Bug 1536179
| Summary: | Uncontrolled memory allocation in PoDoFo::PdfVecObjects::Reserve (src/base/PdfVecObjects.h) | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora EPEL | Reporter: | probefuzzer <probefuzzer> | ||||
| Component: | podofo | Assignee: | Dan Horák <dan> | ||||
| Status: | CLOSED EOL | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||
| Severity: | high | Docs Contact: | |||||
| Priority: | unspecified | ||||||
| Version: | epel7 | CC: | dan, manisandro | ||||
| Target Milestone: | --- | ||||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | All | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2024-07-09 02:16:22 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
EPEL 7 entered end-of-life (EOL) status on 2024-06-30.\n\nEPEL 7 is no longer maintained, which means that it\nwill not receive any further security or bug fix updates.\n As a result we are closing this bug. |
Created attachment 1383033 [details] poc for podofo On 0.9.5 (the latest version) of podofo: there is an uncontrolled memory allocation in PoDoFo::PdfVecObjects::Reserve function (src/base/PdfVecObjects.h), which can cause denial of service via a crafted pdf file. Error message: terminate called after throwing an instance of 'std::length_error' what(): vector::reserve Aborted The problem happens since in line 499 of src/base/PdfVecObjects.h, the "size" variable could by manipulated by POC, which results in huge amount of memory allocation. (gdb) l 494 // ----------------------------------------------------- 495 // 496 // ----------------------------------------------------- 497 inline void PdfVecObjects::Reserve( size_t size ) 498 { 499 m_vector.reserve( size ); 500 } 501 502 // ----------------------------------------------------- 503 // (gdb) p size $1 = 18446744073709551608 To reproduce the issue, run: podofoimgextract $POC OUTPUT The POC is attached.