RootUp · August 31, 2019 14:34 · msmeissn · Mar 11, 2020 · msmeissn · Mar 11, 2020
diff --git a/poc.sh b/poc.sh
 xpdf v2.0
 PoC: https://gofile.io/?c=grUzbG

 $ gdb ./pdfinfo
 (gdb) run out/crashes/id:000000,sig:11,src:000000,op:flip1,pos:2971
 Starting program: /home/input0/Downloads/xpdf-2.00/xpdf/pdfinfo out/crashes/id:000000,sig:11,src:000000,op:flip1,pos:2971
 Error (2978): Dictionary key must be a name object
 Error (2980): Dictionary key must be a name object
 Error (2982): Dictionary key must be a name object
 Error (2989): Dictionary key must be a name object
 Error (0): PDF file is damaged - attempting to reconstruct xref table...

 Program received signal SIGSEGV, Segmentation fault.
 0x00000000004be249 in XRef::constructXRef (this=<optimized out>) at XRef.cc:421
 421		      if (!entries[num].used || gen >= entries[num].gen) {
 (gdb) bt
 #0  0x00000000004be249 in XRef::constructXRef (this=<optimized out>) at XRef.cc:421
 #1  0x00000000004bd13f in XRef::XRef (this=0x741ea0, strA=<optimized out>, ownerPassword=0x0, userPassword=0x0) at XRef.cc:72
 #2  0x000000000049d0fb in PDFDoc::setup (this=0x740cd0, ownerPassword=0x3, userPassword=0x3) at PDFDoc.cc:120
 #3  0x000000000049cf3d in PDFDoc::PDFDoc (this=0x740cd0, fileNameA=<optimized out>, ownerPassword=0x0, userPassword=0x0) at PDFDoc.cc:96
 #4  0x00000000004c0fc3 in main (argc=<optimized out>, argv=<optimized out>) at pdfinfo.cc:119
 (gdb) i r
 rax            0x0	0
 rbx            0x741ed0	7610064
 rcx            0x3	3
 rdx            0x3	3
 rsi            0x4d9f24	5087012
 rdi            0x7fffffffd764	140737488344932
 rbp            0x1	0x1
 rsp            0x7fffffffd710	0x7fffffffd710
 r8             0x7fffffffd763	140737488344931
 r9             0x0	0
 r10            0x7ffff7243cc0	140737339735232
 r11            0x0	0
 r12            0x7fffffffd760	140737488344928
 r13            0xfffffffffffffffc	-4
 r14            0x741ea0	7610016
 r15            0x741ed0	7610064
 rip            0x4be249	0x4be249 <XRef::constructXRef()+857>
 eflags         0x10202	[ IF RF ]
 cs             0x33	51
 ss             0x2b	43
 ds             0x0	0
 es             0x0	0
 fs             0x0	0
 gs             0x0	0
 (gdb)
	xpdf v2.0
	PoC: https://gofile.io/?c=grUzbG

	$ gdb ./pdfinfo
	(gdb) run out/crashes/id:000000,sig:11,src:000000,op:flip1,pos:2971
	Starting program: /home/input0/Downloads/xpdf-2.00/xpdf/pdfinfo out/crashes/id:000000,sig:11,src:000000,op:flip1,pos:2971
	Error (2978): Dictionary key must be a name object
	Error (2980): Dictionary key must be a name object
	Error (2982): Dictionary key must be a name object
	Error (2989): Dictionary key must be a name object
	Error (0): PDF file is damaged - attempting to reconstruct xref table...

	Program received signal SIGSEGV, Segmentation fault.
	0x00000000004be249 in XRef::constructXRef (this=<optimized out>) at XRef.cc:421
	421 if (!entries[num].used \|\| gen >= entries[num].gen) {
	(gdb) bt
	#0 0x00000000004be249 in XRef::constructXRef (this=<optimized out>) at XRef.cc:421
	#1 0x00000000004bd13f in XRef::XRef (this=0x741ea0, strA=<optimized out>, ownerPassword=0x0, userPassword=0x0) at XRef.cc:72
	#2 0x000000000049d0fb in PDFDoc::setup (this=0x740cd0, ownerPassword=0x3, userPassword=0x3) at PDFDoc.cc:120
	#3 0x000000000049cf3d in PDFDoc::PDFDoc (this=0x740cd0, fileNameA=<optimized out>, ownerPassword=0x0, userPassword=0x0) at PDFDoc.cc:96
	#4 0x00000000004c0fc3 in main (argc=<optimized out>, argv=<optimized out>) at pdfinfo.cc:119
	(gdb) i r
	rax 0x0 0
	rbx 0x741ed0 7610064
	rcx 0x3 3
	rdx 0x3 3
	rsi 0x4d9f24 5087012
	rdi 0x7fffffffd764 140737488344932
	rbp 0x1 0x1
	rsp 0x7fffffffd710 0x7fffffffd710
	r8 0x7fffffffd763 140737488344931
	r9 0x0 0
	r10 0x7ffff7243cc0 140737339735232
	r11 0x0 0
	r12 0x7fffffffd760 140737488344928
	r13 0xfffffffffffffffc -4
	r14 0x741ea0 7610016
	r15 0x741ed0 7610064
	rip 0x4be249 0x4be249 <XRef::constructXRef()+857>
	eflags 0x10202 [ IF RF ]
	cs 0x33 51
	ss 0x2b 43
	ds 0x0 0
	es 0x0 0
	fs 0x0 0
	gs 0x0 0
	(gdb)