Bug 1575851

Summary: (in PdfDocument.cpp:327) podofo Null Pointer Dereference Denial of Service
Product: [Fedora] Fedora EPEL
Reporter: Zhiyuan Wang of Chengdu Qihoo360 Tech Co. Ltd <libfuzz>
Component: podofo
Assignee: Dan Horák <dan>
Status: CLOSED EOL
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: epel7
CC: carnil, dan, manisandro
Hardware: Unspecified
OS: Unspecified
Last Closed: 2024-07-09 02:20:46 UTC
Type: Bug
Attachments:
crash demo file (none)

Description Zhiyuan Wang of Chengdu Qihoo360 Tech Co. Ltd 2018-05-08 05:54:40 UTC
Created attachment 1432992 [details]
crash demo file

Description of problem:
The function PdfDocument::Append() in PdfDocument.cpp:327 in PoDoFo 0.9.5 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted PDF document.



Detailed analysis of crash:
$ gdb podofomerge 
(gdb) r crash1.pdf crash1.pdf out.pdf
Starting program: /home/zzuf/pdf-fuzz/podofo/tools/podofomerge/podofomerge crash1.pdf crash1.pdf out.pdf
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
Reading file: crash1.pdf
WARNING: There are more objects (85) in this XRef table than specified in the size key of the trailer directory (9)!
WARNING: There are more objects (86) in this XRef table than specified in the size key of the trailer directory (85)!
WARNING: There are more objects (87) in this XRef table than specified in the size key of the trailer directory (86)!
WARNING: There are more objects (88) in this XRef table than specified in the size key of the trailer directory (87)!
WARNING: There are more objects (99) in this XRef table than specified in the size key of the trailer directory (88)!
WARNING: There are more objects (100) in this XRef table than specified in the size key of the trailer directory (99)!
WARNING: There are more objects (101) in this XRef table than specified in the size key of the trailer directory (100)!
WARNING: There are more objects (102) in this XRef table than specified in the size key of the trailer directory (101)!
WARNING: There are more objects (103) in this XRef table than specified in the size key of the trailer directory (102)!
<</Root 98 0 R/Size 9>>
Reading file: crash1.pdf
WARNING: There are more objects (85) in this XRef table than specified in the size key of the trailer directory (9)!
WARNING: There are more objects (86) in this XRef table than specified in the size key of the trailer directory (85)!
WARNING: There are more objects (87) in this XRef table than specified in the size key of the trailer directory (86)!
WARNING: There are more objects (88) in this XRef table than specified in the size key of the trailer directory (87)!
WARNING: There are more objects (99) in this XRef table than specified in the size key of the trailer directory (88)!
WARNING: There are more objects (100) in this XRef table than specified in the size key of the trailer directory (99)!
WARNING: There are more objects (101) in this XRef table than specified in the size key of the trailer directory (100)!
WARNING: There are more objects (102) in this XRef table than specified in the size key of the trailer directory (101)!
WARNING: There are more objects (103) in this XRef table than specified in the size key of the trailer directory (102)!
<</Root 98 0 R/Size 9>>
Appending 2 pages on a document with 2 pages.
Fixing references in 103 1 R by 102
Fixing references in 186 0 R by 102
Fixing references in 187 0 R by 102
Fixing references in 188 0 R by 102
Fixing references in 189 0 R by 102
Fixing references in 200 0 R by 102
Fixing references in 201 0 R by 102
Fixing references in 202 0 R by 102
Fixing references in 203 0 R by 102
Fixing references in 204 0 R by 102
CRITICAL: Cannot find page 1 or page 1 has no parents. Cannot insert new page.
Program received signal SIGSEGV, Segmentation fault.
0xb7dab770 in PoDoFo::PdfDocument::Append (this=0xbfffed9c, rDoc=..., 
    bAppendAll=true)
    at /home/zzuf/pdf-fuzz/podofo-0.9.5/src/doc/PdfDocument.cpp:327
327	            PdfPage*      pPage = rDoc.GetPage( i );



(gdb) list
323	
324	        // append all pages now to our page tree
325	        for(int i=0;i<rDoc.GetPageCount();i++ )
326	        {
327	            PdfPage*      pPage = rDoc.GetPage( i );
328	            PdfObject*    pObj  = m_vecObjects.GetObject( PdfReference( pPage->GetObject()->Reference().ObjectNumber() + difference, pPage->GetObject()->Reference().GenerationNumber() ) );
329	            if( pObj->IsDictionary() && pObj->GetDictionary().HasKey( "Parent" ) )
330	                pObj->GetDictionary().RemoveKey( "Parent" );
331	



(gdb) i r
eax            0x0	0
ecx            0x0	0
edx            0x0	0
ebx            0xb7fce000	-1208164352
esp            0xbfffebf0	0xbfffebf0
ebp            0xbfffed68	0xbfffed68
esi            0xbfffee84	-1073746300
edi            0x8066a80	134638208
eip            0xb7dab770	0xb7dab770 <PoDoFo::PdfDocument::Append(PoDoFo::PdfMemDocument const&, bool)+3712>
eflags         0x10246	[ PF ZF IF RF ]
cs             0x73	115
ss             0x7b	123
ds             0x7b	123
es             0x7b	123
fs             0x0	0
gs             0x33	51



(gdb) disassemble /m $pc
Dump of assembler code for function PoDoFo::PdfDocument::Append(PoDoFo::PdfMemDocument const&, bool):
...
326	        {
327	            PdfPage*      pPage = rDoc.GetPage( i );
   0xb7dab760 <+3696>:	sub    $0x8,%esp
   0xb7dab763 <+3699>:	push   %ecx
   0xb7dab764 <+3700>:	push   %esi
   0xb7dab765 <+3701>:	call   0xb7bd9b20 <_ZNK6PoDoFo11PdfDocument7GetPageEi@plt>
   0xb7dab76a <+3706>:	mov    %eax,-0x140(%ebp)
=> 0xb7dab770 <+3712>:	mov    0x4(%eax),%eax       //!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

328	            PdfObject*    pObj  = m_vecObjects.GetObject( PdfReference( pPage->GetObject()->Reference().ObjectNumber() + difference, pPage->GetObject()->Reference().GenerationNumber() ) );
   0xb7dab779 <+3721>:	mov    -0x144(%ebp),%edi
   0xb7dab789 <+3737>:	add    0x20(%eax),%edi
   0xb7dab795 <+3749>:	mov    -0x148(%ebp),%eax
   0xb7dab7a2 <+3762>:	mov    -0x13c(%ebp),%esi


How reproducible:

Use podofomerge to read the attached PoC file.

Steps to Reproduce:
1. podofomerge crash1.pdf crash1.pdf out.pdf
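
The loop at lines 325-330 of the trace dereferences the result of `rDoc.GetPage(i)` without a null check, and line 328 does the same with the `m_vecObjects.GetObject(...)` result. `GetPage()` logs the CRITICAL message and returns NULL when the page tree cannot resolve page 1, so a source document whose page count exceeds the number of pages the tree actually resolves walks straight into the NULL read at `mov 0x4(%eax),%eax`. The following is an added example, not PoDoFo's code: the `Doc`/`Obj` types, `fillDoc`, `copyObjects`, the `AppendResult` struct and the `difference` value of 100 are assumptions that only mimic the shape of the calls seen in the trace. It shows the unchecked loop beside a checked one that treats the declared page count as untrusted and reports what it skipped.

```cpp
#include <cstdio>
#include <map>
#include <string>
#include <utility>
#include <vector>

// Added example, not PoDoFo code. These structs only mimic the shape of the
// PdfDocument calls seen in the trace (GetPageCount, GetPage, GetObject and
// a dictionary with a /Parent key); every name here is an assumption.
struct Obj {
    int num = 0;
    int gen = 0;
    bool isDict = false;
    std::map<std::string, std::string> dict;   // e.g. {"Parent", "1 0 R"}
};

struct Doc {
    int declaredCount = 0;                     // what /Pages /Count claims
    std::vector<Obj*> kids;                    // page objects the tree really resolves
    std::map<std::pair<int, int>, Obj> objs;   // keyed by (object number, generation)

    int GetPageCount() const { return declaredCount; }
    // As in the trace, an unresolvable page yields nullptr rather than an exception.
    Obj* GetPage(int i) const {
        if (i < 0 || static_cast<size_t>(i) >= kids.size()) return nullptr;
        return kids[i];
    }
    Obj* GetObject(int num, int gen) {
        auto it = objs.find({num, gen});
        return it == objs.end() ? nullptr : &it->second;
    }
};

// Constructed input: a document whose /Count claims `declared` pages while only
// `resolvable` page objects exist, the inconsistency a crafted file carries.
void fillDoc(Doc& d, int declared, int resolvable, int firstObjNum) {
    d.declaredCount = declared;
    for (int i = 0; i < resolvable; i++) {
        Obj page;
        page.num = firstObjNum + i;
        page.isDict = true;
        page.dict["Type"] = "/Page";
        page.dict["Parent"] = "1 0 R";
        d.objs[{page.num, page.gen}] = page;
        d.kids.push_back(&d.objs[{page.num, page.gen}]);   // map nodes are stable
    }
}

// Merge step 1: copy src's objects into dst with numbers shifted by `difference`
// (the trace shifts by 102, the object count of the target; 100 below is a
// chosen value).
void copyObjects(Doc& dst, const Doc& src, int difference) {
    for (const auto& kv : src.objs) {
        Obj copy = kv.second;
        copy.num += difference;
        dst.objs[{copy.num, copy.gen}] = copy;
    }
}

// Merge step 2, crashing shape, mirroring lines 325-330 of the trace: both the
// GetPage() and the GetObject() results are dereferenced unchecked, so a
// /Count larger than the resolvable page set reads through a null pointer.
// Kept only to show the pattern; never call it on untrusted input.
void appendUnchecked(Doc& dst, const Doc& src, int difference) {
    for (int i = 0; i < src.GetPageCount(); i++) {
        Obj* page = src.GetPage(i);                                   // may be nullptr
        Obj* obj = dst.GetObject(page->num + difference, page->gen);  // NULL read here
        if (obj->isDict && obj->dict.count("Parent"))                 // and here
            obj->dict.erase("Parent");
        dst.kids.push_back(obj);                                      // insertion into the tree
        dst.declaredCount++;
    }
}

struct AppendResult { int appended = 0; int missingPages = 0; int missingObjects = 0; };

// Merge step 2, checked shape: /Count is untrusted, every lookup is verified,
// and the caller learns how many entries were skipped so it can refuse the
// merge instead of silently writing a truncated document.
AppendResult appendChecked(Doc& dst, const Doc& src, int difference) {
    AppendResult r;
    for (int i = 0; i < src.GetPageCount(); i++) {
        Obj* page = src.GetPage(i);
        if (!page) { r.missingPages++; continue; }
        Obj* obj = dst.GetObject(page->num + difference, page->gen);
        if (!obj) { r.missingObjects++; continue; }
        if (obj->isDict && obj->dict.count("Parent"))
            obj->dict.erase("Parent");
        dst.kids.push_back(obj);
        dst.declaredCount++;
        r.appended++;
    }
    return r;
}

int main() {
    Doc target, crafted;
    fillDoc(target, 2, 2, 10);    // healthy: claims 2 pages, resolves 2
    fillDoc(crafted, 2, 1, 10);   // crafted: claims 2 pages, resolves 1
    copyObjects(target, crafted, 100);
    AppendResult r = appendChecked(target, crafted, 100);
    std::printf("appended=%d missingPages=%d missingObjects=%d pages=%d\n",
                r.appended, r.missingPages, r.missingObjects, target.GetPageCount());
    return (r.missingPages + r.missingObjects) ? 1 : 0;   // non-zero: refuse the merge
}
```

For a merge tool the safer policy is the one `main` follows: treat any skipped page or object as a reason to reject the input rather than emit a document that is missing pages, since the count mismatch is itself evidence of a malformed or hostile file.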

Comment 1 Troy Dawson 2024-07-09 02:20:46 UTC
EPEL 7 entered end-of-life (EOL) status on 2024-06-30.

EPEL 7 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug.