XPDF

pwndbg> run
Starting program: /home/v/fuzzing_xpdf/install/bin/pdftotext id:000000,sig:11,src:000539+000340,time:224079,execs:168152,op:splice,rep:16
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Error: PDF version � -- xpdf supports version 1.7 (continuing anyway)
Error: PDF file is damaged - attempting to reconstruct xref table...
Error (320): Illegal character <53> in hex string
Error (321): Illegal character <af> in hex string
Error (322): Illegal character <ad> in hex string
Error (324): Illegal character <83> in hex string
Error (325): Illegal character <bd> in hex string
Error (326): Illegal character <2c> in hex string
Error (327): Illegal character <15> in hex string
Error (328): Illegal character <9a> in hex string
Error (329): Illegal character <6d> in hex string
Error (330): Illegal character <53> in hex string
Error (331): Illegal character <69> in hex string
Error (332): Illegal character <7a> in hex string
Error (337): Illegal character <2f> in hex string
Error (338): Illegal character <49> in hex string
Error (339): Illegal character <6e> in hex string
Error (341): Illegal character <6f> in hex string
Error (347): Illegal character <52> in hex string
Error (348): Illegal character <2f> in hex string
Error (349): Illegal character <52> in hex string
Error (350): Illegal character <6f> in hex string
Error (351): Illegal character <6f> in hex string
Error (352): Illegal character <74> in hex string
Error (358): Illegal character <52> in hex string
Error (359): Illegal character <2f> in hex string
Error (360): Illegal character <49> in hex string
Error (362): Illegal character <5b> in hex string
Error (363): Illegal character <3c> in hex string
Error (431): Dictionary key must be a name object
Error (436): Dictionary key must be a name object
Error (2433): Illegal character <ff> in hex string
Error (2554): Illegal character <70> in hex string
Error (2555): Illegal character <67> in hex string
Error (2558): Illegal character <2f> in hex string
Error (2559): Illegal character <50> in hex string
Error (2561): Illegal character <67> in hex string
Error (2563): Illegal character <4d> in hex string
Error (2564): Illegal character <6f> in hex string
Error (2567): Illegal character <2f> in hex string
Error (2568): Illegal character <55> in hex string
Error (2569): Illegal character <73> in hex string
Error (2571): Illegal character <4e> in hex string
Error (2572): Illegal character <6f> in hex string
Error (2573): Illegal character <6e> in hex string
Error (2576): Illegal character <2f> in hex string
Error (2577): Illegal character <50> in hex string
Error (2579): Illegal character <67> in hex string
Error (2584): Illegal character <2f> in hex string
Error (2585): Illegal character <4d> in hex string
Error (2587): Illegal character <74> in hex string
Error (2591): Illegal character <74> in hex string
Error (2598): Illegal character <52> in hex string
Error (2601): Illegal character '>'
Error (2601): Dictionary key must be a name object
Error (2608): Dictionary key must be a name object
Error (2610): Dictionary key must be a name object
Error (2612): Dictionary key must be a name object
Error (2616): Dictionary key must be a name object
Error (2619): Dictionary key must be a name object
Error (2624): Dictionary key must be a name object

Catchpoint 1 (signal SIGSEGV), 0x00007ffff78a3ed7 in _int_malloc (av=av@entry=0x7ffff7a19c80 <main_arena>, bytes=bytes@entry=7) at ./malloc/malloc.c:3982
3982	./malloc/malloc.c: No such file or directory.
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
──────────────────────────────────────────────────────────────────────────────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]──────────────────────────────────────────────────────────────────────────────────────────────────────────────
 RAX  0x0
*RBX  0x7ffff7a19c80 (main_arena) ◂— 0x0
*RCX  0x10
*RDX  0x7ffff7a19d00 (main_arena+128) —▸ 0x7ffff7a19cf0 (main_arena+112) —▸ 0x7ffff7a19ce0 (main_arena+96) —▸ 0x21afcf0 ◂— 0x0
*RDI  0x5b
*RSI  0x7ffff7a19cf0 (main_arena+112) —▸ 0x7ffff7a19ce0 (main_arena+96) —▸ 0x21afcf0 ◂— 0x0
 R8   0x0
*R9   0x7
*R10  0x21a2000 ◂— 0x902795dc94467aa1
*R11  0x691f48a33e2dd2ba
*R12  0xffffffffffffff28
*R13  0x20
*R14  0x2
 R15  0x0
*RBP  0x7
*RSP  0x7fffff7fefe0
*RIP  0x7ffff78a3ed7 (_int_malloc+1191) ◂— mov qword ptr [rsp + 8], rax
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 ► 0x7ffff78a3ed7 <_int_malloc+1191>    mov    qword ptr [rsp + 8], rax
   0x7ffff78a3edc <_int_malloc+1196>    cmp    qword ptr fs:[r12], 0
   0x7ffff78a3ee2 <_int_malloc+1202>    je     _int_malloc+1220                <_int_malloc+1220>
    ↓
   0x7ffff78a3ef4 <_int_malloc+1220>    lea    r11, [rbx + 0x60]
   0x7ffff78a3ef8 <_int_malloc+1224>    mov    qword ptr [rsp], 0
   0x7ffff78a3f00 <_int_malloc+1232>    mov    dword ptr [rsp + 0x58], r14d
   0x7ffff78a3f05 <_int_malloc+1237>    movq   xmm1, r11
   0x7ffff78a3f0a <_int_malloc+1242>    mov    qword ptr [rsp + 0x28], rbp
   0x7ffff78a3f0f <_int_malloc+1247>    punpcklqdq xmm1, xmm1
   0x7ffff78a3f13 <_int_malloc+1251>    mov    rdx, qword ptr [rbx + 0x78]
   0x7ffff78a3f17 <_int_malloc+1255>    cmp    rdx, r11
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ STACK ]─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
<Could not read memory at 0x7fffff7fefe0>
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 ► f 0   0x7ffff78a3ed7 _int_malloc+1191
   f 1   0x7ffff78a52e2 malloc+450
   f 2         0x4dee21 copyString+49
   f 3         0x4dee21 copyString+49
   f 4         0x494c29 Lexer::getObj(Object*)+7737
   f 5         0x49eada
   f 6         0x49eada
   f 7         0x49ef47
pwndbg> bt
#0  0x00007ffff78a3ed7 in _int_malloc (av=av@entry=0x7ffff7a19c80 <main_arena>, bytes=bytes@entry=7) at ./malloc/malloc.c:3982
#1  0x00007ffff78a52e2 in __GI___libc_malloc (bytes=7) at ./malloc/malloc.c:3321
#2  0x00000000004dee21 in gmalloc (size=0) at gmem.cc:97
#3  copyString (s=0x21af9c4 "Filter") at gmem.cc:261
#4  0x0000000000494c29 in Lexer::getObj (this=0x21af9a0, obj=0x21af978) at ./Object.h:93
#5  0x000000000049eada in Parser::shift (this=0x21af950) at Parser.cc:226
#6  Parser::getObj (this=0x21af950, this@entry=0x21af968, obj=obj@entry=0x7fffff7ff210, fileKey=fileKey@entry=0x0, encAlgorithm=encAlgorithm@entry=cryptRC4, keyLength=keyLength@entry=0, objNum=objNum@entry=7, objGen=0) at Parser.cc:111
#7  0x000000000049ef47 in Parser::getObj (this=<optimized out>, obj=0x7fffff7ff310, fileKey=0x0, encAlgorithm=cryptRC4, keyLength=0, objNum=7, objGen=0) at Parser.cc:85
#8  0x00000000004d1641 in XRef::fetch (this=0x7a3230, num=7, gen=0, obj=0x7fffff7ff310) at XRef.cc:823
#9  0x000000000049f5e5 in Object::dictLookup (this=0x7fffff7ff490, key=0x7ffff7a19cf0 <main_arena+112> "\340\234\241\367\377\177", obj=0x7fffff7ff310) at ./Object.h:253
#10 Parser::makeStream (this=this@entry=0x21af470, dict=dict@entry=0x7fffff7ff490, fileKey=fileKey@entry=0x0, encAlgorithm=encAlgorithm@entry=cryptRC4, keyLength=keyLength@entry=0, objNum=objNum@entry=7, objGen=0) at Parser.cc:156
#11 0x000000000049f0c9 in Parser::getObj (this=<optimized out>, obj=0x7fffff7ff490, fileKey=0x0, encAlgorithm=cryptRC4, keyLength=0, objNum=7, objGen=0) at Parser.cc:94
#12 0x00000000004d1641 in XRef::fetch (this=0x7a3230, num=7, gen=0, obj=0x7fffff7ff490) at XRef.cc:823
#13 0x000000000049f5e5 in Object::dictLookup (this=0x7fffff7ff610, key=0x7ffff7a19cf0 <main_arena+112> "\340\234\241\367\377\177", obj=0x7fffff7ff490) at ./Object.h:253
#14 Parser::makeStream (this=this@entry=0x21aef90, dict=dict@entry=0x7fffff7ff610, fileKey=fileKey@entry=0x0, encAlgorithm=encAlgorithm@entry=cryptRC4, keyLength=keyLength@entry=0, objNum=objNum@entry=7, objGen=0) at Parser.cc:156
#15 0x000000000049f0c9 in Parser::getObj (this=<optimized out>, obj=0x7fffff7ff610, fileKey=0x0, encAlgorithm=cryptRC4, keyLength=0, objNum=7, objGen=0) at Parser.cc:94
#16 0x00000000004d1641 in XRef::fetch (this=0x7a3230, num=7, gen=0, obj=0x7fffff7ff610) at XRef.cc:823
#17 0x000000000049f5e5 in Object::dictLookup (this=0x7fffff7ff790, key=0x7ffff7a19cf0 <main_arena+112> "\340\234\241\367\377\177", obj=0x7fffff7ff610) at ./Object.h:253

The first backtrace is only partly usable: this pdftotext was built with optimization and without debug info, so the frames show <optimized out> values, a duplicated copyString+49 frame and a garbage key pointer into main_arena where the real dictionary key should be. Since the code is open source, the simplest fix is to rebuild it with debug info and no optimization:

rm -r $HOME/fuzzing_xpdf/install
cd $HOME/fuzzing_xpdf/xpdf-3.02/
make clean
CFLAGS="-g -O0" CXXFLAGS="-g -O0" ./configure --prefix="$HOME/fuzzing_xpdf/install/"
make
make install

Then load the rebuilt binary in GDB and run the same crash file again:

pwndbg> bt
#0  0x00007ffff78a3ed7 in _int_malloc (av=av@entry=0x7ffff7a19c80 <main_arena>, bytes=bytes@entry=344) at ./malloc/malloc.c:3982
#1  0x00007ffff78a52e2 in __GI___libc_malloc (bytes=344) at ./malloc/malloc.c:3321
#2  0x00007ffff7cae9cc in operator new(unsigned long) () from /lib/x86_64-linux-gnu/libstdc++.so.6
#3  0x00005555556048cc in FileStream::makeSubStream (this=0x5555556cabf0, startA=2750, limitedA=0, lengthA=0, dictA=0x7fffff7ff170) at Stream.cc:596
#4  0x000055555562353b in XRef::fetch (this=0x5555556cc230, num=7, gen=0, obj=0x7fffff7ff2c0) at XRef.cc:809
#5  0x00005555555fa57e in Object::fetch (this=0x555556673ef8, xref=0x5555556cc230, obj=0x7fffff7ff2c0) at Object.cc:106
#6  0x000055555559c94c in Dict::lookup (this=0x555556673ea0, key=0x55555564ca6f "Length", obj=0x7fffff7ff2c0) at Dict.cc:76
#7  0x00005555555fb269 in Object::dictLookup (this=0x7fffff7ff540, key=0x55555564ca6f "Length", obj=0x7fffff7ff2c0) at /home/v/fuzzing-101-solutions/exercise-1/xpdf-3.02/xpdf/Object.h:253
#8  0x00005555555ff8f0 in Parser::makeStream (this=0x555556673df0, dict=0x7fffff7ff540, fileKey=0x0, encAlgorithm=cryptRC4, keyLength=0, objNum=7, objGen=0) at Parser.cc:156
#9  0x00005555555ff51a in Parser::getObj (this=0x555556673df0, obj=0x7fffff7ff540, fileKey=0x0, encAlgorithm=cryptRC4, keyLength=0, objNum=7, objGen=0) at Parser.cc:94
#10 0x0000555555623714 in XRef::fetch (this=0x5555556cc230, num=7, gen=0, obj=0x7fffff7ff540) at XRef.cc:823
#11 0x00005555555fa57e in Object::fetch (this=0x555556673a18, xref=0x5555556cc230, obj=0x7fffff7ff540) at Object.cc:106
#12 0x000055555559c94c in Dict::lookup (this=0x5555566739c0, key=0x55555564ca6f "Length", obj=0x7fffff7ff540) at Dict.cc:76
#13 0x00005555555fb269 in Object::dictLookup (this=0x7fffff7ff7c0, key=0x55555564ca6f "Length", obj=0x7fffff7ff540) at /home/v/fuzzing-101-solutions/exercise-1/xpdf-3.02/xpdf/Object.h:253
#14 0x00005555555ff8f0 in Parser::makeStream (this=0x555556673910, dict=0x7fffff7ff7c0, fileKey=0x0, encAlgorithm=cryptRC4, keyLength=0, objNum=7, objGen=0) at Parser.cc:156
#15 0x00005555555ff51a in Parser::getObj (this=0x555556673910, obj=0x7fffff7ff7c0, fileKey=0x0, encAlgorithm=cryptRC4, keyLength=0, objNum=7, objGen=0) at Parser.cc:94
#16 0x0000555555623714 in XRef::fetch (this=0x5555556cc230, num=7, gen=0, obj=0x7fffff7ff7c0) at XRef.cc:823
#17 0x00005555555fa57e in Object::fetch (this=0x555556673538, xref=0x5555556cc230, obj=0x7fffff7ff7c0) at Object.cc:106
#18 0x000055555559c94c in Dict::lookup (this=0x5555566734e0, key=0x55555564ca6f "Length", obj=0x7fffff7ff7c0) at Dict.cc:76
#19 0x00005555555fb269 in Object::dictLookup (this=0x7fffff7ffa40, key=0x55555564ca6f "Length", obj=0x7fffff7ff7c0) at /home/v/fuzzing-101-solutions/exercise-1/xpdf-3.02/xpdf/Object.h:253

This is a denial of service caused by unbounded recursion, and the rebuilt backtrace shows the loop directly: Parser::makeStream (Parser.cc:156) looks up the stream's /Length key, Dict::lookup resolves that value through Object::fetch and XRef::fetch(num=7, gen=0), which re-parses object 7 with Parser::getObj, which calls Parser::makeStream again, and so on with the same object number at every level. In other words, object 7 is a stream whose /Length entry is an indirect reference to object 7 itself, and the parser keeps following it.

The register dump confirms that the stack was exhausted rather than the heap corrupted: the faulting instruction in _int_malloc is a store through RSP, pwndbg cannot read the stack at RSP = 0x7fffff7fefe0, and that address sits 8 MiB (0x800020 bytes) below the usual 0x7ffffffff000 stack top that GDB uses with ASLR disabled, i.e. exactly the default ulimit -s. Raising the stack limit only moves the crash to a deeper recursion level. The fix is to bound the recursion: carry a depth counter through the fetch/parse path and abort the parse with an error once it reaches the limit.
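As an added illustration (this is not xpdf's code and not the upstream patch), here is a toy model in C of the loop visible in the backtrace, with the missing depth guard in place. The object table, the object numbers, the result codes and the MAX_RECURSION value of 64 are assumptions chosen for the example; the function names only mirror the xpdf frames they stand in for.

```c
/*
 * Added example (not xpdf code): a toy model of the /Length lookup loop seen
 * in the backtrace, with the missing recursion guard added. The object table,
 * object numbers and MAX_RECURSION value are assumptions for illustration.
 *
 * Mapping to the xpdf frames:
 *   fetch()        ~ XRef::fetch / Object::fetch / Parser::getObj
 *   make_stream()  ~ Parser::makeStream resolving the stream's /Length
 */
#include <stdio.h>

#define MAX_RECURSION 64  /* assumed limit; any small bound stops the loop */

typedef enum { OBJ_NONE, OBJ_INT, OBJ_REF, OBJ_STREAM } ObjKind;

/* One entry in the toy xref table. A stream carries its own /Length, which
 * in PDF may be a direct integer or an indirect reference "N 0 R". */
typedef struct {
    ObjKind kind;
    long    value;      /* OBJ_INT: the integer; OBJ_REF: target object number */
    ObjKind len_kind;   /* OBJ_STREAM only: OBJ_INT or OBJ_REF */
    long    len_value;  /* OBJ_STREAM only: the integer or the target number */
} Obj;

typedef struct { const Obj *tab; int n; } XRef;

typedef enum { RES_OK = 0, RES_BAD_REF = 1, RES_TOO_DEEP = 2 } Result;

static Result fetch(const XRef *x, long num, long *out, int depth);

/* Parser::makeStream analogue: the stream dictionary's /Length may itself be
 * an indirect reference, so resolving it re-enters the object fetcher. */
static Result make_stream(const XRef *x, const Obj *o, long *len, int depth)
{
    if (o->len_kind == OBJ_INT) { *len = o->len_value; return RES_OK; }
    if (o->len_kind == OBJ_REF) return fetch(x, o->len_value, len, depth + 1);
    return RES_BAD_REF;
}

/* XRef::fetch analogue. The depth check is the fix: without it a
 * self-referencing /Length recurses until the stack is exhausted. */
static Result fetch(const XRef *x, long num, long *out, int depth)
{
    if (depth > MAX_RECURSION) return RES_TOO_DEEP;
    if (num < 0 || num >= x->n) return RES_BAD_REF;
    const Obj *o = &x->tab[num];
    switch (o->kind) {
    case OBJ_INT:    *out = o->value;  return RES_OK;
    case OBJ_REF:    return fetch(x, o->value, out, depth + 1);
    case OBJ_STREAM: return make_stream(x, o, out, depth);
    default:         return RES_BAD_REF;
    }
}

/* Resolve the byte length of stream object `num`, starting at depth 0. */
Result stream_length(const XRef *x, long num, long *out)
{
    return fetch(x, num, out, 0);
}

/* Constructed sample tables (array index = object number, gaps are OBJ_NONE). */
static const Obj benign_tab[] = {
    [5] = { OBJ_STREAM, 0, OBJ_REF, 6 },   /* 5 0 obj << /Length 6 0 R >> stream */
    [6] = { OBJ_INT, 1234, OBJ_NONE, 0 },  /* 6 0 obj 1234 */
};
static const Obj self_ref_tab[] = {
    [7] = { OBJ_STREAM, 0, OBJ_REF, 7 },   /* 7 0 obj << /Length 7 0 R >>: the loop from the backtrace */
};
static const Obj two_cycle_tab[] = {
    [8] = { OBJ_STREAM, 0, OBJ_REF, 9 },   /* 8 0 obj << /Length 9 0 R >> stream */
    [9] = { OBJ_REF, 8, OBJ_NONE, 0 },     /* 9 0 obj 8 0 R: points back at the stream */
};

/* Helpers returning plain values so the outcomes can be checked directly. */
long demo_benign(void)
{
    XRef x = { benign_tab, 7 }; long len = -1;
    return stream_length(&x, 5, &len) == RES_OK ? len : -1;
}
int demo_self_ref(void)
{
    XRef x = { self_ref_tab, 8 }; long len = -1;
    return (int)stream_length(&x, 7, &len);
}
int demo_two_cycle(void)
{
    XRef x = { two_cycle_tab, 10 }; long len = -1;
    return (int)stream_length(&x, 8, &len);
}

int main(void)
{
    printf("benign   : length %ld\n", demo_benign());
    printf("self-ref : result %d (2 = RES_TOO_DEEP)\n", demo_self_ref());
    printf("two-cycle: result %d (2 = RES_TOO_DEEP)\n", demo_two_cycle());
    return 0;
}
```

Build with cc -std=c11 -Wall and run: the well-formed stream resolves to 1234, while the self-reference and the two-object cycle come back as RES_TOO_DEEP instead of recursing. In the real parser the counter has to be threaded through every path that can re-enter the fetcher (XRef::fetch, Parser::getObj and Parser::makeStream), not just one of them, and a rejected /Length should become an error object rather than a zero length that a later bounds check might silently accept.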