.00/xpdf/PDFDoc.cc:399
    #11 0x562c457510d5 in PDFDocXrce::displayPages(OutputDev*, _xmlNode*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /home/fish/Desktop/2018-09-25/pdfalto-0.2/src/PDFDocXrce.cc:22
    #12 0x562c457528f0 in main /home/fish/Desktop/2018-09-25/pdfalto-0.2/src/pdfalto.cc:415
    #13 0x7fe662c5db96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #14 0x562c4574c909 in _start (/home/fish/Desktop/2018-09-25/pdfalto-0.2/asan/pdfalto+0x101909)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/fish/Desktop/2018-09-25/pdfalto-0.2/src/XmlAltoOutputDev.cc:6211 in TextPage::restoreState(GfxState*)
==50732==ABORTING

target

./pdfalto poc_heap_buffer_overflow /tmp/out.xml

asan report


=================================================================
==51791==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000024fda at pc 0x7fcedb7d28f9 bp 0x7ffd7155e5b0 sp 0x7ffd7155dd40
WRITE of size 13 at 0x602000024fda thread T0
    #0 0x7fcedb7d28f8 in __interceptor_vsprintf (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x9e8f8)
    #1 0x7fcedb7d2c86 in __interceptor_sprintf (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x9ec86)
    #2 0x55ca8343f6e4 in TextPage::addAttributsNode(_xmlNode*, IWord*, double&, double&, double&, double&, double&, double&, TextFontStyleInfo*, UnicodeMap*, int) /home/fish/Desktop/2018-09-25/pdfalto-0.2/src/XmlAltoOutputDev.cc:3107
    #3 0x55ca8344e085 in TextPage::dump(int, int) /home/fish/Desktop/2018-09-25/pdfalto-0.2/src/XmlAltoOutputDev.cc:5198
    #4 0x55ca834615a8 in XmlAltoOutputDev::endPage() /home/fish/Desktop/2018-09-25/pdfalto-0.2/src/XmlAltoOutputDev.cc:7664
    #5 0x55ca835ba892 in Gfx::~Gfx() /home/fish/Desktop/2018-09-25/pdfalto-0.2/xpdf-4.00/xpdf/Gfx.cc:590
    #6 0x55ca83512844 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/fish/Desktop/2018-09-25/pdfalto-0.2/xpdf-4.00/xpdf/Page.cc:406
    #7 0x55ca83511cf4 in Page::display(OutputDev*, double, double, int, int, int, int, int (*)(void*), void*) /home/fish/Desktop/2018-09-25/pdfalto-0.2/xpdf-4.00/xpdf/Page.cc:321
    #8 0x55ca83516630 in PDFDoc::displayPage(OutputDev*, int, double, double, int, int, int, int, int (*)(void*), void*) /home/fish/Desktop/2018-09-25/pdfalto-0.2/xpdf-4.00/xpdf/PDFDoc.cc:386
    #9 0x55ca835166b8 in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /home/fish/Desktop/2018-09-25/pdfalto-0.2/xpdf-4.00/xpdf/PDFDoc.cc:399
    #10 0x55ca834260d5 in PDFDocXrce::displayPages(OutputDev*, _xmlNode*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /home/fish/Desktop/2018-09-25/pdfalto-0.2/src/PDFDocXrce.cc:22
    #11 0x55ca834278f0 in main /home/fish/Desktop/2018-09-25/pdfalto-0.2/src/pdfalto.cc:415
    #12 0x7fceda460b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #13 0x55ca83421909 in _start (/home/fish/Desktop/2018-09-25/pdfalto-0.2/asan/pdfalto+0x101909)

0x602000024fda is located 0 bytes to the right of 10-byte region [0x602000024fd0,0x602000024fda)
allocated by thread T0 here:
    #0 0x7fcedb812b50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
    #1 0x55ca8343ed4a in TextPage::addAttributsNode(_xmlNode*, IWord*, double&, double&, double&, double&, double&, double&, TextFontStyleInfo*, UnicodeMap*, int) /home/fish/Desktop/2018-09-25/pdfalto-0.2/src/XmlAltoOutputDev.cc:2998
    #2 0x55ca8344e085 in TextPage::dump(int, int) /home/fish/Desktop/2018-09-25/pdfalto-0.2/src/XmlAltoOutputDev.cc:5198
    #3 0x55ca834615a8 in XmlAltoOutputDev::endPage() /home/fish/Desktop/2018-09-25/pdfalto-0.2/src/XmlAltoOutputDev.cc:7664
    #4 0x55ca835ba892 in Gfx::~Gfx() /home/fish/Desktop/2018-09-25/pdfalto-0.2/xpdf-4.00/xpdf/Gfx.cc:590
    #5 0x55ca83512844 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/fish/Desktop/2018-09-25/pdfalto-0.2/xpdf-4.00/xpdf/Page.cc:406
    #6 0x55ca83511cf4 in Page::display(OutputDev*, double, double, int, int, int, int, int (*)(void*), void*) /home/fish/Desktop/2018-09-25/pdfalto-0.2/xpdf-4.00/xpdf/Page.cc:321
    #7 0x55ca83516630 in PDFDoc::displayPage(OutputDev*, int, double, double, int, int, int, int, int (*)(void*), void*) /home/fish/Desktop/2018-09-25/pdfalto-0.2/xpdf-4.00/xpdf/PDFDoc.cc:386
    #8 0x55ca835166b8 in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /home/fish/Desktop/2018-09-25/pdfalto-0.2/xpdf-4.00/xpdf/PDFDoc.cc:399
    #9 0x55ca834260d5 in PDFDocXrce::displayPages(OutputDev*, _xmlNode*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /home/fish/Desktop/2018-09-25/pdfalto-0.2/src/PDFDocXrce.cc:22
    #10 0x55ca834278f0 in main /home/fish/Desktop/2018-09-25/pdfalto-0.2/src/pdfalto.cc:415
    #11 0x7fceda460b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x9e8f8) in __interceptor_vsprintf
Shadow bytes around the buggy address:
  0x0c047fffc9a0: fa fa fd fa fa fa fd fa fa fa fd fd fa fa fd fa
  0x0c047fffc9b0: fa fa fd fa fa fa fd fa fa fa fd fd fa fa fd fa
  0x0c047fffc9c0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fffc9d0: fa fa fd fa fa fa fd fa fa fa fd fd fa fa fd fa
  0x0c047fffc9e0: fa fa fd fd fa fa fd fa fa fa 00 03 fa fa 00 01
=>0x0c047fffc9f0: fa fa 00 02 fa fa 07 fa fa fa 00[02]fa fa fd fd
  0x0c047fffca00: fa fa fd fa fa fa fd fd fa fa 04 fa fa fa 06 fa
  0x0c047fffca10: fa fa fd fd fa fa fd fa fa fa fd fd fa fa 03 fa
  0x0c047fffca20: fa fa 06 fa fa fa fd fd fa fa fd fa fa fa 00 00
  0x0c047fffca30: fa fa 00 fa fa fa fd fa fa fa 00 fa fa fa 02 fa
  0x0c047fffca40: fa fa 00 00 fa fa 00 fa fa fa 06 fa fa fa 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==51791==ABORTING

Thanks for your watching

This autogeneration markdown is made by pySpider

Data : 2018-10-11 23:54:43

Author: pwd

Team : 360TeamSeri0us