@RootUp RootUp/poc.sh
Created Aug 31, 2019

null pointer dereference - xpdf 2.x
xpdf v2.0
PoC: https://gofile.io/?c=grUzbG
$ gdb ./pdfinfo
(gdb) run out/crashes/id:000000,sig:11,src:000000,op:flip1,pos:2971
Starting program: /home/input0/Downloads/xpdf-2.00/xpdf/pdfinfo out/crashes/id:000000,sig:11,src:000000,op:flip1,pos:2971
Error (2978): Dictionary key must be a name object
Error (2980): Dictionary key must be a name object
Error (2982): Dictionary key must be a name object
Error (2989): Dictionary key must be a name object
Error (0): PDF file is damaged - attempting to reconstruct xref table...
Program received signal SIGSEGV, Segmentation fault.
0x00000000004be249 in XRef::constructXRef (this=<optimized out>) at XRef.cc:421
421 if (!entries[num].used || gen >= entries[num].gen) {
(gdb) bt
#0 0x00000000004be249 in XRef::constructXRef (this=<optimized out>) at XRef.cc:421
#1 0x00000000004bd13f in XRef::XRef (this=0x741ea0, strA=<optimized out>, ownerPassword=0x0, userPassword=0x0) at XRef.cc:72
#2 0x000000000049d0fb in PDFDoc::setup (this=0x740cd0, ownerPassword=0x3, userPassword=0x3) at PDFDoc.cc:120
#3 0x000000000049cf3d in PDFDoc::PDFDoc (this=0x740cd0, fileNameA=<optimized out>, ownerPassword=0x0, userPassword=0x0) at PDFDoc.cc:96
#4 0x00000000004c0fc3 in main (argc=<optimized out>, argv=<optimized out>) at pdfinfo.cc:119
(gdb) i r
rax 0x0 0
rbx 0x741ed0 7610064
rcx 0x3 3
rdx 0x3 3
rsi 0x4d9f24 5087012
rdi 0x7fffffffd764 140737488344932
rbp 0x1 0x1
rsp 0x7fffffffd710 0x7fffffffd710
r8 0x7fffffffd763 140737488344931
r9 0x0 0
r10 0x7ffff7243cc0 140737339735232
r11 0x0 0
r12 0x7fffffffd760 140737488344928
r13 0xfffffffffffffffc -4
r14 0x741ea0 7610016
r15 0x741ed0 7610064
rip 0x4be249 0x4be249 <XRef::constructXRef()+857>
eflags 0x10202 [ IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
(gdb)
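The faulting frame above is the xref-reconstruction path that pdfinfo falls into once it prints "PDF file is damaged - attempting to reconstruct xref table": object numbers scraped out of an untrusted file end up as indices into the entries table, and the fault lands on `entries[num].used`. The following is an added illustration written for this page, not xpdf's XRef::constructXRef and not a claim about the exact root cause of this crash (the gist does not give one). It shows the unchecked shape of that crash site next to a checked version, run over a constructed damaged-PDF buffer; every name in it (xref_t, record_unchecked, record_checked, MAX_OBJ_NUM, SAMPLE_PDF) is this example's own.

```c
/* Added illustration for this page (not xpdf's code): indexing an xref
 * entries table by an object number read from a damaged file, unchecked
 * beside checked.  All names here are this example's own. */
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_OBJ_NUM (1L << 24)   /* assumed sane ceiling for object numbers */
#define MAX_GEN     65535L       /* assumed sane ceiling for generation numbers */

typedef struct { long offset; int gen; int used; } xref_entry_t;
typedef struct { xref_entry_t *entries; int size; } xref_t; /* entries is NULL until first grow */

/* Round the table up to a multiple of 256 entries and mark the new slots unused. */
static int grow(xref_t *x, long need) {
    if (need < 1 || need > MAX_OBJ_NUM + 1) return -1;
    long new_size = (need + 255) & ~255L;
    xref_entry_t *e = realloc(x->entries, (size_t)new_size * sizeof *e);
    if (!e) return -1;
    for (long i = x->size; i < new_size; i++) { e[i].offset = -1; e[i].gen = 0; e[i].used = 0; }
    x->entries = e;
    x->size = (int)new_size;
    return 0;
}

/* Unchecked shape of the crash site: grow only when num >= size, then index.
 * On an empty table (entries == NULL, size == 0) a negative num skips the grow
 * and reads a few bytes below address 0, which is a SIGSEGV. Demo only. */
static void record_unchecked(xref_t *x, int num, int gen, long offset) {
    if (num >= x->size) grow(x, num + 1);
    if (!x->entries[num].used || gen >= x->entries[num].gen) {
        x->entries[num].offset = offset;
        x->entries[num].gen = gen;
        x->entries[num].used = 1;
    }
}

/* Checked version: validate num and gen before they touch the table.
 * Returns 1 if recorded, 0 if an equal-or-newer generation is already there,
 * -1 if a value is out of range or the table cannot grow. */
static int record_checked(xref_t *x, long num, long gen, long offset) {
    if (num < 0 || num > MAX_OBJ_NUM || gen < 0 || gen > MAX_GEN) return -1;
    if (num >= x->size && grow(x, num + 1) != 0) return -1;
    xref_entry_t *e = &x->entries[num];   /* safe here: 0 <= num < size, entries != NULL */
    if (e->used && gen < e->gen) return 0;
    e->offset = offset; e->gen = (int)gen; e->used = 1;
    return 1;
}

/* Bounds-checked lookup; NULL for out-of-range or unused object numbers. */
static const xref_entry_t *xref_lookup(const xref_t *x, long num) {
    if (!x->entries || num < 0 || num >= x->size || !x->entries[num].used) return NULL;
    return &x->entries[num];
}

static const char *next_line(const char *p) {
    while (*p && *p != '\n') p++;
    return *p ? p + 1 : p;
}

/* Scan a NUL-terminated buffer line by line for "<num> <gen> obj" headers, the
 * way reconstruction does once the real xref table is unusable.  strtol + errno
 * rejects overflowed numbers that atoi would silently turn into bad indices; a
 * leading '-' is let through on purpose so the range check, not the scanner,
 * is what rejects it.  Returns how many entries were recorded. */
static int reconstruct_xref(xref_t *x, const char *buf) {
    int recorded = 0;
    for (const char *line = buf; *line; line = next_line(line)) {
        if (!isdigit((unsigned char)*line) && *line != '-') continue;
        char *end;
        errno = 0;
        long num = strtol(line, &end, 10);
        if (end == line || errno != 0 || *end != ' ') continue;
        const char *g = end + 1;
        errno = 0;
        long gen = strtol(g, &end, 10);
        if (end == g || errno != 0 || strncmp(end, " obj", 4) != 0) continue;
        if (record_checked(x, num, gen, (long)(line - buf)) == 1) recorded++;
    }
    return recorded;
}

/* Constructed sample of a damaged PDF (no xref table at all), for this example only. */
static const char SAMPLE_PDF[] =
    "%PDF-1.4\n"
    "1 0 obj\n<< /Type /Catalog /Pages 3 0 R >>\nendobj\n"
    "3 1 obj\n<< /Type /Pages /Count 0 >>\nendobj\n"
    "3 2 obj\n<< /Type /Pages /Count 0 >>\nendobj\n"   /* newer generation replaces 3 1 */
    "3 0 obj\n<< >>\nendobj\n"                         /* older generation is ignored */
    "-7 0 obj\n<< >>\nendobj\n"                        /* negative number: rejected */
    "99999999999999999999 0 obj\n<< >>\nendobj\n"      /* overflows long: rejected */
    "trailer\n<< /Root 1 0 R >>\n";

static xref_t sample_xref;
static int sample_count = -1;
static xref_t *sample_table(void) {             /* table built once from SAMPLE_PDF */
    if (sample_count < 0) sample_count = reconstruct_xref(&sample_xref, SAMPLE_PDF);
    return &sample_xref;
}
static int sample_recorded(void) { sample_table(); return sample_count; }

int main(int argc, char **argv) {
    xref_t *x = sample_table();
    printf("recorded %d objects, table size %d\n", sample_recorded(), x->size);
    for (long i = 0; i < x->size; i++) {
        const xref_entry_t *e = xref_lookup(x, i);
        if (e) printf("  obj %ld gen %d at offset %ld\n", i, e->gen, e->offset);
    }
    if (argc > 1 && strcmp(argv[1], "--crash") == 0) {   /* opt in to the unchecked path */
        xref_t empty = { NULL, 0 };
        record_unchecked(&empty, -1, 0, 0);              /* faults: entries is NULL */
    }
    return 0;
}
```

Run it plain to see three entries recorded (object 3 ending up at generation 2), or with `--crash` to watch the unchecked routine fault on the empty table. The point for triage is the order of checks: the object number and generation are validated against a fixed ceiling, the table is grown or the record is refused, and only then is the slot dereferenced, so neither a NULL table nor a negative or oversized index can reach `entries[num]`.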
@RootUp (Owner Author) commented Sep 3, 2019:

NOTE: This was fuzzed only to collect a corpus which can be used while fuzzing the latest version of xpdf.

@carnil commented Sep 3, 2019:

It looks like CVE-2019-15860 was assigned for this. But this was fuzzed against a very ancient version. Is there information on which version this issue was fixed in?

@RootUp (Owner Author) commented Sep 3, 2019:

Hi, apparently I have no such details for now about which version this was fixed in.
