openjpeg
pdf2jp2: NULL pointer dereference (crash) when the unchecked result of strstr() is passed to sscanf()
Crash:
➜ tests git:(master) ✗ gdb pdf2jp2
pwndbg: loaded 170 commands. Type pwndbg [filter] for a list.
pwndbg: created $rebase, $ida gdb functions (can be used with print/break)
Reading symbols from pdf2jp2...done.
pwndbg> r test.pdf
Starting program: /home/openjpeg/tests/pdf2jp2 test.pdf
Program received signal SIGSEGV, Segmentation fault.
rawmemchr () at ../sysdeps/x86_64/rawmemchr.S:37
37 ../sysdeps/x86_64/rawmemchr.S: No such file or directory.
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
──────────────────────────────────────────────────────────────────────────────────[ REGISTERS ]───────────────────────────────────────────────────────────────────────────────────
RAX 0x7ffff7dd07a0 (_IO_str_jumps) ◂— 0x0
RBX 0x7fffffffcb40 ◂— 0xfbad8000
RCX 0x0
RDX 0x0
RDI 0x0
RSI 0x0
R8 0x0
R9 0x0
R10 0x361
R11 0x7ffff7ab7070 (__strstr_sse2_unaligned) ◂— movzx eax, byte ptr [rsi]
R12 0x0
R13 0x0
R14 0x0
R15 0x1
RBP 0x401c60 ◂— '/Length %d/'
RSP 0x7fffffffcb08 —▸ 0x7ffff7a89ff2 (_IO_str_init_static_internal+34) ◂— mov rbp, rax
RIP 0x7ffff7aa356f (rawmemchr+31) ◂— movdqu xmm0, xmmword ptr [rdi]
────────────────────────────────────────────────────────────────────────────────────[ DISASM ]────────────────────────────────────────────────────────────────────────────────────
► 0x7ffff7aa356f <rawmemchr+31> movdqu xmm0, xmmword ptr [rdi]
0x7ffff7aa3573 <rawmemchr+35> pcmpeqb xmm0, xmm1
0x7ffff7aa3577 <rawmemchr+39> pmovmskb eax, xmm0
0x7ffff7aa357b <rawmemchr+43> test eax, eax
0x7ffff7aa357d <rawmemchr+45> jne rawmemchr+464 <0x7ffff7aa3720>
↓
0x7ffff7aa3720 <rawmemchr+464> bsf eax, eax
0x7ffff7aa3723 <rawmemchr+467> add rax, rdi
0x7ffff7aa3726 <rawmemchr+470> ret
0x7ffff7aa3727 <rawmemchr+471> nop word ptr [rax + rax]
0x7ffff7aa3730 <rawmemchr+480> bsf eax, eax
0x7ffff7aa3733 <rawmemchr+483> lea rax, [rax + rdi + 0x10]
────────────────────────────────────────────────────────────────────────────────────[ STACK ]─────────────────────────────────────────────────────────────────────────────────────
00:0000│ rsp 0x7fffffffcb08 —▸ 0x7ffff7a89ff2 (_IO_str_init_static_internal+34) ◂— mov rbp, rax
01:0008│ 0x7fffffffcb10 ◂— 0x0
02:0010│ 0x7fffffffcb18 ◂— 0x399
03:0018│ 0x7fffffffcb20 —▸ 0x401c60 ◂— '/Length %d/'
04:0020│ 0x7fffffffcb28 —▸ 0x7fffffffcc68 ◂— 0x3000000010
05:0028│ 0x7fffffffcb30 ◂— 0x0
06:0030│ 0x7fffffffcb38 —▸ 0x7ffff7a7d267 (vsscanf+87) ◂— mov rdx, r12
07:0038│ rbx 0x7fffffffcb40 ◂— 0xfbad8000
──────────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]───────────────────────────────────────────────────────────────────────────────────
► f 0 7ffff7aa356f rawmemchr+31
f 1 7ffff7a89ff2 _IO_str_init_static_internal+34
f 2 7ffff7a7d267 vsscanf+87
f 3 7ffff7a77917 sscanf+135
f 4 4010eb main+1531
f 5 7ffff7a2d830 __libc_start_main+240
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
Program received signal SIGSEGV (fault address 0x0)
pwndbg> bt
#0 rawmemchr () at ../sysdeps/x86_64/rawmemchr.S:37
#1 0x00007ffff7a89ff2 in _IO_str_init_static_internal (sf=sf@entry=0x7fffffffcb40, ptr=ptr@entry=0x0, size=size@entry=0, pstart=pstart@entry=0x0) at strops.c:41
#2 0x00007ffff7a7d267 in _IO_vsscanf (string=0x0, format=0x401c60 "/Length %d/", args=args@entry=0x7fffffffcc68) at iovsscanf.c:40
#3 0x00007ffff7a77917 in __sscanf (s=<optimized out>, format=format@entry=0x401c60 "/Length %d/") at sscanf.c:32
#4 0x00000000004010eb in main (argc=argc@entry=2, argv=argv@entry=0x7fffffffe398) at pdf2jp2.c:114
#5 0x00007ffff7a2d830 in __libc_start_main (main=0x400af0 <main>, argc=2, argv=0x7fffffffe398, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe388) at ../csu/libc-start.c:291
#6 0x00000000004016e9 in _start ()
Check (breakpoint on the sscanf() call at pdf2jp2.c:114 confirms s2 is NULL before the call):
pwndbg> b pdf2jp2.c:114
Breakpoint 1 at 0x4010d7: file pdf2jp2.c, line 114.
pwndbg> r test.pdf
Starting program: /home/openjpeg/tests/pdf2jp2 test.pdf
Breakpoint 1, main (argc=argc@entry=2, argv=argv@entry=0x7fffffffe398) at pdf2jp2.c:114
114 s = sscanf(s2, "/Length %d/", &len);
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
──────────────────────────────────────────────────────────────────────────────────[ REGISTERS ]───────────────────────────────────────────────────────────────────────────────────
RAX 0x0
RBX 0x399
RCX 0x6874676e654c2f
RDX 0x4c
RDI 0x7fffffffce70 ◂— 0x646f636544000a51 /* 'Q\n' */
RSI 0x7fffffffd070 ◂— 0x6874676e654c2f /* '/Length' */
R8 0x100004
R9 0x0
R10 0x361
R11 0x7ffff7ab7070 (__strstr_sse2_unaligned) ◂— movzx eax, byte ptr [rsi]
R12 0x0
R13 0x0
R14 0x0
R15 0x1
RBP 0x604010 ◂— 0xfbad2488
RSP 0x7fffffffcd40 —▸ 0x7fffffffd279 ◂— 0x2020202020202020 (' ')
RIP 0x4010d7 (main+1511) ◂— lea rdx, [rsp + 0x1c]
────────────────────────────────────────────────────────────────────────────────────[ DISASM ]────────────────────────────────────────────────────────────────────────────────────
► 0x4010d7 <main+1511> lea rdx, [rsp + 0x1c]
0x4010dc <main+1516> mov rdi, rax
0x4010df <main+1519> mov esi, 0x401c60
0x4010e4 <main+1524> xor eax, eax
0x4010e6 <main+1526> call sscanf@plt <0x400a50>
0x4010eb <main+1531> cmp eax, 1
0x4010ee <main+1534> jne main+852 <0x400e44>
0x4010f4 <main+1540> lea rsp, [rsp - 0x98]
0x4010fc <main+1548> mov qword ptr [rsp], rdx
0x401100 <main+1552> mov qword ptr [rsp + 8], rcx
0x401105 <main+1557> mov qword ptr [rsp + 0x10], rax
────────────────────────────────────────────────────────────────────────────────[ SOURCE (CODE) ]─────────────────────────────────────────────────────────────────────────────────
In file: /home/openjpeg/tests/pdf2jp2.c
109 assert( ret == 0 );
110 r = fgets(buffer, sizeof(buffer), f);
111 assert( r );
112 const char needle2[] = "/Length";
113 char * s2 = strstr(buffer, needle2);
► 114 s = sscanf(s2, "/Length %d/", &len);
115 }
116 if( s == 1 )
117 {
118 FILE *jp2;
119 int j;
────────────────────────────────────────────────────────────────────────────────────[ STACK ]─────────────────────────────────────────────────────────────────────────────────────
00:0000│ rsp 0x7fffffffcd40 —▸ 0x7fffffffd279 ◂— 0x2020202020202020 (' ')
01:0008│ 0x7fffffffcd48 —▸ 0x7fffffffe669 ◂— 'test.pdf'
02:0010│ 0x7fffffffcd50 ◂— 0x0
... ↓
04:0020│ 0x7fffffffcd60 ◂— 0x399
05:0028│ 0x7fffffffcd68 ◂— 0x0
... ↓
──────────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]───────────────────────────────────────────────────────────────────────────────────
► f 0 4010d7 main+1511
f 1 7ffff7a2d830 __libc_start_main+240
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
Breakpoint pdf2jp2.c:114
pwndbg> p s2
$1 = 0x0
pwndbg> p len
$2 = 0
pwndbg> p *s2
Cannot access memory at address 0x0
Root cause: at pdf2jp2.c:113 `s2 = strstr(buffer, "/Length")` returns NULL when the line read by fgets() does not contain "/Length", and line 114 passes that NULL straight to sscanf(), which dereferences it (fault address 0x0 in rawmemchr). Any crafted PDF whose stream dictionary line lacks the "/Length" token triggers this, so the impact is a crash (denial of service) of the converter on untrusted input; from the path above the tool appears to live under tests/, so this looks like a helper utility rather than libopenjp2 itself. The minimal fix is a NULL check before the call, e.g. `if (s2 == NULL) { fprintf(stderr, "missing /Length\n"); return 1; }` (or set `s = 0` so the existing `if( s == 1 )` branch is skipped), and `len` should additionally be range-checked before it is used. Beyond this bug, sscanf() on attacker-controlled input should definitely be considered harmful in this day and age and replaced with bounded, explicitly validated parsing.