Created
August 31, 2019 14:34
-
-
Save RootUp/b5de893bb2e51a4c846c5a0caa13b666 to your computer and use it in GitHub Desktop.
null pointer dereference - xpdf 2.x
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| xpdf v2.0 | |
| PoC: https://gofile.io/?c=grUzbG | |
| $ gdb ./pdfinfo | |
| (gdb) run out/crashes/id:000000,sig:11,src:000000,op:flip1,pos:2971 | |
| Starting program: /home/input0/Downloads/xpdf-2.00/xpdf/pdfinfo out/crashes/id:000000,sig:11,src:000000,op:flip1,pos:2971 | |
| Error (2978): Dictionary key must be a name object | |
| Error (2980): Dictionary key must be a name object | |
| Error (2982): Dictionary key must be a name object | |
| Error (2989): Dictionary key must be a name object | |
| Error (0): PDF file is damaged - attempting to reconstruct xref table... | |
| Program received signal SIGSEGV, Segmentation fault. | |
| 0x00000000004be249 in XRef::constructXRef (this=<optimized out>) at XRef.cc:421 | |
| 421 if (!entries[num].used || gen >= entries[num].gen) { | |
| (gdb) bt | |
| #0 0x00000000004be249 in XRef::constructXRef (this=<optimized out>) at XRef.cc:421 | |
| #1 0x00000000004bd13f in XRef::XRef (this=0x741ea0, strA=<optimized out>, ownerPassword=0x0, userPassword=0x0) at XRef.cc:72 | |
| #2 0x000000000049d0fb in PDFDoc::setup (this=0x740cd0, ownerPassword=0x3, userPassword=0x3) at PDFDoc.cc:120 | |
| #3 0x000000000049cf3d in PDFDoc::PDFDoc (this=0x740cd0, fileNameA=<optimized out>, ownerPassword=0x0, userPassword=0x0) at PDFDoc.cc:96 | |
| #4 0x00000000004c0fc3 in main (argc=<optimized out>, argv=<optimized out>) at pdfinfo.cc:119 | |
| (gdb) i r | |
| rax 0x0 0 | |
| rbx 0x741ed0 7610064 | |
| rcx 0x3 3 | |
| rdx 0x3 3 | |
| rsi 0x4d9f24 5087012 | |
| rdi 0x7fffffffd764 140737488344932 | |
| rbp 0x1 0x1 | |
| rsp 0x7fffffffd710 0x7fffffffd710 | |
| r8 0x7fffffffd763 140737488344931 | |
| r9 0x0 0 | |
| r10 0x7ffff7243cc0 140737339735232 | |
| r11 0x0 0 | |
| r12 0x7fffffffd760 140737488344928 | |
| r13 0xfffffffffffffffc -4 | |
| r14 0x741ea0 7610016 | |
| r15 0x741ed0 7610064 | |
| rip 0x4be249 0x4be249 <XRef::constructXRef()+857> | |
| eflags 0x10202 [ IF RF ] | |
| cs 0x33 51 | |
| ss 0x2b 43 | |
| ds 0x0 0 | |
| es 0x0 0 | |
| fs 0x0 0 | |
| gs 0x0 0 | |
| (gdb) |
It looks that related to this there was assigned CVE-2019-15860. But this was fuzzed again a very ancient version. Is there information with which version this issue was fixed?
Hi, apprently I have no such details for now. In which version this was fixed.
It is not clear what the issue is here, but likely that num*sizeof/(XPDref) overflows?
I think this is in this 2004 advisory listed:
this would make it CVE-2004-0888 I think ;)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
NOTE: This was fuzzed only to collect corpous which can be used while fuzzing the latest version of xpdf.