Multiple Vendor xpdf PDF Viewer Buffer Overflow Vulnerability
21 Dec. 2004
Summary
Xpdf is "an open-source viewer for Portable Document Format (PDF) files". Remote exploitation of a buffer overflow vulnerability in the xpdf PDF viewer, as included in multiple Linux distributions, could allow attackers to execute arbitrary code as the user viewing a PDF file.
The offending code can be found in the Gfx::doImage() function in the source file xpdf/Gfx.cc.
void Gfx::doImage(Object *ref, Stream *str, GBool inlineImg) {
Dict *dict;
int width, height;
int bits;
GBool mask;
GBool invert;
GfxColorSpace *colorSpace;
GfxImageColorMap *colorMap;
Object maskObj;
GBool haveMask;
int maskColors[2*gfxColorMaxComps];
Object obj1, obj2;
int i;
...
// get the mask
haveMask = gFalse;
dict->lookup("Mask", &maskObj);
if (maskObj.isArray()) {
for (i = 0; i < maskObj.arrayGetLength(); ++i) {
maskObj.arrayGet(i, &obj1);
[!] maskColors[i] = obj1.getInt();
obj1.free();
}
haveMask = gTrue;
}
...
}
Due to the fact that the loop boundaries are not less than the storage area, the maskColors array is eventually filled up. After that, local variables and other stack memory is overwritten. This ultimately leads to control of program flow and arbitrary code execution.
Analysis:
The severity of this issue is mitigated by the fact that several of the local overwritten variables in doImage() are referenced prior to EIP being restored; therefore, before the attack gains control of the target process. However, an attacker with knowledge of the remote operating system can construct and validate a malicious payload before attempting exploitation, thus increasing the chances of success. An attacker must convince a target user to open the malicious file to exploit this vulnerability.
