Bug 1531956 - podofoimgextract: memory malloc failure in PdfParser::ReadXRefSubsection (src/base/PdfParser.cpp)
Status: NEW
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: podofo
Version: epel7
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Dan Horák
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
Reported: 2018-01-06 20:34 UTC by probefuzzer
Modified: 2018-01-11 21:48 UTC (History)
Clone Of:
Last Closed:


Attachments
poc for podofo component podofoimgextract (423.82 KB, application/pdf)
2018-01-06 20:34 UTC, probefuzzer

Description probefuzzer 2018-01-06 20:34:25 UTC
Created attachment 1377945 [details]
poc for podofo component podofoimgextract

On 0.9.5 (the latest version):
there is a memory malloc failure in the PdfParser::ReadXRefSubsection function (src/base/PdfParser.cpp), which can be triggered by podofo_0-9-5_podofoimgextract_uncontrolled-memory-allocation_PdfParser-ReadXRefSubsection.pdf in the attachment.

podofoimgextract podofo_0-9-5_podofoimgextract_uncontrolled-memory-allocation_PdfParser-ReadXRefSubsection.pdf OUTPUT_DIR

==112205==AddressSanitizer's allocator is terminating the process instead of returning 0
==112205==If you don't like this behavior set allocator_may_return_null=1
==112205==AddressSanitizer CHECK failed: ../../../../src/libsanitizer/sanitizer_common/sanitizer_allocator.cc:147 "((0)) != (0)" (0x0, 0x0)
    #0 0x7f7872382b14 in AsanCheckFailed ../../../../src/libsanitizer/asan/asan_rtl.cc:68
    #1 0x7f7872387573 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) ../../../../src/libsanitizer/sanitizer_common/sanitizer_common.cc:72
    #2 0x7f78723044a1 in __sanitizer::AllocatorReturnNull() ../../../../src/libsanitizer/sanitizer_common/sanitizer_allocator.cc:147
    #3 0x7f78723857f5 in __sanitizer::AllocatorReturnNull() ../../../../src/libsanitizer/sanitizer_common/sanitizer_allocator.cc:141
    #4 0x7f7872309b5d in Allocate ../../../../src/libsanitizer/asan/asan_allocator2.cc:298
    #5 0x7f787237be9f in operator new(unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cc:60
    #6 0x7d05e7 in __gnu_cxx::new_allocator<PoDoFo::PdfParser::TXRefEntry>::allocate(unsigned long, void const*) (/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x7d05e7)
    #7 0x7d00cd in __gnu_cxx::__alloc_traits<std::allocator<PoDoFo::PdfParser::TXRefEntry> >::allocate(std::allocator<PoDoFo::PdfParser::TXRefEntry>&, unsigned long) (/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x7d00cd)
    #8 0x7cf661 in std::_Vector_base<PoDoFo::PdfParser::TXRefEntry, std::allocator<PoDoFo::PdfParser::TXRefEntry> >::_M_allocate(unsigned long) (/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x7cf661)
    #9 0x7ccf00 in std::vector<PoDoFo::PdfParser::TXRefEntry, std::allocator<PoDoFo::PdfParser::TXRefEntry> >::_M_fill_insert(__gnu_cxx::__normal_iterator<PoDoFo::PdfParser::TXRefEntry*, std::vector<PoDoFo::PdfParser::TXRefEntry, std::allocator<PoDoFo::PdfParser::TXRefEntry> > >, unsigned long, PoDoFo::PdfParser::TXRefEntry const&) (/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x7ccf00)
    #10 0x7ca5ef in std::vector<PoDoFo::PdfParser::TXRefEntry, std::allocator<PoDoFo::PdfParser::TXRefEntry> >::insert(__gnu_cxx::__normal_iterator<PoDoFo::PdfParser::TXRefEntry*, std::vector<PoDoFo::PdfParser::TXRefEntry, std::allocator<PoDoFo::PdfParser::TXRefEntry> > >, unsigned long, PoDoFo::PdfParser::TXRefEntry const&) (/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x7ca5ef)
    #11 0x7c93d4 in std::vector<PoDoFo::PdfParser::TXRefEntry, std::allocator<PoDoFo::PdfParser::TXRefEntry> >::resize(unsigned long, PoDoFo::PdfParser::TXRefEntry) (/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x7c93d4)
    #12 0x7b3540 in PoDoFo::PdfParser::ReadXRefSubsection(long&, long&) (/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x7b3540)
    #13 0x7b1cc8 in PoDoFo::PdfParser::ReadXRefContents(long, bool) (/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x7b1cc8)
    #14 0x7a16ff in PoDoFo::PdfParser::ReadDocumentStructure() (/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x7a16ff)
    #15 0x79de77 in PoDoFo::PdfParser::ParseFile(PoDoFo::PdfRefCountedInputDevice const&, bool) (/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x79de77)
    #16 0x79d566 in PoDoFo::PdfParser::ParseFile(char const*, bool) (/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x79d566)
    #17 0x6418df in PoDoFo::PdfMemDocument::Load(char const*, bool) (/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x6418df)
    #18 0x63b424 in PoDoFo::PdfMemDocument::PdfMemDocument(char const*, bool) (/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x63b424)
    #19 0x4b9640 in ImageExtractor::Init(char const*, char const*, int*) (/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x4b9640)
    #20 0x4c1e3e in main (/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x4c1e3e)
    #21 0x7f786f096c04 in __libc_start_main (/lib64/libc.so.6+0x21c04)
    #22 0x4b8fe8  (/home/youwei/ProbeFuzzer/product/podofo/master/exe_repro/bin/podofoimgextract+0x4b8fe8)
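
The trace above ends in std::vector::resize called from ReadXRefSubsection, i.e. the parser sizes its entry table from a count it has just read out of the file, and the PoC makes that count large enough that the allocation itself fails. The C++ below is an added illustration written for this page, not PoDoFo's code, showing a minimal parser for the "first count" header of a classic xref subsection with the trusting pattern beside a bounded one. The 20-byte entry size is the PDF specification's fixed size for a classic cross-reference entry; the kMaxObjects cap, the function names and the sample inputs are this example's own assumptions.

```cpp
// Added example for this bug page, not code from PoDoFo. It shows the pattern
// behind the trace above: an xref subsection header "first count" read from the
// file decides how large the entry table becomes. The unchecked version trusts
// it; the checked version bounds it by what the file can actually contain.
#include <cstdint>
#include <cstddef>
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// In a classic cross-reference table each entry is exactly 20 bytes
// ("nnnnnnnnnn ggggg n" plus a 2-byte end-of-line), so a subsection cannot
// hold more entries than fit in the bytes remaining after its header.
constexpr std::size_t kXRefEntrySize = 20;

// Policy cap on object numbers (assumption for this example; PDF 1.7 Annex C
// lists 8,388,607 as the implementation limit for indirect objects).
constexpr std::uint64_t kMaxObjects = 8388607;

struct XRefEntry {
    std::uint64_t offset = 0;
    std::uint16_t generation = 0;
    bool inUse = false;
};

// Parse a subsection header line such as "0 6". Rejects negative numbers,
// values that overflow long long, and any trailing token on the line.
bool parseSubsectionHeader(const std::string& line, std::uint64_t& first, std::uint64_t& count) {
    std::istringstream in(line);
    long long f = 0, c = 0;
    if (!(in >> f >> c) || f < 0 || c < 0) return false;
    std::string extra;
    if (in >> extra) return false;
    first = static_cast<std::uint64_t>(f);
    count = static_cast<std::uint64_t>(c);
    return true;
}

// Trusting pattern: the declared count alone decides the allocation. A header
// of "0 4294967295" asks for tens of gigabytes, which is the abort seen above.
// Never called with untrusted input in this example.
void growTableUnchecked(std::vector<XRefEntry>& table, std::uint64_t first, std::uint64_t count) {
    if (first + count > table.size()) table.resize(static_cast<std::size_t>(first + count));
}

// Bounded pattern: the count must be backed by the remaining file bytes and
// the object-number range must stay under the cap. Only then resize.
bool growTableChecked(std::vector<XRefEntry>& table, std::uint64_t first, std::uint64_t count,
                      std::size_t remainingBytes, std::string& err) {
    if (count > remainingBytes / kXRefEntrySize) {
        err = "subsection declares more entries than the file has bytes for";
        return false;
    }
    if (first > kMaxObjects || count > kMaxObjects - first) {
        err = "object number range exceeds implementation limit";
        return false;
    }
    if (first + count > table.size()) table.resize(static_cast<std::size_t>(first + count));
    return true;
}

int main() {
    // Constructed inputs: a sane header for a six-object file (120 bytes of
    // entries follow it) and a hostile header of the kind a fuzzer produces,
    // in a file roughly the size of the attached PoC.
    const std::string sane = "0 6";
    const std::string hostile = "0 4294967295";
    std::vector<XRefEntry> table;
    std::string err;
    std::uint64_t first = 0, count = 0;

    parseSubsectionHeader(sane, first, count);
    std::cout << sane << " -> " << (growTableChecked(table, first, count, 120, err) ? "accepted" : err)
              << ", table size " << table.size() << "\n";

    parseSubsectionHeader(hostile, first, count);
    std::cout << hostile << " -> " << (growTableChecked(table, first, count, 434000, err) ? "accepted" : err)
              << ", table size " << table.size() << "\n";
    return 0;
}
```

The remaining-bytes bound is the decisive one: a count the file cannot physically back is rejected before any allocation, so the ASan allocator abort in the report never has a chance to fire. The same reasoning applies to cross-reference streams, where the /Index and /W arrays play the role of the header and need an analogous bound against the decoded stream length.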

Comment 1 Salvatore Bonaccorso 2018-01-08 20:14:57 UTC
This apparently was assigned CVE-2018-5296, was it reported to upstream?

Comment 2 probefuzzer 2018-01-11 21:48:52 UTC
(In reply to Salvatore Bonaccorso from comment #1)
> This apparently was assigned CVE-2018-5296, was it reported to upstream?

Thanks for your work. 
We have notified podofo developers via mailing list.

