1548930 – podofo 0.9.5 infinite loop vulnerability in ParseFileComplete()

Bug 1548930 - podofo 0.9.5 infinite loop vulnerability in ParseFileComplete()

Summary: podofo 0.9.5 infinite loop vulnerability in ParseFileComplete()

Keywords:
Status:	NEW
Alias:	None
Product:	Fedora EPEL
Classification:	Fedora
Component:	podofo
Sub Component:
Version:	epel7
Hardware:	Unspecified
OS:	Linux
Priority:	unspecified
Severity:	medium
Target Milestone:	---
Assignee:	Dan Horák
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2018-02-26 03:38 UTC by Ziqiang Gu
Modified:	2018-02-26 03:38 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type:	Bug
Embargoed:

Attachments	(Terms of Use)
poc file of podofo infinite loop vulnerability (28.09 KB, application/pdf) 2018-02-26 03:38 UTC, Ziqiang Gu	no flags	Details
View All

Description Ziqiang Gu 2018-02-26 03:38:49 UTC

Created attachment 1400720 [details]
poc file of podofo infinite loop vulnerability

Description of problem:

In PoDoFo 0.9.5(the latest stable version), there exists an infinite loop vulnerability in PdfParserObject::ParseFileComplete() in PdfParserObject.cpp which may result in stack overflow. Remote attackers could leverage this vulnerability to cause a denial-of-service or potentially remote code execution via a crafted pdf file.

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x000055555563b026 in PoDoFo::PdfTokenizer::DetermineDataType(char const*, PoDoFo::EPdfTokenType, PoDoFo::PdfVariant&) ()
#0  0x000055555563b026 in PoDoFo::PdfTokenizer::DetermineDataType(char const*, PoDoFo::EPdfTokenType, PoDoFo::PdfVariant&) ()
#1  0x000055555563afda in PoDoFo::PdfTokenizer::GetNextVariant(char const*, PoDoFo::EPdfTokenType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
#2  0x000055555563c08b in PoDoFo::PdfTokenizer::ReadArray(PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
#3  0x000055555563b918 in PoDoFo::PdfTokenizer::ReadDataType(PoDoFo::EPdfDataType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
#4  0x000055555563b012 in PoDoFo::PdfTokenizer::GetNextVariant(char const*, PoDoFo::EPdfTokenType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
#5  0x000055555563c08b in PoDoFo::PdfTokenizer::ReadArray(PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
#6  0x000055555563b918 in PoDoFo::PdfTokenizer::ReadDataType(PoDoFo::EPdfDataType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
#7  0x000055555563b012 in PoDoFo::PdfTokenizer::GetNextVariant(char const*, PoDoFo::EPdfTokenType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
#8  0x000055555563c08b in PoDoFo::PdfTokenizer::ReadArray(PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
#9  0x000055555563b918 in PoDoFo::PdfTokenizer::ReadDataType(PoDoFo::EPdfDataType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
#10 0x000055555563b012 in PoDoFo::PdfTokenizer::GetNextVariant(char const*, PoDoFo::EPdfTokenType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
#11 0x000055555563c08b in PoDoFo::PdfTokenizer::ReadArray(PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
#12 0x000055555563b918 in PoDoFo::PdfTokenizer::ReadDataType(PoDoFo::EPdfDataType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
#13 0x000055555563b012 in PoDoFo::PdfTokenizer::GetNextVariant(char const*, PoDoFo::EPdfTokenType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
...
...
...
#58208 0x000055555563c08b in PoDoFo::PdfTokenizer::ReadArray(PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
#58209 0x000055555563b918 in PoDoFo::PdfTokenizer::ReadDataType(PoDoFo::EPdfDataType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
#58210 0x000055555563b012 in PoDoFo::PdfTokenizer::GetNextVariant(char const*, PoDoFo::EPdfTokenType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
#58211 0x000055555563c08b in PoDoFo::PdfTokenizer::ReadArray(PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
#58212 0x000055555563b918 in PoDoFo::PdfTokenizer::ReadDataType(PoDoFo::EPdfDataType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
#58213 0x000055555563b012 in PoDoFo::PdfTokenizer::GetNextVariant(char const*, PoDoFo::EPdfTokenType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
#58214 0x000055555563c08b in PoDoFo::PdfTokenizer::ReadArray(PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
#58215 0x000055555563b918 in PoDoFo::PdfTokenizer::ReadDataType(PoDoFo::EPdfDataType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
#58216 0x000055555563b012 in PoDoFo::PdfTokenizer::GetNextVariant(char const*, PoDoFo::EPdfTokenType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
#58217 0x000055555563c08b in PoDoFo::PdfTokenizer::ReadArray(PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
#58218 0x000055555563b918 in PoDoFo::PdfTokenizer::ReadDataType(PoDoFo::EPdfDataType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
#58219 0x000055555563b012 in PoDoFo::PdfTokenizer::GetNextVariant(char const*, PoDoFo::EPdfTokenType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
#58220 0x000055555563af72 in PoDoFo::PdfTokenizer::GetNextVariant(PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
#58221 0x000055555563bd67 in PoDoFo::PdfTokenizer::ReadDictionary(PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
#58222 0x000055555563b8fc in PoDoFo::PdfTokenizer::ReadDataType(PoDoFo::EPdfDataType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
#58223 0x000055555563b012 in PoDoFo::PdfTokenizer::GetNextVariant(char const*, PoDoFo::EPdfTokenType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
#58224 0x00005555556b4c4e in PoDoFo::PdfParserObject::ParseFileComplete(bool) ()
#58225 0x00005555556b5576 in PoDoFo::PdfParserObject::DelayedLoadImpl() ()
#58226 0x00005555556254c8 in PoDoFo::PdfVariant::DelayedLoad() const ()
#58227 0x00005555556b4acd in PoDoFo::PdfParserObject::ParseFile(PoDoFo::PdfEncrypt*, bool) ()
#58228 0x00005555556ad3f4 in PoDoFo::PdfParser::ReadTrailer() ()
#58229 0x00005555556ab37c in PoDoFo::PdfParser::ReadDocumentStructure() ()
#58230 0x00005555556ab017 in PoDoFo::PdfParser::ParseFile(PoDoFo::PdfRefCountedInputDevice const&, bool) ()
#58231 0x00005555556aad5d in PoDoFo::PdfParser::ParseFile(char const*, bool) ()
#58232 0x00005555556725dd in PoDoFo::PdfMemDocument::Load(char const*, bool) ()
#58233 0x0000555555671bd4 in PoDoFo::PdfMemDocument::PdfMemDocument(char const*, bool) ()
#58234 0x000055555561f00d in PdfInfo::PdfInfo(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) ()
#58235 0x0000555555623448 in main ()

Version-Release number of selected component (if applicable):

0.9.5

How reproducible:

use podofopdfinfo to read crafted pdf files.

Steps to Reproduce:
1.podofopdfinfo $POCFILE
2.
3.

Actual results:


Expected results:


Additional info:

Note You need to log in before you can comment on or make changes to this bug.