Bug 1532390

Summary: Undefined behavior (memcpy with NULL pointer) in PdfMemoryOutputStream::Write (src/base/PdfOutputStream.cpp)
Product: [Fedora] Fedora EPEL Reporter: probefuzzer <probefuzzer>
Component: podofoAssignee: Dan HorĂ¡k <dan>
Status: CLOSED EOL QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: unspecified    
Version: epel7CC: carnil, dan, manisandro
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2024-07-09 02:15:43 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
POC for podofoimgextract issue none

Description probefuzzer 2018-01-08 21:32:29 UTC 
Created attachment 1378732 [details]
POC for podofoimgextract issue

on 0.9.5 (the latest version) of podofo:
there is an undefined behavior (memcpy with null pointer) in PdfMemoryOutputStream::Write function (src/base/PdfOutputStream.cpp), which can cause denial of service (crash) or possibly other unspecified impacts via a crafted pdf file.

src/base/PdfOutputStream.cpp:124:48: runtime error: null pointer passed as argument 2, which is declared to never be null

To reproduce the issue, compile podofo with UBSAN "-fsanitize=undefined",
then execute: podofoimgextract $POC OUTPUT_DIR

The POC file is attached.
Comment 1 Salvatore Bonaccorso 2018-01-09 09:47:48 UTC 
This issue was assigned CVE-2018-5308.
Comment 2 probefuzzer 2018-01-11 21:49:33 UTC 
(In reply to Salvatore Bonaccorso from comment #1)
> This issue was assigned CVE-2018-5308.

Thanks for your work. 
We have notified podofo developers via mailing list.
Comment 3 Troy Dawson 2024-07-09 02:15:43 UTC 
EPEL 7 entered end-of-life (EOL) status on 2024-06-30.\n\nEPEL 7 is no longer maintained, which means that it\nwill not receive any further security or bug fix updates.\n As a result we are closing this bug.