Bug 1548930

Summary: podofo 0.9.5 infinite loop vulnerability in ParseFileComplete()
Product: [Fedora] Fedora EPEL
Reporter: Ziqiang Gu <papeer>
Component: podofo
Assignee: Dan Horák <dan>
Status: NEW
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: epel7
CC: dan, manisandro
Hardware: Unspecified   
OS: Linux   
Type: Bug
Attachments:
poc file of podofo infinite loop vulnerability (flags: none)

Description Ziqiang Gu 2018-02-26 03:38:49 UTC
Created attachment 1400720
poc file of podofo infinite loop vulnerability

Description of problem:

In PoDoFo 0.9.5 (the latest stable version), there exists an infinite loop vulnerability in PdfParserObject::ParseFileComplete() in PdfParserObject.cpp which may result in stack overflow. Remote attackers could leverage this vulnerability to cause a denial-of-service or potentially remote code execution via a crafted PDF file.

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x000055555563b026 in PoDoFo::PdfTokenizer::DetermineDataType(char const*, PoDoFo::EPdfTokenType, PoDoFo::PdfVariant&) ()
#0  0x000055555563b026 in PoDoFo::PdfTokenizer::DetermineDataType(char const*, PoDoFo::EPdfTokenType, PoDoFo::PdfVariant&) ()
#1  0x000055555563afda in PoDoFo::PdfTokenizer::GetNextVariant(char const*, PoDoFo::EPdfTokenType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
#2  0x000055555563c08b in PoDoFo::PdfTokenizer::ReadArray(PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
#3  0x000055555563b918 in PoDoFo::PdfTokenizer::ReadDataType(PoDoFo::EPdfDataType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
#4  0x000055555563b012 in PoDoFo::PdfTokenizer::GetNextVariant(char const*, PoDoFo::EPdfTokenType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
#5  0x000055555563c08b in PoDoFo::PdfTokenizer::ReadArray(PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
#6  0x000055555563b918 in PoDoFo::PdfTokenizer::ReadDataType(PoDoFo::EPdfDataType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
#7  0x000055555563b012 in PoDoFo::PdfTokenizer::GetNextVariant(char const*, PoDoFo::EPdfTokenType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
#8  0x000055555563c08b in PoDoFo::PdfTokenizer::ReadArray(PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
#9  0x000055555563b918 in PoDoFo::PdfTokenizer::ReadDataType(PoDoFo::EPdfDataType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
#10 0x000055555563b012 in PoDoFo::PdfTokenizer::GetNextVariant(char const*, PoDoFo::EPdfTokenType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
#11 0x000055555563c08b in PoDoFo::PdfTokenizer::ReadArray(PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
#12 0x000055555563b918 in PoDoFo::PdfTokenizer::ReadDataType(PoDoFo::EPdfDataType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
#13 0x000055555563b012 in PoDoFo::PdfTokenizer::GetNextVariant(char const*, PoDoFo::EPdfTokenType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
...
...
...
#58208 0x000055555563c08b in PoDoFo::PdfTokenizer::ReadArray(PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
#58209 0x000055555563b918 in PoDoFo::PdfTokenizer::ReadDataType(PoDoFo::EPdfDataType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
#58210 0x000055555563b012 in PoDoFo::PdfTokenizer::GetNextVariant(char const*, PoDoFo::EPdfTokenType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
#58211 0x000055555563c08b in PoDoFo::PdfTokenizer::ReadArray(PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
#58212 0x000055555563b918 in PoDoFo::PdfTokenizer::ReadDataType(PoDoFo::EPdfDataType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
#58213 0x000055555563b012 in PoDoFo::PdfTokenizer::GetNextVariant(char const*, PoDoFo::EPdfTokenType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
#58214 0x000055555563c08b in PoDoFo::PdfTokenizer::ReadArray(PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
#58215 0x000055555563b918 in PoDoFo::PdfTokenizer::ReadDataType(PoDoFo::EPdfDataType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
#58216 0x000055555563b012 in PoDoFo::PdfTokenizer::GetNextVariant(char const*, PoDoFo::EPdfTokenType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
#58217 0x000055555563c08b in PoDoFo::PdfTokenizer::ReadArray(PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
#58218 0x000055555563b918 in PoDoFo::PdfTokenizer::ReadDataType(PoDoFo::EPdfDataType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
#58219 0x000055555563b012 in PoDoFo::PdfTokenizer::GetNextVariant(char const*, PoDoFo::EPdfTokenType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
#58220 0x000055555563af72 in PoDoFo::PdfTokenizer::GetNextVariant(PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
#58221 0x000055555563bd67 in PoDoFo::PdfTokenizer::ReadDictionary(PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
#58222 0x000055555563b8fc in PoDoFo::PdfTokenizer::ReadDataType(PoDoFo::EPdfDataType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
#58223 0x000055555563b012 in PoDoFo::PdfTokenizer::GetNextVariant(char const*, PoDoFo::EPdfTokenType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
#58224 0x00005555556b4c4e in PoDoFo::PdfParserObject::ParseFileComplete(bool) ()
#58225 0x00005555556b5576 in PoDoFo::PdfParserObject::DelayedLoadImpl() ()
#58226 0x00005555556254c8 in PoDoFo::PdfVariant::DelayedLoad() const ()
#58227 0x00005555556b4acd in PoDoFo::PdfParserObject::ParseFile(PoDoFo::PdfEncrypt*, bool) ()
#58228 0x00005555556ad3f4 in PoDoFo::PdfParser::ReadTrailer() ()
#58229 0x00005555556ab37c in PoDoFo::PdfParser::ReadDocumentStructure() ()
#58230 0x00005555556ab017 in PoDoFo::PdfParser::ParseFile(PoDoFo::PdfRefCountedInputDevice const&, bool) ()
#58231 0x00005555556aad5d in PoDoFo::PdfParser::ParseFile(char const*, bool) ()
#58232 0x00005555556725dd in PoDoFo::PdfMemDocument::Load(char const*, bool) ()
#58233 0x0000555555671bd4 in PoDoFo::PdfMemDocument::PdfMemDocument(char const*, bool) ()
#58234 0x000055555561f00d in PdfInfo::PdfInfo(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) ()
#58235 0x0000555555623448 in main ()

Version-Release number of selected component (if applicable):

0.9.5

How reproducible:

Use podofopdfinfo to read crafted PDF files.

Steps to Reproduce:
1. podofopdfinfo $POCFILE

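The backtrace in this report shows ReadArray, ReadDataType and GetNextVariant calling one another for tens of thousands of frames with no depth bound. As an added illustration (not part of the original report, not PoDoFo code and not the upstream fix; ArrayReader, kMaxDepth and CountTokens are hypothetical names), a recursive-descent array reader that carries a depth counter and rejects over-deep input before the stack is exhausted:

```cpp
#include <cstddef>
#include <stdexcept>
#include <string>

// Hypothetical limit: pick one that fits the smallest thread stack you run on.
constexpr std::size_t kMaxDepth = 256;

// Minimal reader for nested PDF-style arrays such as "[1 [2 3] []]".
class ArrayReader {
public:
    explicit ArrayReader(const std::string& in) : in_(in) {}

    // Returns the number of scalar tokens; throws on malformed or over-deep input.
    std::size_t Parse() {
        SkipSpace();
        if (pos_ >= in_.size() || in_[pos_] != '[') throw std::runtime_error("expected '['");
        std::size_t n = ReadArray(1);
        SkipSpace();
        if (pos_ != in_.size()) throw std::runtime_error("trailing data");
        return n;
    }

private:
    std::size_t ReadArray(std::size_t depth) {
        // The guard: refuse before recursing, so stack use stays within kMaxDepth frames.
        if (depth > kMaxDepth) throw std::length_error("array nesting too deep");
        ++pos_;  // consume '['
        std::size_t count = 0;
        for (;;) {
            SkipSpace();
            if (pos_ >= in_.size()) throw std::runtime_error("unterminated array");
            if (in_[pos_] == ']') { ++pos_; return count; }
            if (in_[pos_] == '[') { count += ReadArray(depth + 1); continue; }
            while (pos_ < in_.size() && !IsDelim(in_[pos_])) ++pos_;  // scalar token
            ++count;
        }
    }
    static bool IsSpace(char c) { return c == ' ' || c == '\n' || c == '\t' || c == '\r'; }
    static bool IsDelim(char c) { return IsSpace(c) || c == '[' || c == ']'; }
    void SkipSpace() { while (pos_ < in_.size() && IsSpace(in_[pos_])) ++pos_; }

    std::string in_;       // copy of the input, so temporaries are safe
    std::size_t pos_ = 0;
};

// Returns the scalar token count, or -1 if the input is rejected.
long CountTokens(const std::string& s) {
    try { return static_cast<long>(ArrayReader(s).Parse()); }
    catch (const std::exception&) { return -1; }
}
```

Rejecting with an exception turns what would be a SIGSEGV from stack exhaustion into an ordinary parse error the caller can handle.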