CVE-2019-9543: Recursive function call in function JBIG2Stream::readGenericBitmap() – poppler 0.74.0

Loginsoft-2019-1099

28 February, 2019

CVE Number

CVE-2019-9543

CWE

CWE-20: Improper Input Validation

Product Details

Poppler is a free software utility library for rendering Portable Document Format documents.
URL: https://gitlab.freedesktop.org/poppler/poppler/

Vulnerable Versions

0.74.0

Vulnerability Details

During our research we found a recursive function call in JBIG2Stream::readGenericBitmap(), located in JBIG2Stream.cc in poppler 0.74.0. It can be triggered by supplying a crafted PDF file to the pdfseparate binary. It allows an attacker to cause a Denial of Service (segmentation fault) or possibly have unspecified other impact.
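The decoder in question is only reached through PDF streams filtered with /JBIG2Decode, so a defender can triage incoming PDFs for that filter before handing them to an unpatched poppler. The scanner below is an added example written for this advisory, not poppler code or the original PoC; it assumes uncompressed top-level objects (streams packed inside object streams are not seen) and the sample PDF bytes are constructed.

```python
"""Flag PDF streams that use the JBIG2Decode filter (the input path into
poppler's JBIG2Stream). Added triage example, not part of poppler."""
import re

# "<num> <gen> obj <<dict>> stream"; applied per 'endobj' chunk so a dict-only
# object cannot swallow the next object's dictionary. Objects inside /ObjStm
# containers stay invisible unless decompressed first (known limitation).
_OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\s*(<<.*?>>)\s*stream", re.DOTALL)


def _filters(dict_bytes: bytes) -> list:
    """Return filter names from '/Filter /X' or '/Filter [/X /Y]'."""
    m = re.search(rb"/Filter\s*(\[[^\]]*\]|/[A-Za-z0-9]+)", dict_bytes)
    if not m:
        return []
    return [n.decode() for n in re.findall(rb"/([A-Za-z0-9]+)", m.group(1))]


def find_jbig2_streams(pdf: bytes) -> list:
    """Return [(objnum, gen, has_globals)] for each JBIG2Decode stream."""
    hits = []
    for chunk in pdf.split(b"endobj"):
        m = _OBJ_RE.search(chunk)
        if m and "JBIG2Decode" in _filters(m.group(3)):
            hits.append((int(m.group(1)), int(m.group(2)),
                         b"/JBIG2Globals" in m.group(3)))
    return hits


# Constructed minimal PDF fragment (not a real poppler test file): one Flate
# stream, one JBIG2 stream referencing a globals stream, and the globals stream.
SAMPLE_PDF = (
    b"%PDF-1.5\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"4 0 obj\n<< /Length 3 /Filter /FlateDecode >>\nstream\nabc\nendstream\nendobj\n"
    b"5 0 obj\n<< /Length 4 /Filter [/JBIG2Decode]"
    b" /DecodeParms [<< /JBIG2Globals 6 0 R >>] >>\n"
    b"stream\n\x00\x00\x00\x01\nendstream\nendobj\n"
    b"6 0 obj\n<< /Length 2 /Filter /JBIG2Decode >>\nstream\n\x00\x01\nendstream\nendobj\n"
    b"%%EOF\n")

if __name__ == "__main__":
    for num, gen, globs in find_jbig2_streams(SAMPLE_PDF):
        print(f"JBIG2Decode stream at {num} {gen} obj (globals: {globs})")
```

A hit does not mean the file is malicious; it means the file exercises the JBIG2 decoder and deserves isolation or a patched build before processing.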

Synopsis

In Progress

Vulnerable Source Code

JArithmeticDecoder::decodeByte(unsigned int context, JArithmeticDecoderStats *stats)

Analysis

Debug output (GDB):

[ Legend: Modified register | Code | Heap | Stack | String ]
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ registers ]────
$rax : 0x7fff8cf5c800 → 0x0000000000000000
$rbx : 0x3be980 
$rcx : 0x7fff8cff5000 → 0x0000000000000000
$rdx : 0x7fff8d31b180 → 0x0000000000000000
$rsp : 0x7fffffffc158 → 0x00007ffff6e78cdf → mov rcx, QWORD PTR [rbp-0x38]
$rbp : 0x7fffffffc9e0 → 0x00007fffffffca00 → 0x00007fffffffcdb0 → 0x00007fffffffd3b0 → 0x00007fffffffd5f0 → 0x00007fffffffd620 → 0x00007fffffffd640 → 0x00007fffffffd740
$rsi : 0x0 
$rdi : 0x7fff8cf5c800 → 0x0000000000000000
$rip : 0x7ffff5b58963 →  movdqa XMMWORD PTR [rcx], xmm0
$r8 : 0x1000719e3900 → 0x0000000000000000
$r9 : 0x100071a5b630 → 0xfafafafafafafa01
$r10 : 0x4032 
$r11 : 0x202 
$r12 : 0x7fff8cf5c800 → 0x0000000000000000
$r13 : 0x7fff8d31b180 → 0x0000000000000000
$r14 : 0x0 
$r15 : 0x0 
$eflags: [zero carry parity adjust sign trap INTERRUPT direction overflow RESUME virtualx86 identification]
$fs: 0x0000 $gs: 0x0000 $ds: 0x0000 $cs: 0x0033 $es: 0x0000 $ss: 0x002b 
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ stack ]────
0x00007fffffffc158│+0x00: 0x00007ffff6e78cdf → mov rcx, QWORD PTR [rbp-0x38] ← $rsp
0x00007fffffffc160│+0x08: 0x00007ffff6726e6f →  mov QWORD PTR [rbp-0x2d8], r14
0x00007fffffffc168│+0x10: 0x00007ffff6722a77 →  add rsp, 0xb0
0x00007fffffffc170│+0x18: 0x00007ffff671f5a2 →  xor eax, 0x1
0x00007fffffffc178│+0x20: 0x00007ffff671e351 →  mov rax, QWORD PTR [rbp-0x18]
0x00007fffffffc180│+0x28: 0x00007ffff6609541 →  nop 
0x00007fffffffc188│+0x30: 0x00007ffff673bee2 →  nop 
0x00007fffffffc190│+0x38: 0x00007ffff66354eb → 0x00000040bfe6894d → 0x0000000000000000
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ code:i386:x86-64 ]────
0x7ffff5b5895a  and rdx, 0xffffffffffffffc0
0x7ffff5b5895e  cmp rcx, rdx
0x7ffff5b58961  je 0x7ffff5b58923 
→ 0x7ffff5b58963  movdqa XMMWORD PTR [rcx], xmm0
0x7ffff5b58967  movdqa XMMWORD PTR [rcx+0x10], xmm0
0x7ffff5b5896c  movdqa XMMWORD PTR [rcx+0x20], xmm0
0x7ffff5b58971  movdqa XMMWORD PTR [rcx+0x30], xmm0
0x7ffff5b58976  add rcx, 0x40
0x7ffff5b5897a  cmp rdx, rcx
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ threads ]────
[#0] Id 1, Name: "pdfimages", stopped, reason: SIGINT
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ trace ]────
[#0] 0x7ffff5b58963 → Name: __memset_sse2_unaligned_erms()
[#1] 0x7ffff6e78cdf → mov rcx, QWORD PTR [rbp-0x38]
[#2] 0x7ffff671b455 → Name: JBIG2Bitmap::clearToZero(this=0x60300001b400)
[#3] 0x7ffff6726f27 → Name: JBIG2Stream::readTextRegion(this=0x612000000f40, huff=0x0, refine=0x1, w=0x95e, h=0x3320, numInstances=0x5, logStrips=0x0, numSyms=0x3d0, symCodeTab=0x0, symCodeLen=0xe, syms=0x633000000800, defPixel=0x0, combOp=0x0, transposed=0x0, refCorner=0x1, sOffset=0x0, huffFSTable=0x7ffff6de4de0 , huffDSTable=0x7ffff6de5020 , huffDTTable=0x7ffff6de54c0 , huffRDWTable=0x7ffff6de5840 , huffRDHTable=0x7ffff6de5840 , huffRDXTable=0x7ffff6de5840 , huffRDYTable=0x7ffff6de5840 , huffRSizeTable=0x7ffff6de4aa0 , templ=0x0, atx=0x7fffffffd280, aty=0x7fffffffd2c0)
[#4] 0x7ffff6722a77 → Name: JBIG2Stream::readSymbolDictSeg(this=0x612000000f40, segNum=0x0, length=0x2e2e2e2e, refSegs=0x0, nRefSegs=0x0)
[#5] 0x7ffff671f5a2 → Name: JBIG2Stream::readSegments(this=0x612000000f40)
[#6] 0x7ffff671e351 → Name: JBIG2Stream::reset(this=0x612000000f40)
[#7] 0x7ffff6609541 → Name: Object::streamReset(this=0x610000001658)
[#8] 0x7ffff673bee2 → Name: Lexer::Lexer(this=0x610000001640, xrefA=0x6120000001c0, obj=0x7fffffffd910)
[#9] 0x7ffff66354eb → Name: Gfx::display(this=0x612000000ac0, obj=0x7fffffffd910, topLevel=0x1)

Proof of Concept

pdfseparate -f 1 -l 2 $POC res-%d.pdf

Vendor Disclosure: 2019-2-28
Public Disclosure: 2019-3-2

Credit

Discovered by ACE Team – Loginsoft