Foxit PDF Reader 1.0.1.0925 - CPDF_DIBSource::TranslateScanline24bpp Out-of-Bounds Read

2016-06-13T00:00:00
ID EDB-ID:39941
Type exploitdb
Reporter Google Security Research
Modified 2016-06-13T00:00:00

Description

Foxit PDF Reader 1.0.1.0925 - CPDF_DIBSource::TranslateScanline24bpp Out-of-Bounds Read. Dos exploit for linux platform

                                        
                                            Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=744

We have identified the following crash due to an out-of-bounds read in Foxit PDF Reader (version 1.0.1.0925 for Linux 64-bit), when started with a specially crafted PDF file in the following way:

$ MALLOC_CHECK_=3 DISPLAY=:1 FoxitReader /path/to/poc/file.pdf

The MALLOC_CHECK_=3 environment variable is used to enforce strict checks in the libc memory allocator, while DISPLAY=:1 is set due to the fact that we are testing the application with a virtual X server (Xvfb), but the issue should be equally reproducible with the program started with standard display settings, too.

An example excerpt from the crash log is as follows:

--- cut ---
Program received signal SIGSEGV, Segmentation fault.
0x00000000007fb462 in CPDF_DIBSource::TranslateScanline24bpp(unsigned char*, unsigned char const*) const ()
(gdb) where
#0  0x00000000007fb462 in CPDF_DIBSource::TranslateScanline24bpp(unsigned char*, unsigned char const*) const
    ()
#1  0x00000000007fbd6c in CPDF_DIBSource::GetScanline(int) const ()
#2  0x000000000084b849 in CFX_DIBSource::Clone(FX_RECT const*) const ()
#3  0x00000000007f2e71 in CPDF_ImageCache::ContinueGetCachedBitmap() ()
#4  0x00000000007f2f9e in CPDF_ImageCache::StartGetCachedBitmap(CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int, CPDF_RenderStatus*, int, int) ()
#5  0x00000000007f3ba0 in CPDF_PageRenderCache::StartGetCachedBitmap(CPDF_Stream*, int, unsigned int, int, CPDF_RenderStatus*, int, int) ()
#6  0x00000000007fb00d in CPDF_ProgressiveImageLoaderHandle::Start(CPDF_ImageLoader*, CPDF_ImageObject const*, CPDF_PageRenderCache*, int, unsigned int, int, CPDF_RenderStatus*, int, int) ()
#7  0x00000000007fb13b in CPDF_ImageLoader::StartLoadImage(CPDF_ImageObject const*, CPDF_PageRenderCache*, void*&, int, unsigned int, int, CPDF_RenderStatus*, int, int) ()
#8  0x00000000007f42ff in CPDF_ImageRenderer::StartLoadDIBSource() ()
#9  0x00000000007f6782 in CPDF_ImageRenderer::Start(CPDF_RenderStatus*, CPDF_PageObject const*, CFX_Matrix const*, int, int) ()
#10 0x00000000007f1689 in CPDF_RenderStatus::ContinueSingleObject(CPDF_PageObject const*, CFX_Matrix const*, IFX_Pause*) ()
#11 0x00000000007f237a in CPDF_ProgressiveRenderer::Continue(IFX_Pause*) ()
#12 0x000000000061d75d in CPDFViewerPageEx::Rendering(CFX_DIBitmap*, int, int, int, int, int, CPDF_RenderOptions*) ()
#13 0x000000000061d9cb in CPDFViewerPageEx::DrawPageContent(CFX_DIBitmap*, CFX_ViewRect&) ()
#14 0x000000000061da6a in CPDFViewerEx::DrawPages(CFX_DIBitmap*) ()
#15 0x000000000061daa8 in CPDFViewerEx::Paint(CFX_DIBitmap*) ()
#16 0x000000000061daf1 in CPDFViewerEx::ContinueRendering() ()
#17 0x000000000061de17 in CPDFViewerEx::GetRenderData(int) ()
#18 0x000000000044b274 in CPDF_TVPreview::paintEvent (this=0x191fca0)
    at ../../Readerlite/ReaderLite/src/preview.cpp:1305
#19 0x00007ffff74c2302 in QWidget::event(QEvent*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#20 0x00007ffff7486c8c in QApplicationPrivate::notify_helper(QObject*, QEvent*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#21 0x00007ffff748be56 in QApplication::notify(QObject*, QEvent*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#22 0x00007ffff6340c2d in QCoreApplication::notifyInternal(QObject*, QEvent*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#23 0x00007ffff74bcbea in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#24 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#25 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#26 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#27 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#28 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#29 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#30 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#31 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#32 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#33 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
---Type <return> to continue, or q <return> to quit---     
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#34 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#35 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#36 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#37 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#38 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#39 0x00007ffff7493233 in ?? () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#40 0x00007ffff7493941 in ?? () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#41 0x00007ffff74e0973 in ?? () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#42 0x00007ffff7486c8c in QApplicationPrivate::notify_helper(QObject*, QEvent*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#43 0x00007ffff748be56 in QApplication::notify(QObject*, QEvent*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#44 0x00007ffff6340c2d in QCoreApplication::notifyInternal(QObject*, QEvent*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#45 0x00007ffff6860ea6 in QGuiApplicationPrivate::processExposeEvent(QWindowSystemInterfacePrivate::ExposeEvent*) () from /usr/lib/x86_64-linux-gnu/libQt5Gui.so.5
#46 0x00007ffff6861995 in QGuiApplicationPrivate::processWindowSystemEvent(QWindowSystemInterfacePrivate::WindowSystemEvent*) () from /usr/lib/x86_64-linux-gnu/libQt5Gui.so.5
#47 0x00007ffff684a858 in QWindowSystemInterface::sendWindowSystemEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/x86_64-linux-gnu/libQt5Gui.so.5
#48 0x00007fffecc415b0 in ?? () from /usr/lib/x86_64-linux-gnu/qt5/plugins/platforms/libqxcb.so
#49 0x00007ffff4a79e04 in g_main_context_dispatch () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#50 0x00007ffff4a7a048 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#51 0x00007ffff4a7a0ec in g_main_context_iteration () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#52 0x00007ffff638d98c in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#53 0x00007ffff633f96b in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#54 0x00007ffff63460e1 in QCoreApplication::exec() () from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#55 0x0000000000439e25 in main (argc=2, argv=0x7fffffffe288) at ../../Readerlite/ReaderLite/src/main.cpp:310
(gdb) x/10i $rip
=> 0x7fb462 <_ZNK14CPDF_DIBSource22TranslateScanline24bppEPhPKh+188>:   mov    0x2(%rbp),%dl
   0x7fb465 <_ZNK14CPDF_DIBSource22TranslateScanline24bppEPhPKh+191>:   add    $0x3,%r13
   0x7fb469 <_ZNK14CPDF_DIBSource22TranslateScanline24bppEPhPKh+195>:   add    $0x3,%rbp
   0x7fb46d <_ZNK14CPDF_DIBSource22TranslateScanline24bppEPhPKh+199>:   inc    %eax
   0x7fb46f <_ZNK14CPDF_DIBSource22TranslateScanline24bppEPhPKh+201>:   mov    %dl,-0x3(%r13)
   0x7fb473 <_ZNK14CPDF_DIBSource22TranslateScanline24bppEPhPKh+205>:   mov    -0x2(%rbp),%dl
   0x7fb476 <_ZNK14CPDF_DIBSource22TranslateScanline24bppEPhPKh+208>:   mov    %dl,-0x2(%r13)
   0x7fb47a <_ZNK14CPDF_DIBSource22TranslateScanline24bppEPhPKh+212>:   mov    -0x3(%rbp),%dl
   0x7fb47d <_ZNK14CPDF_DIBSource22TranslateScanline24bppEPhPKh+215>:   mov    %dl,-0x1(%r13)
   0x7fb481 <_ZNK14CPDF_DIBSource22TranslateScanline24bppEPhPKh+219>:
    jmp    0x7fb459 <_ZNK14CPDF_DIBSource22TranslateScanline24bppEPhPKh+179>
(gdb) info reg $rbp
rbp            0x1a30fff        0x1a30fff
--- cut ---

Attached is a proof of concept PDF file.


Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39941.zip