Bug#968354: xpdf crash with empty document
Package: xpdf
Version: 3.04-13
Severity: normal
Tag: security
On Debian Bullseye this crashes xpdf with coredump:
touch x.pdf; xpdf x.pdf
Funny, after a 2-byte Virtualbox (and now qemu) crash, this is
the shortest input for a DoS-bug I have seen so far :-)
For xpdf this bug itself is not really a security risk: an attacker
could also send a white page document or no document at all if
he wants the victim not to see a document. Still someone familiar
with the code should look at it, maybe some half-broken document
could turn the NULL-dereference into something more useful.
rax 0x0 0
0x000055555556e6d0 <+16>: je 0x55555556e6e0 <XPDFCore::loadFile(GooString const*, GooString*, GooString*)+32>
0x000055555556e6d2 <+18>: mov %ebp,%eax
0x000055555556e6d4 <+20>: pop %rbx
0x000055555556e6d5 <+21>: pop %rbp
0x000055555556e6d6 <+22>: pop %r12
0x000055555556e6d8 <+24>: retq
0x000055555556e6d9 <+25>: nopl 0x0(%rax)
0x000055555556e6e0 <+32>: mov 0x8(%rbx),%rax
=> 0x000055555556e6e4 <+36>: mov (%rax),%rax (doc is null)
0x000055555556e6e7 <+39>: mov (%rax),%rdi
0x000055555556e6ea <+42>: callq 0x55555557d730 <getModTime(char const*)>
Relevant source:
int XPDFCore::loadFile(const GString *fileName, GString *ownerPassword,
                       GString *userPassword) {
  int err;

  err = PDFCore::loadFile(fileName, ownerPassword, userPassword);
  if (err == errNone) {
    // save the modification time
    modTime = getModTime(doc->getFileName()->getCString());

    // update the parent window
    if (updateCbk) {
      (*updateCbk)(updateCbkData, doc->getFileName(), -1,
                   doc->getNumPages(), NULL);
    }
  }
  return err;
}
(gdb) print doc
$1 = (PDFDoc *) 0x0
If I understand correctly, "PDFCore::loadFile" does not return
an error when processing an empty file, but also does not set
the static variable "doc". This seems to be due to "xpdf/PDFCore.cc":
int PDFCore::loadFile2(PDFDoc *newDoc) {
  int err;
  double w, h, t;
  int i;

  // open the PDF file
  if (!newDoc->isOk()) {
    err = newDoc->getErrorCode();
    delete newDoc;
    return err;
  }
  ...
The PDFDoc seems to come from "libpoppler.so.82" already and
detects the problem:
Syntax Error: Document stream is empty
At a quick glance I could not see how this could result in !isOk()
but also in "err" not being set correctly. If the error should be in libpoppler,
then this is the relevant version:
ii libpoppler82:amd64 0.71.0-6 amd64 PDF rendering library
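Added example, not code from xpdf, poppler or this report: a small C++ model of the control flow described above, built from constructed stand-ins (FakeDoc, Core, the error codes) rather than the real PDFDoc/PDFCore classes. It shows a loader that returns errNone for a zero-byte input while leaving the document pointer null, the caller shaped like XPDFCore::loadFile that dereferences the pointer on errNone, and a hardened caller that treats "success without a document" as an error instead of trusting the return code alone.

```cpp
#include <iostream>
#include <memory>
#include <string>

// Added illustration, not code from xpdf, poppler or Debian. All types and
// error codes below are constructed stand-ins for the classes in the report.

enum ErrorCode { errNone = 0, errDamaged = 2, errInternal = 99 };  // constructed codes

struct FakeDoc {                       // stand-in for PDFDoc
    std::string fileName;
    int numPages;
    const std::string &getFileName() const { return fileName; }
    int getNumPages() const { return numPages; }
};

struct Core {                          // stand-in for PDFCore
    std::unique_ptr<FakeDoc> doc;      // stays null on the empty-file path
    int loadFile(const std::string &name, size_t sizeBytes) {
        // Modelled bug: an empty stream is "accepted" but no document is set.
        if (sizeBytes == 0) return errNone;
        doc = std::make_unique<FakeDoc>(FakeDoc{name, 1});
        return errNone;
    }
};

// Caller shaped like XPDFCore::loadFile in the report: errNone alone is
// taken as proof that doc is valid, so an empty file dereferences null.
int loadUnchecked(Core &core, const std::string &name, size_t sizeBytes,
                  std::string &outName) {
    int err = core.loadFile(name, sizeBytes);
    if (err == errNone) {
        outName = core.doc->getFileName();   // crashes when doc == nullptr
    }
    return err;
}

// Hardened caller: success without a document is reported as an internal
// error, so the pointer is never dereferenced and the UI gets an error code.
int loadChecked(Core &core, const std::string &name, size_t sizeBytes,
                std::string &outName) {
    int err = core.loadFile(name, sizeBytes);
    if (err == errNone && !core.doc) {
        return errInternal;
    }
    if (err == errNone) {
        outName = core.doc->getFileName();
    }
    return err;
}

// Convenience wrapper: result of the hardened path for a file of the given size.
int checkedResult(size_t sizeBytes) {
    Core core;
    std::string name;
    return loadChecked(core, "x.pdf", sizeBytes, name);
}

int main() {
    std::cout << "empty file (touch x.pdf) -> err " << checkedResult(0)
              << " (no dereference)\n";
    std::cout << "non-empty file -> err " << checkedResult(4096) << "\n";
    return 0;
}
```

The hardened caller is deliberately placed at the XPDFCore level as well as the loader level: even if the underlying library is fixed to return an error for an empty stream, a caller that checks the pointer it is about to dereference does not depend on every lower layer agreeing on what "success" means.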