扫码分享
验证:
体验盒子Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=745
We have identified the following crash due to an invalid read in Foxit PDF Reader (version 1.0.1.0925 for Linux 64-bit), when started with a specially crafted PDF file in the following way:
$ DISPLAY=:1 FoxitReader /path/to/poc/file.pdf
The DISPLAY=:1 environment variable is set due to the fact that we are testing the application with a virtual X server (Xvfb), but the issue should be equally reproducible with the program started with standard display settings, too.
An example excerpt from the crash log is as follows:
--- cut ---
Program received signal SIGSEGV, Segmentation fault.
0x0000000000ab467f in CFX_WideString::operator=(CFX_WideString const&) ()
(gdb) where
#00x0000000000ab467f in CFX_WideString::operator=(CFX_WideString const&) ()
#10x00000000006c53a8 in CRichTextXML::ParseXML2Text(CXML_Element*, CRichTextXML::STYLE*, CRichTextXML::STYLE*) ()
#20x00000000006c5357 in CRichTextXML::ParseXML2Text(CXML_Element*, CRichTextXML::STYLE*, CRichTextXML::STYLE*) ()
#30x00000000006c5357 in CRichTextXML::ParseXML2Text(CXML_Element*, CRichTextXML::STYLE*, CRichTextXML::STYLE*) ()
#40x00000000006c6364 in CRichTextXML::ParseXML2Text() ()
#50x00000000006c6a33 in CRichTextXML::SetXML(wchar_t const*, wchar_t const*) ()
#60x00000000006c9d49 in CFX_Edit::SetRichTextByXML(wchar_t const*, wchar_t const*, int, int) ()
#70x000000000067e995 in CPWL_Note_Contents::SetRichText(CFX_WideString const&) ()
#80x000000000067e9e5 in CPWL_NoteItem::SetRichContents(CFX_WideString const&) ()
#90x00000000005cbcc7 in CMarkup_Popup::SetNoteContents(CFX_WideString const&, CReader_PageView*) ()
#10 0x00000000005ca0e7 in CMarkup_Popup::InitNote(CReader_PageView*) ()
#11 0x00000000005ca420 in CMarkup_Popup::CreateNote(CReader_PageView*, int) ()
#12 0x00000000005cd578 in CMarkup_Popup::UpdateNote(CReader_PageView*, int) ()
#13 0x00000000005d2475 in CMarkup_AnnotHandler::OnPageVisible(CReader_PageView*, CReader_Annot*) ()
#14 0x00000000006e733e in CTA_AnnotHandler::OnPageVisible(CReader_PageView*, CReader_Annot*) ()
#15 0x0000000000640424 in CBA_PageEventHandler::OnPageVisible(CReader_PageView*) ()
#16 0x0000000000461d1b in CReader_AppEx::OnPageVisible (this=0x14a5120, pDocView=0x19446a0)
at ../../Readerlite/ReaderLite/src/frd_appex.cpp:2901
#17 0x0000000000450bec in CReader_ViewPage::DoPageVisibleAction (this=0x1944670)
at ../../Readerlite/ReaderLite/src/preview.cpp:3204
x#18 0x000000000044b980 in CPDF_TVPreview::Slot_DoPageVisibleEvent (this=0x1943180)
at ../../Readerlite/ReaderLite/src/preview.cpp:1443
#19 0x000000000044e333 in CPDFViewerEventHandler::OnFinishRender (this=0x194c520)
at ../../Readerlite/ReaderLite/src/preview.cpp:2386
#20 0x000000000061db28 in CPDFViewerEx::ContinueRendering() ()
#21 0x000000000061de17 in CPDFViewerEx::GetRenderData(int) ()
#22 0x000000000044b274 in CPDF_TVPreview::paintEvent (this=0x1943180)
at ../../Readerlite/ReaderLite/src/preview.cpp:1305
#23 0x00007ffff74c2302 in QWidget::event(QEvent*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#24 0x00007ffff7486c8c in QApplicationPrivate::notify_helper(QObject*, QEvent*) ()
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#25 0x00007ffff748be56 in QApplication::notify(QObject*, QEvent*) ()
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#26 0x00007ffff6340c2d in QCoreApplication::notifyInternal(QObject*, QEvent*) ()
from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#27 0x00007ffff74bcbea in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#28 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#29 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#30 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#31 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#32 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#33 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#34 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#35 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#36 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
---Type <return> to continue, or q <return> to quit---
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#37 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#38 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#39 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#40 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#41 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#42 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#43 0x00007ffff7493233 in ?? () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#44 0x00007ffff7493941 in ?? () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#45 0x00007ffff74e0973 in ?? () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#46 0x00007ffff7486c8c in QApplicationPrivate::notify_helper(QObject*, QEvent*) ()
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#47 0x00007ffff748be56 in QApplication::notify(QObject*, QEvent*) ()
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#48 0x00007ffff6340c2d in QCoreApplication::notifyInternal(QObject*, QEvent*) ()
from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#49 0x00007ffff6860ea6 in QGuiApplicationPrivate::processExposeEvent(QWindowSystemInterfacePrivate::ExposeEvent*) () from /usr/lib/x86_64-linux-gnu/libQt5Gui.so.5
#50 0x00007ffff6861995 in QGuiApplicationPrivate::processWindowSystemEvent(QWindowSystemInterfacePrivate::WindowSystemEvent*) () from /usr/lib/x86_64-linux-gnu/libQt5Gui.so.5
#51 0x00007ffff684a858 in QWindowSystemInterface::sendWindowSystemEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/x86_64-linux-gnu/libQt5Gui.so.5
#52 0x00007fffecc415b0 in ?? () from /usr/lib/x86_64-linux-gnu/qt5/plugins/platforms/libqxcb.so
#53 0x00007ffff4a79e04 in g_main_context_dispatch () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#54 0x00007ffff4a7a048 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#55 0x00007ffff4a7a0ec in g_main_context_iteration () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#56 0x00007ffff638d98c in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) ()
from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#57 0x00007ffff633f96b in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) ()
from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#58 0x00007ffff63460e1 in QCoreApplication::exec() () from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#59 0x0000000000439e25 in main (argc=2, argv=0x7fffffffe298) at ../../Readerlite/ReaderLite/src/main.cpp:310
(gdb) x/10i $rip
=> 0xab467f <_ZN14CFX_WideStringaSERKS_+51>:cmpq $0x0,0x0(%r13)
0xab4684 <_ZN14CFX_WideStringaSERKS_+56>:js 0xab4692 <_ZN14CFX_WideStringaSERKS_+70>
0xab4686 <_ZN14CFX_WideStringaSERKS_+58>:test %rbp,%rbp
0xab4689 <_ZN14CFX_WideStringaSERKS_+61>:je 0xab46a3 <_ZN14CFX_WideStringaSERKS_+87>
0xab468b <_ZN14CFX_WideStringaSERKS_+63>:cmpq $0x0,0x0(%rbp)
0xab4690 <_ZN14CFX_WideStringaSERKS_+68>:jns0xab46a3 <_ZN14CFX_WideStringaSERKS_+87>
0xab4692 <_ZN14CFX_WideStringaSERKS_+70>:mov0x8(%rbp),%esi
0xab4695 <_ZN14CFX_WideStringaSERKS_+73>:lea0x10(%rbp),%rdx
0xab4699 <_ZN14CFX_WideStringaSERKS_+77>:mov%rbx,%rdi
0xab469c <_ZN14CFX_WideStringaSERKS_+80>:callq0xab45a8 <_ZN14CFX_WideString10AssignCopyEiPKw>
(gdb) info reg $r13
r130x740000006e 498216206446
--- cut ---
Attached is a proof of concept PDF file.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39942.zip
体验盒子
