Hi, I'm Mike Zhang of Pangu Lab. It seems that the previous 2 mails were being held because my image size was too large, so I decreased the mail size and am sending it again. I found a heap buffer overflow problem in the PoDoFo::PdfEncryptAESV3::PdfEncryptAESV3 function when I was doing some fuzzing work. The following is this problem's report. So, I think I should send the bug report here.
Best wishes,
//+++++++++++++++++++++++++++++++++++++++
Vulnerability Report

Fuzzing target
rev 1981 under Ubuntu 16.04.3 LTS
fuzzing target: podofopdfinfo

Conclusion of this analysis
READ heap-buffer-overflow in PoDoFo::PdfEncryptAESV3::PdfEncryptAESV3

It allows an attacker to use a crafted pdf file to cause arbitrary code execution. To reproduce the crash, build with Asan. Without Asan, we can also see that the memcpy tries to copy 48 bytes from the 36-byte heap buffer, but it just does not trigger a crash.

https://1drv.ms/u/s!AtaOnjFXykCBgc6qYswU3sibAm0D7oE

crash log
=================================================================
==85573==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6040000028b4 at pc 0x000107a336df bp 0x7ffee90dec20 sp 0x7ffee90de3d0
READ of size 48 at 0x6040000028b4 thread T0
    #0 0x107a336de in __asan_memcpy (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x596de)
    #1 0x106bcde31 in PoDoFo::PdfEncryptAESV3::PdfEncryptAESV3(PoDoFo::PdfString, PoDoFo::PdfString, PoDoFo::PdfString, PoDoFo::PdfString, int, PoDoFo::PdfString) PdfEncrypt.cpp:1923
    #2 0x106bb50b4 in PoDoFo::PdfEncryptAESV3::PdfEncryptAESV3(PoDoFo::PdfString, PoDoFo::PdfString, PoDoFo::PdfString, PoDoFo::PdfString, int, PoDoFo::PdfString) PdfEncrypt.cpp:1914
    #3 0x106bb4092 in PoDoFo::PdfEncrypt::CreatePdfEncrypt(PoDoFo::PdfObject const*) PdfEncrypt.cpp:635
    #4 0x106c575b8 in PoDoFo::PdfParser::ReadObjects() PdfParser.cpp:1087
    #5 0x106c54a72 in PoDoFo::PdfParser::ParseFile(PoDoFo::PdfRefCountedInputDevice const&, bool) PdfParser.cpp:260
    #6 0x106c5380f in PoDoFo::PdfParser::ParseFile(char const*, bool) PdfParser.cpp:206
    #7 0x106edda8e in PoDoFo::PdfMemDocument::Load(char const*, bool) PdfMemDocument.cpp:256
    #8 0x106edd509 in PoDoFo::PdfMemDocument::PdfMemDocument(char const*, bool) PdfMemDocument.cpp:102
    #9 0x106eddc0b in PoDoFo::PdfMemDocument::PdfMemDocument(char const*, bool) PdfMemDocument.cpp:101
    #10 0x106b21fac in PdfInfo::PdfInfo(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) pdfinfo.cpp:25
    #11 0x106b2205c in PdfInfo::PdfInfo(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) pdfinfo.cpp:24
    #12 0x106b3c3ed in main podofopdfinfo.cpp:110
    #13 0x7fff76a713d4 in start (libdyld.dylib:x86_64+0x163d4)

0x6040000028b4 is located 0 bytes to the right of 36-byte region [0x604000002890,0x6040000028b4)
allocated by thread T0 here:
    #0 0x107a36597 in wrap_calloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x5c597)
    #1 0x106c31f77 in PoDoFo::podofo_calloc(unsigned long, unsigned long) PdfMemoryManagement.cpp:136
    #2 0x106c9cd1a in PoDoFo::PdfRefCountedBuffer::ReallyResize(unsigned long) PdfRefCountedBuffer.cpp:166
    #3 0x106cb18bd in PoDoFo::PdfRefCountedBuffer::Resize(unsigned long) PdfRefCountedBuffer.h:307
    #4 0x106cb61d6 in PoDoFo::PdfRefCountedBuffer::PdfRefCountedBuffer(unsigned long) PdfRefCountedBuffer.h:227
    #5 0x106caf66c in PoDoFo::PdfRefCountedBuffer::PdfRefCountedBuffer(unsigned long) PdfRefCountedBuffer.h:226
    #6 0x106cad261 in PoDoFo::PdfString::Init(char const*, long) PdfString.cpp:574
    #7 0x106cae928 in PoDoFo::PdfString::PdfString(char const*, long, bool, PoDoFo::PdfEncoding const*) PdfString.cpp:183
    #8 0x106caea0b in PoDoFo::PdfString::PdfString(char const*, long, bool, PoDoFo::PdfEncoding const*) PdfString.cpp:181
    #9 0x106cc2da2 in PoDoFo::PdfTokenizer::ReadString(PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) PdfTokenizer.cpp:813
    #10 0x106cbf7bc in PoDoFo::PdfTokenizer::ReadDataType(PoDoFo::EPdfDataType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) PdfTokenizer.cpp:567
    #11 0x106cc0859 in PoDoFo::PdfTokenizer::ReadDictionary(PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) PdfTokenizer.cpp:651
    #12 0x106cbf784 in PoDoFo::PdfTokenizer::ReadDataType(PoDoFo::EPdfDataType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) PdfTokenizer.cpp:561
    #13 0x106cc0859 in PoDoFo::PdfTokenizer::ReadDictionary(PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) PdfTokenizer.cpp:651
    #14 0x106cbf784 in PoDoFo::PdfTokenizer::ReadDataType(PoDoFo::EPdfDataType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) PdfTokenizer.cpp:561
    #15 0x106cbd8a5 in PoDoFo::PdfTokenizer::GetNextVariant(char const*, PoDoFo::EPdfTokenType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) PdfTokenizer.cpp:407
    #16 0x106c8ad16 in PoDoFo::PdfParserObject::ParseFileComplete(bool) PdfParserObject.cpp:204
    #17 0x106c8cd3a in PoDoFo::PdfParserObject::DelayedLoadImpl() PdfParserObject.cpp:371
    #18 0x106cd9be1 in PoDoFo::PdfVariant::DelayedLoad() const PdfVariant.h:560
    #19 0x106c8a596 in PoDoFo::PdfParserObject::ParseFile(PoDoFo::PdfEncrypt*, bool) PdfParserObject.cpp:154
    #20 0x106c59489 in PoDoFo::PdfParser::ReadTrailer() PdfParser.cpp:641
    #21 0x106c55ba0 in PoDoFo::PdfParser::ReadDocumentStructure() PdfParser.cpp:322
    #22 0x106c54a64 in PoDoFo::PdfParser::ParseFile(PoDoFo::PdfRefCountedInputDevice const&, bool) PdfParser.cpp:259
    #23 0x106c5380f in PoDoFo::PdfParser::ParseFile(char const*, bool) PdfParser.cpp:206
    #24 0x106edda8e in PoDoFo::PdfMemDocument::Load(char const*, bool) PdfMemDocument.cpp:256
    #25 0x106edd509 in PoDoFo::PdfMemDocument::PdfMemDocument(char const*, bool) PdfMemDocument.cpp:102
    #26 0x106eddc0b in PoDoFo::PdfMemDocument::PdfMemDocument(char const*, bool) PdfMemDocument.cpp:101
    #27 0x106b21fac in PdfInfo::PdfInfo(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) pdfinfo.cpp:25
    #28 0x106b2205c in PdfInfo::PdfInfo(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) pdfinfo.cpp:24
    #29 0x106b3c3ed in main podofopdfinfo.cpp:110

SUMMARY: AddressSanitizer: heap-buffer-overflow (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x596de) in __asan_memcpy
==85573==ABORTING
Abort trap: 6

void PdfParser::ParseFile( const PdfRefCountedInputDevice & rDevice, bool bLoadOnDemand )
{
    Clear();
    m_device = rDevice;
    m_bLoadOnDemand = bLoadOnDemand;
    try {
        if( !IsPdfFile() )
        {
            PODOFO_RAISE_ERROR( ePdfError_NoPdfFile );
        }
        ReadDocumentStructure();
        ReadObjects();

PdfEncrypt* PdfEncrypt::CreatePdfEncrypt( const PdfObject* pObject )
{
    try {
        uValue = pObject->GetDictionary().MustGetKey( PdfName("U") ).GetString();

#ifdef PODOFO_HAVE_LIBIDN
    else if( (lV == 5L) && (rValue == 5L) && PdfEncrypt::IsEncryptionEnabled( ePdfEncryptAlgorithm_AESV3 ) )
    {
        pdfEncrypt = new PdfEncryptAESV3(oValue, oeValue, uValue, ueValue, pValue, permsValue);
    }
#endif
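To show the defect class the report describes (a fixed 48-byte memcpy from a /U string that is only 36 bytes long) next to the check that prevents it, here is an added C++ example; it is my own illustration, not PoDoFo's code, the struct and function names are hypothetical, and the entry lengths are the ones ISO 32000-2 specifies for AESV3 (R=5).

```cpp
// Added example, not PoDoFo's code: the unchecked fixed-length copy behind
// the reported crash next to a length-validating replacement (names hypothetical).
#include <cstddef>
#include <cstring>
#include <string>

// Lengths the AESV3 (R=5) /Encrypt entries must have per ISO 32000-2.
const std::size_t kUOLen = 48, kUEOELen = 32, kPermsLen = 16;

struct AesV3Values {
    unsigned char u[kUOLen], o[kUOLen], ue[kUEOELen], oe[kUEOELen], perms[kPermsLen];
};

// Vulnerable pattern: copies a fixed count no matter how long the string from
// the file is. With a 36-byte /U this reads 12 bytes past the allocation (the
// "READ of size 48" from a 36-byte region in the ASan log). Shown only for
// contrast; never call it with a short string.
void copyUnchecked(AesV3Values& out, const std::string& u) {
    std::memcpy(out.u, u.data(), kUOLen);
}

// Hardened form: the entry must have exactly the expected length, and the
// check happens before any byte is copied.
bool copyChecked(unsigned char* dst, std::size_t want, const std::string& src) {
    if (src.size() != want) return false;
    std::memcpy(dst, src.data(), want);
    return true;
}

// Loads all five entries; any wrong-sized entry rejects the whole dictionary.
bool loadAesV3(AesV3Values& out, const std::string& u, const std::string& o,
               const std::string& ue, const std::string& oe,
               const std::string& perms) {
    return copyChecked(out.u, kUOLen, u) && copyChecked(out.o, kUOLen, o) &&
           copyChecked(out.ue, kUEOELen, ue) && copyChecked(out.oe, kUEOELen, oe) &&
           copyChecked(out.perms, kPermsLen, perms);
}

// Constructed inputs: a well-formed dictionary, and one whose /U is the
// 36 bytes seen in the report.
bool demoWellFormed() {
    AesV3Values v;
    return loadAesV3(v, std::string(48, 'u'), std::string(48, 'o'),
                     std::string(32, 'e'), std::string(32, 'f'), std::string(16, 'p'));
}
bool demoShortU() {
    AesV3Values v;
    return loadAesV3(v, std::string(36, 'u'), std::string(48, 'o'),
                     std::string(32, 'e'), std::string(32, 'f'), std::string(16, 'p'));
}
```

With the checked loader the short /U is rejected before any copy, so the same input that overreads in the unchecked version produces a parse error instead.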