Bug 1536179 - Uncontrolled memory allocation in PoDoFo::PdfVecObjects::Reserve (src/base/PdfVecObjects.h)
Summary: Uncontrolled memory allocation in PoDoFo::PdfVecObjects::Reserve (src/base/Pd...
Keywords:
Status: NEW
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: podofo
Version: epel7
Hardware: All
OS: All
unspecified
high
Target Milestone: ---
Assignee: Dan Horák
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-01-18 19:49 UTC by probefuzzer
Modified: 2018-01-18 19:49 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug
Embargoed:

Attachments (Terms of Use)
poc for podofo (7.76 KB, application/pdf)
2018-01-18 19:49 UTC, probefuzzer 		no flags Details
View All

Description probefuzzer 2018-01-18 19:49:43 UTC 
Created attachment 1383033 [details]
poc for podofo

On 0.9.5 (the latest version) of podofo:
there is an uncontrolled memory allocation in PoDoFo::PdfVecObjects::Reserve function (src/base/PdfVecObjects.h), which can cause denial of service via a crafted pdf file. 

Error message:
terminate called after throwing an instance of 'std::length_error'
  what():  vector::reserve
Aborted

The problem happens since in line 499 of src/base/PdfVecObjects.h, the "size" variable could by manipulated by POC, which results in huge amount of memory allocation. 

(gdb) l
494	// -----------------------------------------------------
495	// 
496	// -----------------------------------------------------
497	inline void PdfVecObjects::Reserve( size_t size )
498	{
499	    m_vector.reserve( size );
500	}
501	
502	// -----------------------------------------------------
503	// 
(gdb) p size
$1 = 18446744073709551608


To reproduce the issue, run: podofoimgextract $POC OUTPUT
The POC is attached.
Note You need to log in before you can comment on or make changes to this bug.