Created
September 3, 2019 18:29
-
-
Save RootUp/3d9e90ea5ae0799305b4c7ec66e19387 to your computer and use it in GitHub Desktop.
null pointer dereference - xpdf 3.04
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| xpdf v3.04 | |
| PoC: https://gofile.io/?c=QEDJrA | |
| $ gdb ./pdfinfo | |
| (gdb) run poc.pdf | |
| Starting program: /home/input0/Downloads/xpdf-3.04/xpdf/pdfinfo poc.pdf | |
| Syntax Error: Couldn't read xref table | |
| Syntax Warning: PDF file is damaged - attempting to reconstruct xref table... | |
| Syntax Error (895): Illegal character <2f> in hex string | |
| Syntax Error (896): Illegal character <50> in hex string | |
| Syntax Error (897): Illegal character <72> in hex string | |
| Syntax Error (898): Illegal character <6f> in hex string | |
| Syntax Error (900): Illegal character <75> in hex string | |
| Syntax Error (903): Illegal character <72> in hex string | |
| Syntax Error (904): Illegal character <78> in hex string | |
| Syntax Error (905): Illegal character <72> in hex string | |
| Syntax Error (913): Illegal character <25> in hex string | |
| Syntax Error (914): Illegal character <25> in hex string | |
| Syntax Error (916): Illegal character <4f> in hex string | |
| Syntax Error: Unterminated hex string | |
| Syntax Error (380): Dictionary key must be a name object | |
| Syntax Error (276): Dictionary key must be a name object | |
| Syntax Error (280): Dictionary key must be a name object | |
| Syntax Error (300): Dictionary key must be a name object | |
| Syntax Error (302): Dictionary key must be a name object | |
| Syntax Error (304): Dictionary key must be a name object | |
| Syntax Error (306): Dictionary key must be a name object | |
| Syntax Error (312): Dictionary key must be a name object | |
| Syntax Error (330): Dictionary key must be a name object | |
| Syntax Error (332): Dictionary key must be a name object | |
| Syntax Error (336): Dictionary key must be a name object | |
| Syntax Error (339): Dictionary key must be a name object | |
| Syntax Error (345): Dictionary key must be a name object | |
| Syntax Error (380): Dictionary key must be a name object | |
| Program received signal SIGSEGV, Segmentation fault. | |
| 0x000000000052102c in XRef::fetch (this=<optimized out>, num=6, gen=0, obj=0x7fffff7ff140, recursion=0) at XRef.cc:999 | |
| 999 cache[0] = tmp; | |
| (gdb) bt | |
| #0 0x000000000052102c in XRef::fetch (this=<optimized out>, num=6, gen=0, obj=0x7fffff7ff140, recursion=0) at XRef.cc:999 | |
| #1 0x00000000004e20a3 in Object::fetch (this=<optimized out>, xref=<optimized out>, obj=0x2362, recursion=0) at Object.cc:106 | |
| #2 0x0000000000414fca in Array::get (this=<optimized out>, i=<optimized out>, obj=0x801550 <__afl_area_initial>) at Array.cc:61 | |
| #3 0x0000000000418c88 in Object::arrayGet (i=0, obj=0x7fffff7ff140, this=<optimized out>) at ./Object.h:231 | |
| #4 Catalog::countPageTree (this=0x858340, pagesObj=<optimized out>) at Catalog.cc:441 | |
| #5 0x0000000000418c93 in Catalog::countPageTree (this=0x858340, pagesObj=<optimized out>) at Catalog.cc:442 | |
| #6 0x0000000000418c93 in Catalog::countPageTree (this=0x858340, pagesObj=<optimized out>) at Catalog.cc:442 | |
| #7 0x0000000000418c93 in Catalog::countPageTree (this=0x858340, pagesObj=<optimized out>) at Catalog.cc:442 | |
| #8 0x0000000000418c93 in Catalog::countPageTree (this=0x858340, pagesObj=<optimized out>) at Catalog.cc:442 | |
| #9 0x0000000000418c93 in Catalog::countPageTree (this=0x858340, pagesObj=<optimized out>) at Catalog.cc:442 | |
| #10 0x0000000000418c93 in Catalog::countPageTree (this=0x858340, pagesObj=<optimized out>) at Catalog.cc:442 | |
| #11 0x0000000000418c93 in Catalog::countPageTree (this=0x858340, pagesObj=<optimized out>) at Catalog.cc:442 | |
| #12 0x0000000000418c93 in Catalog::countPageTree (this=0x858340, pagesObj=<optimized out>) at Catalog.cc:442 | |
| #13 0x0000000000418c93 in Catalog::countPageTree (this=0x858340, pagesObj=<optimized out>) at Catalog.cc:442 | |
| #14 0x0000000000418c93 in Catalog::countPageTree (this=0x858340, pagesObj=<optimized out>) at Catalog.cc:442 | |
| #15 0x0000000000418c93 in Catalog::countPageTree (this=0x858340, pagesObj=<optimized out>) at Catalog.cc:442 | |
| #16 0x0000000000418c93 in Catalog::countPageTree (this=0x858340, pagesObj=<optimized out>) at Catalog.cc:442 | |
| #17 0x0000000000418c93 in Catalog::countPageTree (this=0x858340, pagesObj=<optimized out>) at Catalog.cc:442 | |
| #18 0x0000000000418c93 in Catalog::countPageTree (this=0x858340, pagesObj=<optimized out>) at Catalog.cc:442 | |
| #19 0x0000000000418c93 in Catalog::countPageTree (this=0x858340, pagesObj=<optimized out>) at Catalog.cc:442 | |
| #20 0x0000000000418c93 in Catalog::countPageTree (this=0x858340, pagesObj=<optimized out>) at Catalog.cc:442 | |
| #21 0x0000000000418c93 in Catalog::countPageTree (this=0x858340, pagesObj=<optimized out>) at Catalog.cc:442 | |
| #22 0x0000000000418c93 in Catalog::countPageTree (this=0x858340, pagesObj=<optimized out>) at Catalog.cc:442 | |
| #23 0x0000000000418c93 in Catalog::countPageTree (this=0x858340, pagesObj=<optimized out>) at Catalog.cc:442 | |
| #24 0x0000000000418c93 in Catalog::countPageTree (this=0x858340, pagesObj=<optimized out>) at Catalog.cc:442 | |
| #25 0x0000000000418c93 in Catalog::countPageTree (this=0x858340, pagesObj=<optimized out>) at Catalog.cc:442 | |
| #26 0x0000000000418c93 in Catalog::countPageTree (this=0x858340, pagesObj=<optimized out>) at Catalog.cc:442 | |
| #27 0x0000000000418c93 in Catalog::countPageTree (this=0x858340, pagesObj=<optimized out>) at Catalog.cc:442 | |
| #28 0x0000000000418c93 in Catalog::countPageTree (this=0x858340, pagesObj=<optimized out>) at Catalog.cc:442 | |
| #29 0x0000000000418c93 in Catalog::countPageTree (this=0x858340, pagesObj=<optimized out>) at Catalog.cc:442 | |
| #30 0x0000000000418c93 in Catalog::countPageTree (this=0x858340, pagesObj=<optimized out>) at Catalog.cc:442 | |
| #31 0x0000000000418c93 in Catalog::countPageTree (this=0x858340, pagesObj=<optimized out>) at Catalog.cc:442 | |
| #32 0x0000000000418c93 in Catalog::countPageTree (this=0x858340, pagesObj=<optimized out>) at Catalog.cc:442 | |
| #33 0x0000000000418c93 in Catalog::countPageTree (this=0x858340, pagesObj=<optimized out>) at Catalog.cc:442 | |
| #34 0x0000000000418c93 in Catalog::countPageTree (this=0x858340, pagesObj=<optimized out>) at Catalog.cc:442 | |
| #35 0x0000000000418c93 in Catalog::countPageTree (this=0x858340, pagesObj=<optimized out>) at Catalog.cc:442 | |
| #36 0x0000000000418c93 in Catalog::countPageTree (this=0x858340, pagesObj=<optimized out>) at Catalog.cc:442 | |
| (gdb) i r | |
| rax 0x2362 9058 | |
| rbx 0xfffffffffffffffc -4 | |
| rcx 0x801550 8394064 | |
| rdx 0x801550 8394064 | |
| rsi 0x7fffff7ff140 140737479962944 | |
| rdi 0x856cc8 8744136 | |
| rbp 0xfffffffffffffffc 0xfffffffffffffffc | |
| rsp 0x7fffff7ff000 0x7fffff7ff000 | |
| r8 0x0 0 | |
| r9 0x856d08 8744200 | |
| r10 0x856d20 8744224 | |
| r11 0x246 582 | |
| r12 0x6 6 | |
| r13 0x856cc8 8744136 | |
| r14 0x7fffff7ff140 140737479962944 | |
| r15 0x0 0 | |
| rip 0x52102c 0x52102c <XRef::fetch(int, int, Object*, int)+2044> | |
| eflags 0x10202 [ IF RF ] | |
| cs 0x33 51 | |
| ss 0x2b 43 | |
| ds 0x0 0 | |
| es 0x0 0 | |
| fs 0x0 0 | |
| gs 0x0 0 | |
| (gdb) |
Hi, I am not sure if I have that corpus but could you please try with the below one,
https://github.com/RootUp/PersonalStuff/raw/master/poc.pdf.zip
Thank you for the quick response! I accidently used XpdfReader 4.02 on Windows instead of XpdfReader 3.04 on Linux, but your PoC produces a crash nonetheless. The stack trace is considerably different, though. For my purposes, this is sufficient, so thank you very much!
In case you’re interested, here is my stack trace:
(3194.5294): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
xpdf!Catalog::~Catalog+0x1a1:
00007ff7`bd3beb51 397e0c cmp dword ptr [rsi+0Ch],edi ds:baadf00d`baadf019=????????
0:000> k
# Child-SP RetAddr Call Site
00 0000005c`dd75a110 00007ff7`bd432b30 xpdf!Catalog::~Catalog+0x1a1 [c:\xpdf\xpdf-4.02\xpdf\catalog.cc @ 295]
01 0000005c`dd75a160 00007ff7`bd432c05 xpdf!PDFDoc::setup2+0x120 [c:\xpdf\xpdf-4.02\xpdf\pdfdoc.cc @ 312]
02 0000005c`dd75a1b0 00007ff7`bd431625 xpdf!PDFDoc::setup+0x45 [c:\xpdf\xpdf-4.02\xpdf\pdfdoc.cc @ 261]
03 0000005c`dd75a1f0 00007ff7`bd45a89c xpdf!PDFDoc::PDFDoc+0x185 [c:\xpdf\xpdf-4.02\xpdf\pdfdoc.cc @ 153]
04 0000005c`dd75a340 00007ff7`bd351c49 xpdf!PDFCore::loadFile+0x6c [c:\xpdf\xpdf-4.02\xpdf\pdfcore.cc @ 149]
05 0000005c`dd75a390 00007ff7`bd36ca66 xpdf!QtPDFCore::loadFile+0x29 [c:\xpdf\xpdf-4.02\xpdf-qt\qtpdfcore.cc @ 145]
06 0000005c`dd75a3f0 00007ff7`bd365d36 xpdf!XpdfWidget::loadFile+0xf6 [c:\xpdf\xpdf-4.02\xpdf-qt\xpdfwidget.cc @ 300]
07 0000005c`dd75a470 00007ff7`bd359668 xpdf!XpdfViewer::open+0x46 [c:\xpdf\xpdf-4.02\xpdf-qt\xpdfviewer.cc @ 868]
08 0000005c`dd75a4f0 00007ff7`bd3622b1 xpdf!XpdfViewer::cmdOpen+0x218 [c:\xpdf\xpdf-4.02\xpdf-qt\xpdfviewer.cc @ 1484]
09 0000005c`dd75a580 00007ffa`5de36d8d xpdf!XpdfViewer::execCmd+0x211 [c:\xpdf\xpdf-4.02\xpdf-qt\xpdfviewer.cc @ 1042]
0a 0000005c`dd75a650 00007ffa`6f596f9f Qt5Core!QObject::qt_static_metacall+0xcfd
0b 0000005c`dd75a790 00007ffa`6f6f7ea9 Qt5Widgets!QAction::activate+0x10f
0c 0000005c`dd75a7d0 00007ffa`6f6f7c67 Qt5Widgets!QMenu::actionGeometry+0x509
0d 0000005c`dd75a860 00007ffa`6f6fd3c9 Qt5Widgets!QMenu::actionGeometry+0x2c7
0e 0000005c`dd75a910 00007ffa`6f5ccdd4 Qt5Widgets!QMenu::mouseReleaseEvent+0xb9
0f 0000005c`dd75a940 00007ffa`6f6f959c Qt5Widgets!QWidget::event+0x144
10 0000005c`dd75ab20 00007ffa`6f5a7b4a Qt5Widgets!QMenu::event+0x17c
11 0000005c`dd75abb0 00007ffa`6f5a5789 Qt5Widgets!QApplicationPrivate::notify_helper+0x13a
12 0000005c`dd75abe0 00007ffa`5de17839 Qt5Widgets!QApplication::notify+0x8a9
13 0000005c`dd75b300 00007ffa`6f5a91f3 Qt5Core!QCoreApplication::notifyInternal2+0xb9
14 0000005c`dd75b380 00007ffa`6f5f69e1 Qt5Widgets!QApplicationPrivate::sendMouseEvent+0x3e3
15 0000005c`dd75b450 00007ffa`6f5f4e45 Qt5Widgets!QSizePolicy::QSizePolicy+0x2731
16 0000005c`dd75b840 00007ffa`6f5a7b4a Qt5Widgets!QSizePolicy::QSizePolicy+0xb95
17 0000005c`dd75b990 00007ffa`6f5a6aa7 Qt5Widgets!QApplicationPrivate::notify_helper+0x13a
18 0000005c`dd75b9c0 00007ffa`5de17839 Qt5Widgets!QApplication::notify+0x1bc7
19 0000005c`dd75c0e0 00007ffa`5e298de1 Qt5Core!QCoreApplication::notifyInternal2+0xb9
1a 0000005c`dd75c160 00007ffa`5e2839fb Qt5Gui!QGuiApplicationPrivate::processMouseEvent+0x911
1b 0000005c`dd75c650 00007ffa`5de618b0 Qt5Gui!QWindowSystemInterface::sendWindowSystemEvents+0x9b
1c 0000005c`dd75c680 00007ffa`6e0853e9 Qt5Core!QEventDispatcherWin32::processEvents+0x70
1d 0000005c`dd75f7e0 00007ffa`5de1384b qwindows!qt_plugin_query_metadata+0x1ea9
1e 0000005c`dd75f810 00007ffa`5de1687e Qt5Core!QEventLoop::exec+0x1eb
1f 0000005c`dd75f890 00007ff7`bd36e5af Qt5Core!QCoreApplication::exec+0x15e
20 0000005c`dd75f900 00007ff7`bd36e4a0 xpdf!main+0x4f [c:\xpdf\xpdf-4.02\xpdf-qt\xpdf.cc @ 22]
21 0000005c`dd75f9a0 00007ff7`bd49c392 xpdf!WinMain+0x110 [c:\xpdf\xpdf-4.02\xpdf-qt\xpdf.cc @ 52]
22 (Inline Function) --------`-------- xpdf!invoke_main+0x21 [d:\agent\_work\2\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 102]
23 0000005c`dd75fa10 00007ffa`d5257bd4 xpdf!__scrt_common_main_seh+0x106 [d:\agent\_work\2\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 288]
24 0000005c`dd75fa50 00007ffa`d53ace51 KERNEL32!BaseThreadInitThunk+0x14
25 0000005c`dd75fa80 00000000`00000000 ntdll!RtlUserThreadStart+0x21
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The PoC is no longer reachable at the address https://gofile.io/?c=QEDJrA. Would you mind uploading it again? I would greatly appreciate it for my current research project.