oss-sec mailing list archives
Re: CVE Request: podofo: stack overflow in PoDoFo::PdfParser::ReadDocumentStructure(PdfParser.cpp )
From: Andrej Nemec <anemec () redhat com>
Date: Mon, 24 Apr 2017 10:21:15 +0200
Hello Xiaobo,

Unfortunately, CVE assignments are not done through this list anymore. You need to visit [1] and request a CVE by filling out the form.

Could you please look at it and let the list know about the assigned CVE?

Thanks!

Best Regards,

[1] https://cveform.mitre.org/

--
Andrej Nemec, Red Hat Product Security
3701 3214 E472 A9C3 EFBE 8A63 8904 44A1 D57B 6DDA

On 04/22/2017 05:02 AM, Xiaobo Xiang wrote:
Hi,
There is an infinite recursion in
PoDoFo::PdfParser::ReadDocumentStructure (PdfParser.cpp).
In the ReadDocumentStructure function, it calls ReadXRefContents several
times, for example at the end of ReadDocumentStructure:
    try {
        ReadXRefContents( m_nXRefOffset );
    } catch( PdfError & e ) {
        e.AddToCallstack( __FILE__, __LINE__, "Unable to load xref entries." );
        throw e;
    }
ReadXRefContents and ReadXRefStreamContents will call each other if certain
conditions are met, as shown below.
void PdfParser::ReadXRefStreamContents( pdf_long lOffset, bool bReadOnlyTrailer )
{
    m_device.Device()->Seek( lOffset );
    //....
    if(xrefObject.HasPrevious())
    {
        try {
            m_nIncrementalUpdates++;
            // PDFs that have been through multiple PDF tools may have a mix of
            // xref tables (ISO 32000-1 7.5.4) and XRefStm streams
            // (ISO 32000-1 7.5.8.1) in the Prev chain, so call ReadXRefContents
            // (which deals with both) instead of ReadXRefStreamContents
            ReadXRefContents( xrefObject.GetPreviousOffset(), bReadOnlyTrailer );
        } catch(PdfError &e) {
            //....
        }
    }
}
void PdfParser::ReadXRefContents( pdf_long lOffset, bool bPositionAtEnd )
{
    pdf_int64 nFirstObject = 0;
    pdf_int64 nNumObjects  = 0;
    if( !this->IsNextToken( "xref" ) )
    {
        // if( m_ePdfVersion < ePdfVersion_1_5 )
        // Ulrich Arnold 19.10.2009, found linearized 1.3-pdf's with
        // trailer-info in xref-stream
        if( m_ePdfVersion < ePdfVersion_1_3 )
        {
            PODOFO_RAISE_ERROR( ePdfError_NoXRef );
        }
        else
        {
            ReadXRefStreamContents( lOffset, bPositionAtEnd );
            return;
        }
    }
The crash log is just as follows:
./podofofuzzer: Running 1 inputs 1 time(s) each.
Running: crash-5aac275479284034b46368c836564266b0ed3694
ASAN:DEADLYSIGNAL
=================================================================
==30073==ERROR: AddressSanitizer: stack-overflow on address 0x7ffc70e74f18
(pc 0x0000004e6119 bp 0x7ffc70e75790 sp 0x7ffc70e74f20 T0)
#0 0x4e6118 (/home/name/FUZZ-WORKSPACE/podofofuzzer+0x4e6118)
#1 0x8a75c1 (/home/name/FUZZ-WORKSPACE/podofofuzzer+0x8a75c1)
#2 0x4e6efc (/home/name/FUZZ-WORKSPACE/podofofuzzer+0x4e6efc)
#3 0x7fdbbe094277 (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x121277)
#4 0x61085e (/home/name/FUZZ-WORKSPACE/podofofuzzer+0x61085e)
When debugging with gdb and checking the stack backtrace, it showed that the
program runs out of stack, as below:
#6884 0x000000000063a434 in PoDoFo::PdfParser::ReadXRefStreamContents
(this=0x617000000080, lOffset=5923, bReadOnlyTrailer=false)
at /home/name/podofo-0.9.5/src/base/PdfParser.cpp:875
#6885 0x000000000063438c in PoDoFo::PdfParser::ReadXRefContents
(this=0x617000000080, lOffset=5923, bPositionAtEnd=false) at
/home/name/podofo-0.9.5/src/base/PdfParser.cpp:682
#6886 0x000000000063a434 in PoDoFo::PdfParser::ReadXRefStreamContents
(this=0x617000000080, lOffset=5923, bReadOnlyTrailer=false)
at /home/name/podofo-0.9.5/src/base/PdfParser.cpp:875
#6887 0x000000000063438c in PoDoFo::PdfParser::ReadXRefContents
(this=0x617000000080, lOffset=5923, bPositionAtEnd=false) at
/home/name/podofo-0.9.5/src/base/PdfParser.cpp:682
#6888 0x000000000063a434 in PoDoFo::PdfParser::ReadXRefStreamContents
(this=0x617000000080, lOffset=5923, bReadOnlyTrailer=false)
at /home/name/podofo-0.9.5/src/base/PdfParser.cpp:875
#6889 0x000000000063438c in PoDoFo::PdfParser::ReadXRefContents
(this=0x617000000080, lOffset=5923, bPositionAtEnd=false) at
/home/name/podofo-0.9.5/src/base/PdfParser.cpp:682
#6890 0x000000000063a434 in PoDoFo::PdfParser::ReadXRefStreamContents
(this=0x617000000080, lOffset=5923, bReadOnlyTrailer=false)
at /home/name/podofo-0.9.5/src/base/PdfParser.cpp:875
#6891 0x000000000063438c in PoDoFo::PdfParser::ReadXRefContents
(this=0x617000000080, lOffset=5923, bPositionAtEnd=false) at
/home/name/podofo-0.9.5/src/base/PdfParser.cpp:682
#6892 0x000000000063a434 in PoDoFo::PdfParser::ReadXRefStreamContents
(this=0x617000000080, lOffset=116, bReadOnlyTrailer=false)
at /home/name/podofo-0.9.5/src/base/PdfParser.cpp:875
#6893 0x000000000063438c in PoDoFo::PdfParser::ReadXRefContents
(this=0x617000000080, lOffset=116, bPositionAtEnd=false) at
/home/name/podofo-0.9.5/src/base/PdfParser.cpp:682
#6894 0x00000000006303bf in PoDoFo::PdfParser::ReadDocumentStructure
(this=0x617000000080) at /home/name/podofo-0.9.5/src/base/PdfParser.cpp:337
#6895 0x000000000062e252 in PoDoFo::PdfParser::ParseFile
(this=0x617000000080, rDevice=..., bLoadOnDemand=true) at
/home/name/podofo-0.9.5/src/base/PdfParser.cpp:220
#6896 0x000000000062ce49 in PoDoFo::PdfParser::ParseFile
(this=0x617000000080, pszFilename=0x8ca380 <.str> "tempinput.pdf",
bLoadOnDemand=true)
at /home/name/podofo-0.9.5/src/base/PdfParser.cpp:164
#6897 0x00000000005cdc65 in PoDoFo::PdfMemDocument::Load
(this=0x7fffffffbfe0, pszFilename=0x8ca380 <.str> "tempinput.pdf",
bForUpdate=false)
at /home/name/podofo-0.9.5/src/doc/PdfMemDocument.cpp:256
#6898 0x00000000005cd682 in PoDoFo::PdfMemDocument::PdfMemDocument
(this=0x7fffffffbfe0, pszFilename=0x8ca380 <.str> "tempinput.pdf",
bForUpdate=false)
at /home/name/podofo-0.9.5/src/doc/PdfMemDocument.cpp:102
Thus, causing a denial of service.
crash-5aac275479284034b46368c836564266b0ed3694
<https://drive.google.com/file/d/0B_D2GM9VAVyvanRadmhWd1RKM0U/view?usp=drive_web>
Best Regards,
Xiang Xiaobo
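To show the guard that stops this mutual recursion, here is an added example (not PoDoFo's code) that models the /Prev chain walk between ReadXRefContents and ReadXRefStreamContents over a constructed table of xref sections and rejects a chain that revisits an offset, as the trace's repeated lOffset=5923 does; XRefSection, SafeXRefWalker and countXRefSections are hypothetical names.

```cpp
// Added example (not PoDoFo code): ReadXRefContents/ReadXRefStreamContents
// mutual recursion over the /Prev chain modelled with the guard the crash
// above calls for: a revisited offset (lOffset=5923 pointing at itself) is
// rejected instead of recursing until the stack is exhausted.
#include <cstdint>
#include <map>
#include <set>
#include <stdexcept>
#include <string>
// Constructed stand-in for a parsed xref section: whether it is an xref
// stream and the /Prev offset it points at (-1 when there is none).
struct XRefSection { bool isStream; int64_t prev; };
using XRefMap = std::map<int64_t, XRefSection>;
class SafeXRefWalker {
public:
    explicit SafeXRefWalker(const XRefMap& doc, size_t maxDepth = 64)
        : m_doc(doc), m_maxDepth(maxDepth) {}
    // Mirrors PdfParser::ReadXRefContents: dispatches to the stream reader
    // when the section is an xref stream. Returns the number of sections read.
    size_t readXRefContents(int64_t offset) {
        auto it = m_doc.find(offset);
        if (it == m_doc.end())
            throw std::runtime_error("no xref section at " + std::to_string(offset));
        // Guard: a /Prev chain must never revisit an offset and must stay short.
        if (!m_visited.insert(offset).second)
            throw std::runtime_error("cyclic /Prev chain at " + std::to_string(offset));
        if (m_visited.size() > m_maxDepth)
            throw std::runtime_error("/Prev chain deeper than limit");
        if (it->second.isStream)
            return readXRefStreamContents(it->second);
        return followPrev(it->second);
    }
private:
    // Mirrors ReadXRefStreamContents: after the stream is read, /Prev is
    // followed through readXRefContents, the edge that recursed forever.
    size_t readXRefStreamContents(const XRefSection& s) { return followPrev(s); }
    size_t followPrev(const XRefSection& s) {
        return s.prev < 0 ? size_t(1) : size_t(1) + readXRefContents(s.prev);
    }
    const XRefMap& m_doc;
    size_t m_maxDepth;
    std::set<int64_t> m_visited;
};
// Walks from the startxref offset; returns the number of sections or -1 on a
// malformed (cyclic, too deep or dangling) chain so the caller can reject it.
long countXRefSections(const XRefMap& doc, int64_t startxref) {
    try { return static_cast<long>(SafeXRefWalker(doc).readXRefContents(startxref)); }
    catch (const std::runtime_error&) { return -1; }
}
```

A parser that applies the same visited-offset check (or an equivalent depth bound) before following /Prev turns the unbounded recursion into an ordinary parse error.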
