Skip to content

Instantly share code, notes, and snippets.

@RootUp RootUp/poc.sh
Created Aug 31, 2019

Embed
What would you like to do?
null pointer dereference - xpdf 2.x
xpdf v2.0
PoC: https://gofile.io/?c=grUzbG
$ gdb ./pdfinfo
(gdb) run out/crashes/id:000000,sig:11,src:000000,op:flip1,pos:2971
Starting program: /home/input0/Downloads/xpdf-2.00/xpdf/pdfinfo out/crashes/id:000000,sig:11,src:000000,op:flip1,pos:2971
Error (2978): Dictionary key must be a name object
Error (2980): Dictionary key must be a name object
Error (2982): Dictionary key must be a name object
Error (2989): Dictionary key must be a name object
Error (0): PDF file is damaged - attempting to reconstruct xref table...
Program received signal SIGSEGV, Segmentation fault.
0x00000000004be249 in XRef::constructXRef (this=<optimized out>) at XRef.cc:421
421 if (!entries[num].used || gen >= entries[num].gen) {
(gdb) bt
#0 0x00000000004be249 in XRef::constructXRef (this=<optimized out>) at XRef.cc:421
#1 0x00000000004bd13f in XRef::XRef (this=0x741ea0, strA=<optimized out>, ownerPassword=0x0, userPassword=0x0) at XRef.cc:72
#2 0x000000000049d0fb in PDFDoc::setup (this=0x740cd0, ownerPassword=0x3, userPassword=0x3) at PDFDoc.cc:120
#3 0x000000000049cf3d in PDFDoc::PDFDoc (this=0x740cd0, fileNameA=<optimized out>, ownerPassword=0x0, userPassword=0x0) at PDFDoc.cc:96
#4 0x00000000004c0fc3 in main (argc=<optimized out>, argv=<optimized out>) at pdfinfo.cc:119
(gdb) i r
rax 0x0 0
rbx 0x741ed0 7610064
rcx 0x3 3
rdx 0x3 3
rsi 0x4d9f24 5087012
rdi 0x7fffffffd764 140737488344932
rbp 0x1 0x1
rsp 0x7fffffffd710 0x7fffffffd710
r8 0x7fffffffd763 140737488344931
r9 0x0 0
r10 0x7ffff7243cc0 140737339735232
r11 0x0 0
r12 0x7fffffffd760 140737488344928
r13 0xfffffffffffffffc -4
r14 0x741ea0 7610016
r15 0x741ed0 7610064
rip 0x4be249 0x4be249 <XRef::constructXRef()+857>
eflags 0x10202 [ IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
(gdb)
@RootUp

This comment has been minimized.

Copy link
Owner Author

RootUp commented Sep 3, 2019

NOTE: This was fuzzed only to collect corpous which can be used while fuzzing the latest version of xpdf.

@carnil

This comment has been minimized.

Copy link

carnil commented Sep 3, 2019

It looks that related to this there was assigned CVE-2019-15860. But this was fuzzed again a very ancient version. Is there information with which version this issue was fixed?

@RootUp

This comment has been minimized.

Copy link
Owner Author

RootUp commented Sep 3, 2019

Hi, apprently I have no such details for now. In which version this was fixed.

@msmeissn

This comment has been minimized.

Copy link

msmeissn commented Mar 11, 2020

It is not clear what the issue is here, but likely that num*sizeof/(XPDref) overflows?

I think this is in this 2004 advisory listed:

https://security.appspot.com/security/CESA-2004-007.txt

@msmeissn

This comment has been minimized.

Copy link

msmeissn commented Mar 11, 2020

this would make it CVE-2004-0888 I think ;)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.