[Podofo-users] Uncontrolled memory allocation in PdfParser::ReadXRefSubsection (src/base/PdfParser.cpp)

2018-01-06 Thread Probe Fuzzer
Hello,
We found that on 0.9.5 (the latest version) of PoDoFo, there is a
memory malloc failure in the PdfParser::ReadXRefSubsection function
(src/base/PdfParser.cpp),
which can cause denial of service via a crafted PDF file.

==112205==AddressSanitizer's allocator is terminating the process instead of returning 0
==112205==If you don't like this behavior set allocator_may_return_null=1
==112205==AddressSanitizer CHECK failed: ../../../../src/libsanitizer/sanitizer_common/sanitizer_allocator.cc:147 "((0)) != (0)" (0x0, 0x0)
#0 0x7f7872382b14 in AsanCheckFailed ../../../../src/libsanitizer/asan/asan_rtl.cc:68
#1 0x7f7872387573 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) ../../../../src/libsanitizer/sanitizer_common/sanitizer_common.cc:72
#2 0x7f78723044a1 in __sanitizer::AllocatorReturnNull() ../../../../src/libsanitizer/sanitizer_common/sanitizer_allocator.cc:147
#3 0x7f78723857f5 in __sanitizer::AllocatorReturnNull() ../../../../src/libsanitizer/sanitizer_common/sanitizer_allocator.cc:141
#4 0x7f7872309b5d in Allocate ../../../../src/libsanitizer/asan/asan_allocator2.cc:298
#5 0x7f787237be9f in operator new(unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cc:60
#6 0x7d05e7 in __gnu_cxx::new_allocator::allocate(unsigned long, void const*) (/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x7d05e7)
#7 0x7d00cd in __gnu_cxx::__alloc_traits >::allocate(std::allocator&, unsigned long) (/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x7d00cd)
#8 0x7cf661 in std::_Vector_base >::_M_allocate(unsigned long) (/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x7cf661)
#9 0x7ccf00 in std::vector >::_M_fill_insert(__gnu_cxx::__normal_iterator > >, unsigned long, PoDoFo::PdfParser::TXRefEntry const&) (/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x7ccf00)
#10 0x7ca5ef in std::vector >::insert(__gnu_cxx::__normal_iterator > >, unsigned long, PoDoFo::PdfParser::TXRefEntry const&) (/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x7ca5ef)
#11 0x7c93d4 in std::vector >::resize(unsigned long, PoDoFo::PdfParser::TXRefEntry) (/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x7c93d4)
#12 0x7b3540 in PoDoFo::PdfParser::ReadXRefSubsection(long&, long&) (/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x7b3540)
#13 0x7b1cc8 in PoDoFo::PdfParser::ReadXRefContents(long, bool) (/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x7b1cc8)
#14 0x7a16ff in PoDoFo::PdfParser::ReadDocumentStructure() (/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x7a16ff)
#15 0x79de77 in PoDoFo::PdfParser::ParseFile(PoDoFo::PdfRefCountedInputDevice const&, bool) (/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x79de77)
#16 0x79d566 in PoDoFo::PdfParser::ParseFile(char const*, bool) (/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x79d566)
#17 0x6418df in PoDoFo::PdfMemDocument::Load(char const*, bool) (/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x6418df)
#18 0x63b424 in PoDoFo::PdfMemDocument::PdfMemDocument(char const*, bool) (/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x63b424)
#19 0x4b9640 in ImageExtractor::Init(char const*, char const*, int*) (/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x4b9640)
#20 0x4c1e3e in main (/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x4c1e3e)
#21 0x7f786f096c04 in __libc_start_main (/lib64/libc.so.6+0x21c04)
#22 0x4b8fe8 (/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x4b8fe8)

To reproduce the issue, compile PoDoFo with UBSAN
"-fsanitize=undefined", then execute: podofoimgextract $POC OUTPUT_DIR

The POC file can be downloaded from:

https://github.com/ProbeFuzzer/poc/blob/master/podofo/podofo_0-9-5_podofoimgextract_uncontrolled-memory-allocation_PdfParser-ReadXRefSubsection.pdf


Thanks,

ProbeFuzzer
--
Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Podofo-users mailing list
Podofo-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/podofo-users
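The trace above ends in std::vector::resize() called from ReadXRefSubsection, i.e. the entry count read from the xref subsection header is used directly as an allocation size. The following is an added example, written for this thread and not PoDoFo's own code, of how a parser can bound that count before growing the table: the header is parsed as "<first> <count>", and the vector is resized only if first + count cannot overflow, stays within the PDF 1.7 Annex C object limit, and the file actually has enough bytes left to hold count fixed-width 20-byte entries. All names here (XRefEntry, parseSubsectionHeader, safeResizeForSubsection, the constants) are assumptions made for the example.

```cpp
#include <cerrno>
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <string>
#include <vector>

// Illustrative model (constructed for this example, not PoDoFo's code) of a
// classic xref subsection: a header line "<first> <count>" followed by
// count fixed-width 20-byte entries. The allocation in the report comes
// from resizing the entry vector to a count read straight from the file.
struct XRefEntry {
    int64_t offset = 0;
    int64_t generation = 0;
    char type = 'f';
};

constexpr uint64_t kXRefEntryBytes = 20;      // fixed entry width in a classic xref table
constexpr int64_t kMaxObjectCount = 8388607;  // PDF 1.7 Annex C implementation limit (2^23 - 1)

// Parses "<first> <count>"; rejects non-numeric, negative or missing fields.
bool parseSubsectionHeader(const std::string& line, int64_t& first, int64_t& count) {
    const char* start = line.c_str();
    char* end = nullptr;
    errno = 0;
    long long f = std::strtoll(start, &end, 10);
    if (errno != 0 || end == start || f < 0) return false;
    const char* second = end;
    long long c = std::strtoll(second, &end, 10);
    if (errno != 0 || end == second || c < 0) return false;
    first = f;
    count = c;
    return true;
}

// Grows the table only after proving the subsection can exist: no signed
// overflow in first + count, total within the spec's object limit, and
// enough bytes left in the file to hold count entries of 20 bytes each.
// Returns false (without allocating) for any count that fails those checks.
bool safeResizeForSubsection(std::vector<XRefEntry>& table,
                             int64_t first, int64_t count,
                             uint64_t bytesRemainingInFile) {
    if (first < 0 || count < 0) return false;
    if (count > kMaxObjectCount || first > kMaxObjectCount - count) return false;
    if (static_cast<uint64_t>(count) > bytesRemainingInFile / kXRefEntryBytes) return false;
    const size_t needed = static_cast<size_t>(first + count);
    if (table.size() < needed) table.resize(needed);
    return true;
}
```

The file-size check is the one that matters most against fuzzed input: a subsection claiming millions of entries in a file of a few kilobytes is rejected before any allocation, so the allocator never sees the oversized request and the process does not abort.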


Re: [Podofo-users] (no subject)

2018-01-06 Thread Fryderyk Staszek
In case of "Á" char, it was my mistake, sorry. I will check Cyrillic
chars if there will be such possibility.



2018-01-06 19:41 GMT+01:00 Fryderyk Staszek :
> Hi, I asked you once for help with reading Polish chars. You helped me
> a lot with this:
> https://sourceforge.net/p/podofo/mailman/message/35654027/
> It works excellent with Polish chars, but it doesn't see some more,
> such as "Á", it's Czech char probably. I noticed it doesn't read
> Cyrillic chars as well. Is there something I can do to make it read all
> chars?
>
>
> --
> Pozdrawiam (Best regards),
> Fryderyk
>



-- 
Pozdrawiam (Best regards),
Fryderyk



[Podofo-users] (no subject)

2018-01-06 Thread Fryderyk Staszek
Hi, I asked you once for help with reading Polish chars. You helped me
a lot with this:
https://sourceforge.net/p/podofo/mailman/message/35654027/
It works excellent with Polish chars, but it doesn't see some more,
such as "Á", it's Czech char probably. I noticed it doesn't read
Cyrillic chars as well. Is there something I can do to make it read all
chars?


-- 
Pozdrawiam (Best regards),
Fryderyk



[Podofo-users] Integer Overflow in PdfXRefStreamParserObject::ParseStream

2018-01-06 Thread Probe Fuzzer
Hello,
We found that on the latest version of PoDoFo (RELEASE_0.9.5_rc1), there is an
integer overflow in the PdfXRefStreamParserObject::ParseStream function
(src/base/PdfXRefStreamParserObject.cpp), which can cause denial of service
via a crafted PDF file.

src/src/base/PdfXRefStreamParserObject.cpp:125:64: runtime error: signed integer overflow: 3 + 9223372036854775807 cannot be represented in type 'long int [3]'

To reproduce the issue, compile PoDoFo with UBSAN "-fsanitize=undefined",
then execute: podofoimgextract $POC OUTPUT_DIR

The POC file can be downloaded from:
https://github.com/ProbeFuzzer/poc/blob/master/podofo/podofo_0-9-5-rc1_podofoimgextract_integer-overflow_PdfXRefStreamParserObject-ParseStream.pdf


Thanks,

ProbeFuzzer
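The UBSAN message in this report shows a signed 64-bit addition of 3 and 9223372036854775807 (INT64_MAX), i.e. three per-entry field widths from an xref stream being summed when one of them is attacker-controlled. The following is an added example, written for this thread and not PoDoFo's own code, of how the widths can be validated before they are summed: each width is rejected if negative or wider than an int64 can hold, the sum is done with an overflow-checked add, and the resulting row size is then checked against the decoded stream length before any entry is read. The names (checkedAdd, xrefStreamRowWidth, xrefStreamFits, kMaxFieldWidth) and the width cap of 8 bytes are assumptions made for the example.

```cpp
#include <cstdint>
#include <limits>
#include <vector>

// Illustrative model (constructed for this example, not PoDoFo's code) of
// validating the three widths of an xref stream's field array. The report's
// UBSAN output shows the widths being summed in a signed 64-bit type with one
// value near INT64_MAX; this version refuses to sum before checking.
constexpr int64_t kMaxFieldWidth = 8;  // a field wider than 8 bytes cannot fit an int64 anyway

// Overflow-safe signed addition: returns false instead of wrapping / invoking UB.
bool checkedAdd(int64_t a, int64_t b, int64_t& out) {
    if ((b > 0 && a > std::numeric_limits<int64_t>::max() - b) ||
        (b < 0 && a < std::numeric_limits<int64_t>::min() - b)) {
        return false;
    }
    out = a + b;
    return true;
}

// Computes the byte length of one xref-stream row from the three field widths,
// or returns false when the array is malformed (wrong length, negative,
// oversized, or overflowing when summed).
bool xrefStreamRowWidth(const std::vector<int64_t>& widths, int64_t& rowBytes) {
    if (widths.size() != 3) return false;
    int64_t total = 0;
    for (int64_t width : widths) {
        if (width < 0 || width > kMaxFieldWidth) return false;
        if (!checkedAdd(total, width, total)) return false;  // defense in depth behind the cap
    }
    if (total == 0) return false;  // a zero-byte row cannot encode anything
    rowBytes = total;
    return true;
}

// Checks that decodedLength bytes of stream data actually hold entryCount rows,
// again without letting rowBytes * entryCount overflow.
bool xrefStreamFits(int64_t rowBytes, int64_t entryCount, int64_t decodedLength) {
    if (rowBytes <= 0 || entryCount < 0 || decodedLength < 0) return false;
    if (entryCount > std::numeric_limits<int64_t>::max() / rowBytes) return false;
    return rowBytes * entryCount <= decodedLength;
}
```

With the per-field cap in place the checked add can never actually fail for a well-formed array, but keeping it means the code stays correct even if the cap is later raised; the point is that no arithmetic on a file-supplied value happens until that value has been range-checked.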