PDF2JSON is a conversion library based on XPDF (3.02) which can be used for high performance PDF page by page conversion to JSON and XML format. It also supports compressing data to minimize size. PDF2JSON is available for Windows, OSX and Linux. Please see https://flowpaper.com for more information
SEGV (invalid write) on JBIG2Stream::readSymbolDictSeg #38
Hi,
Our fuzzer found a crash due to an invalid write in the function JBIG2Stream::readSymbolDictSeg (the latest commit b671b64 on master, version 0.70).
PoC: https://github.com/strongcourage/PoCs/blob/master/pdf2json_b671b64/PoC_segv_JBIG2Stream::readSymbolDictSeg
Valgrind says:

```
valgrind pdf2json $PoC /dev/null
==549== Invalid write of size 8
==549== at 0x473170: JBIG2Stream::readSymbolDictSeg(unsigned int, unsigned int, unsigned int*, unsigned int) (in /home/dungnguyen/PoCs/pdf2json_b671b64/pdf2json)
==549== by 0x471EF0: JBIG2Stream::readSegments() (in /home/dungnguyen/PoCs/pdf2json_b671b64/pdf2json)
==549== by 0x4718BF: JBIG2Stream::reset() (in /home/dungnguyen/PoCs/pdf2json_b671b64/pdf2json)
==549== by 0x40941E: Object::streamReset() (in /home/dungnguyen/PoCs/pdf2json_b671b64/pdf2json)
==549== by 0x48788A: Lexer::Lexer(XRef*, Object*) (in /home/dungnguyen/PoCs/pdf2json_b671b64/pdf2json)
==549== by 0x4542CE: Gfx::display(Object*, int) (in /home/dungnguyen/PoCs/pdf2json_b671b64/pdf2json)
==549== by 0x42A59E: Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, Links*, int, Catalog*, int (*)(void*), void*) (in /home/dungnguyen/PoCs/pdf2json_b671b64/pdf2json)
==549== by 0x42A14A: Page::display(OutputDev*, double, double, int, int, int, Links*, int, Catalog*, int (*)(void*), void*) (in /home/dungnguyen/PoCs/pdf2json_b671b64/pdf2json)
==549== by 0x42BCBD: PDFDoc::displayPage(OutputDev*, int, double, double, int, int, int, int, int (*)(void*), void*) (in /home/dungnguyen/PoCs/pdf2json_b671b64/pdf2json)
==549== by 0x42BD48: PDFDoc::displayPages(OutputDev*, int, int, double, double, int, int, int, int, int (*)(void*), void*) (in /home/dungnguyen/PoCs/pdf2json_b671b64/pdf2json)
==549== by 0x40269A: main (pdf2json.cc:275)
==549== Address 0x5b550d8 is 0 bytes after a block of size 264 alloc'd
==549== at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==549== by 0x48E521: gmalloc (in /home/dungnguyen/PoCs/pdf2json_b671b64/pdf2json)
==549== by 0x48E667: gmallocn (in /home/dungnguyen/PoCs/pdf2json_b671b64/pdf2json)
==549== by 0x472780: JBIG2Stream::readSymbolDictSeg(unsigned int, unsigned int, unsigned int*, unsigned int) (in /home/dungnguyen/PoCs/pdf2json_b671b64/pdf2json)
==549== by 0x471EF0: JBIG2Stream::readSegments() (in /home/dungnguyen/PoCs/pdf2json_b671b64/pdf2json)
==549== by 0x4718BF: JBIG2Stream::reset() (in /home/dungnguyen/PoCs/pdf2json_b671b64/pdf2json)
==549== by 0x40941E: Object::streamReset() (in /home/dungnguyen/PoCs/pdf2json_b671b64/pdf2json)
==549== by 0x48788A: Lexer::Lexer(XRef*, Object*) (in /home/dungnguyen/PoCs/pdf2json_b671b64/pdf2json)
==549== by 0x4542CE: Gfx::display(Object*, int) (in /home/dungnguyen/PoCs/pdf2json_b671b64/pdf2json)
==549== by 0x42A59E: Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, Links*, int, Catalog*, int (*)(void*), void*) (in /home/dungnguyen/PoCs/pdf2json_b671b64/pdf2json)
==549== by 0x42A14A: Page::display(OutputDev*, double, double, int, int, int, Links*, int, Catalog*, int (*)(void*), void*) (in /home/dungnguyen/PoCs/pdf2json_b671b64/pdf2json)
==549== by 0x42BCBD: PDFDoc::displayPage(OutputDev*, int, double, double, int, int, int, int, int (*)(void*), void*) (in /home/dungnguyen/PoCs/pdf2json_b671b64/pdf2json)
```

Thanks, Manh Dung
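The memcheck report above carries everything a fuzzing pipeline needs to bucket this crash: the access kind and width ("Invalid write of size 8"), where the address sits relative to a heap block ("0 bytes after a block of size 264"), and the two stacks (the faulting access and the allocation). The following is an added example, not pdf2json or xpdf code and not part of the reporter's post: a small Python triage script that parses that report shape into a structured record, classifies it as a heap buffer overflow, and builds a deduplication signature from the first project frame of each stack. The sample input is the trace from the issue, abridged to a few frames; `gmalloc` and `gmallocn` are treated as allocator wrappers only because they appear as such in the trace, and the "element index" it derives is a hypothesis (it assumes the block is an array of write-sized elements), not a statement about the real root cause.

```python
"""Triage a Valgrind memcheck 'Invalid read/write' report into a crash signature.

Added example (not pdf2json/xpdf code). Frames are keyed by symbol only,
because the binary in the report was built without debug info.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input: the memcheck output quoted in the issue, abridged to a few
# frames. The leading command line shows that non-report lines are ignored.
SAMPLE_REPORT = """\
valgrind pdf2json $PoC /dev/null
==549== Invalid write of size 8
==549==    at 0x473170: JBIG2Stream::readSymbolDictSeg(unsigned int, unsigned int, unsigned int*, unsigned int) (in /home/dungnguyen/PoCs/pdf2json_b671b64/pdf2json)
==549==    by 0x471EF0: JBIG2Stream::readSegments() (in /home/dungnguyen/PoCs/pdf2json_b671b64/pdf2json)
==549==    by 0x4718BF: JBIG2Stream::reset() (in /home/dungnguyen/PoCs/pdf2json_b671b64/pdf2json)
==549==    by 0x40269A: main (pdf2json.cc:275)
==549==  Address 0x5b550d8 is 0 bytes after a block of size 264 alloc'd
==549==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==549==    by 0x48E521: gmalloc (in /home/dungnguyen/PoCs/pdf2json_b671b64/pdf2json)
==549==    by 0x48E667: gmallocn (in /home/dungnguyen/PoCs/pdf2json_b671b64/pdf2json)
==549==    by 0x472780: JBIG2Stream::readSymbolDictSeg(unsigned int, unsigned int, unsigned int*, unsigned int) (in /home/dungnguyen/PoCs/pdf2json_b671b64/pdf2json)
"""

HEADER_RE = re.compile(r"^==\d+==\s+Invalid (read|write) of size (\d+)")
FRAME_RE = re.compile(r"^==\d+==\s+(?:at|by)\s+0x[0-9A-Fa-f]+:\s+(.*)$")
ADDR_RE = re.compile(
    r"^==\d+==\s+Address 0x[0-9A-Fa-f]+ is (\d+) bytes (after|before|inside) "
    r"a block of size (\d+) (alloc'd|free'd)"
)
# Allocator wrappers to skip when looking for the project frame that owns an
# allocation; gmalloc/gmallocn are the wrapper names visible in the trace.
ALLOC_WRAPPERS = {"malloc", "calloc", "realloc", "gmalloc", "gmallocn"}


@dataclass
class Frame:
    symbol: str    # function name without its parameter list
    location: str  # "in <binary>" or "file:line"


@dataclass
class Report:
    access: str  # "read" or "write"
    size: int    # bytes accessed
    access_stack: List[Frame] = field(default_factory=list)
    offset: Optional[int] = None        # distance from the block boundary
    relation: Optional[str] = None      # "after", "before" or "inside"
    block_size: Optional[int] = None
    block_state: Optional[str] = None   # "alloc'd" or "free'd"
    alloc_stack: List[Frame] = field(default_factory=list)


def parse_frame(text: str) -> Frame:
    # Split at the LAST " (" so C++ parameter lists containing parentheses,
    # e.g. "int (*)(void*)", stay with the symbol and only the location is cut off.
    body, sep, loc = text.rpartition(" (")
    if not sep:
        body, loc = text, ""
    return Frame(body.split("(", 1)[0].strip(), loc.rstrip(")"))


def parse_report(text: str) -> Report:
    report, stack = None, None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            report = Report(access=m.group(1), size=int(m.group(2)))
            stack = report.access_stack
            continue
        if report is None:
            continue  # command-line echo and other noise before the report
        m = ADDR_RE.match(line)
        if m:
            report.offset, report.relation = int(m.group(1)), m.group(2)
            report.block_size, report.block_state = int(m.group(3)), m.group(4)
            stack = report.alloc_stack  # frames after this line describe the allocation
            continue
        m = FRAME_RE.match(line)
        if m:
            stack.append(parse_frame(m.group(1)))
    if report is None:
        raise ValueError("no memcheck 'Invalid read/write' report found")
    return report


def classify(r: Report) -> str:
    if r.block_state == "free'd":
        return "heap-use-after-free"
    if r.relation in ("after", "before"):
        return f"heap-buffer-overflow-{r.access}"
    return f"invalid-{r.access}"  # no heap block context: stack, global or wild access


def first_project_frame(stack: List[Frame]) -> Optional[Frame]:
    for f in stack:
        if f.symbol not in ALLOC_WRAPPERS and "vgpreload" not in f.location:
            return f
    return None


def overflow_index(r: Report) -> Optional[int]:
    """Hypothesis only: if the block were an array of r.size-byte elements,
    which element index did an 'after' access touch? 264/8 == 33 here."""
    if r.relation != "after" or r.block_size is None:
        return None
    if r.block_size % r.size or r.offset % r.size:
        return None
    return r.block_size // r.size + r.offset // r.size


def signature(r: Report) -> str:
    crash, alloc = first_project_frame(r.access_stack), first_project_frame(r.alloc_stack)
    return "|".join([classify(r), str(r.size),
                     crash.symbol if crash else "?", alloc.symbol if alloc else "?"])


if __name__ == "__main__":
    rep = parse_report(SAMPLE_REPORT)
    print(signature(rep))
    print("suspected element index:", overflow_index(rep))
```

Bucketing on the signature rather than on the faulting address keeps the same bug from showing up as many distinct crashes across fuzzer runs (heap addresses differ from run to run, the symbols do not). The write size, offset and block size are kept in the record so a triager can see at a glance that this is a write of one pointer-sized element exactly at the end of the allocation, which is the shape a missing bounds check on an index produces; confirming that reading requires the source, which the report alone does not give.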