QPDF v6.0 Stack Corruption #146
Comments
Can you supply a sample file? I am trying to get a 7.0.0 alpha release out today. Version 7 has many fixes that should eliminate very many of this kind of error. I would like to test this against the alpha release. If you are in a position to do this, you can grab master from github and test against that. Thanks.

I released 7.0.b1 on sourceforge. You can grab it from https://sourceforge.net/projects/qpdf/files/qpdf/7.0.b1/ if you'd like to give it a spin and see if it handles these files better. Alternatively, you can still supply sample files.

Hi,
Unfortunately I lost the sample file for the crash reproduction. I will fuzz the v6.0 and get the sample file generated.
I will also take 7.0.b1 for a spin after, and I will get back to you if there are any interesting findings :)
Cheers!
Regards,

Hi,
I am able to reproduce the crash on QPDF v7. I have attached the sample file.
Please use the following command flags to reproduce the crash:
/usr/local/bin/qpdf --stream-data=compress --object-streams=generate --encrypt test123 test123 40 -- qpdf_poc_crash out.pdf
Regards,
@9emin1 I can't find the sample file. Where is it attached?

Hi,
I have sent it as an attachment in my previous email.
I have also uploaded it to my Google Drive:
https://drive.google.com/open?id=0B9DojFnTUSNGYTBrZFplV3o1R28
Regards,
Thanks. GitHub must have filtered out the attachment in your email, but I got the file from Google Drive. This is interesting. It's not a logic error per se. There's a stack overflow because qpdf's tokenizer is recursive for dictionaries and arrays, and this pdf tries to make an array that is 20,476 levels deep. Fixing this would require changing the parsing algorithm to be iterative for arrays and dictionaries. I guess I should do that. A simple qpdf --check on this file is sufficient to reproduce the problem.
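One way to do what the comment above describes, as an added example that is not qpdf's own code: a parser for a PDF-like array syntax that keeps the currently open arrays on an explicit heap-allocated stack and stores the tree in a flat arena (so destruction does not recurse either); a 20,476-level-deep input is then just a large vector, and unbalanced input is reported as an error instead of crashing. The token syntax and the `Node`/`Parsed` types are assumptions made for this illustration.

```cpp
// Added example, not qpdf's code: parse PDF-style nested arrays such as
// "[ 1 [ /A [ 2 ] ] 3 ]" with an explicit stack instead of recursion.
#include <cctype>
#include <stdexcept>
#include <string>
#include <vector>
struct Node {
    bool is_array;
    std::string atom;            // token text when !is_array
    std::vector<size_t> items;   // child indices into Parsed::arena
};
struct Parsed {
    std::vector<Node> arena;     // flat storage: destruction is not recursive either
    size_t max_depth = 0;        // deepest '[' nesting seen
};
// Tokens: '[', ']' and whitespace-delimited atoms (numbers, /Names, ...).
// arena[0] is a synthetic root holding the top-level items. Nesting depth
// only grows the 'open' vector on the heap; the call stack stays flat.
Parsed parse_arrays(const std::string& src) {
    Parsed out;
    out.arena.push_back(Node{true, "", {}});
    std::vector<size_t> open{0};  // arrays not yet closed, innermost last
    size_t i = 0;
    while (i < src.size()) {
        unsigned char c = src[i];
        if (std::isspace(c)) { ++i; continue; }
        if (c == '[') {
            out.arena.push_back(Node{true, "", {}});
            open.push_back(out.arena.size() - 1); ++i;
            if (open.size() - 1 > out.max_depth) out.max_depth = open.size() - 1;
        } else if (c == ']') {
            if (open.size() == 1) throw std::runtime_error("unbalanced ']'");
            size_t closed = open.back();
            open.pop_back();
            out.arena[open.back()].items.push_back(closed); ++i;
        } else {
            size_t j = i;
            while (j < src.size() && !std::isspace((unsigned char)src[j])
                   && src[j] != '[' && src[j] != ']') ++j;
            out.arena.push_back(Node{false, src.substr(i, j - i), {}});
            out.arena[open.back()].items.push_back(out.arena.size() - 1);
            i = j;
        }
    }
    if (open.size() != 1) throw std::runtime_error("unterminated array");
    return out;
}
```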

Note to self: saved file is misc/bugs/146.pdf

Hi Jay,
Sure, no worries. I am currently fuzzing v7. Will let you know if there are any interesting crashes.
Regards,
Rewriting parsing iteratively wasn't that hard.
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
WARNING: id:000000,sig:11,src:000010+000007,op:splice,rep:16: file is damaged
WARNING: id:000000,sig:11,src:000010+000007,op:splice,rep:16: can't find startxref
WARNING: id:000000,sig:11,src:000010+000007,op:splice,rep:16: Attempting to reconstruct cross-reference table
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7b55761 in QPDFObjectHandle::parseInternal(PointerHolder<InputSource>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, QPDFTokenizer&, bool&, QPDFObjectHandle::StringDecrypter*, QPDF*, bool, bool, bool) ()
from /usr/lib/x86_64-linux-gnu/libqpdf.so.17
(gdb) exploitable
Description: Possible stack corruption
Short description: PossibleStackCorruption (7/22)
Hash: b5da70c1923e3824f45ebafcfe77a71b.018fde94be00aea515ed79b00d59768a
Exploitability Classification: EXPLOITABLE
Explanation: GDB generated an error while unwinding the stack and/or the stack contained return addresses that were not mapped
in the inferior's process address space and/or the stack pointer is pointing to a location outside the default stack region.
These conditions likely indicate stack corruption, which is generally considered exploitable.
Other tags: DestAv (8/22), AccessViolation (21/22)