Bug 1549469 - podofo 0.9.5 heap overflow read vulnerability in function UnescapeName() in PdfName.cpp
Summary: podofo 0.9.5 heap overflow read vulnerability in function UnescapeName() in P...
Keywords:
Status: NEW
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: podofo
Version: epel7
Hardware: All
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Dan Horák
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-02-27 07:50 UTC by Ziqiang Gu
Modified: 2018-02-27 07:50 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug
Embargoed:

Attachments (Terms of Use)
poc of the vulnerability (8.23 KB, application/pdf)
2018-02-27 07:50 UTC, Ziqiang Gu 		no flags Details
View All

Description Ziqiang Gu 2018-02-27 07:50:13 UTC 
Created attachment 1401161 [details]
poc of the vulnerability

Description of problem:

In PoDoFo 0.9.5(the latest stable version), there exists a heap buffer overflow read vulnerability in UnescapeName() in PdfName.cpp. Remote attackers could leverage this vulnerability to cause a denial-of-service or potentially remote code execution via a crafted pdf file.

0x01 ASAN report:

Parsing  heap-buffer-overread ... (this might take a while)=================================================================
==113056==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000001100 at pc 0x555555821e60 bp 0x7fffffffc670 sp 0x7fffffffc668
READ of size 1 at 0x621000001100 thread T0
    #0 0x555555821e5f in UnescapeName<char const*> /home/gzq/fuzz/program/podofo/src/base/PdfName.cpp:140
    #1 0x555555821e5f in PoDoFo::PdfName::FromEscaped(char const*, long) /home/gzq/fuzz/program/podofo/src/base/PdfName.cpp:185
    #2 0x555555663d04 in PoDoFo::PdfTokenizer::ReadName(PoDoFo::PdfVariant&) /home/gzq/fuzz/program/podofo/src/base/PdfTokenizer.cpp:824
    #3 0x555555666af2 in PoDoFo::PdfTokenizer::ReadDataType(PoDoFo::EPdfDataType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) /home/gzq/fuzz/program/podofo/src/base/PdfTokenizer.cpp:572
    #4 0x55555566aa77 in PoDoFo::PdfTokenizer::GetNextVariant(char const*, PoDoFo::EPdfTokenType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) /home/gzq/fuzz/program/podofo/src/base/PdfTokenizer.cpp:406
    #5 0x55555566aa77 in PoDoFo::PdfTokenizer::ReadDictionary(PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) /home/gzq/fuzz/program/podofo/src/base/PdfTokenizer.cpp:611
    #6 0x55555566d83d in PoDoFo::PdfTokenizer::ReadDataType(PoDoFo::EPdfDataType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) /home/gzq/fuzz/program/podofo/src/base/PdfTokenizer.cpp:560
    #7 0x55555566d83d in PoDoFo::PdfTokenizer::GetNextVariant(char const*, PoDoFo::EPdfTokenType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) /home/gzq/fuzz/program/podofo/src/base/PdfTokenizer.cpp:406
    #8 0x55555562f336 in PoDoFo::PdfParserObject::ParseFileComplete(bool) /home/gzq/fuzz/program/podofo/src/base/PdfParserObject.cpp:204
    #9 0x55555563065f in PoDoFo::PdfParserObject::DelayedLoadImpl() /home/gzq/fuzz/program/podofo/src/base/PdfParserObject.cpp:371
    #10 0x55555563065f in PoDoFo::PdfVariant::DelayedLoad() const /home/gzq/fuzz/program/podofo/src/base/PdfVariant.h:550
    #11 0x55555563065f in PoDoFo::PdfParserObject::ParseFile(PoDoFo::PdfEncrypt*, bool) /home/gzq/fuzz/program/podofo/src/base/PdfParserObject.cpp:154
    #12 0x5555555fc788 in PoDoFo::PdfParser::ReadTrailer() /home/gzq/fuzz/program/podofo/src/base/PdfParser.cpp:602
    #13 0x55555561f17f in PoDoFo::PdfParser::ReadDocumentStructure() /home/gzq/fuzz/program/podofo/src/base/PdfParser.cpp:282
    #14 0x55555562827f in PoDoFo::PdfParser::ParseFile(PoDoFo::PdfRefCountedInputDevice const&, bool) /home/gzq/fuzz/program/podofo/src/base/PdfParser.cpp:219
    #15 0x55555562827f in PoDoFo::PdfParser::ParseFile(char const*, bool) /home/gzq/fuzz/program/podofo/src/base/PdfParser.cpp:166
    #16 0x5555555b5f98 in main /home/gzq/fuzz/program/podofo/tools/podofogc/podofogc.cpp:59
    #17 0x7ffff4f4df29 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20f29)
    #18 0x5555555bafb9 in _start (/home/gzq/fuzz/install/podofo/bin/podofogc+0x66fb9)

0x621000001100 is located 0 bytes to the right of 4096-byte region [0x621000000100,0x621000001100)
allocated by thread T0 here:
    #0 0x7ffff6efedf8 in calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd9df8)
    #1 0x55555563ff0c in PoDoFo::PdfRefCountedBuffer::ReallyResize(unsigned long) /home/gzq/fuzz/program/podofo/src/base/PdfRefCountedBuffer.cpp:166
    #2 0x5555559d1656  (/home/gzq/fuzz/install/podofo/bin/podofogc+0x47d656)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/gzq/fuzz/program/podofo/src/base/PdfName.cpp:140 in UnescapeName<char const*>
Shadow bytes around the buggy address:
  0x0c427fff81d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff81e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff81f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff8200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff8210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c427fff8220:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff8230: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff8240: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff8250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff8260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff8270: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==113056==ABORTING
[Inferior 1 (process 113056) exited with code 01]


0x02 Cause Analysis

In PoDoFo::PdfRefCountedBuffer::ReallyResize(), a buffer of size 0x1000 was allocated:

Breakpoint 1, PoDoFo::PdfRefCountedBuffer::ReallyResize (this=this@entry=0x7fffffffe0e0, lSize=lSize@entry=0x1000) at /home/gzq/fuzz/program/podofo/src/base/PdfRefCountedBuffer.cpp:186
186	    PODOFO_RAISE_LOGIC_IF ( m_pBuffer->m_lVisibleSize > m_pBuffer->m_lBufferSize, "Buffer improperly allocated/resized");
gdb-peda$ print *m_pBuffer
$1 = {
  m_lBufferSize = 0x1000, 
  m_lVisibleSize = 0x0, 
  m_lRefCount = 0x1, 
  m_pHeapBuffer = 0x621000000100 "", 
  m_sInternalBuffer = '\000' <repeats 31 times>, 
  m_bPossesion = 0x1, 
  m_bOnHeap = 0x1
}
gdb-peda$ 

The buffer varies from 0x621000000100 to 0x621000001100

When reading crafted PDF files, an off-by-one read vulnerability exists. From the ASAN report, the grogram is trying to read the buffer at 0x621000001100.

Version-Release number of selected component (if applicable):

0.9.5 and the master

How reproducible:

use podofogc to read crafted PDF files.

Steps to Reproduce:
1. podofogc $POC a.pdf
2.
3.

Actual results:


Expected results:


Additional info:

A CVE ID is required if this issue if confirmed.
Note You need to log in before you can comment on or make changes to this bug.