NULL Pointer Dereference in function AnnotsXrce::AnnotsXrce( ) - pdfalto-0.2
13 March, 2019
CVE Number
CWE
CWE-476: NULL Pointer Dereference
Product Details
pdfalto is a command line executable for parsing PDF files and producing structured XML representations of the PDF content in ALTO format
URL: https://github.com/kermitt2/pdfalto
Vulnerable Versions
0.2
Vulnerability Details
During our research we discovered a NULL pointer dereference in function AnnotsXrce::AnnotsXrce( ), located in AnnotsXrce.cc in pdfalto-0.2. It can be triggered by passing a crafted PDF file to the pdfalto binary: for the crafted annotation, link->getAction() returns NULL and the constructor immediately calls ac->isOk() on that pointer without checking it. It allows an attacker to cause a Denial of Service (segmentation fault) or possibly have unspecified other impact.
SYNOPSIS
under progress
Vulnerable Source Code
// ac is the value returned by link->getAction(); it is never tested for NULL before use
if (ac->isOk()) {
    xmlNodePtr nodeActionAction;
    xmlNodePtr nodeActionDEST;
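The following is an added example written for this advisory; it is not pdfalto's or xpdf's code. It models the pattern above with simplified stand-in Link and LinkAction classes (hypothetical, with a toy /URI-only parser) so that the unchecked dereference and the guarded form can be compared side by side. The GDB session further down shows ac == 0x0 for the crafted file; the model reproduces that by leaving the action pointer NULL whenever the annotation dictionary carries no usable action, which is a simplification of what the real parser does.

```cpp
#include <cstddef>
#include <cstdio>
#include <memory>
#include <string>
#include <utility>

// Simplified stand-ins for xpdf's LinkAction and Link classes. Hypothetical
// models written for this example only, not pdfalto's or xpdf's code.
class LinkAction {
public:
    explicit LinkAction(std::string uri) : uri_(std::move(uri)) {}
    bool isOk() const { return !uri_.empty(); }
    const std::string& uri() const { return uri_; }
private:
    std::string uri_;
};

class Link {
public:
    // Built from a flattened annotation dictionary. Only a /URI action is
    // recognised by this toy parser; any other annotation ends up with no
    // action, so getAction() returns NULL, mirroring the ac == 0x0 seen in
    // the GDB session for the crafted file.
    explicit Link(const std::string& annotDict) {
        const std::string key = "/URI (";
        std::size_t p = annotDict.find(key);
        if (p == std::string::npos) return;            // no action: pointer stays NULL
        p += key.size();
        std::size_t q = annotDict.find(')', p);
        if (q == std::string::npos) return;            // malformed string: pointer stays NULL
        action_ = std::make_unique<LinkAction>(annotDict.substr(p, q - p));
    }
    LinkAction* getAction() const { return action_.get(); }
private:
    std::unique_ptr<LinkAction> action_;
};

// Vulnerable shape, as in AnnotsXrce::AnnotsXrce: ac is dereferenced with no
// NULL check, so an annotation without a usable action crashes the process.
// Shown for contrast; never called on a link that has no action.
bool emitActionUnchecked(const Link& link) {
    LinkAction* ac = link.getAction();
    return ac->isOk();   // CWE-476: NULL pointer dereference when getAction() returned NULL
}

// Hardened shape: test the pointer before use and skip the annotation.
// Returns 1 when an action element would be emitted, 0 when the annotation
// is skipped because it carries no (valid) action.
int emitActionChecked(const Link& link) {
    LinkAction* ac = link.getAction();
    if (ac == nullptr || !ac->isOk()) {
        return 0;        // nothing to emit, and no dereference of a NULL pointer
    }
    return 1;
}

int main() {
    // Constructed sample annotation dictionaries; not taken from any real PoC file.
    Link withAction("<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example.org) >> >>");
    Link noAction("<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] >>");
    std::printf("with action: %d\n", emitActionChecked(withAction));   // 1
    std::printf("no action:   %d\n", emitActionChecked(noAction));     // 0
    return 0;
}
```

The fix in the real constructor is the same one-line guard: check the pointer returned by link->getAction() before calling isOk() on it, and skip (or log) the annotation when it is NULL.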
Analysis
GDB (gef) session at the crash:
[ Legend: Modified register | Code | Heap | Stack | String ]
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
$rax : 0x0
$rbx : 0x00007fffffffda40 → 0x000061700000f580 → 0x000061300000de80 → 0x00000000009c1828 → 0x000000000062bd46 → push rbp
$rcx : 0x300
$rdx : 0x0
$rsp : 0x00007fffffffd440 → 0x0000000041b58ab3
$rbp : 0x00007fffffffda70 → 0x00007fffffffdbf0 → 0x00007fffffffdd10 → 0x000000000090c360 → push r15
$rsi : 0x1
$rdi : 0x000060400000c850 → 0xbebebebebebebebe
$rip : 0x0000000000406adc → mov rax, QWORD PTR [rax]
$r8 : 0x0
$r9 : 0x35ef
$r10 : 0x50
$r11 : 0x00007ffff7efb310 → 0x0000000000000000
$r12 : 0x00000ffffffffabc → 0x0000000000000000
$r13 : 0x00007fffffffd5e0 → 0x0000000041b58ab3
$r14 : 0x000060400000c850 → 0xbebebebebebebebe
$r15 : 0x00007fffffffd5e0 → 0x0000000041b58ab3
$eflags: [carry PARITY adjust ZERO sign trap INTERRUPT direction overflow RESUME virtualx86 identification]
$cs: 0x0033 $ss: 0x002b $ds: 0x0000 $es: 0x0000 $fs: 0x0000 $gs: 0x0000
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
0x00007fffffffd440│+0x0000: 0x0000000041b58ab3 ← $rsp
0x00007fffffffd448│+0x0008: 0x0000602000010330 → 0xbebebebe0000003a (":"?)
0x00007fffffffd450│+0x0010: 0x000000010000000d → 0x0000000000000000
0x00007fffffffd458│+0x0018: 0x00007fffffffdb60 → 0x3ff0000000000000
0x00007fffffffd460│+0x0020: 0x0000611000009c80 → 0x000060800000bfa8 → 0x0000602000010ad0 → 0xbebebebe00000031 ("1"?)
0x00007fffffffd468│+0x0028: 0x000060c000007c00 → 0x0000000000000000
0x00007fffffffd470│+0x0030: 0x00007fffffffdb20 → 0xbebebebe00000006
0x00007fffffffd478│+0x0038: 0x0000602000106f50 → 0x0000000000000002
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:64 ────
0x406acd mov rdi, rax
0x406ad0 call 0x404a40
0x406ad5 mov rax, QWORD PTR [rbp-0x548]
→ 0x406adc mov rax, QWORD PTR [rax]
0x406adf add rax, 0x10
0x406ae3 mov rdx, rax
0x406ae6 mov rcx, rdx
0x406ae9 shr rcx, 0x3
0x406aed add rcx, 0x7fff8000
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── source:/home/aceteam/Downloads/sources/pdfalto/src/AnnotsXrce.cc+85 ────
80 Link *link = new Link(dict, catalog->getBaseURI());
81 //printf("%d \n",link->isOk());
82 LinkAction *ac = link->getAction();
83 //printf("ac %d \n",ac->isOk());
84 // Get the Action information
// ac=0x00007fffffffd528 → 0x0000000000000000
→ 85 if (ac->isOk()) {
86 xmlNodePtr nodeActionAction;
87 xmlNodePtr nodeActionDEST;
88 if (nodeAnnot) {
89 nodeActionAction = xmlNewNode(NULL, (const xmlChar *) TAG_ACTION);
90 nodeActionAction->type = XML_ELEMENT_NODE;
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "pdfalto", stopped, reason: SIGSEGV
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
[#0] 0x406adc → AnnotsXrce::AnnotsXrce(this=0x602000106f50, objA=@0x7fffffffdb20, docrootA=0x60c000007c00, catalog=0x611000009c80, ctmA=0x7fffffffdb60, pageNumA=0x1)
[#1] 0x40a94a → PDFDocXrce::displayPages(this=0x60800000bfa0, out=0x61500000c100, docrootA=0x60c000007c00, firstPage=0x1, lastPage=0x1, hDPI=72, vDPI=72, rotate=0x0, useMediaBox=0x0, crop=0x1, doLinks=0x0, abortCheckCbk=0x0, abortCheckCbkData=0x0)
[#2] 0x40bdf6 → main(argc=0x2, argv=0x7fffffffddf8)
gef➤ p ac
$9 = (LinkAction *) 0x0
gef➤ p ac->isOk()
Cannot access memory at address 0x0
Proof of Concept
./pdfalto -f 1 -l 2 -noText -noImage -outline -annotation -cutPages -blocks -readingOrder -ocr -fullFontName $POC
($POC is the path to the crafted PDF file.)
Timeline
Vendor Disclosure: 2019-03-13
Public Disclosure:
Credit
Discovered by ACE Team - Loginsoft