Bug 1548918 - podofo 0.9.5 heap overflow write vulnerability in GetNextToken()
Summary: podofo 0.9.5 heap overflow write vulnerability in GetNextToken()
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: podofo
Version: epel7
Hardware: Unspecified
OS: Linux
Target Milestone: ---
Assignee: Dan Horák
QA Contact: Fedora Extras Quality Assurance
Depends On:
TreeView+ depends on / blocked
Reported: 2018-02-26 02:26 UTC by Ziqiang Gu
Modified: 2021-03-01 12:00 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2021-03-01 12:00:33 UTC
Type: Bug

Attachments (Terms of Use)
poc file of podofo-heap-buffer-overflow-GetNextToken (26.11 KB, application/pdf)
2018-02-26 02:26 UTC, Ziqiang Gu
no flags Details

Description Ziqiang Gu 2018-02-26 02:26:42 UTC
Created attachment 1400716 [details]
poc file of podofo-heap-buffer-overflow-GetNextToken

Description of problem:

In PoDoFo 0.9.5(the latest stable version), there exists a heap buffer overflow vulnerability in PoDoFo::PdfTokenizer::GetNextToken() in PdfTokenizer.cpp. Remote attackers could leverage this vulnerability to cause a denial-of-service or potentially remote code execution via a crafted pdf file.

0x01 ASAN report:

==85897==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000002500 at pc 0x5555556a7334 bp 0x7fffffffcd90 sp 0x7fffffffcd88
WRITE of size 1 at 0x621000002500 thread T0
    #0 0x5555556a7333 in PoDoFo::PdfTokenizer::GetNextToken(char const*&, PoDoFo::EPdfTokenType*) /home/gzq/fuzz/podofo-0.9.5/src/base/PdfTokenizer.cpp:319
    #1 0x5555556b14b4 in PoDoFo::PdfTokenizer::GetNextNumber() /home/gzq/fuzz/podofo-0.9.5/src/base/PdfTokenizer.cpp:356
    #2 0x555555a5cdae in PoDoFo::PdfParserObject::ReadObjectNumber() /home/gzq/fuzz/podofo-0.9.5/src/base/PdfParserObject.cpp:104
    #3 0x555555a5f018 in PoDoFo::PdfParserObject::ParseFile(PoDoFo::PdfEncrypt*, bool) /home/gzq/fuzz/podofo-0.9.5/src/base/PdfParserObject.cpp:133
    #4 0x555555a3acb5 in PoDoFo::PdfParser::ReadObjectsInternal() /home/gzq/fuzz/podofo-0.9.5/src/base/PdfParser.cpp:1032
    #5 0x555555a3d9a1 in PoDoFo::PdfParser::ReadObjects() /home/gzq/fuzz/podofo-0.9.5/src/base/PdfParser.cpp:1003
    #6 0x555555a56507 in PoDoFo::PdfParser::ParseFile(PoDoFo::PdfRefCountedInputDevice const&, bool) /home/gzq/fuzz/podofo-0.9.5/src/base/PdfParser.cpp:221
    #7 0x555555a56507 in PoDoFo::PdfParser::ParseFile(char const*, bool) /home/gzq/fuzz/podofo-0.9.5/src/base/PdfParser.cpp:164
    #8 0x55555584f722 in PoDoFo::PdfMemDocument::Load(char const*, bool) /home/gzq/fuzz/podofo-0.9.5/src/doc/PdfMemDocument.cpp:256
    #9 0x55555584f722 in PoDoFo::PdfMemDocument::PdfMemDocument(char const*, bool) /home/gzq/fuzz/podofo-0.9.5/src/doc/PdfMemDocument.cpp:102
    #10 0x5555555e987d in PdfInfo::PdfInfo(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/gzq/fuzz/podofo-0.9.5/tools/podofopdfinfo/pdfinfo.cpp:25
    #11 0x5555555d8789 in main /home/gzq/fuzz/podofo-0.9.5/tools/podofopdfinfo/podofopdfinfo.cpp:110
    #12 0x7ffff51b8f29 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20f29)
    #13 0x5555555e90f9 in _start (/home/g/podofo/bin/podofopdfinfo+0x950f9)

0x621000002500 is located 0 bytes to the right of 4096-byte region [0x621000001500,0x621000002500)
allocated by thread T0 here:
    #0 0x7ffff6efedf8 in calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd9df8)
    #1 0x555555675da4 in PoDoFo::PdfRefCountedBuffer::ReallyResize(unsigned long) /home/gzq/fuzz/podofo-0.9.5/src/base/PdfRefCountedBuffer.cpp:166
    #2 0x555555c81071 in typeinfo name for PoDoFo::PdfName (/home/g/podofo/bin/podofopdfinfo+0x72d071)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/gzq/fuzz/podofo-0.9.5/src/base/PdfTokenizer.cpp:319 in PoDoFo::PdfTokenizer::GetNextToken(char const*&, PoDoFo::EPdfTokenType*)
Shadow bytes around the buggy address:
  0x0c427fff8450: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff8460: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff8470: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff8480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff8490: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c427fff84a0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff84b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff84c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff84d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff84e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff84f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb

0x02 Cause Analysis

We set two breakpoints in gdb:
gdb-peda$ b PdfRefCountedBuffer.cpp:166
Breakpoint 1 at 0x121d98: file /home/gzq/fuzz/podofo-0.9.5/src/base/PdfRefCountedBuffer.cpp, line 166.
gdb-peda$ b PdfTokenizer.cpp:319 if counter>=0x1000
Breakpoint 2 at 0x150588: file /home/gzq/fuzz/podofo-0.9.5/src/base/PdfTokenizer.cpp, line 319.

In PdfRefCountedBuffer.cpp, line 166, a buffer of size 0x1000 is allocated:
Breakpoint 1, PoDoFo::PdfRefCountedBuffer::ReallyResize (this=0x617000000090, lSize=0x1000) at /home/gzq/fuzz/podofo-0.9.5/src/base/PdfRefCountedBuffer.cpp:166
166	            m_pBuffer->m_pHeapBuffer = static_cast<char*>(podofo_calloc( lSize, sizeof(char) ));
gdb-peda$ print lSize
$1 = 0x1000

In PdfTokenizer.cpp, line 319, the program write this buffer at offset 0x1000, which result in an off-by-one write vulnerability:
Breakpoint 2, PoDoFo::PdfTokenizer::GetNextToken (this=0x616000002ac0, pszToken=<optimized out>, peType=<optimized out>) at /home/gzq/fuzz/podofo-0.9.5/src/base/PdfTokenizer.cpp:319
319	    m_buffer.GetBuffer()[counter] = '\0';
gdb-peda$ print counter
$3 = 0x1000

Version-Release number of selected component (if applicable):

How reproducible:

use podofopdfinfo to read the attached poc file.

Steps to Reproduce:
1. podofopdfinfo $POC

Actual results:

Expected results:

Additional info:

Comment 1 Ziqiang Gu 2018-02-27 06:51:23 UTC
A CVE ID required if confirmed

Note You need to log in before you can comment on or make changes to this bug.