Hi,
I tried to fuzz the program podofopdfinfo and got the following ASan report. I
also attach the PoC file.
I analyzed the crash report first and found that there seems to be a bug
in OutputInfoDict() in pdfinfo.cpp. The coding style is weird. In the
called function GetStringUtf8->InitUtf8 the buffer is allocated
based on lBufferLen, but in GetStringUtf8->InitUtf8->ConvertUTF16toUTF8 it
tries to make sure the buffer is 0-terminated by writing buffer[lBufferLen],
which is obviously an off-by-one overflow. And back in GetStringUtf8->InitUtf8 it
will first free the buffer and then return the buffer pointer to the output. It is
obviously a use-after-free.
So, I don't know if it is a "write" vulnerability to code like that or a
"real" bug? As I am researching vulnerabilities, I would appreciate
your reply.

Thank you.
Xiangkun Jia

**********************************************************************************
$ ./run_fuzz/target/podofopdfinfo/podofopdfinfo ./run_fuzz/output/crashes/id\:000000\,sig\:06\,src\:000000\,op\:arith8\,pos\:5364\,val\:-33

Document Info
-------------
File:
./run_fuzz/output/crashes/id:000000,sig:06,src:000000,op:arith8,pos:5364,val:-33
PDF Version: 1.5
Page Count: 2
Page Size: 612 x 792 pts

Fast Web View Enabled: No
Tagged: No
Encrypted: No
Printing Allowed: Yes
Modification Allowed: Yes
Copy&Paste Allowed: Yes
Add/Modify Annotations Allowed: Yes
Fill&Sign Allowed: Yes
Accessibility Allowed: Yes
Document Assembly Allowed: Yes
High Quality Print Allowed: Yes

Classic Metadata
----------------
=================================================================
==30227==ERROR: AddressSanitizer: heap-buffer-overflow on address
0xf440719e at pc 0x0820f5d0 bp 0xffffc848 sp 0xffffc83c
WRITE of size 1 at 0xf440719e thread T0
    #0 0x820f5cf in PoDoFo::PdfString::ConvertUTF16toUTF8(unsigned short
const*, int, unsigned char*, int, PoDoFo::EPdfStringConversion)
/home/ajia/git/podofo-0.9.6/src/base/PdfString.cpp:836:30
    #1 0x820e2f6 in PoDoFo::PdfString::InitUtf8()
/home/ajia/git/podofo-0.9.6/src/base/PdfString.cpp:626:26
    #2 0x81ab44b in PoDoFo::PdfString::GetStringUtf8[abi:cxx11]() const
/home/ajia/git/podofo-0.9.6/src/doc/../base/PdfString.h:501:39
    #3 0x81ab44b in PdfInfo::OutputInfoDict(std::ostream&)
/home/ajia/git/podofo-0.9.6/tools/podofopdfinfo/pdfinfo.cpp:62
    #4 0x81b8b20 in main
/home/ajia/git/podofo-0.9.6/tools/podofopdfinfo/podofopdfinfo.cpp:125:14
    #5 0xf7812636 in __libc_start_main
(/lib/i386-linux-gnu/libc.so.6+0x18636)
    #6 0x80a099d in _start
(/home/xxj56/git/experiment/podofo/run_fuzz/target/podofopdfinfo/podofopdfinfo+0x80a099d)

0xf440719e is located 0 bytes to the right of 62-byte region
[0xf4407160,0xf440719e)
allocated by thread T0 here:
    #0 0x8167584 in calloc
/home/ajia/git/llvm-6.0.0/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:204
    #1 0x842af9e in PoDoFo::podofo_calloc(unsigned int, unsigned int)
/home/ajia/git/podofo-0.9.6/src/base/PdfMemoryManagement.cpp:136:9
    #2 0x81ab44b in PoDoFo::PdfString::GetStringUtf8[abi:cxx11]() const
/home/ajia/git/podofo-0.9.6/src/doc/../base/PdfString.h:501:39
    #3 0x81ab44b in PdfInfo::OutputInfoDict(std::ostream&)
/home/ajia/git/podofo-0.9.6/tools/podofopdfinfo/pdfinfo.cpp:62
    #4 0x81b8b20 in main
/home/ajia/git/podofo-0.9.6/tools/podofopdfinfo/podofopdfinfo.cpp:125:14
    #5 0xf7812636 in __libc_start_main
(/lib/i386-linux-gnu/libc.so.6+0x18636)

SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/ajia/git/podofo-0.9.6/src/base/PdfString.cpp:836:30 in
PoDoFo::PdfString::ConvertUTF16toUTF8(unsigned short const*, int, unsigned
char*, int, PoDoFo::EPdfStringConversion)
Shadow bytes around the buggy address:
  0x3e880de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e880df0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e880e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e880e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e880e20: 00 00 00 00 00 00 04 fa fa fa fa fa 00 00 00 00
=>0x3e880e30: 00 00 00[06]fa fa fa fa 00 00 00 00 00 00 04 fa
  0x3e880e40: fa fa fa fa 00 00 00 00 00 00 04 fa fa fa fa fa
  0x3e880e50: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
  0x3e880e60: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fa
  0x3e880e70: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
  0x3e880e80: 00 00 00 00 00 00 04 fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==30227==ABORTING
****************************************************************************************
_______________________________________________
Podofo-users mailing list
Podofo-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/podofo-users
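The pattern the mail describes (size a heap buffer from the measured length, then store the terminator at buffer[length]) next to the hardened shape, as an added example. This is not PoDoFo's code and does not reproduce its API: the encoder utf16_to_utf8, the check terminator_fits and utf16_to_utf8_dup are hypothetical names written for this illustration, the encoder covers BMP code points only, and the 62-unit input is constructed to match the 62-byte region in the report. The buggy store itself is not performed (that would be undefined behaviour); the check shows why ASan reports it as a 1-byte write 0 bytes past the region.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/*
 * Hypothetical UTF-16 (BMP only, no surrogate pairs) to UTF-8 encoder.
 * Writes at most out_cap bytes into out (pass NULL, 0 to only measure) and
 * returns the number of bytes the full encoding needs, not counting a
 * terminator. It never writes past out_cap, so a too-small buffer is
 * reported by the return value instead of being overflowed.
 */
size_t utf16_to_utf8(const uint16_t *src, size_t n,
                     unsigned char *out, size_t out_cap)
{
    size_t needed = 0;
    for (size_t i = 0; i < n; i++) {
        uint16_t c = src[i];
        unsigned char enc[3];
        size_t k;
        if (c < 0x80) {
            enc[0] = (unsigned char)c;
            k = 1;
        } else if (c < 0x800) {
            enc[0] = (unsigned char)(0xC0 | (c >> 6));
            enc[1] = (unsigned char)(0x80 | (c & 0x3F));
            k = 2;
        } else {
            enc[0] = (unsigned char)(0xE0 | (c >> 12));
            enc[1] = (unsigned char)(0x80 | ((c >> 6) & 0x3F));
            enc[2] = (unsigned char)(0x80 | (c & 0x3F));
            k = 3;
        }
        if (out != NULL && needed + k <= out_cap)
            memcpy(out + needed, enc, k);
        needed += k;
    }
    return needed;
}

/*
 * Is buf[write_index] inside a region of alloc_len bytes?
 * The reported pattern sizes the region from the measured length
 * (alloc_len == content_len) and then stores the terminator at
 * buf[content_len]; this returns 0 for that case, i.e. the store lands
 * one byte past the end ("0 bytes to the right of 62-byte region").
 */
int terminator_fits(size_t alloc_len, size_t write_index)
{
    return write_index < alloc_len;
}

/*
 * Hardened shape: measure, allocate length + 1, encode, terminate at
 * [length], and hand the buffer to the caller, who owns and frees it.
 * Returns NULL on allocation failure; *out_len gets the length without NUL.
 */
unsigned char *utf16_to_utf8_dup(const uint16_t *src, size_t n, size_t *out_len)
{
    size_t len = utf16_to_utf8(src, n, NULL, 0);
    if (len == SIZE_MAX)
        return NULL;                          /* len + 1 would wrap */
    unsigned char *buf = calloc(len + 1, 1);  /* the +1 is the whole fix */
    if (buf == NULL)
        return NULL;
    utf16_to_utf8(src, n, buf, len + 1);
    buf[len] = 0;                             /* index len < len + 1: in bounds */
    if (out_len)
        *out_len = len;
    return buf;  /* caller frees; do not free here and return the dangling pointer */
}

int main(void)
{
    /* Constructed input: 62 UTF-16 code units, the region size from the report. */
    uint16_t title[62];
    for (size_t i = 0; i < 62; i++)
        title[i] = (uint16_t)('A' + i % 26);

    size_t len = utf16_to_utf8(title, 62, NULL, 0);
    printf("encoding needs %zu bytes\n", len);
    printf("terminator at [%zu] in a %zu-byte buffer: %s\n", len, len,
           terminator_fits(len, len) ? "fits" : "one past the end");
    printf("terminator at [%zu] in a %zu-byte buffer: %s\n", len, len + 1,
           terminator_fits(len + 1, len) ? "fits" : "one past the end");

    size_t out_len = 0;
    unsigned char *s = utf16_to_utf8_dup(title, 62, &out_len);
    if (s != NULL) {
        printf("%s (%zu bytes)\n", s, out_len);
        free(s);
    }
    return 0;
}
```

The same allocate-N, write-N+1 shape shows up with any "measure, then terminate" conversion, so the check to apply when reviewing such code is simply whether the index of the terminating store is strictly less than the allocation size, and whether the function that allocates the buffer is also the one that frees it or instead hands ownership to its caller.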