
QPDF v6.0 Stack Corruption #146

Closed
9emin1 opened this issue Aug 22, 2017 · 10 comments

@9emin1 commented Aug 22, 2017

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
WARNING: id:000000,sig:11,src:000010+000007,op:splice,rep:16: file is damaged
WARNING: id:000000,sig:11,src:000010+000007,op:splice,rep:16: can't find startxref
WARNING: id:000000,sig:11,src:000010+000007,op:splice,rep:16: Attempting to reconstruct cross-reference table

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7b55761 in QPDFObjectHandle::parseInternal(PointerHolder, std::__cxx11::basic_string<char, std::char_traits, std::allocator > const&, QPDFTokenizer&, bool&, QPDFObjectHandle::StringDecrypter*, QPDF*, bool, bool, bool) () from /usr/lib/x86_64-linux-gnu/libqpdf.so.17
(gdb) exploitable
Description: Possible stack corruption
Short description: PossibleStackCorruption (7/22)
Hash: b5da70c1923e3824f45ebafcfe77a71b.018fde94be00aea515ed79b00d59768a
Exploitability Classification: EXPLOITABLE
Explanation: GDB generated an error while unwinding the stack and/or the stack contained return addresses that were not mapped
in the inferior's process address space and/or the stack pointer is pointing to a location outside the default stack region.
These conditions likely indicate stack corruption, which is generally considered exploitable.
Other tags: DestAv (8/22), AccessViolation (21/22)

@jberkenbilt (Contributor) commented Aug 22, 2017

Can you supply a sample file? I am trying to get a 7.0.0 alpha release out today. Version 7 has many fixes that should eliminate very many of this kind of error. I would like to test this against the alpha release. If you are in a position to do this, you can grab master from github and test against that. Thanks.

@jberkenbilt (Contributor) commented Aug 22, 2017

I released 7.0.b1 on sourceforge. You can grab it from https://sourceforge.net/projects/qpdf/files/qpdf/7.0.b1/ if you'd like to give it a spin and see if it handles these files better. Alternatively, you can still supply sample files.

@9emin1 (Author) commented Aug 23, 2017

@9emin1 (Author) commented Aug 23, 2017

@jberkenbilt (Contributor) commented Aug 23, 2017

@9emin1 I can't find the sample file. Where is it attached?

@9emin1 (Author) commented Aug 24, 2017

@jberkenbilt (Contributor) commented Aug 24, 2017

Thanks. GitHub must have filtered out the attachment in your email, but I got the file from Google Drive.

This is interesting. It's not a logic error per se. There's a stack overflow because qpdf's tokenizer is recursive for dictionaries and arrays, and this pdf tries to make an array that is 20,476 levels deep. Fixing this would require changing the parsing algorithm to be iterative for arrays and dictionaries. I guess I should do that.

A simple qpdf --check on this file is sufficient to reproduce the problem.
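The recursion-to-iteration change jberkenbilt describes, as an added example that is not qpdf's own code: a toy parser for nested PDF-style arrays and dictionaries that keeps its nesting state in a std::vector on the heap instead of in call frames, fed a constructed input nested 20,476 levels deep like the reporter's file. The grammar is a whitespace-separated simplification, and the max_depth cap and every name here are assumptions of this example, not qpdf settings.

```cpp
#include <sstream>
#include <stdexcept>
#include <string>
#include <vector>

enum class Kind { Atom, Array, Dict };
// Flat arena node: 'parent' indexes the arena (-1 for the root), 'depth' counts
// enclosing containers. A flat arena is also freed without recursion.
struct Node { Kind kind; std::string text; long parent; size_t depth; };
// Parses one top-level object of a toy whitespace-separated grammar ("[", "]", "<<",
// ">>", bare tokens). Nesting state lives in the 'open' vector, so depth is bounded by
// the heap, not the call stack. max_depth is an extra cap assumed here, not a qpdf setting.
std::vector<Node> parseIterative(const std::string& in, size_t max_depth = 100000) {
    std::vector<Node> arena;
    std::vector<long> open;  // indices of containers not yet closed
    std::istringstream ss(in);
    for (std::string tok; ss >> tok;) {
        long parent = open.empty() ? -1 : open.back();
        if (parent == -1 && !arena.empty())
            throw std::runtime_error("trailing token after top-level object");
        if (tok == "[" || tok == "<<") {
            if (open.size() >= max_depth) throw std::runtime_error("nesting too deep");
            arena.push_back({tok == "[" ? Kind::Array : Kind::Dict, "", parent, open.size()});
            open.push_back(static_cast<long>(arena.size()) - 1);
        } else if (tok == "]" || tok == ">>") {
            Kind want = (tok == "]") ? Kind::Array : Kind::Dict;
            if (open.empty() || arena[open.back()].kind != want)
                throw std::runtime_error("unbalanced delimiter: " + tok);
            open.pop_back();
        } else arena.push_back({Kind::Atom, tok, parent, open.size()});
    }
    if (!open.empty()) throw std::runtime_error("unterminated container");
    return arena;
}
size_t maxDepth(const std::vector<Node>& arena) {  // deepest nesting level seen
    size_t best = 0;
    for (const Node& n : arena) if (n.depth > best) best = n.depth;
    return best;
}
// Constructed input shaped like the crashing file: 'levels' arrays around one atom.
std::string nestedArray(size_t levels) {
    std::string head, tail;
    for (size_t i = 0; i < levels; ++i) { head += "[ "; tail += " ]"; }
    return head + "1" + tail;
}
// True when the parser accepts 'in' under the cap; rejections surface as exceptions.
bool accepts(const std::string& in, size_t max_depth) {
    try { parseIterative(in, max_depth); return true; } catch (const std::runtime_error&) { return false; }
}
```

With the cap lowered to a sane value for a given deployment, the 20,476-level file is rejected with a clean error instead of being parsed at all; with the default cap it parses fine because no call frame is consumed per level.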

@jberkenbilt (Contributor) commented Aug 24, 2017

Note to self: saved file is misc/bugs/146.pdf

@9emin1 (Author) commented Aug 25, 2017

@jberkenbilt (Contributor) commented Aug 26, 2017

Rewriting parsing iteratively wasn't that hard.
