Bug 1578637
| Field | Value |
|---|---|
| Summary | podofo 0.9.5 NULL Pointer Denial of Service in function PoDoFo::PdfDocument::GetPageCount in PdfDocument.cpp |
| Product | [Fedora] Fedora EPEL |
| Component | podofo |
| Version | epel7 |
| Status | NEW --- |
| Severity | unspecified |
| Priority | unspecified |
| Hardware | x86_64 |
| OS | Linux |
| Type | Bug |
| Reporter | mmm <o0xmuhe> |
| Assignee | Dan Horák <dan> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | dan, manisandro |
Created attachment 1437078
Crafted pdf file and crash log

Description of problem:

0x00: In PoDoFo 0.9.5 (the latest stable version), there exists a NULL Pointer Denial of Service in function PoDoFo::PdfDocument::GetPageCount in PdfDocument.cpp.

0x01: Crash log

```
gdb-peda$ set args crash1.pdf out.pdf crash1.pdf
gdb-peda$ r
Starting program: /home/syclover/podofo/build/tools/podofoimpose/podofoimpose crash1.pdf out.pdf crash1.pdf
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Source : crash1.pdf
Target : out.pdf
Plan : crash1.pdf
PdfTranslator::PdfTranslator 1 2

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x991ae0 --> 0x7ffff6d95988 --> 0x7ffff6b29b70 (<_ZNSoD1Ev>: )
RBX: 0x0
RCX: 0x0
RDX: 0x0
RSI: 0x7ffff64f9770 --> 0x0
RDI: 0x0
RBP: 0x7ffff6d9c1c0 --> 0x7ffff6d918d0 --> 0x7ffff6acfdd0 (<_ZNSt5ctypeIcED2Ev>:)
RSP: 0x7fffffffdac8 --> 0x448ee1 ( <PoDoFo::Impose::PdfTranslator::setSource(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&)+5681>: )
RIP: 0x4f0f48 (<PoDoFo::PdfDocument::GetPageCount() const+56>: )
R8 : 0x7ffff64f9770 --> 0x0
R9 : 0x7ffff7fd6740 (0x00007ffff7fd6740)
R10: 0x1
R11: 0x246
R12: 0x7fffffffdae8 --> 0x7ffff7000002 (MemError)
R13: 0x9af090 --> 0x0
R14: 0x9b15a0 --> 0x2
R15: 0x7fffffffdb08 ("crash1.pdf")
EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x4f0f37 <PoDoFo::PdfDocument::GetPageCount() const+39>: mov rcx,QWORD PTR [rsp+0x8]
   0x4f0f3c <PoDoFo::PdfDocument::GetPageCount() const+44>: mov rdx,QWORD PTR [rsp]
   0x4f0f40 <PoDoFo::PdfDocument::GetPageCount() const+48>: lea rsp,[rsp+0x98]
=> 0x4f0f48 <PoDoFo::PdfDocument::GetPageCount() const+56>: mov rdi,QWORD PTR [rdi+0x70]
   0x4f0f4c <PoDoFo::PdfDocument::GetPageCount() const+60>: jmp 0x5996c0 <PoDoFo::PdfPagesTree::GetTotalNumberOfPages() const>
   0x4f0f51: nop DWORD PTR [rax+rax*1+0x0]
   0x4f0f56: nop WORD PTR cs:[rax+rax*1+0x0]
   0x4f0f60 <PoDoFo::PdfDocument::GetPage(int) const>: lea rsp,[rsp-0x98]
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffdac8 --> 0x448ee1 ( <PoDoFo::Impose::PdfTranslator::setSource(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&)+5681>: )
0008| 0x7fffffffdad0 --> 0x2
0016| 0x7fffffffdad8 --> 0x7fffffffdae8 --> 0x7ffff7000002 (MemError)
0024| 0x7fffffffdae0 --> 0x2
0032| 0x7fffffffdae8 --> 0x7ffff7000002 (MemError)
0040| 0x7fffffffdaf0 --> 0x1
0048| 0x7fffffffdaf8 --> 0x7fffffffdb08 ("crash1.pdf")
0056| 0x7fffffffdb00 --> 0xa ('\n')
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00000000004f0f48 in PoDoFo::PdfDocument::GetPageCount (this=0x0) at /home/syclover/podofo/src/doc/PdfDocument.cpp:179
179 return m_pPagesTree->GetTotalNumberOfPages();
gdb-peda$
```

Version-Release number of selected component (if applicable): 0.9.5

How reproducible: Use podofoimpose to handle crafted PDF files.

Steps to Reproduce:
1. podofoimpose crash1.pdf out.pdf crash1.pdf

Actual results:

Expected results:

Additional info: A CVE ID is required if this issue is confirmed.
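
A small triage helper for the crash log above, added here as an example and not part of the original report or of PoDoFo: it takes the instruction gdb marks with `=>`, looks up its base register in the register dump, and computes the address that faulted. The three log lines are copied from the report; the function name `triage` and the 0x1000 near-NULL threshold are assumptions.

```python
import re

# Three lines copied from the gdb-peda output in this report.
CRASH_LOG = """\
RDI: 0x0
RIP: 0x4f0f48 (<PoDoFo::PdfDocument::GetPageCount() const+56>: )
=> 0x4f0f48 <PoDoFo::PdfDocument::GetPageCount() const+56>: mov rdi,QWORD PTR [rdi+0x70]
"""

# Assumption: addresses below one 4 KiB page are treated as NULL plus a field offset.
NULL_PAGE_LIMIT = 0x1000

# "RDI: 0x0" or "R8 : 0x7ffff64f9770 --> 0x0" (peda pads short register names).
REG_RE = re.compile(r"^(R[A-Z0-9]{1,2})\s*:\s*(0x[0-9a-fA-F]+)", re.M)
# Faulting instruction with a memory operand [reg], [reg+0xNN] or [reg-0xNN].
FAULT_RE = re.compile(
    r"^=>\s*(0x[0-9a-fA-F]+)\s*<(.+?)>:\s*.*?"
    r"\[(\w+)(?:([+-])(0x[0-9a-fA-F]+))?\]",
    re.M,
)


def triage(log):
    """Return the faulting address implied by the '=>' line and register dump."""
    regs = {name.lower(): int(val, 16) for name, val in REG_RE.findall(log)}
    m = FAULT_RE.search(log)
    if m is None:
        raise ValueError("no '=>' instruction with a [reg+disp] operand found")
    pc, symbol, base, sign, disp = m.groups()
    if base not in regs:
        raise ValueError("base register %s missing from register dump" % base)
    offset = int(disp, 16) if disp else 0
    if sign == "-":
        offset = -offset
    addr = (regs[base] + offset) & 0xFFFFFFFFFFFFFFFF  # wrap like a 64-bit CPU
    return {
        "pc": int(pc, 16),
        "symbol": symbol,
        "base": base,
        "fault_addr": addr,
        "near_null": addr < NULL_PAGE_LIMIT,
    }


if __name__ == "__main__":
    r = triage(CRASH_LOG)
    print("%s: read of 0x%x via %s, near-NULL=%s"
          % (r["symbol"], r["fault_addr"], r["base"], r["near_null"]))
```

For this report the computed address is 0x70, a fixed small offset from a zero `rdi`, which agrees with the `this=0x0` that gdb prints for `GetPageCount`.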