Bug 1532381 - integer overflow in PdfObjectStreamParserObject::ReadObjectsFromStream (src/base/PdfObjectStreamParserObject.cpp)
Keywords:
Status: CLOSED EOL
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: podofo
Version: epel7
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Dan Horák
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2018-01-08 20:33 UTC by probefuzzer
Modified: 2024-07-09 02:15 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2024-07-09 02:15:40 UTC
Type: Bug
Embargoed:


Attachments
POC for podofo integer overflow issue (7.76 KB, application/pdf), 2018-01-08 20:33 UTC, probefuzzer

Description probefuzzer 2018-01-08 20:33:06 UTC
Created attachment 1378729 [details]
POC for podofo integer overflow issue

On 0.9.5 (the latest version):
There is a signed integer overflow in the PdfObjectStreamParserObject::ReadObjectsFromStream function (src/base/PdfObjectStreamParserObject.cpp), which can cause denial of service via a crafted PDF file.

src/base/PdfObjectStreamParserObject.cpp:99:30: runtime error: signed integer overflow: 94 + 9223372036854775807 cannot be represented in type 'long int'

To reproduce the issue, compile libming with UBSAN "-fsanitize=undefined",
then execute: podofoimgextract $POC OUTPUT_DIR

The POC is attached.
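
Added illustration of the arithmetic pattern the UBSAN message above points at; this is not podofo's code and not the reporter's, and the struct and function names are hypothetical. An object stream's /First value is added to a per-object offset taken from the stream's header table; with attacker-controlled values (94 + LONG_MAX in the report) the plain signed addition is undefined behaviour. The checked form rejects negative inputs, detects overflow before it happens, and refuses positions outside the decoded stream.

```cpp
// Added example (not podofo's code): unchecked object-stream offset
// arithmetic beside an overflow-checked version.
#include <cstdint>
#include <climits>
#include <optional>
#include <vector>

// Hypothetical stand-in for one entry of an object stream's header table:
// the object number and its byte offset relative to /First.
struct ObjStmEntry {
    long objectNumber;
    long offset;
};

// Vulnerable form: plain signed addition on file-controlled values.
// first = 94, offset = LONG_MAX is exactly the case UBSAN flagged; the
// wrapped position would later be used to seek into the stream buffer.
long unchecked_position(long first, const ObjStmEntry& e) {
    return first + e.offset;
}

// Hardened form: negative values are rejected, the add is checked for
// overflow, and the result must lie inside the decoded stream.
std::optional<long> checked_position(long first, const ObjStmEntry& e,
                                     long streamLen) {
    if (first < 0 || e.offset < 0 || streamLen < 0)
        return std::nullopt;
    long pos;
    if (__builtin_add_overflow(first, e.offset, &pos))
        return std::nullopt;          // would overflow: malformed file
    if (pos >= streamLen)
        return std::nullopt;          // points past the end of the stream
    return pos;
}

// Constructed sample header table: two sane entries plus an entry carrying
// the pathological offset from the sanitizer report.
std::vector<ObjStmEntry> sample_entries() {
    return { {10, 0}, {11, 40}, {12, LONG_MAX} };
}

// Number of entries a hardened parser would accept for a stream of the
// given decoded length with the given /First value.
int accepted_entries(long first, long streamLen) {
    int ok = 0;
    for (const auto& e : sample_entries())
        if (checked_position(first, e, streamLen).has_value())
            ++ok;
    return ok;
}
```

`__builtin_add_overflow` is a GCC/Clang builtin; on a compiler without it, compare `e.offset` against `LONG_MAX - first` before adding. The point of the length check is that a position can pass the overflow test and still be out of bounds, so both conditions are needed before the offset is trusted.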

Comment 1 Salvatore Bonaccorso 2018-01-09 09:47:14 UTC
CVE-2018-5309 was assigned for this issue.

Can you notify upstream about this issue?

Comment 2 probefuzzer 2018-01-11 21:47:08 UTC
(In reply to Salvatore Bonaccorso from comment #1)
> CVE-2018-5309 was assigned for this issue.
> 
> Can you notify upstream about this issue?

Thanks for your work. 
We have notified podofo developers via mailing list.

Comment 3 Troy Dawson 2024-07-09 02:15:40 UTC
EPEL 7 entered end-of-life (EOL) status on 2024-06-30.

EPEL 7 is no longer maintained, which means that it will not receive any further security or bug fix updates.

As a result we are closing this bug.

