PDFParser vulnerability
================
Author : Webin security lab - dbapp security Ltd
===============
Introduction:
=============
A tool to parse PDF files.
Affected version:
=====
latest version at the time of reporting
Vulnerability Description:
==========================
1. The ObjReader::ReadObj() function in ObjReader.cpp in PDFParser allows
remote attackers to cause a denial of service (stack-based buffer overflow) and
possibly execute arbitrary code via a crafted PDF file. The AddressSanitizer
report below shows a one-byte write at offset 32816 of the ReadObj() stack
frame, one byte past the end of the 32768-byte local buffer 'str' declared at
ObjReader.cpp:22: the amount of object data copied into that buffer is not
checked against its size.
./PDFParser stack-buffer-overflow.pdf
==46431==ERROR: AddressSanitizer: stack-buffer-overflow on address
0x7ffe6c7fb350 at pc 0x000000534f7c bp 0x7ffe6c7f3310 sp 0x7ffe6c7f3308
WRITE of size 1 at 0x7ffe6c7fb350 thread T0
#0 0x534f7b in ObjReader::ReadObj()
/home/xxx/PDFParser/src/ObjReader.cpp:53:12
#1 0x537d27 in PDF::PDF(InputStream*) /home/xxx/PDFParser/src/PDF.cpp:78:51
#2 0x536073 in Run(char const*, RendererFactory::RendererType)
/home/xxx/PDFParser/src/PDFParser.cpp:24:13
#3 0x536073 in main /home/xxx/PDFParser/src/PDFParser.cpp:164
#4 0x7f71d393582f in __libc_start_main
/build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
#5 0x4211e8 in _start (/home/xxx/PDFParser/build/PDFParser+0x4211e8)
Address 0x7ffe6c7fb350 is located in stack of thread T0 at offset 32816 in frame
#0 0x533a3f in ObjReader::ReadObj() /home/xxx/PDFParser/src/ObjReader.cpp:16
This frame has 2 object(s):
[32, 36) 'str.i' (line 175)
[48, 32816) 'str' (line 22) <== Memory access at offset 32816 overflows
this variable
HINT: this may be a false positive if your program uses some custom stack
unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
Reproducer:
stack-buffer-overflow.pdf
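The shape of the bug the report describes, as an added illustration that is not PDFParser's code: a token reader that copies bytes into a fixed 32768-byte buffer (the size taken from the ASan frame, [48, 32816)) with no bound check, next to a hardened form that takes the buffer size and rejects oversized tokens. The InputStream stand-in, the delimiter set and the content of the hostile input (a single token longer than the buffer, which is what the reproducer is assumed to contain) are assumptions made here for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size of the local buffer in the ASan frame: [48, 32816) 'str' is
 * 32816 - 48 = 32768 bytes. Everything else is a stand-in, not
 * PDFParser's own code. */
#define OBJ_BUF_SIZE 32768

/* Assumed minimal input stream over an in-memory byte string. */
typedef struct {
    const unsigned char *data;
    size_t len;
    size_t pos;
} InputStream;

static int stream_getc(InputStream *in) {
    if (in->pos >= in->len) return -1;          /* EOF */
    return in->data[in->pos++];
}

/* PDF whitespace and delimiters end a token (assumed tokenizer rules). */
static bool is_delim(int c) {
    return c == -1 || strchr(" \t\r\n\f()<>[]{}/%", c) != NULL;
}

/* Vulnerable shape: bytes are copied until a delimiter with no check
 * against the buffer size. A token of OBJ_BUF_SIZE bytes or more writes
 * one byte past the end (the "WRITE of size 1" at offset 32816).
 * Only ever call this on short, trusted input. */
size_t read_token_unsafe(InputStream *in, char out[OBJ_BUF_SIZE]) {
    size_t n = 0;
    int c;
    while (!is_delim(c = stream_getc(in))) {
        out[n++] = (char)c;                     /* no bound on n */
    }
    out[n] = '\0';                              /* out of bounds when n == OBJ_BUF_SIZE */
    return n;
}

/* Hardened form: the caller passes the buffer size, the loop leaves room
 * for the terminator, and an oversized token is reported as -1 instead of
 * being written past the buffer. */
long read_token_safe(InputStream *in, char *out, size_t out_size) {
    size_t n = 0;
    int c;
    if (out_size == 0) return -1;
    while (!is_delim(c = stream_getc(in))) {
        if (n + 1 >= out_size) {
            out[0] = '\0';
            return -1;                          /* reject the object */
        }
        out[n++] = (char)c;
    }
    out[n] = '\0';
    return (long)n;
}

/* Constructed well-formed input: token "12345" then the rest of an object
 * header. Returns the token length, 5. */
long short_token_demo(void) {
    static const char input[] = "12345 0 obj\n<< /Type /Catalog >>\nendobj\n";
    InputStream in = { (const unsigned char *)input, sizeof input - 1, 0 };
    char *buf = malloc(OBJ_BUF_SIZE);
    long n = read_token_safe(&in, buf, OBJ_BUF_SIZE);
    free(buf);
    return n;
}

/* Constructed hostile input: one token of OBJ_BUF_SIZE + 16 bytes, the kind
 * of content assumed to be in stack-buffer-overflow.pdf. The safe reader
 * returns -1; the unsafe reader would overflow 'out' on this input. */
long oversized_token_demo(void) {
    size_t tok_len = OBJ_BUF_SIZE + 16;
    unsigned char *input = malloc(tok_len + 8);
    memset(input, 'A', tok_len);
    memcpy(input + tok_len, " endobj\n", 8);
    InputStream in = { input, tok_len + 8, 0 };
    char *buf = malloc(OBJ_BUF_SIZE);
    long n = read_token_safe(&in, buf, OBJ_BUF_SIZE);
    free(buf);
    free(input);
    return n;
}

int main(void) {
    char small[OBJ_BUF_SIZE];
    static const char hdr[] = "42 0 obj";
    InputStream in = { (const unsigned char *)hdr, sizeof hdr - 1, 0 };
    size_t n = read_token_unsafe(&in, small);
    printf("unsafe reader on short token: %zu bytes (%s)\n", n, small);
    printf("safe reader, short token: %ld\n", short_token_demo());
    printf("safe reader, oversized token: %ld\n", oversized_token_demo());
    return 0;
}
```

Building the example (or the real parser) with -fsanitize=address and feeding the unsafe reader the oversized input produces a report of the same form as the one above; the hardened reader turns the same input into a parse error and never touches memory past the buffer.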
CVE:
CVE-2018-11128
===============================
Best,
Webin security lab - dbapp security Ltd
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/