Bug 1548930 - podofo 0.9.5 infinite loop vulnerability in ParseFileComplete()
Keywords:
Status: NEW
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: podofo
Version: epel7
Hardware: Unspecified
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Dan Horák
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2018-02-26 03:38 UTC by Ziqiang Gu
Modified: 2018-02-26 03:38 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:


Attachments
poc file of podofo infinite loop vulnerability (28.09 KB, application/pdf)
2018-02-26 03:38 UTC, Ziqiang Gu

Description Ziqiang Gu 2018-02-26 03:38:49 UTC
Created attachment 1400720
poc file of podofo infinite loop vulnerability

Description of problem:

In PoDoFo 0.9.5 (the latest stable version), there exists an infinite loop vulnerability in PdfParserObject::ParseFileComplete() in PdfParserObject.cpp which may result in stack overflow. Remote attackers could leverage this vulnerability to cause a denial-of-service or potentially remote code execution via a crafted PDF file.

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x000055555563b026 in PoDoFo::PdfTokenizer::DetermineDataType(char const*, PoDoFo::EPdfTokenType, PoDoFo::PdfVariant&) ()
#0  0x000055555563b026 in PoDoFo::PdfTokenizer::DetermineDataType(char const*, PoDoFo::EPdfTokenType, PoDoFo::PdfVariant&) ()
#1  0x000055555563afda in PoDoFo::PdfTokenizer::GetNextVariant(char const*, PoDoFo::EPdfTokenType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
#2  0x000055555563c08b in PoDoFo::PdfTokenizer::ReadArray(PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
#3  0x000055555563b918 in PoDoFo::PdfTokenizer::ReadDataType(PoDoFo::EPdfDataType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
#4  0x000055555563b012 in PoDoFo::PdfTokenizer::GetNextVariant(char const*, PoDoFo::EPdfTokenType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
#5  0x000055555563c08b in PoDoFo::PdfTokenizer::ReadArray(PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
#6  0x000055555563b918 in PoDoFo::PdfTokenizer::ReadDataType(PoDoFo::EPdfDataType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
#7  0x000055555563b012 in PoDoFo::PdfTokenizer::GetNextVariant(char const*, PoDoFo::EPdfTokenType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
#8  0x000055555563c08b in PoDoFo::PdfTokenizer::ReadArray(PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
#9  0x000055555563b918 in PoDoFo::PdfTokenizer::ReadDataType(PoDoFo::EPdfDataType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
#10 0x000055555563b012 in PoDoFo::PdfTokenizer::GetNextVariant(char const*, PoDoFo::EPdfTokenType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
#11 0x000055555563c08b in PoDoFo::PdfTokenizer::ReadArray(PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
#12 0x000055555563b918 in PoDoFo::PdfTokenizer::ReadDataType(PoDoFo::EPdfDataType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
#13 0x000055555563b012 in PoDoFo::PdfTokenizer::GetNextVariant(char const*, PoDoFo::EPdfTokenType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
...
...
...
#58208 0x000055555563c08b in PoDoFo::PdfTokenizer::ReadArray(PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
#58209 0x000055555563b918 in PoDoFo::PdfTokenizer::ReadDataType(PoDoFo::EPdfDataType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
#58210 0x000055555563b012 in PoDoFo::PdfTokenizer::GetNextVariant(char const*, PoDoFo::EPdfTokenType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
#58211 0x000055555563c08b in PoDoFo::PdfTokenizer::ReadArray(PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
#58212 0x000055555563b918 in PoDoFo::PdfTokenizer::ReadDataType(PoDoFo::EPdfDataType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
#58213 0x000055555563b012 in PoDoFo::PdfTokenizer::GetNextVariant(char const*, PoDoFo::EPdfTokenType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
#58214 0x000055555563c08b in PoDoFo::PdfTokenizer::ReadArray(PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
#58215 0x000055555563b918 in PoDoFo::PdfTokenizer::ReadDataType(PoDoFo::EPdfDataType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
#58216 0x000055555563b012 in PoDoFo::PdfTokenizer::GetNextVariant(char const*, PoDoFo::EPdfTokenType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
#58217 0x000055555563c08b in PoDoFo::PdfTokenizer::ReadArray(PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
#58218 0x000055555563b918 in PoDoFo::PdfTokenizer::ReadDataType(PoDoFo::EPdfDataType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
#58219 0x000055555563b012 in PoDoFo::PdfTokenizer::GetNextVariant(char const*, PoDoFo::EPdfTokenType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
#58220 0x000055555563af72 in PoDoFo::PdfTokenizer::GetNextVariant(PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
#58221 0x000055555563bd67 in PoDoFo::PdfTokenizer::ReadDictionary(PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
#58222 0x000055555563b8fc in PoDoFo::PdfTokenizer::ReadDataType(PoDoFo::EPdfDataType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
#58223 0x000055555563b012 in PoDoFo::PdfTokenizer::GetNextVariant(char const*, PoDoFo::EPdfTokenType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
#58224 0x00005555556b4c4e in PoDoFo::PdfParserObject::ParseFileComplete(bool) ()
#58225 0x00005555556b5576 in PoDoFo::PdfParserObject::DelayedLoadImpl() ()
#58226 0x00005555556254c8 in PoDoFo::PdfVariant::DelayedLoad() const ()
#58227 0x00005555556b4acd in PoDoFo::PdfParserObject::ParseFile(PoDoFo::PdfEncrypt*, bool) ()
#58228 0x00005555556ad3f4 in PoDoFo::PdfParser::ReadTrailer() ()
#58229 0x00005555556ab37c in PoDoFo::PdfParser::ReadDocumentStructure() ()
#58230 0x00005555556ab017 in PoDoFo::PdfParser::ParseFile(PoDoFo::PdfRefCountedInputDevice const&, bool) ()
#58231 0x00005555556aad5d in PoDoFo::PdfParser::ParseFile(char const*, bool) ()
#58232 0x00005555556725dd in PoDoFo::PdfMemDocument::Load(char const*, bool) ()
#58233 0x0000555555671bd4 in PoDoFo::PdfMemDocument::PdfMemDocument(char const*, bool) ()
#58234 0x000055555561f00d in PdfInfo::PdfInfo(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) ()
#58235 0x0000555555623448 in main ()

Version-Release number of selected component (if applicable):

0.9.5

How reproducible:

Use podofopdfinfo to read crafted PDF files.

Steps to Reproduce:
1. podofopdfinfo $POCFILE

Actual results:


Expected results:


Additional info:


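Added example, not part of the original report and not PoDoFo code: the backtrace shows the ReadArray → ReadDataType → GetNextVariant cycle adding three frames per nested array until the stack is exhausted, and the usual mitigation for a recursive-descent parser is an explicit nesting limit checked before each recursive call. The class, the helper names and the limit value below are hypothetical, and the parser is reduced to brackets and whitespace.

```cpp
#include <cstddef>
#include <stdexcept>
#include <string>

// Hypothetical, simplified parser (not PoDoFo code). It accepts only '[',
// ']' and whitespace, which is enough to model nested PDF arrays.
class ArrayParser {
public:
    // maxDepth is an assumed limit, chosen to fit the stack budget.
    ArrayParser(const std::string& data, std::size_t maxDepth)
        : m_data(data), m_pos(0), m_maxDepth(maxDepth) {}
    // Parses one array starting at '[' and returns the deepest nesting seen.
    std::size_t ParseArray(std::size_t depth = 1) {
        // Guard first: stack use is bounded by maxDepth, not by the input.
        if (depth > m_maxDepth)
            throw std::runtime_error("array nesting exceeds limit");
        if (m_pos >= m_data.size() || m_data[m_pos] != '[')
            throw std::runtime_error("expected '['");
        ++m_pos;
        std::size_t deepest = depth;
        while (m_pos < m_data.size()) {
            const char c = m_data[m_pos];
            if (c == ']') { ++m_pos; return deepest; }
            if (c == '[') {
                const std::size_t d = ParseArray(depth + 1);
                if (d > deepest) deepest = d;
            } else if (c == ' ' || c == '\n') {
                ++m_pos;
            } else {
                throw std::runtime_error("unexpected byte in array");
            }
        }
        throw std::runtime_error("unterminated array");
    }
private:
    std::string m_data;
    std::size_t m_pos, m_maxDepth;
};

// Constructed sample input: n opening brackets followed by n closing ones.
std::string NestedArrays(std::size_t n) {
    return std::string(n, '[') + std::string(n, ']');
}

// True if the input parses within the limit, false if it is rejected.
bool ParsesWithinLimit(const std::string& input, std::size_t maxDepth) {
    try { ArrayParser(input, maxDepth).ParseArray(); return true; }
    catch (const std::runtime_error&) { return false; }
}
```

With the guard in place, an input nested 20000 levels deep is rejected at the limit with an exception the caller can handle, rather than terminating the process with SIGSEGV.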