Created attachment 1377945 [details] poc for podofo component podofoimgextract on 0.9.5 (the latest version): there is a memory malloc failure in the PdfParser::ReadXRefSubsection function (src/base/PdfParser.cpp), which can be triggered by podofo_0-9-5_podofoimgextract_uncontrolled-memory-allocation_PdfParser-ReadXRefSubsection.pdf in the attachment. podofoimgextract podofo_0-9-5_podofoimgextract_uncontrolled-memory-allocation_PdfParser-ReadXRefSubsection.pdf OUTPUT_DIR ==112205==AddressSanitizer's allocator is terminating the process instead of returning 0 ==112205==If you don't like this behavior set allocator_may_return_null=1 ==112205==AddressSanitizer CHECK failed: ../../../../src/libsanitizer/sanitizer_common/sanitizer_allocator.cc:147 "((0)) != (0)" (0x0, 0x0) #0 0x7f7872382b14 in AsanCheckFailed ../../../../src/libsanitizer/asan/asan_rtl.cc:68 #1 0x7f7872387573 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) ../../../../src/libsanitizer/sanitizer_common/sanitizer_common.cc:72 #2 0x7f78723044a1 in __sanitizer::AllocatorReturnNull() ../../../../src/libsanitizer/sanitizer_common/sanitizer_allocator.cc:147 #3 0x7f78723857f5 in __sanitizer::AllocatorReturnNull() ../../../../src/libsanitizer/sanitizer_common/sanitizer_allocator.cc:141 #4 0x7f7872309b5d in Allocate ../../../../src/libsanitizer/asan/asan_allocator2.cc:298 #5 0x7f787237be9f in operator new(unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cc:60 #6 0x7d05e7 in __gnu_cxx::new_allocator<PoDoFo::PdfParser::TXRefEntry>::allocate(unsigned long, void const*) (/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x7d05e7) #7 0x7d00cd in __gnu_cxx::__alloc_traits<std::allocator<PoDoFo::PdfParser::TXRefEntry> >::allocate(std::allocator<PoDoFo::PdfParser::TXRefEntry>&, unsigned long) (/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x7d00cd) #8 0x7cf661 in std::_Vector_base<PoDoFo::PdfParser::TXRefEntry, std::allocator<PoDoFo::PdfParser::TXRefEntry> >::_M_allocate(unsigned long) (/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x7cf661) #9 0x7ccf00 in std::vector<PoDoFo::PdfParser::TXRefEntry, std::allocator<PoDoFo::PdfParser::TXRefEntry> >::_M_fill_insert(__gnu_cxx::__normal_iterator<PoDoFo::PdfParser::TXRefEntry*, std::vector<PoDoFo::PdfParser::TXRefEntry, std::allocator<PoDoFo::PdfParser::TXRefEntry> > >, unsigned long, PoDoFo::PdfParser::TXRefEntry const&) (/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x7ccf00) #10 0x7ca5ef in std::vector<PoDoFo::PdfParser::TXRefEntry, std::allocator<PoDoFo::PdfParser::TXRefEntry> >::insert(__gnu_cxx::__normal_iterator<PoDoFo::PdfParser::TXRefEntry*, std::vector<PoDoFo::PdfParser::TXRefEntry, std::allocator<PoDoFo::PdfParser::TXRefEntry> > >, unsigned long, PoDoFo::PdfParser::TXRefEntry const&) (/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x7ca5ef) #11 0x7c93d4 in std::vector<PoDoFo::PdfParser::TXRefEntry, std::allocator<PoDoFo::PdfParser::TXRefEntry> >::resize(unsigned long, PoDoFo::PdfParser::TXRefEntry) (/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x7c93d4) #12 0x7b3540 in PoDoFo::PdfParser::ReadXRefSubsection(long&, long&) (/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x7b3540) #13 0x7b1cc8 in PoDoFo::PdfParser::ReadXRefContents(long, bool) (/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x7b1cc8) #14 0x7a16ff in PoDoFo::PdfParser::ReadDocumentStructure() (/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x7a16ff) #15 0x79de77 in PoDoFo::PdfParser::ParseFile(PoDoFo::PdfRefCountedInputDevice const&, bool) (/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x79de77) #16 0x79d566 in PoDoFo::PdfParser::ParseFile(char const*, bool) (/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x79d566) #17 0x6418df in PoDoFo::PdfMemDocument::Load(char const*, bool) (/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x6418df) #18 0x63b424 in PoDoFo::PdfMemDocument::PdfMemDocument(char const*, bool) (/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x63b424) #19 0x4b9640 in ImageExtractor::Init(char const*, char const*, int*) (/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x4b9640) #20 0x4c1e3e in main (/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x4c1e3e) #21 0x7f786f096c04 in __libc_start_main (/lib64/libc.so.6+0x21c04) #22 0x4b8fe8 (/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x4b8fe8)
This apparently was assigned CVE-2018-5296, was it reported to upstream?
(In reply to Salvatore Bonaccorso from comment #1) > This apparently was assigned CVE-2018-5296, was it reported to upstream? Thanks for your work. We have notified podofo developers via mailing list.