Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Foxit PDF Reader 1.0.1.0925 - CFX_WideString::operator= Invalid Read

🗓️ 13 Jun 2016 00:00:00Reported by Google Security ResearchType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 33 Views

Invalid read in Foxit PDF Reader 1.0.1.0925 for Linux 64-bi

Code
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=745

We have identified the following crash due to an invalid read in Foxit PDF Reader (version 1.0.1.0925 for Linux 64-bit), when started with a specially crafted PDF file in the following way:

$ DISPLAY=:1 FoxitReader /path/to/poc/file.pdf

The DISPLAY=:1 environment variable is set due to the fact that we are testing the application with a virtual X server (Xvfb), but the issue should be equally reproducible with the program started with standard display settings, too.

An example excerpt from the crash log is as follows:

--- cut ---
Program received signal SIGSEGV, Segmentation fault.
0x0000000000ab467f in CFX_WideString::operator=(CFX_WideString const&) ()
(gdb) where
#0  0x0000000000ab467f in CFX_WideString::operator=(CFX_WideString const&) ()
#1  0x00000000006c53a8 in CRichTextXML::ParseXML2Text(CXML_Element*, CRichTextXML::STYLE*, CRichTextXML::STYLE*) ()
#2  0x00000000006c5357 in CRichTextXML::ParseXML2Text(CXML_Element*, CRichTextXML::STYLE*, CRichTextXML::STYLE*) ()
#3  0x00000000006c5357 in CRichTextXML::ParseXML2Text(CXML_Element*, CRichTextXML::STYLE*, CRichTextXML::STYLE*) ()
#4  0x00000000006c6364 in CRichTextXML::ParseXML2Text() ()
#5  0x00000000006c6a33 in CRichTextXML::SetXML(wchar_t const*, wchar_t const*) ()
#6  0x00000000006c9d49 in CFX_Edit::SetRichTextByXML(wchar_t const*, wchar_t const*, int, int) ()
#7  0x000000000067e995 in CPWL_Note_Contents::SetRichText(CFX_WideString const&) ()
#8  0x000000000067e9e5 in CPWL_NoteItem::SetRichContents(CFX_WideString const&) ()
#9  0x00000000005cbcc7 in CMarkup_Popup::SetNoteContents(CFX_WideString const&, CReader_PageView*) ()
#10 0x00000000005ca0e7 in CMarkup_Popup::InitNote(CReader_PageView*) ()
#11 0x00000000005ca420 in CMarkup_Popup::CreateNote(CReader_PageView*, int) ()
#12 0x00000000005cd578 in CMarkup_Popup::UpdateNote(CReader_PageView*, int) ()
#13 0x00000000005d2475 in CMarkup_AnnotHandler::OnPageVisible(CReader_PageView*, CReader_Annot*) ()
#14 0x00000000006e733e in CTA_AnnotHandler::OnPageVisible(CReader_PageView*, CReader_Annot*) ()
#15 0x0000000000640424 in CBA_PageEventHandler::OnPageVisible(CReader_PageView*) ()
#16 0x0000000000461d1b in CReader_AppEx::OnPageVisible (this=0x14a5120, pDocView=0x19446a0)
    at ../../Readerlite/ReaderLite/src/frd_appex.cpp:2901
#17 0x0000000000450bec in CReader_ViewPage::DoPageVisibleAction (this=0x1944670)
    at ../../Readerlite/ReaderLite/src/preview.cpp:3204
x#18 0x000000000044b980 in CPDF_TVPreview::Slot_DoPageVisibleEvent (this=0x1943180)
    at ../../Readerlite/ReaderLite/src/preview.cpp:1443
#19 0x000000000044e333 in CPDFViewerEventHandler::OnFinishRender (this=0x194c520)
    at ../../Readerlite/ReaderLite/src/preview.cpp:2386
#20 0x000000000061db28 in CPDFViewerEx::ContinueRendering() ()
#21 0x000000000061de17 in CPDFViewerEx::GetRenderData(int) ()
#22 0x000000000044b274 in CPDF_TVPreview::paintEvent (this=0x1943180)
    at ../../Readerlite/ReaderLite/src/preview.cpp:1305
#23 0x00007ffff74c2302 in QWidget::event(QEvent*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#24 0x00007ffff7486c8c in QApplicationPrivate::notify_helper(QObject*, QEvent*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#25 0x00007ffff748be56 in QApplication::notify(QObject*, QEvent*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#26 0x00007ffff6340c2d in QCoreApplication::notifyInternal(QObject*, QEvent*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#27 0x00007ffff74bcbea in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#28 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#29 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#30 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#31 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#32 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#33 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#34 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#35 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#36 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
---Type <return> to continue, or q <return> to quit---   
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#37 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#38 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#39 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#40 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#41 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#42 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#43 0x00007ffff7493233 in ?? () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#44 0x00007ffff7493941 in ?? () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#45 0x00007ffff74e0973 in ?? () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#46 0x00007ffff7486c8c in QApplicationPrivate::notify_helper(QObject*, QEvent*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#47 0x00007ffff748be56 in QApplication::notify(QObject*, QEvent*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#48 0x00007ffff6340c2d in QCoreApplication::notifyInternal(QObject*, QEvent*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#49 0x00007ffff6860ea6 in QGuiApplicationPrivate::processExposeEvent(QWindowSystemInterfacePrivate::ExposeEvent*) () from /usr/lib/x86_64-linux-gnu/libQt5Gui.so.5
#50 0x00007ffff6861995 in QGuiApplicationPrivate::processWindowSystemEvent(QWindowSystemInterfacePrivate::WindowSystemEvent*) () from /usr/lib/x86_64-linux-gnu/libQt5Gui.so.5
#51 0x00007ffff684a858 in QWindowSystemInterface::sendWindowSystemEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/x86_64-linux-gnu/libQt5Gui.so.5
#52 0x00007fffecc415b0 in ?? () from /usr/lib/x86_64-linux-gnu/qt5/plugins/platforms/libqxcb.so
#53 0x00007ffff4a79e04 in g_main_context_dispatch () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#54 0x00007ffff4a7a048 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#55 0x00007ffff4a7a0ec in g_main_context_iteration () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#56 0x00007ffff638d98c in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#57 0x00007ffff633f96b in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#58 0x00007ffff63460e1 in QCoreApplication::exec() () from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#59 0x0000000000439e25 in main (argc=2, argv=0x7fffffffe298) at ../../Readerlite/ReaderLite/src/main.cpp:310
(gdb) x/10i $rip
=> 0xab467f <_ZN14CFX_WideStringaSERKS_+51>:    cmpq   $0x0,0x0(%r13)
   0xab4684 <_ZN14CFX_WideStringaSERKS_+56>:    js     0xab4692 <_ZN14CFX_WideStringaSERKS_+70>
   0xab4686 <_ZN14CFX_WideStringaSERKS_+58>:    test   %rbp,%rbp
   0xab4689 <_ZN14CFX_WideStringaSERKS_+61>:    je     0xab46a3 <_ZN14CFX_WideStringaSERKS_+87>
   0xab468b <_ZN14CFX_WideStringaSERKS_+63>:    cmpq   $0x0,0x0(%rbp)
   0xab4690 <_ZN14CFX_WideStringaSERKS_+68>:    jns    0xab46a3 <_ZN14CFX_WideStringaSERKS_+87>
   0xab4692 <_ZN14CFX_WideStringaSERKS_+70>:    mov    0x8(%rbp),%esi
   0xab4695 <_ZN14CFX_WideStringaSERKS_+73>:    lea    0x10(%rbp),%rdx
   0xab4699 <_ZN14CFX_WideStringaSERKS_+77>:    mov    %rbx,%rdi
   0xab469c <_ZN14CFX_WideStringaSERKS_+80>:    callq  0xab45a8 <_ZN14CFX_WideString10AssignCopyEiPKw>
(gdb) info reg $r13
r13            0x740000006e     498216206446
--- cut ---

Attached is a proof of concept PDF file.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39942.zip

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
13 Jun 2016 00:00Current
7High risk
Vulners AI Score7
foxit pdf readerinvalid readlinux 64-bitsegmentation faultcrashspecially crafted pdfcfx_widestringcmarkup_popupcreader_pageviewxvfbvirtual x serverdisplay settings
33