[Podofo-users] Integer Overflow in PdfXRefStreamParserObject::ParseStream

2018-01-06 Thread Probe Fuzzer
Hello,
We found that on the latest version of PoDoFo (RELEASE_0.9.5_rc1), there is an
integer overflow in the PdfXRefStreamParserObject::ParseStream function
(src/base/PdfXRefStreamParserObject.cpp), which can cause a denial of service
via a crafted PDF file.

src/src/base/PdfXRefStreamParserObject.cpp:125:64: runtime error: signed
integer overflow: 3 + 9223372036854775807 cannot be represented in type
'long int [3]'

To reproduce the issue, compile PoDoFo with UBSAN "-fsanitize=undefined",
then execute: podofoimgextract $POC OUTPUT_DIR

The POC file can be downloaded from:
https://github.com/ProbeFuzzer/poc/blob/master/podofo/podofo_0-9-5-rc1_podofoimgextract_integer-overflow_PdfXRefStreamParserObject-ParseStream.pdf


Thanks,

ProbeFuzzer
--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot___
Podofo-users mailing list
Podofo-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/podofo-users


[Podofo-users] Uncontrolled memory allocation in PdfParser::ReadXRefSubsection (src/base/PdfParser.cpp)

2018-01-06 Thread Probe Fuzzer
Hello,
We found that on 0.9.5 (the latest version) of PoDoFo, there is a
memory malloc failure in the PdfParser::ReadXRefSubsection function
(src/base/PdfParser.cpp), which can cause a denial of service via a crafted
PDF file.

==112205==AddressSanitizer's allocator is terminating the process
instead of returning 0
==112205==If you don't like this behavior set allocator_may_return_null=1
==112205==AddressSanitizer CHECK failed:
../../../../src/libsanitizer/sanitizer_common/sanitizer_allocator.cc:147
"((0)) != (0)" (0x0, 0x0)
#0 0x7f7872382b14 in AsanCheckFailed
../../../../src/libsanitizer/asan/asan_rtl.cc:68
#1 0x7f7872387573 in __sanitizer::CheckFailed(char const*, int,
char const*, unsigned long long, unsigned long long)
../../../../src/libsanitizer/sanitizer_common/sanitizer_common.cc:72
#2 0x7f78723044a1 in __sanitizer::AllocatorReturnNull()
../../../../src/libsanitizer/sanitizer_common/sanitizer_allocator.cc:147
#3 0x7f78723857f5 in __sanitizer::AllocatorReturnNull()
../../../../src/libsanitizer/sanitizer_common/sanitizer_allocator.cc:141
#4 0x7f7872309b5d in Allocate
../../../../src/libsanitizer/asan/asan_allocator2.cc:298
#5 0x7f787237be9f in operator new(unsigned long)
../../../../src/libsanitizer/asan/asan_new_delete.cc:60
#6 0x7d05e7 in
__gnu_cxx::new_allocator::allocate(unsigned
long, void const*)
(/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x7d05e7)
#7 0x7d00cd in
__gnu_cxx::__alloc_traits
>::allocate(std::allocator&, unsigned
long) 
(/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x7d00cd)
#8 0x7cf661 in std::_Vector_base >::_M_allocate(unsigned
long) 
(/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x7cf661)
#9 0x7ccf00 in std::vector
>::_M_fill_insert(__gnu_cxx::__normal_iterator > >, unsigned long,
PoDoFo::PdfParser::TXRefEntry const&)
(/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x7ccf00)
#10 0x7ca5ef in std::vector
>::insert(__gnu_cxx::__normal_iterator > >, unsigned long,
PoDoFo::PdfParser::TXRefEntry const&)
(/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x7ca5ef)
#11 0x7c93d4 in std::vector >::resize(unsigned long,
PoDoFo::PdfParser::TXRefEntry)
(/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x7c93d4)
#12 0x7b3540 in PoDoFo::PdfParser::ReadXRefSubsection(long&,
long&) 
(/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x7b3540)
#13 0x7b1cc8 in PoDoFo::PdfParser::ReadXRefContents(long, bool)
(/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x7b1cc8)
#14 0x7a16ff in PoDoFo::PdfParser::ReadDocumentStructure()
(/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x7a16ff)
#15 0x79de77 in
PoDoFo::PdfParser::ParseFile(PoDoFo::PdfRefCountedInputDevice const&,
bool) 
(/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x79de77)
#16 0x79d566 in PoDoFo::PdfParser::ParseFile(char const*, bool)
(/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x79d566)
#17 0x6418df in PoDoFo::PdfMemDocument::Load(char const*, bool)
(/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x6418df)
#18 0x63b424 in PoDoFo::PdfMemDocument::PdfMemDocument(char
const*, bool) 
(/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x63b424)
#19 0x4b9640 in ImageExtractor::Init(char const*, char const*,
int*) 
(/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x4b9640)
#20 0x4c1e3e in main
(/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x4c1e3e)
#21 0x7f786f096c04 in __libc_start_main (/lib64/libc.so.6+0x21c04)
#22 0x4b8fe8
(/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x4b8fe8)

To reproduce the issue, compile PoDoFo with UBSAN
"-fsanitize=undefined", then execute: podofoimgextract $POC OUTPUT_DIR

The POC file can be downloaded from:

https://github.com/ProbeFuzzer/poc/blob/master/podofo/podofo_0-9-5_podofoimgextract_uncontrolled-memory-allocation_PdfParser-ReadXRefSubsection.pdf


Thanks,

ProbeFuzzer


[Podofo-users] integer overflow in PdfObjectStreamParserObject::ReadObjectsFromStream (src/base/PdfObjectStreamParserObject.cpp)

2018-01-11 Thread Probe Fuzzer
On 0.9.5 (the latest version), there is a signed integer overflow in the
PdfObjectStreamParserObject::ReadObjectsFromStream function
(src/base/PdfObjectStreamParserObject.cpp), which can cause a denial of
service via a crafted PDF file.

src/base/PdfObjectStreamParserObject.cpp:99:30: runtime error: signed
integer overflow: 94 + 9223372036854775807 cannot be represented in
type 'long int'

To reproduce the issue, compile libming with UBSAN "-fsanitize=undefined",
then execute: podofoimgextract $POC OUTPUT_DIR

The POC is attached.


podofo_0-9-5_podofoimgextract_integer-overflow_PdfObjectStreamParserObject-ReadObjectsFromStream.pdf
Description: Adobe PDF document
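Both UBSAN reports above (3 + 9223372036854775807 in PdfXRefStreamParserObject::ParseStream and 94 + 9223372036854775807 in PdfObjectStreamParserObject::ReadObjectsFromStream) come from adding two values read from the file in plain signed long arithmetic. The following is an added example, not code from PoDoFo or from the reporter, of how a parser can check such sums before using them: the /Index (first, count) pair of an xref stream and the /First + offset pair of an object stream. Function and parameter names are assumptions made for the illustration.

```cpp
// Added example, not PoDoFo code: overflow-checked handling of integers read
// from an untrusted xref stream or object stream. All names are hypothetical.
#include <climits>
#include <cstddef>

// Computes a + b into *out; returns false if the sum would overflow 'long'.
// __builtin_add_overflow is provided by GCC >= 5 and by Clang.
bool checkedAddLong(long a, long b, long* out) {
    return !__builtin_add_overflow(a, b, out);
}

// /Index in an xref stream gives (first, count) pairs. Reject negative
// values, an overflowing first + count, and a range beyond maxObjects.
bool validXRefIndexRange(long first, long count, long maxObjects) {
    if (first < 0 || count < 0 || maxObjects < 0) return false;
    long last;
    if (!checkedAddLong(first, count, &last)) return false;  // e.g. 3 + LONG_MAX
    return last <= maxObjects;
}

// An object stream header lists (objnum, offset) pairs; each offset is
// relative to /First. Resolve the absolute offset safely: no overflow and
// strictly inside the decoded stream length.
bool resolveObjectStreamOffset(long first, long relOffset, long streamLength,
                               long* absolute) {
    if (first < 0 || relOffset < 0 || streamLength < 0) return false;
    long sum;
    if (!checkedAddLong(first, relOffset, &sum)) return false;  // e.g. 94 + LONG_MAX
    if (sum >= streamLength) return false;  // would read past the stream
    *absolute = sum;
    return true;
}
```

Rejecting the input at the point where the value is read keeps the bad number from ever reaching an index computation, a resize, or a seek, which is where the denial of service in both reports shows up.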


[Podofo-users] Undefined behavior (memcpy with NULL pointer) in PdfMemoryOutputStream::Write (src/base/PdfOutputStream.cpp)

2018-01-11 Thread Probe Fuzzer
On 0.9.5 (the latest version) of podofo, there is undefined behavior
(memcpy with a null pointer) in the PdfMemoryOutputStream::Write function
(src/base/PdfOutputStream.cpp), which can cause a denial of service (crash)
or possibly other unspecified impact via a crafted PDF file.

src/base/PdfOutputStream.cpp:124:48: runtime error: null pointer
passed as argument 2, which is declared to never be null

To reproduce the issue, compile podofo with UBSAN "-fsanitize=undefined",
then execute: podofoimgextract $POC OUTPUT_DIR

The POC is attached.


podofo_0-9-5_podofoimgextract_undefined-behavior_PdfMemoryOutputStream-Write.pdf
Description: Adobe PDF document
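As an added example that is neither PoDoFo's code nor part of the report, below is a minimal growable in-memory output stream whose Write checks the source pointer before calling memcpy, which is what the UBSAN message above (null pointer passed as argument 2) points at. Passing a null source to memcpy is undefined behaviour even when the length is zero, so the pointer check comes before any length shortcut. Class and method names are hypothetical.

```cpp
// Added example, not PoDoFo code: an in-memory output stream that refuses a
// null source buffer and grows with overflow-checked size arithmetic.
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <cstring>
#include <new>

class SafeMemoryOutputStream {
public:
    explicit SafeMemoryOutputStream(size_t initialCapacity = 64)
        : m_buffer(static_cast<char*>(std::malloc(initialCapacity ? initialCapacity : 1))),
          m_capacity(initialCapacity ? initialCapacity : 1),
          m_length(0) {
        if (!m_buffer) throw std::bad_alloc();
    }
    ~SafeMemoryOutputStream() { std::free(m_buffer); }
    SafeMemoryOutputStream(const SafeMemoryOutputStream&) = delete;
    SafeMemoryOutputStream& operator=(const SafeMemoryOutputStream&) = delete;

    // Returns the number of bytes written, or -1 on invalid input or
    // allocation failure. memcpy with a null source is undefined behaviour
    // regardless of len, so the pointer is validated first.
    long Write(const char* pBuffer, size_t len) {
        if (pBuffer == nullptr) return -1;
        if (len == 0) return 0;
        if (len > SIZE_MAX - m_length) return -1;  // m_length + len would wrap
        size_t needed = m_length + len;
        if (needed > m_capacity) {
            size_t newCap = m_capacity;
            while (newCap < needed) {
                if (newCap > SIZE_MAX / 2) { newCap = needed; break; }  // no doubling past SIZE_MAX
                newCap *= 2;
            }
            char* p = static_cast<char*>(std::realloc(m_buffer, newCap));
            if (!p) return -1;  // old buffer is still valid and owned by us
            m_buffer = p;
            m_capacity = newCap;
        }
        std::memcpy(m_buffer + m_length, pBuffer, len);
        m_length += len;
        return static_cast<long>(len);
    }

    size_t GetLength() const { return m_length; }
    const char* GetBuffer() const { return m_buffer; }

private:
    char* m_buffer;
    size_t m_capacity;
    size_t m_length;
};
```

A caller that obtained the source buffer from a failed decode (a filter that returned no data) is the usual way a null pointer reaches a Write like this; returning an error instead of copying turns that case into a handled failure rather than a crash.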


[Podofo-users] Excessive Iteration in PdfParser::ReadObjectsInternal function (src/base/PdfParser.cpp)

2018-01-31 Thread Probe Fuzzer
On the latest release version (0.9.5) and the master branch of podofo,
there is excessive iteration in the PdfParser::ReadObjectsInternal
function, which can be triggered by the POC below.

The issue happens because in the PdfParser::ReadObjectsInternal function
there is a while loop (line 1053) whose iteration count can be
manipulated by the input file. The POC file, which is only 98 bytes in
size, can make the "m_nNumObjects" variable a huge value (i.e.,
210041). It takes tens of minutes for podofo to handle this tiny
POC file.


   1046 void PdfParser::ReadObjectsInternal()
   1047 {
   1048 int  i= 0;
   1049 int  nLast= 0;
   1050 PdfParserObject* pObject  = NULL;
   1051
   1052 // Read objects
   1053 for( i=0; i < m_nNumObjects; i++ )
   1054 {
...
}

To trigger the issue, run: podofoimgextract $POC OUTPUT

The POC file could be downloaded at:
https://bugzilla.redhat.com/show_bug.cgi?id=1539237


The backtrace is:
(gdb) bt
#0  0x0058a148 in std::_Deque_iterator::operator+=
(this=0x7fffcd40, __n=449699)
at /home/test/ProbeFuzzer/dep/gcc/exe/include/c++/5.4.0/bits/stl_deque.h:216
#1  0x00589bf9 in
std::__advance, long> (__i=...,
__n=449699)
at 
/home/test/ProbeFuzzer/dep/gcc/exe/include/c++/5.4.0/bits/stl_iterator_base_funcs.h:156
#2  0x00583c1f in
std::advance, long> (__i=...,
__n=449699)
at 
/home/test/ProbeFuzzer/dep/gcc/exe/include/c++/5.4.0/bits/stl_iterator_base_funcs.h:177
#3  0x0057c88d in
std::__equal_range, PoDoFo::PdfReference,
__gnu_cxx::__ops::_Iter_comp_val,
__gnu_cxx::__ops::_Val_comp_iter
> (__first=..., __last=..., __val=...,
__comp_it_val=..., __comp_val_it=...) at
/home/test/ProbeFuzzer/dep/gcc/exe/include/c++/5.4.0/bits/stl_algo.h:2140
#4  0x00578346 in
std::equal_range, PoDoFo::PdfReference,
PoDoFo::ReferenceComparatorPredicate> (__first=..., __last=...,
__val=..., __comp=...) at
/home/test/ProbeFuzzer/dep/gcc/exe/include/c++/5.4.0/bits/stl_algo.h:2237
#5  0x0056bef7 in PoDoFo::PdfVecObjects::AddFreeObject
(this=0x7fffd890, rReference=...)
at 
/u/test/ProbeFuzzer/product/podofo/patch/src/src/base/PdfVecObjects.cpp:256
#6  0x007c7913 in PoDoFo::PdfParser::ReadObjectsInternal
(this=0x6170fc80) at
/u/test/ProbeFuzzer/product/podofo/patch/src/src/base/PdfParser.cpp:1156
#7  0x007c395f in PoDoFo::PdfParser::ReadObjects
(this=0x6170fc80) at
/u/test/ProbeFuzzer/product/podofo/patch/src/src/base/PdfParser.cpp:1043
#8  0x007a842c in PoDoFo::PdfParser::ParseFile
(this=0x6170fc80, rDevice=..., bLoadOnDemand=true)
at /u/test/ProbeFuzzer/product/podofo/patch/src/src/base/PdfParser.cpp:220
#9  0x007a7a23 in PoDoFo::PdfParser::ParseFile
(this=0x6170fc80, pszFilename=0x7fffe12a "6.pdf",
bLoadOnDemand=true)
at /u/test/ProbeFuzzer/product/podofo/patch/src/src/base/PdfParser.cpp:166
#10 0x00645a00 in PoDoFo::PdfMemDocument::Load
(this=0x7fffd810, pszFilename=0x7fffe12a "6.pdf",
bForUpdate=false)
at 
/u/test/ProbeFuzzer/product/podofo/patch/src/src/doc/PdfMemDocument.cpp:256
#11 0x0063f545 in PoDoFo::PdfMemDocument::PdfMemDocument
(this=0x7fffd810, pszFilename=0x7fffe12a "6.pdf",
bForUpdate=false)
at 
/u/test/ProbeFuzzer/product/podofo/patch/src/src/doc/PdfMemDocument.cpp:102
#12 0x004bd761 in ImageExtractor::Init (this=0x7fffdaa0,
pszInput=0x7fffe12a "6.pdf", pszOutput=0x7fffe130 "/tmp/",
pnNum=0x7fffda60)
at 
/u/test/ProbeFuzzer/product/podofo/patch/src/tools/podofoimgextract/ImageExtractor.cpp:51
#13 0x004c5f5f in main (argc=3, argv=0x7fffddf8) at
/u/test/ProbeFuzzer/product/podofo/patch/src/tools/podofoimgextract/podofoimgextract.cpp:54
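The ASan report on PdfParser::ReadXRefSubsection earlier in this thread and the excessive-iteration report above share one root: an object count taken from the file drives a vector resize and the object-reading loop without being checked against what the file could physically contain. The following added example (not PoDoFo's code and not the reporter's; all names are hypothetical) shows two sanity checks for that: a classic xref subsection's entry count is bounded by the bytes remaining in the file, since every classic table entry is exactly 20 bytes, and the object-loading loop is bounded by the entries actually parsed rather than by the announced size.

```cpp
// Added example, not PoDoFo code: bounding xref-derived counts by what the
// file could hold before they drive an allocation or a loop.
#include <climits>
#include <cstddef>
#include <vector>

// Every entry of a classic cross-reference table is exactly 20 bytes
// ("nnnnnnnnnn ggggg n" followed by a two-character end-of-line).
constexpr long kXRefEntrySize = 20;

// Subsection header "first count" (hypothetical parameter names): accept the
// count only if that many 20-byte entries fit between the current file offset
// and the end of the file, and only if first + count cannot overflow.
bool xrefSubsectionPlausible(long first, long count, long curOffset, long fileSize) {
    if (first < 0 || count < 0 || curOffset < 0 || fileSize < 0) return false;
    if (curOffset > fileSize) return false;
    long remaining = fileSize - curOffset;
    if (count > remaining / kXRefEntrySize) return false;  // file cannot hold the entries
    if (first > LONG_MAX - count) return false;            // first + count would overflow
    return true;
}

struct XRefEntry {
    long offset = 0;
    long generation = 0;
    bool inUse = false;
};

// Loop bound for object loading: never more than the entries actually parsed
// into the table, however large the trailer's announced size claims to be.
size_t objectLoopBound(long announcedSize, const std::vector<XRefEntry>& table) {
    if (announcedSize < 0) return 0;
    size_t announced = static_cast<size_t>(announcedSize);
    return announced < table.size() ? announced : table.size();
}
```

With these checks a 98-byte file cannot announce 210041 entries: 98 bytes leave room for at most 4 classic entries, the resize never happens, and the reading loop stops at whatever was really parsed.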