kermitt2 / pdfalto

PDF to XML ALTO file converter
GNU General Public License v2.0

UAF in XmlAltoOutputDev.cc:6457 #64

Open strongcourage opened 5 years ago

strongcourage commented 5 years ago

Hi,

I found a UAF bug in (the latest commit 8296a3d on master).

PoC: https://github.com/strongcourage/PoCs/blob/master/pdfalto_8296a3d/PoC_uaf_TextPage::createPath

Command: pdfalto $PoC /dev/null

ASAN says:

==12326==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000036418 at pc 0x00000073e2f1 bp 0x7ffd2d16afa0 sp 0x7ffd2d16af90
READ of size 8 at 0x602000036418 thread T0
    #0 0x73e2f0 in GString::~GString() /home/dungnguyen/gueb-testing/pdfalto-asan/xpdf-4.00/goo/GString.cc:209
    #1 0x439fec in TextPage::createPath(GfxPath*, GfxState*, _xmlNode*) /home/dungnguyen/gueb-testing/pdfalto-asan/src/XmlAltoOutputDev.cc:6457
    #2 0x43889d in TextPage::doPathForClip(GfxPath*, GfxState*, _xmlNode*) /home/dungnguyen/gueb-testing/pdfalto-asan/src/XmlAltoOutputDev.cc:6256
    #3 0x43a51b in TextPage::clip(GfxState*) /home/dungnguyen/gueb-testing/pdfalto-asan/src/XmlAltoOutputDev.cc:6489
    #4 0x446eac in XmlAltoOutputDev::clip(GfxState*) /home/dungnguyen/gueb-testing/pdfalto-asan/src/XmlAltoOutputDev.cc:8609
    #5 0x6d90aa in Gfx::doEndPath() /home/dungnguyen/gueb-testing/pdfalto-asan/xpdf-4.00/xpdf/Gfx.cc:3436
    #6 0x6c558a in Gfx::opStroke(Object*, int) /home/dungnguyen/gueb-testing/pdfalto-asan/xpdf-4.00/xpdf/Gfx.cc:1656
    #7 0x6bd454 in Gfx::execOp(Object*, Object*, int) /home/dungnguyen/gueb-testing/pdfalto-asan/xpdf-4.00/xpdf/Gfx.cc:826
    #8 0x6bca6f in Gfx::go(int) /home/dungnguyen/gueb-testing/pdfalto-asan/xpdf-4.00/xpdf/Gfx.cc:719
    #9 0x6bc057 in Gfx::display(Object*, int) /home/dungnguyen/gueb-testing/pdfalto-asan/xpdf-4.00/xpdf/Gfx.cc:641
    #10 0x61da5c in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/dungnguyen/gueb-testing/pdfalto-asan/xpdf-4.00/xpdf/Page.cc:373
    #11 0x61d2a4 in Page::display(OutputDev*, double, double, int, int, int, int, int (*)(void*), void*) /home/dungnguyen/gueb-testing/pdfalto-asan/xpdf-4.00/xpdf/Page.cc:323
    #12 0x621b51 in PDFDoc::displayPage(OutputDev*, int, double, double, int, int, int, int, int (*)(void*), void*) /home/dungnguyen/gueb-testing/pdfalto-asan/xpdf-4.00/xpdf/PDFDoc.cc:388
    #13 0x621bda in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /home/dungnguyen/gueb-testing/pdfalto-asan/xpdf-4.00/xpdf/PDFDoc.cc:400
    #14 0x40a6be in PDFDocXrce::displayPages(OutputDev*, _xmlNode*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /home/dungnguyen/gueb-testing/pdfalto-asan/src/PDFDocXrce.cc:22
    #15 0x40be58 in main /home/dungnguyen/gueb-testing/pdfalto-asan/src/pdfalto.cc:390
    #16 0x7f4e657cf82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #17 0x4062c8 in _start (/home/dungnguyen/PoCs/pdfalto_8296a3d/pdfalto-asan+0x4062c8)

0x602000036418 is located 8 bytes inside of 16-byte region [0x602000036410,0x602000036420)
freed by thread T0 here:
    #0 0x7f4e6611fb8a in operator delete(void*) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99b8a)
    #1 0x439ff4 in TextPage::createPath(GfxPath*, GfxState*, _xmlNode*) /home/dungnguyen/gueb-testing/pdfalto-asan/src/XmlAltoOutputDev.cc:6457
    #2 0x438c1a in TextPage::doPath(GfxPath*, GfxState*, GString*) /home/dungnguyen/gueb-testing/pdfalto-asan/src/XmlAltoOutputDev.cc:6287
    #3 0x446fef in XmlAltoOutputDev::doPath(GfxPath*, GfxState*, GString*) /home/dungnguyen/gueb-testing/pdfalto-asan/src/XmlAltoOutputDev.cc:8623
    #4 0x446793 in XmlAltoOutputDev::stroke(GfxState*) /home/dungnguyen/gueb-testing/pdfalto-asan/src/XmlAltoOutputDev.cc:8561
    #5 0x6c557e in Gfx::opStroke(Object*, int) /home/dungnguyen/gueb-testing/pdfalto-asan/xpdf-4.00/xpdf/Gfx.cc:1652
    #6 0x6bd454 in Gfx::execOp(Object*, Object*, int) /home/dungnguyen/gueb-testing/pdfalto-asan/xpdf-4.00/xpdf/Gfx.cc:826
    #7 0x6bca6f in Gfx::go(int) /home/dungnguyen/gueb-testing/pdfalto-asan/xpdf-4.00/xpdf/Gfx.cc:719
    #8 0x6bc057 in Gfx::display(Object*, int) /home/dungnguyen/gueb-testing/pdfalto-asan/xpdf-4.00/xpdf/Gfx.cc:641
    #9 0x61da5c in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/dungnguyen/gueb-testing/pdfalto-asan/xpdf-4.00/xpdf/Page.cc:373
    #10 0x61d2a4 in Page::display(OutputDev*, double, double, int, int, int, int, int (*)(void*), void*) /home/dungnguyen/gueb-testing/pdfalto-asan/xpdf-4.00/xpdf/Page.cc:323
    #11 0x621b51 in PDFDoc::displayPage(OutputDev*, int, double, double, int, int, int, int, int (*)(void*), void*) /home/dungnguyen/gueb-testing/pdfalto-asan/xpdf-4.00/xpdf/PDFDoc.cc:388
    #12 0x621bda in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /home/dungnguyen/gueb-testing/pdfalto-asan/xpdf-4.00/xpdf/PDFDoc.cc:400
    #13 0x40a6be in PDFDocXrce::displayPages(OutputDev*, _xmlNode*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /home/dungnguyen/gueb-testing/pdfalto-asan/src/PDFDocXrce.cc:22
    #14 0x40be58 in main /home/dungnguyen/gueb-testing/pdfalto-asan/src/pdfalto.cc:390
    #15 0x7f4e657cf82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

previously allocated by thread T0 here:
    #0 0x7f4e6611f592 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99592)
    #1 0x438f47 in TextPage::createPath(GfxPath*, GfxState*, _xmlNode*) /home/dungnguyen/gueb-testing/pdfalto-asan/src/XmlAltoOutputDev.cc:6317
    #2 0x438c1a in TextPage::doPath(GfxPath*, GfxState*, GString*) /home/dungnguyen/gueb-testing/pdfalto-asan/src/XmlAltoOutputDev.cc:6287
    #3 0x446fef in XmlAltoOutputDev::doPath(GfxPath*, GfxState*, GString*) /home/dungnguyen/gueb-testing/pdfalto-asan/src/XmlAltoOutputDev.cc:8623
    #4 0x446793 in XmlAltoOutputDev::stroke(GfxState*) /home/dungnguyen/gueb-testing/pdfalto-asan/src/XmlAltoOutputDev.cc:8561
    #5 0x6c557e in Gfx::opStroke(Object*, int) /home/dungnguyen/gueb-testing/pdfalto-asan/xpdf-4.00/xpdf/Gfx.cc:1652
    #6 0x6bd454 in Gfx::execOp(Object*, Object*, int) /home/dungnguyen/gueb-testing/pdfalto-asan/xpdf-4.00/xpdf/Gfx.cc:826
    #7 0x6bca6f in Gfx::go(int) /home/dungnguyen/gueb-testing/pdfalto-asan/xpdf-4.00/xpdf/Gfx.cc:719
    #8 0x6bc057 in Gfx::display(Object*, int) /home/dungnguyen/gueb-testing/pdfalto-asan/xpdf-4.00/xpdf/Gfx.cc:641
    #9 0x61da5c in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/dungnguyen/gueb-testing/pdfalto-asan/xpdf-4.00/xpdf/Page.cc:373
    #10 0x61d2a4 in Page::display(OutputDev*, double, double, int, int, int, int, int (*)(void*), void*) /home/dungnguyen/gueb-testing/pdfalto-asan/xpdf-4.00/xpdf/Page.cc:323
    #11 0x621b51 in PDFDoc::displayPage(OutputDev*, int, double, double, int, int, int, int, int (*)(void*), void*) /home/dungnguyen/gueb-testing/pdfalto-asan/xpdf-4.00/xpdf/PDFDoc.cc:388
    #12 0x621bda in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /home/dungnguyen/gueb-testing/pdfalto-asan/xpdf-4.00/xpdf/PDFDoc.cc:400
    #13 0x40a6be in PDFDocXrce::displayPages(OutputDev*, _xmlNode*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /home/dungnguyen/gueb-testing/pdfalto-asan/src/PDFDocXrce.cc:22
    #14 0x40be58 in main /home/dungnguyen/gueb-testing/pdfalto-asan/src/pdfalto.cc:390
    #15 0x7f4e657cf82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

Thanks, Manh Dung
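A triage helper for the report above, added here as an example and not part of pdfalto or the reporter's PoC: it splits an ASAN heap-use-after-free report into its use, free and allocation stacks, picks the first frame under the project's own source tree (the `/src/` path component is an assumption taken from the paths shown above), and flags the pattern visible in this report, a destructor running on the very line that already freed the object, which points at a double delete rather than a dangling read. The embedded report is an abridged, constructed excerpt of the one quoted above, with the home directory shortened.

```python
import re

# Constructed, abridged excerpt of the ASAN report quoted above (top frames, paths shortened).
SAMPLE_REPORT = """\
READ of size 8 at 0x602000036418 thread T0
    #0 0x73e2f0 in GString::~GString() /home/u/pdfalto-asan/xpdf-4.00/goo/GString.cc:209
    #1 0x439fec in TextPage::createPath(GfxPath*, GfxState*, _xmlNode*) /home/u/pdfalto-asan/src/XmlAltoOutputDev.cc:6457
    #2 0x43889d in TextPage::doPathForClip(GfxPath*, GfxState*, _xmlNode*) /home/u/pdfalto-asan/src/XmlAltoOutputDev.cc:6256
freed by thread T0 here:
    #0 0x7f4e6611fb8a in operator delete(void*) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99b8a)
    #1 0x439ff4 in TextPage::createPath(GfxPath*, GfxState*, _xmlNode*) /home/u/pdfalto-asan/src/XmlAltoOutputDev.cc:6457
    #2 0x438c1a in TextPage::doPath(GfxPath*, GfxState*, GString*) /home/u/pdfalto-asan/src/XmlAltoOutputDev.cc:6287
previously allocated by thread T0 here:
    #0 0x7f4e6611f592 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99592)
    #1 0x438f47 in TextPage::createPath(GfxPath*, GfxState*, _xmlNode*) /home/u/pdfalto-asan/src/XmlAltoOutputDev.cc:6317
"""

# One symbolized frame: "#N 0xADDR in FUNC FILE:LINE"; frames without FILE:LINE (libc, libasan) are skipped.
FRAME_RE = re.compile(r"^\s*#\d+\s+0x[0-9a-f]+\s+in\s+(.+?)\s+(\S+):(\d+)$")
SECTIONS = {"READ of size": "use", "WRITE of size": "use",
            "freed by thread": "free", "previously allocated by thread": "alloc"}

def parse_asan_uaf(report):
    """Split the report into the use / free / alloc stacks as (func, full_path, line) tuples."""
    stacks, current = {"use": [], "free": [], "alloc": []}, None
    for line in report.splitlines():
        section = next((k for p, k in SECTIONS.items() if line.startswith(p)), None)
        if section:
            current = section
            continue
        m = FRAME_RE.match(line)
        if m and current:
            stacks[current].append((m.group(1), m.group(2), int(m.group(3))))
    return stacks

def first_project_frame(stack, project_dir="/src/"):
    """First frame whose file lives under the project's own tree (assumed '/src/'), not xpdf or libc."""
    for func, path, line in stack:
        if project_dir in path:
            return func, path.rsplit("/", 1)[-1], line
    return None

def triage(report):
    """Summarize the three sites; suspect a double delete when the faulting access is a
    destructor and the free already happened at the same project source line."""
    s = parse_asan_uaf(report)
    use, free, alloc = (first_project_frame(s[k]) for k in ("use", "free", "alloc"))
    use_is_dtor = bool(s["use"]) and "::~" in s["use"][0][0]
    return {"use": use, "free": free, "alloc": alloc,
            "double_delete_suspected": bool(use and free and use_is_dtor and use[1:] == free[1:])}
```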

kermitt2 commented 3 years ago

Same as #63, should be fixed as well