On Fri, 2018-01-26 at 07:34 +0100, zyx wrote:
> I see. It looks like I did something wrong when testing the change.
> When trying once again now I can confirm what you see, the change
> does
> fix the CVE. I do not know what I did wrong the last time, I'm sorry
> about that.
>
> I committed the patch as revision 1872:
> http://sourceforge.net/p/podofo/code/1872
Hi,
I reverted the main part of the above change, because it causes
use-after-free in test/unit/podofo-test, more details below. I left
most of the (more or less unrelated) changes of the above change also
due to conflicting changes in the sources which happened meanwhile.
That means that CVE-2017-8054 is not fixed since revision 1881:
http://sourceforge.net/p/podofo/code/1881
Bye,
zyx
P.S.: the reported use-after-free was due to rVal holding the array it
had been freeing inside the operator=(). Info from Address Sanitizer:
==9812==ERROR: AddressSanitizer: heap-use-after-free on address 0x606000e23ca0
at pc 0x7f53c345914a bp 0x7ffeb1f284c0 sp 0x7ffeb1f284b0
READ of size 8 at 0x606000e23ca0 thread T0
#0 0x7f53c3459149 in PoDoFo::PdfVariant::operator=(PoDoFo::PdfVariant
const&) ..../src/base/PdfVariant.cpp:346
#1 0x7f53c37d8c91 in PoDoFo::PdfPagesTree::GetPageNodeFromArray(int,
PoDoFo::PdfArray const&, std::deque<PoDoFo::PdfObject*,
std::allocator<PoDoFo::PdfObject*> >&) ..../src/doc/PdfPagesTree.cpp:491
#2 0x7f53c37d5903 in PoDoFo::PdfPagesTree::GetPageNode(int,
PoDoFo::PdfObject*, std::deque<PoDoFo::PdfObject*,
std::allocator<PoDoFo::PdfObject*> >&) ..../src/doc/PdfPagesTree.cpp:354
#3 0x7f53c37d424a in PoDoFo::PdfPagesTree::DeletePage(int)
..../src/doc/PdfPagesTree.cpp:282
#4 0x717d3e in PagesTreeTest::testDeleteAll(PoDoFo::PdfMemDocument&)
..../test/unit/PagesTreeTest.cpp:306
#5 0x7171c7 in PagesTreeTest::testDeleteAllCustom()
..../test/unit/PagesTreeTest.cpp:290
#6 0x726e00 in void std::__invoke_impl<void, void (PagesTreeTest::*&)(),
PagesTreeTest*&>(std::__invoke_memfun_deref, void (PagesTreeTest::*&)(),
PagesTreeTest*&) /usr/include/c++/7/bits/invoke.h:73
#7 0x7269e7 in std::__invoke_result<void (PagesTreeTest::*&)(),
PagesTreeTest*&>::type std::__invoke<void (PagesTreeTest::*&)(),
PagesTreeTest*&>(void (PagesTreeTest::*&)(), PagesTreeTest*&)
/usr/include/c++/7/bits/invoke.h:95
#8 0x72669f in void std::_Bind<void
(PagesTreeTest::*(PagesTreeTest*))()>::__call<void, , 0ul>(std::tuple<>&&,
std::_Index_tuple<0ul>) /usr/include/c++/7/functional:467
#9 0x72605f in void std::_Bind<void
(PagesTreeTest::*(PagesTreeTest*))()>::operator()<, void>()
/usr/include/c++/7/functional:551
#10 0x725482 in std::_Function_handler<void (), std::_Bind<void
(PagesTreeTest::*(PagesTreeTest*))()> >::_M_invoke(std::_Any_data const&)
/usr/include/c++/7/bits/std_function.h:316
#11 0x65cadc in std::function<void ()>::operator()() const
/usr/include/c++/7/bits/std_function.h:706
#12 0x727d83 in CppUnit::TestCaller<PagesTreeTest>::runTest()
/usr/include/cppunit/TestCaller.h:175
#13 0x7f53c0d14531 in CppUnit::TestCaseMethodFunctor::operator()() const
(/lib64/libcppunit-1.14.so.0+0x24531)
#14 0x7f53c0d0adf0 in CppUnit::DefaultProtector::protect(CppUnit::Functor
const&, CppUnit::ProtectorContext const&) (/lib64/libcppunit-1.14.so.0+0x1adf0)
#15 0x7f53c0d11834 in CppUnit::ProtectorChain::protect(CppUnit::Functor
const&, CppUnit::ProtectorContext const&) (/lib64/libcppunit-1.14.so.0+0x21834)
#16 0x7f53c0d1a18c in CppUnit::TestResult::protect(CppUnit::Functor const&,
CppUnit::Test*, std::__cxx11::basic_string<char, std::char_traits<char>,
std::allocator<char> > const&) (/lib64/libcppunit-1.14.so.0+0x2a18c)
#17 0x7f53c0d14364 in CppUnit::TestCase::run(CppUnit::TestResult*)
(/lib64/libcppunit-1.14.so.0+0x24364)
#18 0x7f53c0d14852 in
CppUnit::TestComposite::doRunChildTests(CppUnit::TestResult*)
(/lib64/libcppunit-1.14.so.0+0x24852)
#19 0x7f53c0d1475d in CppUnit::TestComposite::run(CppUnit::TestResult*)
(/lib64/libcppunit-1.14.so.0+0x2475d)
#20 0x7f53c0d14852 in
CppUnit::TestComposite::doRunChildTests(CppUnit::TestResult*)
(/lib64/libcppunit-1.14.so.0+0x24852)
#21 0x7f53c0d1475d in CppUnit::TestComposite::run(CppUnit::TestResult*)
(/lib64/libcppunit-1.14.so.0+0x2475d)
#22 0x7f53c0d1a0c1 in CppUnit::TestResult::runTest(CppUnit::Test*)
(/lib64/libcppunit-1.14.so.0+0x2a0c1)
#23 0x7f53c0d1ca2d in CppUnit::TestRunner::run(CppUnit::TestResult&,
std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >
const&) (/lib64/libcppunit-1.14.so.0+0x2ca2d)
#24 0x7f53c0d1e73f in
CppUnit::TextTestRunner::run(std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> >, bool, bool, bool)
(/lib64/libcppunit-1.14.so.0+0x2e73f)
#25 0x45edaa in main ..../test/unit/main.cpp:100
#26 0x7f53c003a039 in __libc_start_main (/lib64/libc.so.6+0x21039)
#27 0x45d7a9 in _start (..../build/test/unit/podofo-test+0x45d7a9)
0x606000e23ca0 is located 0 bytes inside of 56-byte region
[0x606000e23ca0,0x606000e23cd8)
freed by thread T0 here:
#0 0x7f53c5d39fd0 in operator delete(void*)
(/usr/lib64/libasan.so.4+0xe0fd0)
#1 0x6ad31c in
__gnu_cxx::new_allocator<PoDoFo::PdfObject>::deallocate(PoDoFo::PdfObject*,
unsigned long) /usr/include/c++/7/ext/new_allocator.h:125
#2 0x6aa735 in std::allocator_traits<std::allocator<PoDoFo::PdfObject>
>::deallocate(std::allocator<PoDoFo::PdfObject>&, PoDoFo::PdfObject*, unsigned
long) /usr/include/c++/7/bits/alloc_traits.h:462
#3 0x6a8b35 in std::_Vector_base<PoDoFo::PdfObject,
std::allocator<PoDoFo::PdfObject> >::_M_deallocate(PoDoFo::PdfObject*, unsigned
long) /usr/include/c++/7/bits/stl_vector.h:180
#4 0x7f53c3248109 in std::_Vector_base<PoDoFo::PdfObject,
std::allocator<PoDoFo::PdfObject> >::~_Vector_base()
(..../build/src/libpodofo.so.0.9.6+0xbcd109)
#5 0x7f53c3245889 in std::vector<PoDoFo::PdfObject,
std::allocator<PoDoFo::PdfObject> >::~vector()
(..../build/src/libpodofo.so.0.9.6+0xbca889)
#6 0x7f53c323d481 in PoDoFo::PdfArray::~PdfArray()
..../src/base/PdfArray.cpp:48
#7 0x7f53c323d4d8 in PoDoFo::PdfArray::~PdfArray()
..../src/base/PdfArray.cpp:50
#8 0x7f53c3454c4f in PoDoFo::PdfVariant::Clear()
..../src/base/PdfVariant.cpp:190
#9 0x7f53c34590de in PoDoFo::PdfVariant::operator=(PoDoFo::PdfVariant
const&) ..../src/base/PdfVariant.cpp:344
#10 0x7f53c37d8c91 in PoDoFo::PdfPagesTree::GetPageNodeFromArray(int,
PoDoFo::PdfArray const&, std::deque<PoDoFo::PdfObject*,
std::allocator<PoDoFo::PdfObject*> >&) ..../src/doc/PdfPagesTree.cpp:491
#11 0x7f53c37d5903 in PoDoFo::PdfPagesTree::GetPageNode(int,
PoDoFo::PdfObject*, std::deque<PoDoFo::PdfObject*,
std::allocator<PoDoFo::PdfObject*> >&) ..../src/doc/PdfPagesTree.cpp:354
#12 0x7f53c37d424a in PoDoFo::PdfPagesTree::DeletePage(int)
..../src/doc/PdfPagesTree.cpp:282
#13 0x717d3e in PagesTreeTest::testDeleteAll(PoDoFo::PdfMemDocument&)
..../test/unit/PagesTreeTest.cpp:306
#14 0x7171c7 in PagesTreeTest::testDeleteAllCustom()
..../test/unit/PagesTreeTest.cpp:290
#15 0x726e00 in void std::__invoke_impl<void, void (PagesTreeTest::*&)(),
PagesTreeTest*&>(std::__invoke_memfun_deref, void (PagesTreeTest::*&)(),
PagesTreeTest*&) /usr/include/c++/7/bits/invoke.h:73
#16 0x7269e7 in std::__invoke_result<void (PagesTreeTest::*&)(),
PagesTreeTest*&>::type std::__invoke<void (PagesTreeTest::*&)(),
PagesTreeTest*&>(void (PagesTreeTest::*&)(), PagesTreeTest*&)
/usr/include/c++/7/bits/invoke.h:95
#17 0x72669f in void std::_Bind<void
(PagesTreeTest::*(PagesTreeTest*))()>::__call<void, , 0ul>(std::tuple<>&&,
std::_Index_tuple<0ul>) /usr/include/c++/7/functional:467
#18 0x72605f in void std::_Bind<void
(PagesTreeTest::*(PagesTreeTest*))()>::operator()<, void>()
/usr/include/c++/7/functional:551
#19 0x725482 in std::_Function_handler<void (), std::_Bind<void
(PagesTreeTest::*(PagesTreeTest*))()> >::_M_invoke(std::_Any_data const&)
/usr/include/c++/7/bits/std_function.h:316
#20 0x65cadc in std::function<void ()>::operator()() const
/usr/include/c++/7/bits/std_function.h:706
#21 0x727d83 in CppUnit::TestCaller<PagesTreeTest>::runTest()
/usr/include/cppunit/TestCaller.h:175
#22 0x7f53c0d14531 in CppUnit::TestCaseMethodFunctor::operator()() const
(/lib64/libcppunit-1.14.so.0+0x24531)
#23 0x60b00000003f (<unknown module>)
previously allocated by thread T0 here:
#0 0x7f53c5d39158 in operator new(unsigned long)
(/usr/lib64/libasan.so.4+0xe0158)
#1 0x6adc9b in
__gnu_cxx::new_allocator<PoDoFo::PdfObject>::allocate(unsigned long, void
const*) /usr/include/c++/7/ext/new_allocator.h:111
#2 0x6ad070 in std::allocator_traits<std::allocator<PoDoFo::PdfObject>
>::allocate(std::allocator<PoDoFo::PdfObject>&, unsigned long)
/usr/include/c++/7/bits/alloc_traits.h:436
#3 0x6aa569 in std::_Vector_base<PoDoFo::PdfObject,
std::allocator<PoDoFo::PdfObject> >::_M_allocate(unsigned long)
/usr/include/c++/7/bits/stl_vector.h:172
#4 0x7f53c3249073 in std::_Vector_base<PoDoFo::PdfObject,
std::allocator<PoDoFo::PdfObject> >::_M_create_storage(unsigned long)
/usr/include/c++/7/bits/stl_vector.h:187
#5 0x7f53c3247f63 in std::_Vector_base<PoDoFo::PdfObject,
std::allocator<PoDoFo::PdfObject> >::_Vector_base(unsigned long,
std::allocator<PoDoFo::PdfObject> const&)
(..../build/src/libpodofo.so.0.9.6+0xbccf63)
#6 0x7f53c32454e4 in std::vector<PoDoFo::PdfObject,
std::allocator<PoDoFo::PdfObject> >::vector(std::vector<PoDoFo::PdfObject,
std::allocator<PoDoFo::PdfObject> > const&)
(..../build/src/libpodofo.so.0.9.6+0xbca4e4)
#7 0x7f53c323daa0 in PoDoFo::PdfArray::PdfArray(PoDoFo::PdfArray const&)
..../src/base/PdfArray.cpp:59
#8 0x7f53c3459c21 in PoDoFo::PdfVariant::operator=(PoDoFo::PdfVariant
const&) ..../src/base/PdfVariant.cpp:355
#9 0x7f53c37da757 in PoDoFo::PdfPagesTree::GetPageNodeFromArray(int,
PoDoFo::PdfArray const&, std::deque<PoDoFo::PdfObject*,
std::allocator<PoDoFo::PdfObject*> >&) ..../src/doc/PdfPagesTree.cpp:529
#10 0x7f53c37d5903 in PoDoFo::PdfPagesTree::GetPageNode(int,
PoDoFo::PdfObject*, std::deque<PoDoFo::PdfObject*,
std::allocator<PoDoFo::PdfObject*> >&) ..../src/doc/PdfPagesTree.cpp:354
#11 0x7f53c37d424a in PoDoFo::PdfPagesTree::DeletePage(int)
..../src/doc/PdfPagesTree.cpp:282
#12 0x717d3e in PagesTreeTest::testDeleteAll(PoDoFo::PdfMemDocument&)
..../test/unit/PagesTreeTest.cpp:306
#13 0x7171c7 in PagesTreeTest::testDeleteAllCustom()
..../test/unit/PagesTreeTest.cpp:290
#14 0x726e00 in void std::__invoke_impl<void, void (PagesTreeTest::*&)(),
PagesTreeTest*&>(std::__invoke_memfun_deref, void (PagesTreeTest::*&)(),
PagesTreeTest*&) /usr/include/c++/7/bits/invoke.h:73
#15 0x7269e7 in std::__invoke_result<void (PagesTreeTest::*&)(),
PagesTreeTest*&>::type std::__invoke<void (PagesTreeTest::*&)(),
PagesTreeTest*&>(void (PagesTreeTest::*&)(), PagesTreeTest*&)
/usr/include/c++/7/bits/invoke.h:95
#16 0x72669f in void std::_Bind<void
(PagesTreeTest::*(PagesTreeTest*))()>::__call<void, , 0ul>(std::tuple<>&&,
std::_Index_tuple<0ul>) /usr/include/c++/7/functional:467
#17 0x72605f in void std::_Bind<void
(PagesTreeTest::*(PagesTreeTest*))()>::operator()<, void>()
/usr/include/c++/7/functional:551
#18 0x725482 in std::_Function_handler<void (), std::_Bind<void
(PagesTreeTest::*(PagesTreeTest*))()> >::_M_invoke(std::_Any_data const&)
/usr/include/c++/7/bits/std_function.h:316
#19 0x65cadc in std::function<void ()>::operator()() const
/usr/include/c++/7/bits/std_function.h:706
#20 0x727d83 in CppUnit::TestCaller<PagesTreeTest>::runTest()
/usr/include/cppunit/TestCaller.h:175
#21 0x7f53c0d14531 in CppUnit::TestCaseMethodFunctor::operator()() const
(/lib64/libcppunit-1.14.so.0+0x24531)
#22 0x60b00000003f (<unknown module>)
SUMMARY: AddressSanitizer: heap-use-after-free ..../src/base/PdfVariant.cpp:346
in PoDoFo::PdfVariant::operator=(PoDoFo::PdfVariant const&)
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Podofo-users mailing list
Podofo-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/podofo-users
