Hello,
We found that in PoDoFo 0.9.5 (the latest version) there is a memory
allocation failure in the PdfParser::ReadXRefSubsection function
(src/base/PdfParser.cpp): the xref subsection size taken from the file is
passed to std::vector::resize (frame #11 in the trace below), so an
oversized value makes the allocation fail, which can cause a denial of
service via a crafted PDF file.

==112205==AddressSanitizer's allocator is terminating the process
instead of returning 0
==112205==If you don't like this behavior set allocator_may_return_null=1
==112205==AddressSanitizer CHECK failed:
../../../../src/libsanitizer/sanitizer_common/sanitizer_allocator.cc:147
"((0)) != (0)" (0x0, 0x0)
    #0 0x7f7872382b14 in AsanCheckFailed
../../../../src/libsanitizer/asan/asan_rtl.cc:68
    #1 0x7f7872387573 in __sanitizer::CheckFailed(char const*, int,
char const*, unsigned long long, unsigned long long)
../../../../src/libsanitizer/sanitizer_common/sanitizer_common.cc:72
    #2 0x7f78723044a1 in __sanitizer::AllocatorReturnNull()
../../../../src/libsanitizer/sanitizer_common/sanitizer_allocator.cc:147
    #3 0x7f78723857f5 in __sanitizer::AllocatorReturnNull()
../../../../src/libsanitizer/sanitizer_common/sanitizer_allocator.cc:141
    #4 0x7f7872309b5d in Allocate
../../../../src/libsanitizer/asan/asan_allocator2.cc:298
    #5 0x7f787237be9f in operator new(unsigned long)
../../../../src/libsanitizer/asan/asan_new_delete.cc:60
    #6 0x7d05e7 in
__gnu_cxx::new_allocator<PoDoFo::PdfParser::TXRefEntry>::allocate(unsigned
long, void const*)
(/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x7d05e7)
    #7 0x7d00cd in
__gnu_cxx::__alloc_traits<std::allocator<PoDoFo::PdfParser::TXRefEntry>
>::allocate(std::allocator<PoDoFo::PdfParser::TXRefEntry>&, unsigned
long) 
(/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x7d00cd)
    #8 0x7cf661 in std::_Vector_base<PoDoFo::PdfParser::TXRefEntry,
std::allocator<PoDoFo::PdfParser::TXRefEntry> >::_M_allocate(unsigned
long) 
(/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x7cf661)
    #9 0x7ccf00 in std::vector<PoDoFo::PdfParser::TXRefEntry,
std::allocator<PoDoFo::PdfParser::TXRefEntry>
>::_M_fill_insert(__gnu_cxx::__normal_iterator<PoDoFo::PdfParser::TXRefEntry*,
std::vector<PoDoFo::PdfParser::TXRefEntry,
std::allocator<PoDoFo::PdfParser::TXRefEntry> > >, unsigned long,
PoDoFo::PdfParser::TXRefEntry const&)
(/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x7ccf00)
    #10 0x7ca5ef in std::vector<PoDoFo::PdfParser::TXRefEntry,
std::allocator<PoDoFo::PdfParser::TXRefEntry>
>::insert(__gnu_cxx::__normal_iterator<PoDoFo::PdfParser::TXRefEntry*,
std::vector<PoDoFo::PdfParser::TXRefEntry,
std::allocator<PoDoFo::PdfParser::TXRefEntry> > >, unsigned long,
PoDoFo::PdfParser::TXRefEntry const&)
(/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x7ca5ef)
    #11 0x7c93d4 in std::vector<PoDoFo::PdfParser::TXRefEntry,
std::allocator<PoDoFo::PdfParser::TXRefEntry> >::resize(unsigned long,
PoDoFo::PdfParser::TXRefEntry)
(/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x7c93d4)
    #12 0x7b3540 in PoDoFo::PdfParser::ReadXRefSubsection(long&,
long&) 
(/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x7b3540)
    #13 0x7b1cc8 in PoDoFo::PdfParser::ReadXRefContents(long, bool)
(/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x7b1cc8)
    #14 0x7a16ff in PoDoFo::PdfParser::ReadDocumentStructure()
(/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x7a16ff)
    #15 0x79de77 in
PoDoFo::PdfParser::ParseFile(PoDoFo::PdfRefCountedInputDevice const&,
bool) 
(/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x79de77)
    #16 0x79d566 in PoDoFo::PdfParser::ParseFile(char const*, bool)
(/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x79d566)
    #17 0x6418df in PoDoFo::PdfMemDocument::Load(char const*, bool)
(/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x6418df)
    #18 0x63b424 in PoDoFo::PdfMemDocument::PdfMemDocument(char
const*, bool) 
(/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x63b424)
    #19 0x4b9640 in ImageExtractor::Init(char const*, char const*,
int*) 
(/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x4b9640)
    #20 0x4c1e3e in main
(/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x4c1e3e)
    #21 0x7f786f096c04 in __libc_start_main (/lib64/libc.so.6+0x21c04)
    #22 0x4b8fe8
(/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x4b8fe8)

To reproduce the issue, compile PoDoFo with UBSAN
"-fsanitize=undefined" (note that the trace above was produced by an
AddressSanitizer build, so "-fsanitize=address" is what yields this exact
output), then execute: podofoimgextract $POC OUTPUT_DIR

The POC file can be downloaded from:

https://github.com/ProbeFuzzer/poc/blob/master/podofo/podofo_0-9-5_podofoimgextract_uncontrolled-memory-allocation_PdfParser-ReadXRefSubsection.pdf


Thanks,

ProbeFuzzer