invalid memory access in GfxIndexedColorSpace::mapColorToBase( ) #46

Loginsoft-Research opened this issue Mar 13, 2019 · 4 comments

@Loginsoft-Research

Description - we observed an invalid memory access in function GfxIndexedColorSpace::mapColorToBase( ) located in GfxState.cc. The same can be triggered by sending a crafted pdf file to the pdfalto binary. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact.

Command - : ./pdfalto -f 1 -l 2 -noText -noImage -outline -annotation -cutPages -blocks -readingOrder -ocr -fullFontName $POC

POC - REPRODUCER

Debug -

Gdb: 

[ Legend: Modified register | Code | Heap | Stack | String ]
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
$rax   : 0xfffffffffffffffd
$rbx   : 0x00000ffffffff9a6  →  0x0000000000000000
$rcx   : 0xfffffffffffffffd
$rdx   : 0x200000007fff7fff
$rsp   : 0x00007fffffffccf0  →  0x00007fffffffcd30  →  0x0000000041b58ab3
$rbp   : 0x00007fffffffcfd0  →  0x00007fffffffd100  →  0x00007fffffffd120  →  0x00007fffffffd2a0  →  0x00007fffffffd2d0  →  0x00007fffffffd330  →  0x00007fffffffd640  →  0x00007fffffffd750
$rsi   : 0x3               
$rdi   : 0x0               
$rip   : 0x00000000005cd542  →  <GfxIndexedColorSpace::mapColorToBase(GfxColor*,+0> movzx edx, BYTE PTR [rdx]
$r8    : 0x00000000005cc2ea  →  <GfxICCBasedColorSpace::getDefaultRanges(double*,+0> push rbp
$r9    : 0x7a1a            
$r10   : 0x0000602000073650  →  0xbebebebebebebe00
$r11   : 0x00007ffff7eec448  →  0x0000000000000000
$r12   : 0x00007fffffffcd30  →  0x0000000041b58ab3
$r13   : 0x00007fffffffcfb0  →  0x00000ffffffffa00  →  0x0000000000000000
$r14   : 0x00007fffffffcd30  →  0x0000000041b58ab3
$r15   : 0x00007fffffffd170  →  0x0000000041b58ab3
$eflags: [carry PARITY adjust zero sign trap INTERRUPT direction overflow RESUME virtualx86 identification]
$cs: 0x0033 $ss: 0x002b $ds: 0x0000 $es: 0x0000 $fs: 0x0000 $gs: 0x0000 
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
0x00007fffffffccf0│+0x0000: 0x00007fffffffcd30  →  0x0000000041b58ab3     ← $rsp
0x00007fffffffccf8│+0x0008: 0x00007fffffffd020  →  0x0000003000000020  →  0x0000000000000000
0x00007fffffffcd00│+0x0010: 0x000061700000e108  →  0x00007fff00000000
0x00007fffffffcd08│+0x0018: 0x000060400000d050  →  0x00000000009688d0  →  0x00000000005cc590  →  <GfxIndexedColorSpace::~GfxIndexedColorSpace()+0> push rbp
0x00007fffffffcd10│+0x0020: 0x00000ffffffff9c4  →  0x0000000000000000
0x00007fffffffcd18│+0x0028: 0x0000000000000020
0x00007fffffffcd20│+0x0030: 0x00000003ffffffff  →  0x0000000000000000
0x00007fffffffcd28│+0x0038: 0xfffffffffffffffd
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:64 ────
     0x5cd533 <GfxIndexedColorSpace::mapColorToBase(GfxColor*,+0> enter  0x8948, 0xc2
     0x5cd537 <GfxIndexedColorSpace::mapColorToBase(GfxColor*,+0> shr    rdx, 0x3
     0x5cd53b <GfxIndexedColorSpace::mapColorToBase(GfxColor*,+0> add    rdx, 0x7fff8000
→   0x5cd542 <GfxIndexedColorSpace::mapColorToBase(GfxColor*,+0> movzx  edx, BYTE PTR [rdx]
     0x5cd545 <GfxIndexedColorSpace::mapColorToBase(GfxColor*,+0> test   dl, dl
     0x5cd547 <GfxIndexedColorSpace::mapColorToBase(GfxColor*,+0> setne  sil
     0x5cd54b <GfxIndexedColorSpace::mapColorToBase(GfxColor*,+0> mov    rdi, rax
     0x5cd54e <GfxIndexedColorSpace::mapColorToBase(GfxColor*,+0> and    edi, 0x7
     0x5cd551 <GfxIndexedColorSpace::mapColorToBase(GfxColor*,+0> cmp    dil, dl
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── source:/home/aceteam/Downloads/sources/pdfalto/xpdf-4.00/xpdf/GfxState.cc+1149 ────
   1144       } else if (k > indexHigh) {
   1145         k = indexHigh;
   1146       }
   1147       p = &lookup[k * n];
   1148       for (i = 0; i < n; ++i) {
        // baseColor=0x00007fffffffccf8  →  [...]  →  0x0000000000000000, p=0x00007fffffffcd28  →  0xfffffffffffffffd, low=0x00007fffffffcd50  →  0x0000000000000000, range=0x00007fffffffce70  →  0x3ff0000000000000, i=0x0
→ 1149         baseColor->c[i] = dblToCol(low[i] + (p[i] / 255.0) * range[i]);
   1150       }
   1151       return baseColor;
   1152     }
   1153     
   1154     void GfxIndexedColorSpace::getGray(GfxColor *color, GfxGray *gray,
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "pdfalto", stopped, reason: SIGSEGV
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
[#0] 0x5cd542 → GfxIndexedColorSpace::mapColorToBase(this=0x60400000d050, color=0x61700000e108, baseColor=0x7fffffffd020)
[#1] 0x5cdaa4 → GfxIndexedColorSpace::getRGB(this=0x60400000d050, color=0x61700000e108, rgb=0x7fffffffd190, ri=gfxRenderingIntentRelativeColorimetric)
[#2] 0x5f6b4f → GfxState::getFillRGB(this=0x61700000e080, rgb=0x7fffffffd190)
[#3] 0x445f21 → XmlAltoOutputDev::fill(this=0x61500000f300, state=0x61700000e080)
[#4] 0x6c4f54 → Gfx::opFill(this=0x60f00000e140, args=0x7fffffffd3d0, numArgs=0x0)
[#5] 0x6bc95f → Gfx::execOp(this=0x60f00000e140, cmd=0x7fffffffd390, args=0x7fffffffd3d0, numArgs=0x0)
[#6] 0x6bbf7a → Gfx::go(this=0x60f00000e140, topLevel=0x1)
[#7] 0x6bb562 → Gfx::display(this=0x60f00000e140, objRef=0x60800000bed0, topLevel=0x1)
[#8] 0x61cf67 → Page::displaySlice(this=0x60800000bea0, out=0x61500000f300, hDPI=72, vDPI=72, rotate=0x0, useMediaBox=0x0, crop=0x0, sliceX=0xffffffff, sliceY=0xffffffff, sliceW=0xffffffff, sliceH=0xffffffff, printing=0x0, abortCheckCbk=0x0, abortCheckCbkData=0x0)
[#9] 0x61c7af → Page::display(this=0x60800000bea0, out=0x61500000f300, hDPI=72, vDPI=72, rotate=0x0, useMediaBox=0x0, crop=0x1, printing=0x0, abortCheckCbk=0x0, abortCheckCbkData=0x0)


gef➤  p/d  k * n
$24 = -3
gef➤  p &lookup[k * n]
$25 = (Guchar *) 0xfffffffffffffffd <error: Cannot access memory at address 0xfffffffffffffffd>
gef➤  p (p[i] / 255.0)
Cannot access memory at address 0xfffffffffffffffd


@diegomon

@kermitt2 @lfoppiano There's this CVE https://nvd.nist.gov/vuln/detail/CVE-2019-9878?cpeVersion=2.2 I asked Derek of Xpdf and he told me that it was fixed in version 4.0.1. The last version is 4.0.2 and pdf-alto uses 4.0.0 if I'm not wrong. Is it possible to rebuild pdf-alto with these fixes of the new version and include the binaries in Grobid to avoid these security issues?

@attritionorg

@diegomon Can you point to where it shows that 4.01 fixes this issue? Looking at the changelog I see 7 different vulns, all with CVE-2018 assignments, but no mention of this issue. I think the solution was probably 4.01.01 instead, and suspect this may have been fixed based on wording and the fix coming a day after this bug report:

4.01.01 (2019-mar-14)

Fixed a missing array bounds check in PSOutputDev. [Thanks to
Loginsoft for the bug report.]
Fixed a problem parsing large real numbers. [Thanks to Loginsoft for
the bug report.]

If anyone could confirm that would be great!

@diegomon

diegomon commented Apr 27, 2020

@attritionorg This is the answer of Derek of xpdf when I asked about the CVE

The relevant change was this (in two places):

    if (cs->indexHigh < 0) {
      goto err3;
    }

- Derek

On Wed, 22 Apr 2020 06:47:17 +0000, Diego Moncayo
diego.moncayo@researchgate.net wrote:

Sorry, I see you included the version. The thing is I checked version
4.02 and the code mentioned in CVE-2019-9878 was still there.

On 22.04.20, 00:16, "Derek B. Noonburg" xpdf@xpdfreader.com wrote:

Hi Diego,

CVE-2019-9878 is a duplicate of CVE-2018-18455, which was fixed in Xpdf 4.01.

- Derek


On Tue, 21 Apr 2020 14:08:13 +0000, Diego Moncayo
<diego.moncayo@researchgate.net> wrote:

> Hello.
>
> Any plans to solve this CVE?
> https://nvd.nist.gov/vuln/detail/CVE-2019-9878?cpeVersion=2.2
>
> Although it is pdf-alto but it points to xpdf as the source of
> the vulnerability.
>
> Best regards
> Diego Moncayo  
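The gdb session in the original report (k * n evaluating to -3, &lookup[k * n] landing at 0xfffffffffffffffd) and the one-line fix Derek quotes above describe the same defect from two sides: mapColorToBase clamps the palette index k into [0, indexHigh], so a negative indexHigh from the PDF drives k negative and the lookup pointer before the table. The following C model, written for this page and not taken from xpdf or pdfalto, reproduces that arithmetic and shows the parse-time rejection the fix applies. Everything in it is a stand-in: the `indexed_cs` struct and function names are hypothetical, the preceding `if (k < 0) k = 0;` branch of the clamp is assumed from the usual shape of the code (the gdb listing shows only the `else if`), and indexHigh == -1 with n == 3 is one assumed pair of values whose product matches the -3 on the page.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of an Indexed colour space (not xpdf's GfxIndexedColorSpace).
   In a PDF the space is written [/Indexed base hival lookup]: hival is the
   highest palette index and lookup holds (hival + 1) * n bytes, n being the
   component count of the base space. hival is attacker-controlled input. */
typedef struct {
    int index_high;          /* hival as read from the PDF */
    int n_comps;             /* bytes per palette entry, e.g. 3 for an RGB base */
    unsigned char *lookup;   /* (index_high + 1) * n_comps bytes */
} indexed_cs;

/* The clamp as shipped (modelled on the gdb source listing in this issue):
   k is forced into [0, index_high]. When index_high is negative the second
   branch assigns k = index_high, so the byte offset k * n goes negative and
   &lookup[k * n] points in front of the table. Returns that offset. */
static long shipped_lookup_offset(int k, int index_high, int n_comps) {
    if (k < 0) {                 /* assumed branch, see lead-in */
        k = 0;
    } else if (k > index_high) {
        k = index_high;          /* negative whenever index_high < 0 */
    }
    return (long)k * n_comps;
}

/* Hardened constructor: reject the colour space while parsing, which is what
   the quoted fix does with `if (cs->indexHigh < 0) goto err3;`. The upper
   bound of 255 is the limit the PDF specification places on hival; also
   requiring the table to hold (hival + 1) * n bytes closes the matching
   over-read past a short lookup string. Returns NULL on any violation. */
static indexed_cs *indexed_cs_create(int index_high, int n_comps,
                                     const unsigned char *table, size_t table_len) {
    if (index_high < 0 || index_high > 255 || n_comps <= 0) {
        return NULL;
    }
    size_t need = (size_t)(index_high + 1) * (size_t)n_comps;
    if (table == NULL || table_len < need) {
        return NULL;
    }
    indexed_cs *cs = malloc(sizeof *cs);
    if (cs == NULL) {
        return NULL;
    }
    cs->lookup = malloc(need);
    if (cs->lookup == NULL) {
        free(cs);
        return NULL;
    }
    memcpy(cs->lookup, table, need);
    cs->index_high = index_high;
    cs->n_comps = n_comps;
    return cs;
}

static void indexed_cs_free(indexed_cs *cs) {
    if (cs != NULL) {
        free(cs->lookup);
        free(cs);
    }
}

/* Same clamp as before, but because the constructor guaranteed
   0 <= index_high <= 255 and a table of matching size, the result is always
   an in-bounds offset. Returns -1 only for a NULL colour space. */
static long safe_lookup_offset(const indexed_cs *cs, int k) {
    if (cs == NULL) {
        return -1;
    }
    if (k < 0) {
        k = 0;
    } else if (k > cs->index_high) {
        k = cs->index_high;
    }
    return (long)k * cs->n_comps;
}

/* Copies the n_comps bytes of palette entry k into out. Returns 1 on success. */
static int safe_map_to_base(const indexed_cs *cs, int k, unsigned char *out) {
    long off = safe_lookup_offset(cs, k);
    if (off < 0) {
        return 0;
    }
    memcpy(out, cs->lookup + off, (size_t)cs->n_comps);
    return 1;
}

int main(void) {
    /* Constructed 2-entry RGB palette: entry 0 = (1,2,3), entry 1 = (4,5,6). */
    unsigned char table[6] = {1, 2, 3, 4, 5, 6};
    printf("shipped clamp, hival=-1, n=3: offset %ld\n", shipped_lookup_offset(0, -1, 3));
    printf("hardened create, hival=-1: %s\n",
           indexed_cs_create(-1, 3, table, sizeof table) == NULL ? "rejected" : "accepted");
    indexed_cs *cs = indexed_cs_create(1, 3, table, sizeof table);
    unsigned char rgb[3];
    if (cs != NULL && safe_map_to_base(cs, 1, rgb)) {
        printf("entry 1 -> (%u,%u,%u)\n", rgb[0], rgb[1], rgb[2]);
    }
    indexed_cs_free(cs);
    return 0;
}
```

The point of validating at construction rather than inside the per-pixel mapping is that the clamp is then provably sufficient: once hival is known to be non-negative and the table is known to be large enough, no value of k can produce an out-of-range offset, so the hot path needs no further checks.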

@kermitt2
Owner

kermitt2 commented Apr 7, 2021

Updated to xpdf-4.03, which solves this issue.

@kermitt2 kermitt2 closed this as completed Apr 7, 2021