@RootUp RootUp/poc.sh
Created Sep 3, 2019

null pointer dereference - xpdf 3.04
xpdf v3.04
PoC: https://gofile.io/?c=QEDJrA
$ gdb ./pdfinfo
(gdb) run poc.pdf
Starting program: /home/input0/Downloads/xpdf-3.04/xpdf/pdfinfo poc.pdf
Syntax Error: Couldn't read xref table
Syntax Warning: PDF file is damaged - attempting to reconstruct xref table...
Syntax Error (895): Illegal character <2f> in hex string
Syntax Error (896): Illegal character <50> in hex string
Syntax Error (897): Illegal character <72> in hex string
Syntax Error (898): Illegal character <6f> in hex string
Syntax Error (900): Illegal character <75> in hex string
Syntax Error (903): Illegal character <72> in hex string
Syntax Error (904): Illegal character <78> in hex string
Syntax Error (905): Illegal character <72> in hex string
Syntax Error (913): Illegal character <25> in hex string
Syntax Error (914): Illegal character <25> in hex string
Syntax Error (916): Illegal character <4f> in hex string
Syntax Error: Unterminated hex string
Syntax Error (380): Dictionary key must be a name object
Syntax Error (276): Dictionary key must be a name object
Syntax Error (280): Dictionary key must be a name object
Syntax Error (300): Dictionary key must be a name object
Syntax Error (302): Dictionary key must be a name object
Syntax Error (304): Dictionary key must be a name object
Syntax Error (306): Dictionary key must be a name object
Syntax Error (312): Dictionary key must be a name object
Syntax Error (330): Dictionary key must be a name object
Syntax Error (332): Dictionary key must be a name object
Syntax Error (336): Dictionary key must be a name object
Syntax Error (339): Dictionary key must be a name object
Syntax Error (345): Dictionary key must be a name object
Syntax Error (380): Dictionary key must be a name object
Program received signal SIGSEGV, Segmentation fault.
0x000000000052102c in XRef::fetch (this=<optimized out>, num=6, gen=0, obj=0x7fffff7ff140, recursion=0) at XRef.cc:999
999 cache[0] = tmp;
(gdb) bt
#0 0x000000000052102c in XRef::fetch (this=<optimized out>, num=6, gen=0, obj=0x7fffff7ff140, recursion=0) at XRef.cc:999
#1 0x00000000004e20a3 in Object::fetch (this=<optimized out>, xref=<optimized out>, obj=0x2362, recursion=0) at Object.cc:106
#2 0x0000000000414fca in Array::get (this=<optimized out>, i=<optimized out>, obj=0x801550 <__afl_area_initial>) at Array.cc:61
#3 0x0000000000418c88 in Object::arrayGet (i=0, obj=0x7fffff7ff140, this=<optimized out>) at ./Object.h:231
#4 Catalog::countPageTree (this=0x858340, pagesObj=<optimized out>) at Catalog.cc:441
#5 0x0000000000418c93 in Catalog::countPageTree (this=0x858340, pagesObj=<optimized out>) at Catalog.cc:442
#6 0x0000000000418c93 in Catalog::countPageTree (this=0x858340, pagesObj=<optimized out>) at Catalog.cc:442
#7 0x0000000000418c93 in Catalog::countPageTree (this=0x858340, pagesObj=<optimized out>) at Catalog.cc:442
#8 0x0000000000418c93 in Catalog::countPageTree (this=0x858340, pagesObj=<optimized out>) at Catalog.cc:442
#9 0x0000000000418c93 in Catalog::countPageTree (this=0x858340, pagesObj=<optimized out>) at Catalog.cc:442
#10 0x0000000000418c93 in Catalog::countPageTree (this=0x858340, pagesObj=<optimized out>) at Catalog.cc:442
#11 0x0000000000418c93 in Catalog::countPageTree (this=0x858340, pagesObj=<optimized out>) at Catalog.cc:442
#12 0x0000000000418c93 in Catalog::countPageTree (this=0x858340, pagesObj=<optimized out>) at Catalog.cc:442
#13 0x0000000000418c93 in Catalog::countPageTree (this=0x858340, pagesObj=<optimized out>) at Catalog.cc:442
#14 0x0000000000418c93 in Catalog::countPageTree (this=0x858340, pagesObj=<optimized out>) at Catalog.cc:442
#15 0x0000000000418c93 in Catalog::countPageTree (this=0x858340, pagesObj=<optimized out>) at Catalog.cc:442
#16 0x0000000000418c93 in Catalog::countPageTree (this=0x858340, pagesObj=<optimized out>) at Catalog.cc:442
#17 0x0000000000418c93 in Catalog::countPageTree (this=0x858340, pagesObj=<optimized out>) at Catalog.cc:442
#18 0x0000000000418c93 in Catalog::countPageTree (this=0x858340, pagesObj=<optimized out>) at Catalog.cc:442
#19 0x0000000000418c93 in Catalog::countPageTree (this=0x858340, pagesObj=<optimized out>) at Catalog.cc:442
#20 0x0000000000418c93 in Catalog::countPageTree (this=0x858340, pagesObj=<optimized out>) at Catalog.cc:442
#21 0x0000000000418c93 in Catalog::countPageTree (this=0x858340, pagesObj=<optimized out>) at Catalog.cc:442
#22 0x0000000000418c93 in Catalog::countPageTree (this=0x858340, pagesObj=<optimized out>) at Catalog.cc:442
#23 0x0000000000418c93 in Catalog::countPageTree (this=0x858340, pagesObj=<optimized out>) at Catalog.cc:442
#24 0x0000000000418c93 in Catalog::countPageTree (this=0x858340, pagesObj=<optimized out>) at Catalog.cc:442
#25 0x0000000000418c93 in Catalog::countPageTree (this=0x858340, pagesObj=<optimized out>) at Catalog.cc:442
#26 0x0000000000418c93 in Catalog::countPageTree (this=0x858340, pagesObj=<optimized out>) at Catalog.cc:442
#27 0x0000000000418c93 in Catalog::countPageTree (this=0x858340, pagesObj=<optimized out>) at Catalog.cc:442
#28 0x0000000000418c93 in Catalog::countPageTree (this=0x858340, pagesObj=<optimized out>) at Catalog.cc:442
#29 0x0000000000418c93 in Catalog::countPageTree (this=0x858340, pagesObj=<optimized out>) at Catalog.cc:442
#30 0x0000000000418c93 in Catalog::countPageTree (this=0x858340, pagesObj=<optimized out>) at Catalog.cc:442
#31 0x0000000000418c93 in Catalog::countPageTree (this=0x858340, pagesObj=<optimized out>) at Catalog.cc:442
#32 0x0000000000418c93 in Catalog::countPageTree (this=0x858340, pagesObj=<optimized out>) at Catalog.cc:442
#33 0x0000000000418c93 in Catalog::countPageTree (this=0x858340, pagesObj=<optimized out>) at Catalog.cc:442
#34 0x0000000000418c93 in Catalog::countPageTree (this=0x858340, pagesObj=<optimized out>) at Catalog.cc:442
#35 0x0000000000418c93 in Catalog::countPageTree (this=0x858340, pagesObj=<optimized out>) at Catalog.cc:442
#36 0x0000000000418c93 in Catalog::countPageTree (this=0x858340, pagesObj=<optimized out>) at Catalog.cc:442
(gdb) i r
rax 0x2362 9058
rbx 0xfffffffffffffffc -4
rcx 0x801550 8394064
rdx 0x801550 8394064
rsi 0x7fffff7ff140 140737479962944
rdi 0x856cc8 8744136
rbp 0xfffffffffffffffc 0xfffffffffffffffc
rsp 0x7fffff7ff000 0x7fffff7ff000
r8 0x0 0
r9 0x856d08 8744200
r10 0x856d20 8744224
r11 0x246 582
r12 0x6 6
r13 0x856cc8 8744136
r14 0x7fffff7ff140 140737479962944
r15 0x0 0
rip 0x52102c 0x52102c <XRef::fetch(int, int, Object*, int)+2044>
eflags 0x10202 [ IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
(gdb)