pdfalto
UAF in XmlAltoOutputDev.cc:6457
Hi,
I found a UAF bug in pdfalto (the latest commit 8296a3d on master).
PoC: https://github.com/strongcourage/PoCs/blob/master/pdfalto_8296a3d/PoC_uaf_TextPage::createPath
Command: pdfalto $PoC /dev/null
ASAN says:
==12326==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000036418 at pc 0x00000073e2f1 bp 0x7ffd2d16afa0 sp 0x7ffd2d16af90
READ of size 8 at 0x602000036418 thread T0
#0 0x73e2f0 in GString::~GString() /home/dungnguyen/gueb-testing/pdfalto-asan/xpdf-4.00/goo/GString.cc:209
#1 0x439fec in TextPage::createPath(GfxPath*, GfxState*, _xmlNode*) /home/dungnguyen/gueb-testing/pdfalto-asan/src/XmlAltoOutputDev.cc:6457
#2 0x43889d in TextPage::doPathForClip(GfxPath*, GfxState*, _xmlNode*) /home/dungnguyen/gueb-testing/pdfalto-asan/src/XmlAltoOutputDev.cc:6256
#3 0x43a51b in TextPage::clip(GfxState*) /home/dungnguyen/gueb-testing/pdfalto-asan/src/XmlAltoOutputDev.cc:6489
#4 0x446eac in XmlAltoOutputDev::clip(GfxState*) /home/dungnguyen/gueb-testing/pdfalto-asan/src/XmlAltoOutputDev.cc:8609
#5 0x6d90aa in Gfx::doEndPath() /home/dungnguyen/gueb-testing/pdfalto-asan/xpdf-4.00/xpdf/Gfx.cc:3436
#6 0x6c558a in Gfx::opStroke(Object*, int) /home/dungnguyen/gueb-testing/pdfalto-asan/xpdf-4.00/xpdf/Gfx.cc:1656
#7 0x6bd454 in Gfx::execOp(Object*, Object*, int) /home/dungnguyen/gueb-testing/pdfalto-asan/xpdf-4.00/xpdf/Gfx.cc:826
#8 0x6bca6f in Gfx::go(int) /home/dungnguyen/gueb-testing/pdfalto-asan/xpdf-4.00/xpdf/Gfx.cc:719
#9 0x6bc057 in Gfx::display(Object*, int) /home/dungnguyen/gueb-testing/pdfalto-asan/xpdf-4.00/xpdf/Gfx.cc:641
#10 0x61da5c in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/dungnguyen/gueb-testing/pdfalto-asan/xpdf-4.00/xpdf/Page.cc:373
#11 0x61d2a4 in Page::display(OutputDev*, double, double, int, int, int, int, int (*)(void*), void*) /home/dungnguyen/gueb-testing/pdfalto-asan/xpdf-4.00/xpdf/Page.cc:323
#12 0x621b51 in PDFDoc::displayPage(OutputDev*, int, double, double, int, int, int, int, int (*)(void*), void*) /home/dungnguyen/gueb-testing/pdfalto-asan/xpdf-4.00/xpdf/PDFDoc.cc:388
#13 0x621bda in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /home/dungnguyen/gueb-testing/pdfalto-asan/xpdf-4.00/xpdf/PDFDoc.cc:400
#14 0x40a6be in PDFDocXrce::displayPages(OutputDev*, _xmlNode*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /home/dungnguyen/gueb-testing/pdfalto-asan/src/PDFDocXrce.cc:22
#15 0x40be58 in main /home/dungnguyen/gueb-testing/pdfalto-asan/src/pdfalto.cc:390
#16 0x7f4e657cf82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#17 0x4062c8 in _start (/home/dungnguyen/PoCs/pdfalto_8296a3d/pdfalto-asan+0x4062c8)
0x602000036418 is located 8 bytes inside of 16-byte region [0x602000036410,0x602000036420)
freed by thread T0 here:
#0 0x7f4e6611fb8a in operator delete(void*) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99b8a)
#1 0x439ff4 in TextPage::createPath(GfxPath*, GfxState*, _xmlNode*) /home/dungnguyen/gueb-testing/pdfalto-asan/src/XmlAltoOutputDev.cc:6457
#2 0x438c1a in TextPage::doPath(GfxPath*, GfxState*, GString*) /home/dungnguyen/gueb-testing/pdfalto-asan/src/XmlAltoOutputDev.cc:6287
#3 0x446fef in XmlAltoOutputDev::doPath(GfxPath*, GfxState*, GString*) /home/dungnguyen/gueb-testing/pdfalto-asan/src/XmlAltoOutputDev.cc:8623
#4 0x446793 in XmlAltoOutputDev::stroke(GfxState*) /home/dungnguyen/gueb-testing/pdfalto-asan/src/XmlAltoOutputDev.cc:8561
#5 0x6c557e in Gfx::opStroke(Object*, int) /home/dungnguyen/gueb-testing/pdfalto-asan/xpdf-4.00/xpdf/Gfx.cc:1652
#6 0x6bd454 in Gfx::execOp(Object*, Object*, int) /home/dungnguyen/gueb-testing/pdfalto-asan/xpdf-4.00/xpdf/Gfx.cc:826
#7 0x6bca6f in Gfx::go(int) /home/dungnguyen/gueb-testing/pdfalto-asan/xpdf-4.00/xpdf/Gfx.cc:719
#8 0x6bc057 in Gfx::display(Object*, int) /home/dungnguyen/gueb-testing/pdfalto-asan/xpdf-4.00/xpdf/Gfx.cc:641
#9 0x61da5c in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/dungnguyen/gueb-testing/pdfalto-asan/xpdf-4.00/xpdf/Page.cc:373
#10 0x61d2a4 in Page::display(OutputDev*, double, double, int, int, int, int, int (*)(void*), void*) /home/dungnguyen/gueb-testing/pdfalto-asan/xpdf-4.00/xpdf/Page.cc:323
#11 0x621b51 in PDFDoc::displayPage(OutputDev*, int, double, double, int, int, int, int, int (*)(void*), void*) /home/dungnguyen/gueb-testing/pdfalto-asan/xpdf-4.00/xpdf/PDFDoc.cc:388
#12 0x621bda in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /home/dungnguyen/gueb-testing/pdfalto-asan/xpdf-4.00/xpdf/PDFDoc.cc:400
#13 0x40a6be in PDFDocXrce::displayPages(OutputDev*, _xmlNode*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /home/dungnguyen/gueb-testing/pdfalto-asan/src/PDFDocXrce.cc:22
#14 0x40be58 in main /home/dungnguyen/gueb-testing/pdfalto-asan/src/pdfalto.cc:390
#15 0x7f4e657cf82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
previously allocated by thread T0 here:
#0 0x7f4e6611f592 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99592)
#1 0x438f47 in TextPage::createPath(GfxPath*, GfxState*, _xmlNode*) /home/dungnguyen/gueb-testing/pdfalto-asan/src/XmlAltoOutputDev.cc:6317
#2 0x438c1a in TextPage::doPath(GfxPath*, GfxState*, GString*) /home/dungnguyen/gueb-testing/pdfalto-asan/src/XmlAltoOutputDev.cc:6287
#3 0x446fef in XmlAltoOutputDev::doPath(GfxPath*, GfxState*, GString*) /home/dungnguyen/gueb-testing/pdfalto-asan/src/XmlAltoOutputDev.cc:8623
#4 0x446793 in XmlAltoOutputDev::stroke(GfxState*) /home/dungnguyen/gueb-testing/pdfalto-asan/src/XmlAltoOutputDev.cc:8561
#5 0x6c557e in Gfx::opStroke(Object*, int) /home/dungnguyen/gueb-testing/pdfalto-asan/xpdf-4.00/xpdf/Gfx.cc:1652
#6 0x6bd454 in Gfx::execOp(Object*, Object*, int) /home/dungnguyen/gueb-testing/pdfalto-asan/xpdf-4.00/xpdf/Gfx.cc:826
#7 0x6bca6f in Gfx::go(int) /home/dungnguyen/gueb-testing/pdfalto-asan/xpdf-4.00/xpdf/Gfx.cc:719
#8 0x6bc057 in Gfx::display(Object*, int) /home/dungnguyen/gueb-testing/pdfalto-asan/xpdf-4.00/xpdf/Gfx.cc:641
#9 0x61da5c in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/dungnguyen/gueb-testing/pdfalto-asan/xpdf-4.00/xpdf/Page.cc:373
#10 0x61d2a4 in Page::display(OutputDev*, double, double, int, int, int, int, int (*)(void*), void*) /home/dungnguyen/gueb-testing/pdfalto-asan/xpdf-4.00/xpdf/Page.cc:323
#11 0x621b51 in PDFDoc::displayPage(OutputDev*, int, double, double, int, int, int, int, int (*)(void*), void*) /home/dungnguyen/gueb-testing/pdfalto-asan/xpdf-4.00/xpdf/PDFDoc.cc:388
#12 0x621bda in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /home/dungnguyen/gueb-testing/pdfalto-asan/xpdf-4.00/xpdf/PDFDoc.cc:400
#13 0x40a6be in PDFDocXrce::displayPages(OutputDev*, _xmlNode*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /home/dungnguyen/gueb-testing/pdfalto-asan/src/PDFDocXrce.cc:22
#14 0x40be58 in main /home/dungnguyen/gueb-testing/pdfalto-asan/src/pdfalto.cc:390
#15 0x7f4e657cf82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
Thanks, Manh Dung
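The trace above shows one line in TextPage::createPath (XmlAltoOutputDev.cc:6457) freeing a GString on the first call, reached through stroke(), and then reading that freed object on the second call, reached through clip(). As an added example, not pdfalto's or xpdf's code, here is one plausible shape of that pattern next to an ownership fix; GString is a mocked stand-in and the emitter names are hypothetical.

```cpp
#include <memory>
#include <string>

// Stand-in for xpdf's GString: counts destructions so single ownership
// can be checked. (Constructed for this example, not xpdf's class.)
struct GString {
    std::string s;
    static int destroyed;
    explicit GString(const char *c) : s(c) {}
    ~GString() { ++destroyed; }
};
int GString::destroyed = 0;

// Buggy shape, for contrast only and never called: createPath() deletes
// a raw pointer it does not null out, so the second call (reached via
// clip() after stroke() has already run) deletes the same block again.
// That is the free-then-read on one line that the ASAN report shows.
struct BuggyEmitter {              // hypothetical name
    GString *pathStr = nullptr;
    void createPath() {
        if (!pathStr) pathStr = new GString("path");
        delete pathStr;            // pathStr left dangling
    }
};

// Hardened shape: unique_ptr owns the string, reset() frees and nulls
// in one step, so repeated createPath() calls can never double-free.
struct SafeEmitter {               // hypothetical name
    std::unique_ptr<GString> pathStr;
    void createPath() {
        pathStr.reset(new GString("path"));   // drops any old one safely
        // ... emit the path element ...
        pathStr.reset();                      // free and null together
    }
    bool holdsPath() const { return static_cast<bool>(pathStr); }
};

// Drives the same call sequence as the report: stroke(), then clip().
// Returns the number of GString destructions observed (-1 on a leak).
int simulateStrokeThenClip() {
    GString::destroyed = 0;
    SafeEmitter e;
    e.createPath();                // via XmlAltoOutputDev::stroke()
    e.createPath();                // via XmlAltoOutputDev::clip()
    return e.holdsPath() ? -1 : GString::destroyed;   // expect 2
}
```

Running the buggy shape under ASAN reproduces a heap-use-after-free in ~GString of the same form as the report; the hardened shape destroys each GString exactly once.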
Same as #63, should be fixed as well