Bug 1595693

Summary: one stack-based buffer overflow in PdfEncryptMD5Base::ComputeEncryptionKey() in PdfEncrypt.cpp
Product: Fedora EPEL
Component: podofo
Version: epel7
Hardware: Unspecified
OS: Linux
Status: NEW
Severity: medium
Priority: unspecified
Type: Bug
Regression: ---
Reporter: rookie <92wyunchao>
Assignee: Dan Horák <dan>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: 92wyunchao, dan, manisandro
Target Milestone: ---
Target Release: ---
Fixed In Version:
Last Closed:
Attachments: poc file to reproduce the crash (flags: none)

Description rookie 2018-06-27 11:35:20 UTC
Created attachment 1455024 [details]
poc file to reproduce the crash

Description of problem:

There exists one stack-based buffer overflow in PdfEncryptMD5Base::ComputeEncryptionKey() in PdfEncrypt.cpp in PoDoFo 0.9.6-rc1 (the latest stable version). Remote attackers could leverage the two vulnerabilities to cause a denial of service or potentially remote code execution via a crafted PDF file.

Version-Release number of selected component (if applicable):

PoDoFo 0.9.6-rc1 (also including PoDoFo 0.9.5)

How reproducible:

Use podofocolor to read crafted PDF files.

Steps to Reproduce:
1. podofocolor dummy $pocfile foo

Actual results:

Expected results:

Additional info:

Comment 1 rookie 2018-06-27 11:38:52 UTC
==40052==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff874eab00 at pc 0x7fc298864935 bp 0x7fff874ea950 sp 0x7fff874ea0f8
READ of size 116 at 0x7fff874eab00 thread T0
    #0 0x7fc298864934 in __asan_memcpy (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8c934)
    #1 0x591af9 in PoDoFo::PdfEncryptMD5Base::ComputeEncryptionKey(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, unsigned char*, unsigned char*, int, int, int, unsigned char*, bool) /home/s2e/1/podofo-0.9.6-rc1/src/base/PdfEncrypt.cpp:867
    #2 0x595250 in PoDoFo::PdfEncryptRC4::Authenticate(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, PoDoFo::PdfString const&) /home/s2e/1/podofo-0.9.6-rc1/src/base/PdfEncrypt.cpp:1115
    #3 0x5b3d37 in PoDoFo::PdfParser::ReadObjects() /home/s2e/1/podofo-0.9.6-rc1/src/base/PdfParser.cpp:1044
    #4 0x5ad52a in PoDoFo::PdfParser::ParseFile(PoDoFo::PdfRefCountedInputDevice const&, bool) /home/s2e/1/podofo-0.9.6-rc1/src/base/PdfParser.cpp:220
    #5 0x5ad108 in PoDoFo::PdfParser::ParseFile(char const*, bool) /home/s2e/1/podofo-0.9.6-rc1/src/base/PdfParser.cpp:166
    #6 0x55791b in PoDoFo::PdfMemDocument::Load(char const*, bool) /home/s2e/1/podofo-0.9.6-rc1/src/doc/PdfMemDocument.cpp:256
    #7 0x5567b5 in PoDoFo::PdfMemDocument::PdfMemDocument(char const*, bool) /home/s2e/1/podofo-0.9.6-rc1/src/doc/PdfMemDocument.cpp:102
    #8 0x4c6afa in ColorChanger::start() /home/s2e/1/podofo-0.9.6-rc1/tools/podofocolor/colorchanger.cpp:110
    #9 0x4c5a85 in main /home/s2e/1/podofo-0.9.6-rc1/tools/podofocolor/podofocolor.cpp:116
    #10 0x7fc296e2582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #11 0x4c5508 in _start (/home/s2e/1/podofo-0.9.6-rc1/build/tools/podofocolor/podofocolor+0x4c5508)
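Added illustration, not part of the bug report and not PoDoFo's code. The trace above shows memcpy reading 116 bytes out of a stack buffer inside ComputeEncryptionKey(), reached from PdfEncryptRC4::Authenticate() while parsing the /Encrypt dictionary. 116 bytes is 928/8, far larger than any legitimate RC4 key (at most 16 bytes) and exactly what a 16-byte MD5 digest buffer cannot hold. The model below therefore assumes the byte count is derived from the file's /Length value without a bound check; whether that is precisely PoDoFo's code path is not established on this page. Everything here (the toy digest standing in for MD5, the seed bytes, the function names, the 40..128-bit policy for revisions 2 to 4) is constructed for the example. It shows the unchecked shape beside a hardened version that rejects the dictionary before any buffer is sized from the value.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DIGEST_LEN   16   /* MD5 output size; the stack buffer the key is cut from */
#define MIN_KEY_BITS 40   /* assumed /Length bounds for the standard security handler */
#define MAX_KEY_BITS 128

/* Placeholder for MD5 so the example runs without a crypto library.
 * Same 16-byte output size, no cryptographic properties (constructed). */
static void toy_digest(const uint8_t *in, size_t len, uint8_t out[DIGEST_LEN])
{
    uint8_t acc[DIGEST_LEN] = {0};
    uint32_t h = 0x811c9dc5u;                     /* FNV-1a style mixing */
    for (size_t i = 0; i < len; i++) {
        h = (h ^ in[i]) * 16777619u;
        acc[i % DIGEST_LEN] ^= (uint8_t)(h >> 24);
    }
    for (size_t i = 0; i < DIGEST_LEN; i++) {     /* diffuse h over all 16 bytes */
        h = (h ^ (uint32_t)i ^ acc[i]) * 16777619u;
        acc[i] = (uint8_t)(h >> 16);
    }
    memcpy(out, acc, DIGEST_LEN);                 /* acc is separate, so in may alias out */
}

/* What an unchecked implementation turns /Length into: 928 -> 116 bytes. */
size_t key_bytes_from_length(int length_bits)
{
    return (size_t)length_bits / 8;
}

/* Hardened check (assumed policy): R2 is fixed at 40 bits; R3/R4 allow
 * multiples of 8 in [40,128]. Every accepted value fits in DIGEST_LEN.
 * Returns the key length in bytes, or -1 to reject the file. */
int validate_key_length(int length_bits, int revision)
{
    if (revision < 2 || revision > 4) return -1;
    if (revision == 2) return length_bits == 40 ? 5 : -1;
    if (length_bits < MIN_KEY_BITS || length_bits > MAX_KEY_BITS) return -1;
    if (length_bits % 8 != 0) return -1;
    return length_bits / 8;
}

/* Vulnerable shape: key_len is trusted. The 50-round re-hash and the final
 * memcpy both read key_len bytes from a DIGEST_LEN-byte stack array; with
 * /Length 928 that is a 116-byte read past the end of `digest`, the kind of
 * stack-buffer-overflow READ an ASan build reports. Only call this with a
 * valid length: the over-read is undefined behaviour. */
void derive_key_unchecked(const uint8_t *seed, size_t seed_len,
                          int length_bits, int revision, uint8_t *key_out)
{
    uint8_t digest[DIGEST_LEN];
    size_t key_len = key_bytes_from_length(length_bits);   /* no bound check */
    toy_digest(seed, seed_len, digest);
    if (revision >= 3)
        for (int k = 0; k < 50; k++)
            toy_digest(digest, key_len, digest);            /* reads key_len bytes */
    memcpy(key_out, digest, key_len);                       /* reads key_len bytes */
}

/* Hardened: validate before any buffer is sized from the value.
 * Returns key length in bytes, or -1 if the /Encrypt dictionary is rejected. */
int derive_key_checked(const uint8_t *seed, size_t seed_len,
                       int length_bits, int revision, uint8_t key_out[DIGEST_LEN])
{
    int key_len = validate_key_length(length_bits, revision);
    if (key_len < 0) return -1;
    uint8_t digest[DIGEST_LEN];
    toy_digest(seed, seed_len, digest);
    if (revision >= 3)
        for (int k = 0; k < 50; k++)
            toy_digest(digest, (size_t)key_len, digest);
    memcpy(key_out, digest, (size_t)key_len);
    return key_len;
}

/* Constructed seed standing in for the real hash input (padded password,
 * /O string, /P value, first /ID string); its content does not matter here. */
static const uint8_t demo_seed[] = "constructed-seed:padded-pw|O|P|ID";

/* Both paths agree when /Length is legitimate (128 bits, R3). */
int demo_checked_matches_unchecked(void)
{
    uint8_t k1[DIGEST_LEN], k2[DIGEST_LEN];
    int n = derive_key_checked(demo_seed, sizeof demo_seed - 1, 128, 3, k1);
    derive_key_unchecked(demo_seed, sizeof demo_seed - 1, 128, 3, k2);
    return n == 16 && memcmp(k1, k2, 16) == 0;
}

/* The value implied by the report (116 bytes = /Length 928) is rejected
 * before any digest buffer is touched. */
int demo_rejects_report_length(void)
{
    uint8_t key[DIGEST_LEN];
    return key_bytes_from_length(928) == 116 &&
           derive_key_checked(demo_seed, sizeof demo_seed - 1, 928, 3, key) == -1;
}

int main(void)
{
    printf("/Length 928 -> %zu bytes (buffer is %d)\n", key_bytes_from_length(928), DIGEST_LEN);
    printf("checked == unchecked for valid input: %d\n", demo_checked_matches_unchecked());
    printf("928 rejected: %d\n", demo_rejects_report_length());
    return 0;
}
```

The point of the split is that the check runs on the parsed integer, before the 50-round loop or the memcpy ever see it, so a hostile /Length can only produce a parse error rather than a read off the stack. Building with -fsanitize=address and calling derive_key_unchecked() with 928 reproduces the READ-of-116 shape of the trace above; derive_key_checked() never reaches the buffer.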