[Podofo-users] Integer Overflow in PdfXRefStreamParserObject::ParseStream
Hello,

we found that on the latest version of PoDoFo (RELEASE_0.9.5_rc1), there is an integer overflow in the PdfXRefStreamParserObject::ParseStream function (src/base/PdfXRefStreamParserObject.cpp), which can cause denial of service via a crafted pdf file.

src/src/base/PdfXRefStreamParserObject.cpp:125:64: runtime error: signed integer overflow: 3 + 9223372036854775807 cannot be represented in type 'long int [3]'

To reproduce the issue, compile PoDoFo with UBSAN "-fsanitize=undefined", then execute:

podofoimgextract $POC OUTPUT_DIR

The POC file can be downloaded from:
https://github.com/ProbeFuzzer/poc/blob/master/podofo/podofo_0-9-5-rc1_podofoimgextract_integer-overflow_PdfXRefStreamParserObject-ParseStream.pdf

Thanks,
ProbeFuzzer

--
Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Podofo-users mailing list
Podofo-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/podofo-users
[Podofo-users] Uncontrolled memory allocation in PdfParser::ReadXRefSubsection (src/base/PdfParser.cpp)
Hello,

We found that on 0.9.5 (the latest version) of PoDoFo, there is a memory malloc failure in the PdfParser::ReadXRefSubsection function (src/base/PdfParser.cpp), which can cause denial of service via a crafted pdf file.

==112205==AddressSanitizer's allocator is terminating the process instead of returning 0
==112205==If you don't like this behavior set allocator_may_return_null=1
==112205==AddressSanitizer CHECK failed: ../../../../src/libsanitizer/sanitizer_common/sanitizer_allocator.cc:147 "((0)) != (0)" (0x0, 0x0)
    #0 0x7f7872382b14 in AsanCheckFailed ../../../../src/libsanitizer/asan/asan_rtl.cc:68
    #1 0x7f7872387573 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) ../../../../src/libsanitizer/sanitizer_common/sanitizer_common.cc:72
    #2 0x7f78723044a1 in __sanitizer::AllocatorReturnNull() ../../../../src/libsanitizer/sanitizer_common/sanitizer_allocator.cc:147
    #3 0x7f78723857f5 in __sanitizer::AllocatorReturnNull() ../../../../src/libsanitizer/sanitizer_common/sanitizer_allocator.cc:141
    #4 0x7f7872309b5d in Allocate ../../../../src/libsanitizer/asan/asan_allocator2.cc:298
    #5 0x7f787237be9f in operator new(unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cc:60
    #6 0x7d05e7 in __gnu_cxx::new_allocator::allocate(unsigned long, void const*) (/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x7d05e7)
    #7 0x7d00cd in __gnu_cxx::__alloc_traits >::allocate(std::allocator&, unsigned long) (/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x7d00cd)
    #8 0x7cf661 in std::_Vector_base >::_M_allocate(unsigned long) (/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x7cf661)
    #9 0x7ccf00 in std::vector >::_M_fill_insert(__gnu_cxx::__normal_iterator > >, unsigned long, PoDoFo::PdfParser::TXRefEntry const&) (/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x7ccf00)
    #10 0x7ca5ef in std::vector >::insert(__gnu_cxx::__normal_iterator > >, unsigned long, PoDoFo::PdfParser::TXRefEntry const&) (/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x7ca5ef)
    #11 0x7c93d4 in std::vector >::resize(unsigned long, PoDoFo::PdfParser::TXRefEntry) (/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x7c93d4)
    #12 0x7b3540 in PoDoFo::PdfParser::ReadXRefSubsection(long&, long&) (/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x7b3540)
    #13 0x7b1cc8 in PoDoFo::PdfParser::ReadXRefContents(long, bool) (/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x7b1cc8)
    #14 0x7a16ff in PoDoFo::PdfParser::ReadDocumentStructure() (/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x7a16ff)
    #15 0x79de77 in PoDoFo::PdfParser::ParseFile(PoDoFo::PdfRefCountedInputDevice const&, bool) (/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x79de77)
    #16 0x79d566 in PoDoFo::PdfParser::ParseFile(char const*, bool) (/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x79d566)
    #17 0x6418df in PoDoFo::PdfMemDocument::Load(char const*, bool) (/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x6418df)
    #18 0x63b424 in PoDoFo::PdfMemDocument::PdfMemDocument(char const*, bool) (/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x63b424)
    #19 0x4b9640 in ImageExtractor::Init(char const*, char const*, int*) (/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x4b9640)
    #20 0x4c1e3e in main (/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x4c1e3e)
    #21 0x7f786f096c04 in __libc_start_main (/lib64/libc.so.6+0x21c04)
    #22 0x4b8fe8 (/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x4b8fe8)

To reproduce the issue, compile PoDoFo with UBSAN "-fsanitize=undefined", then execute:

podofoimgextract $POC OUTPUT_DIR

The POC file can be downloaded from:
https://github.com/ProbeFuzzer/poc/blob/master/podofo/podofo_0-9-5_podofoimgextract_uncontrolled-memory-allocation_PdfParser-ReadXRefSubsection.pdf

Thanks,
ProbeFuzzer
[Podofo-users] integer overflow in PdfObjectStreamParserObject::ReadObjectsFromStream (src/base/PdfObjectStreamParserObject.cpp)
On 0.9.5 (the latest version): there is a signed integer overflow in the PdfObjectStreamParserObject::ReadObjectsFromStream function (src/base/PdfObjectStreamParserObject.cpp), which can cause denial of service via a crafted pdf file.

src/base/PdfObjectStreamParserObject.cpp:99:30: runtime error: signed integer overflow: 94 + 9223372036854775807 cannot be represented in type 'long int'

To reproduce the issue, compile libming with UBSAN "-fsanitize=undefined", then execute:

podofoimgextract $POC OUTPUT_DIR

The POC is attached: podofo_0-9-5_podofoimgextract_integer-overflow_PdfObjectStreamParserObject-ReadObjectsFromStream.pdf (Description: Adobe PDF document)
[Podofo-users] Undefined behavior (memcpy with NULL pointer) in PdfMemoryOutputStream::Write (src/base/PdfOutputStream.cpp)
On 0.9.5 (the latest version) of podofo: there is an undefined behavior (memcpy with null pointer) in the PdfMemoryOutputStream::Write function (src/base/PdfOutputStream.cpp), which can cause denial of service (crash) or possibly other unspecified impacts via a crafted pdf file.

src/base/PdfOutputStream.cpp:124:48: runtime error: null pointer passed as argument 2, which is declared to never be null

To reproduce the issue, compile podofo with UBSAN "-fsanitize=undefined", then execute:

podofoimgextract $POC OUTPUT_DIR

The POC is attached: podofo_0-9-5_podofoimgextract_undefined-behavior_PdfMemoryOutputStream-Write.pdf (Description: Adobe PDF document)
[Podofo-users] Excessive Iteration in PdfParser::ReadObjectsInternal function (src/base/PdfParser.cpp)
On the latest release version (0.9.5) and master branch of podofo: there is an excessive iteration in the PdfParser::ReadObjectsInternal function of file src/base/PdfParser.cpp, which could be triggered by the POC below.

The issue happens since in the PdfParser::ReadObjectsInternal function, there is a while loop (line 1053), whose iteration times could be manipulated by the input file. The POC file, which is only 98 bytes in size, could make the "m_nNumObjects" variable a huge value (i.e., 210041). It takes tens of minutes for podofo to handle this tiny POC file.

1046 void PdfParser::ReadObjectsInternal()
1047 {
1048     int                       i= 0;
1049     int                       nLast= 0;
1050     PdfParserObject*          pObject = NULL;
1051
1052     // Read objects
1053     for( i=0; i < m_nNumObjects; i++ )
1054     {
         ...
         }

To trigger the issue, run:

podofoimgextract $POC OUTPUT

The POC file could be downloaded at:
https://bugzilla.redhat.com/show_bug.cgi?id=1539237

The backtrace is:

(gdb) bt
#0  0x0058a148 in std::_Deque_iterator::operator+= (this=0x7fffcd40, __n=449699) at /home/test/ProbeFuzzer/dep/gcc/exe/include/c++/5.4.0/bits/stl_deque.h:216
#1  0x00589bf9 in std::__advance, long> (__i=..., __n=449699) at /home/test/ProbeFuzzer/dep/gcc/exe/include/c++/5.4.0/bits/stl_iterator_base_funcs.h:156
#2  0x00583c1f in std::advance, long> (__i=..., __n=449699) at /home/test/ProbeFuzzer/dep/gcc/exe/include/c++/5.4.0/bits/stl_iterator_base_funcs.h:177
#3  0x0057c88d in std::__equal_range, PoDoFo::PdfReference, __gnu_cxx::__ops::_Iter_comp_val, __gnu_cxx::__ops::_Val_comp_iter > (__first=..., __last=..., __val=..., __comp_it_val=..., __comp_val_it=...) at /home/test/ProbeFuzzer/dep/gcc/exe/include/c++/5.4.0/bits/stl_algo.h:2140
#4  0x00578346 in std::equal_range, PoDoFo::PdfReference, PoDoFo::ReferenceComparatorPredicate> (__first=..., __last=..., __val=..., __comp=...) at /home/test/ProbeFuzzer/dep/gcc/exe/include/c++/5.4.0/bits/stl_algo.h:2237
#5  0x0056bef7 in PoDoFo::PdfVecObjects::AddFreeObject (this=0x7fffd890, rReference=...) at /u/test/ProbeFuzzer/product/podofo/patch/src/src/base/PdfVecObjects.cpp:256
#6  0x007c7913 in PoDoFo::PdfParser::ReadObjectsInternal (this=0x6170fc80) at /u/test/ProbeFuzzer/product/podofo/patch/src/src/base/PdfParser.cpp:1156
#7  0x007c395f in PoDoFo::PdfParser::ReadObjects (this=0x6170fc80) at /u/test/ProbeFuzzer/product/podofo/patch/src/src/base/PdfParser.cpp:1043
#8  0x007a842c in PoDoFo::PdfParser::ParseFile (this=0x6170fc80, rDevice=..., bLoadOnDemand=true) at /u/test/ProbeFuzzer/product/podofo/patch/src/src/base/PdfParser.cpp:220
#9  0x007a7a23 in PoDoFo::PdfParser::ParseFile (this=0x6170fc80, pszFilename=0x7fffe12a "6.pdf", bLoadOnDemand=true) at /u/test/ProbeFuzzer/product/podofo/patch/src/src/base/PdfParser.cpp:166
#10 0x00645a00 in PoDoFo::PdfMemDocument::Load (this=0x7fffd810, pszFilename=0x7fffe12a "6.pdf", bForUpdate=false) at /u/test/ProbeFuzzer/product/podofo/patch/src/src/doc/PdfMemDocument.cpp:256
#11 0x0063f545 in PoDoFo::PdfMemDocument::PdfMemDocument (this=0x7fffd810, pszFilename=0x7fffe12a "6.pdf", bForUpdate=false) at /u/test/ProbeFuzzer/product/podofo/patch/src/src/doc/PdfMemDocument.cpp:102
#12 0x004bd761 in ImageExtractor::Init (this=0x7fffdaa0, pszInput=0x7fffe12a "6.pdf", pszOutput=0x7fffe130 "/tmp/", pnNum=0x7fffda60) at /u/test/ProbeFuzzer/product/podofo/patch/src/tools/podofoimgextract/ImageExtractor.cpp:51
#13 0x004c5f5f in main (argc=3, argv=0x7fffddf8) at /u/test/ProbeFuzzer/product/podofo/patch/src/tools/podofoimgextract/podofoimgextract.cpp:54
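The reports above share one root cause: object numbers and entry counts read straight from the cross-reference data are added, used to size a vector, and used as a loop bound without any check. The following is an added example, not PoDoFo's own code, of the validation a parser can run on a subsection header before it does any of those three things. The names XRefSubsection, ValidateXRefSubsection, MaxEntriesForFile and the max_objects parameter are hypothetical, and the file-size-derived ceiling assumes 20-byte classic xref-table entries.

```cpp
#include <cstdint>
#include <limits>

// Hypothetical helper, not PoDoFo code: a cross-reference subsection as
// announced by the file ("first count" header or an xref-stream /Index pair).
struct XRefSubsection {
    int64_t first;   // first object number announced by the file
    int64_t count;   // number of entries announced by the file
};

// Smallest size of one classic xref-table entry (20 bytes per the PDF spec).
// Assumption: used only for classic tables; xref streams pack entries tighter,
// so for them the caller should pass a configured hard ceiling instead.
constexpr int64_t kMinXRefEntryBytes = 20;

// Most entries a classic xref table could possibly hold in a file of
// file_size bytes. A 98-byte file cannot hold 210041 entries.
int64_t MaxEntriesForFile(int64_t file_size) {
    return file_size < 0 ? 0 : file_size / kMinXRefEntryBytes;
}

// Returns true if the subsection is acceptable, false if the parser must
// reject it before computing first + count, resizing its entry table or
// looping count times. Every check is written so that no addition that
// could overflow is ever performed (signed overflow is UB in C++).
bool ValidateXRefSubsection(const XRefSubsection& s, int64_t max_objects) {
    if (s.first < 0 || s.count < 0 || max_objects < 0) return false;
    // Bound count on its own first: this limits both the allocation and
    // the number of loop iterations before the sum is even considered.
    if (s.count > max_objects) return false;
    // first + count must not overflow; rewritten as first > MAX - count,
    // which is safe because count is known to be non-negative here.
    if (s.first > std::numeric_limits<int64_t>::max() - s.count) return false;
    // The entry table is resized to first + count entries; bound that too.
    if (s.first + s.count > max_objects) return false;
    return true;
}
```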