Bug 1532381 - integer overflow in PdfObjectStreamParserObject::ReadObjectsFromStream (src/base/PdfObjectStreamParserObject.cpp)
Keywords:
Status: NEW
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: podofo
Version: epel7
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Dan Horák
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2018-01-08 20:33 UTC by probefuzzer
Modified: 2018-01-11 21:47 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug
Embargoed:


Attachments
POC for podofo integer overflow issue (7.76 KB, application/pdf)
2018-01-08 20:33 UTC, probefuzzer

Description probefuzzer 2018-01-08 20:33:06 UTC
Created attachment 1378729 [details]
POC for podofo integer overflow issue

On 0.9.5 (the latest version):
there is a signed integer overflow in the PdfObjectStreamParserObject::ReadObjectsFromStream function (src/base/PdfObjectStreamParserObject.cpp), which can cause denial of service via a crafted PDF file.

src/base/PdfObjectStreamParserObject.cpp:99:30: runtime error: signed integer overflow: 94 + 9223372036854775807 cannot be represented in type 'long int'

To reproduce the issue, compile libming with UBSAN "-fsanitize=undefined",
then execute: podofoimgextract $POC OUTPUT_DIR

The POC is attached.
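The sanitizer line above shows the shape of the defect: a base position (94) plus an object offset read from the file (LONG_MAX) added in signed arithmetic with no range check. The following is an added illustration, not podofo's code and not taken from the report: a vulnerable-shaped addition beside a hardened one that rejects the overflow and keeps the result inside the decoded stream, plus a walk over constructed "objnum offset" header pairs. The /First value, stream length and header text are constructed sample inputs; `__builtin_add_overflow` is assumed available (GCC/Clang).

```c
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdlib.h>

/* Shape of the reported bug: /First of the object stream plus an offset read
 * straight from the file, with no check. offset == LONG_MAX overflows. */
long unchecked_object_offset(long first, long offset)
{
    return first + offset;
}

/* Hardened form: reject negatives, detect the overflow before it happens
 * (GCC/Clang builtin, assumed available) and keep the result inside the
 * decoded stream. Returns false on any rejection; out may be NULL. */
bool checked_object_offset(long first, long offset, long stream_len, long *out)
{
    long sum;
    if (first < 0 || offset < 0 || stream_len < 0) return false;
    if (__builtin_add_overflow(first, offset, &sum)) return false;
    if (sum >= stream_len) return false;
    if (out) *out = sum;
    return true;
}

/* Read one decimal integer; false on no digits or on strtol overflow (ERANGE). */
static bool read_long(const char **p, long *v)
{
    char *end;
    errno = 0;
    *v = strtol(*p, &end, 10);
    if (end == *p || errno == ERANGE) return false;
    *p = end;
    return true;
}

/* Walk the n "objnum offset" pairs of an object-stream header (constructed
 * sample input in the caller) and count how many resolve to a valid position;
 * a malformed or out-of-range pair ends the walk. */
int count_valid_objects(const char *header, int n, long first, long stream_len)
{
    int valid = 0;
    long objnum, offset, pos;
    for (int i = 0; i < n; i++) {
        if (!read_long(&header, &objnum) || !read_long(&header, &offset)) break;
        if (checked_object_offset(first, offset, stream_len, &pos)) valid++;
    }
    return valid;
}
```

With the values from the sanitizer message (first 94, offset LONG_MAX) the hardened check refuses the pair instead of computing an undefined sum.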

Comment 1 Salvatore Bonaccorso 2018-01-09 09:47:14 UTC
CVE-2018-5309 was assigned for this issue.

Can you notify upstream about this issue?

Comment 2 probefuzzer 2018-01-11 21:47:08 UTC
(In reply to Salvatore Bonaccorso from comment #1)
> CVE-2018-5309 was assigned for this issue.
> 
> Can you notify upstream about this issue?

Thanks for your work.
We have notified podofo developers via mailing list.
