1576174 – (Excessive Iteration in PdfPagesTree::GetPageNode()) podofo Denial of Service

Bug 1576174 - (Excessive Iteration in PdfPagesTree::GetPageNode()) podofo Denial of Service

Summary: (Excessive Iteration in PdfPagesTree::GetPageNode()) podofo Denial of Service

Keywords:
Status:	CLOSED EOL
Alias:	None
Product:	Fedora EPEL
Classification:	Fedora
Component:	podofo
Sub Component:
Version:	epel7
Hardware:	Unspecified
OS:	All
Priority:	unspecified
Severity:	medium
Target Milestone:	---
Assignee:	Dan Horák
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2018-05-09 04:22 UTC by Zhiyuan Wang of Chengdu Qihoo360 Tech Co. Ltd
Modified:	2024-07-09 02:20 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2024-07-09 02:20:50 UTC
Type:	Bug
Embargoed:

Attachments	(Terms of Use)
crash demo file (2.29 KB, application/pdf) 2018-05-09 04:22 UTC, Zhiyuan Wang of Chengdu Qihoo360 Tech Co. Ltd	no flags	Details
View All

Description Zhiyuan Wang of Chengdu Qihoo360 Tech Co. Ltd 2018-05-09 04:22:55 UTC

Created attachment 1433509 [details]
crash demo file

Description of problem:
there is an Excessive Iteration in the PdfPagesTree::GetPageNode() function of PdfPagesTree.cpp:423. Remote attackers could leverage this vulnerability to cause a denial of service through a crafted pdf file.

Version-Release number of selected component (if applicable):
podofo 0.9.5

Detailed analysis of crash:
$ gdb podofomerge 
(gdb) r crash.pdf crash.pdf out.pdf
...
CRITICAL: Requesting page index 0. Invalid datatype referenced in kids array: Dictionary
Reference to invalid object: 1 0 R
CRITICAL: Requesting page index 0. Invalid datatype referenced in kids array: Dictionary
Reference to invalid object: 1 0 R
CRITICAL: Requesting page index 0. Invalid datatype referenced in kids array: Dictionary
Reference to invalid object: 1 0 R
CRITICAL: Requesting page index 0. Invalid datatype referenced in kids array: Dictionary
Reference to invalid object: 1 0 R
CRITICAL: Requesting page index 0. Invalid datatype referenced in kids array: Dictionary
Reference to invalid object: 1 0 R
CRITICAL: Requesting page index 0. Invalid datatype referenced in kids array: Dictionary
Reference to invalid object: 1 0 R
CRITICAL: Requesting page index 0. Invalid datatype referenced in kids array: Dictionary
Reference to invalid object: 1 0 R
CRITICAL: Requesting page index 0. Invalid datatype referenced in kids array: Dictionary
Reference to invalid object: 1 0 R
CRITICAL: Requesting page index 0. Invalid datatype referenced in kids array: Dictionary
Reference to invalid object: 1 0 R

Program received signal SIGSEGV, Segmentation fault.
0xb785b197 in __find_specmb (format=0xb7f79464 "%s") at printf-parse.h:108
108	printf-parse.h: No such file or directory.




(gdb) bt
#0  0xb785b197 in __find_specmb (format=0xb7f79464 "%s") at printf-parse.h:108
#1  _IO_vfprintf_internal (s=0xbf800538, format=0xb7f79464 "%s", ap=0xbf802b3c "5j\367\267Wqķ") at vfprintf.c:1312
#2  0xb785d671 in buffered_vfprintf (s=s@entry=0xb79cbcc0 <_IO_2_1_stderr_>, format=format@entry=0xb7f79464 "%s", args=args@entry=0xbf802b3c "5j\367\267Wqķ") at vfprintf.c:2320
#3  0xb785b2d1 in _IO_vfprintf_internal (s=0xb79cbcc0 <_IO_2_1_stderr_>, format=0xb7f79464 "%s", ap=0xbf802b3c "5j\367\267Wqķ") at vfprintf.c:1293
#4  0xb790e456 in ___fprintf_chk (fp=0xb79cbcc0 <_IO_2_1_stderr_>, flag=1, format=0xb7f79464 "%s") at fprintf_chk.c:35
#5  0xb7c47347 in fprintf (__fmt=0xb7f79464 "%s", __stream=<optimized out>) at /usr/include/i386-linux-gnu/bits/stdio2.h:98
#6  PoDoFo::PdfError::LogMessageInternal (eLogSeverity=PoDoFo::eLogSeverity_Critical, 
    pszMsg=0xb7f8a408 "Requesting page index %i. Invalid datatype referenced in kids array: %s\nReference to invalid object: %i %i R\n", args=@0xbf802b68: 0xbf802b88 "")
    at /home/zzuf/pdf-fuzz/podofo-0.9.5/src/base/PdfError.cpp:574
#7  0xb7c476aa in PoDoFo::PdfError::LogMessage (eLogSeverity=PoDoFo::eLogSeverity_Critical, 
    pszMsg=0xb7f8a408 "Requesting page index %i. Invalid datatype referenced in kids array: %s\nReference to invalid object: %i %i R\n") at /home/zzuf/pdf-fuzz/podofo-0.9.5/src/base/PdfError.cpp:528
#8  0xb7edd832 in PoDoFo::PdfPagesTree::GetPageNode (this=0x8062540, nPageNum=134615064, pParent=0x8061018, rLstParents=std::deque with 52325 elements = {...})
    at /home/zzuf/pdf-fuzz/podofo-0.9.5/src/doc/PdfPagesTree.cpp:447
#9  0xb7eddc8b in PoDoFo::PdfPagesTree::GetPageNode (this=0x8062540, nPageNum=134615064, pParent=0x8061018, rLstParents=std::deque with 52325 elements = {...})
    at /home/zzuf/pdf-fuzz/podofo-0.9.5/src/doc/PdfPagesTree.cpp:423
#10 0xb7eddc8b in PoDoFo::PdfPagesTree::GetPageNode (this=0x8062540, nPageNum=134615064, pParent=0x8061018, rLstParents=std::deque with 52325 elements = {...})
    at /home/zzuf/pdf-fuzz/podofo-0.9.5/src/doc/PdfPagesTree.cpp:423
#11 0xb7eddc8b in PoDoFo::PdfPagesTree::GetPageNode (this=0x8062540, nPageNum=134615064, pParent=0x8061018, rLstParents=std::deque with 52325 elements = {...})
    at /home/zzuf/pdf-fuzz/podofo-0.9.5/src/doc/PdfPagesTree.cpp:423
#12 0xb7eddc8b in PoDoFo::PdfPagesTree::GetPageNode (this=0x8062540, nPageNum=134615064, pParent=0x8061018, rLstParents=std::deque with 52325 elements = {...})
    at /home/zzuf/pdf-fuzz/podofo-0.9.5/src/doc/PdfPagesTree.cpp:423
#13 0xb7eddc8b in PoDoFo::PdfPagesTree::GetPageNode (this=0x8062540, nPageNum=134615064, pParent=0x8061018, rLstParents=std::deque with 52325 elements = {...})
    at /home/zzuf/pdf-fuzz/podofo-0.9.5/src/doc/PdfPagesTree.cpp:423
#14 0xb7eddc8b in PoDoFo::PdfPagesTree::GetPageNode (this=0x8062540, nPageNum=134615064, pParent=0x8061018, rLstParents=std::deque with 52325 elements = {...})
    at /home/zzuf/pdf-fuzz/podofo-0.9.5/src/doc/PdfPagesTree.cpp:423
#15 0xb7eddc8b in PoDoFo::PdfPagesTree::GetPageNode (this=0x8062540, nPageNum=134615064, pParent=0x8061018, rLstParents=std::deque with 52325 elements = {...})
    at /home/zzuf/pdf-fuzz/podofo-0.9.5/src/doc/PdfPagesTree.cpp:423
#16 0xb7eddc8b in PoDoFo::PdfPagesTree::GetPageNode (this=0x8062540, nPageNum=134615064, pParent=0x8061018, rLstParents=std::deque with 52325 elements = {...})
    at /home/zzuf/pdf-fuzz/podofo-0.9.5/src/doc/PdfPagesTree.cpp:423
#17 0xb7eddc8b in PoDoFo::PdfPagesTree::GetPageNode (this=0x8062540, nPageNum=134615064, pParent=0x8061018, rLstParents=std::deque with 52325 elements = {...})
    at /home/zzuf/pdf-fuzz/podofo-0.9.5/src/doc/PdfPagesTree.cpp:423
#18 0xb7eddc8b in PoDoFo::PdfPagesTree::GetPageNode (this=0x8062540, nPageNum=134615064, pParent=0x8061018, rLstParents=std::deque with 52325 elements = {...})
    at /home/zzuf/pdf-fuzz/podofo-0.9.5/src/doc/PdfPagesTree.cpp:423
#19 0xb7eddc8b in PoDoFo::PdfPagesTree::GetPageNode (this=0x8062540, nPageNum=134615064, pParent=0x8061018, rLstParents=std::deque with 52325 elements = {...})
...


PdfPagesTree.cpp:312:

PdfObject* PdfPagesTree::GetPageNode( int nPageNum, PdfObject* pParent, 
                                      PdfObjectList & rLstParents ) 
{
   ...
        // We have to traverse the tree
        while( it != rKidsArray.end() ) 
        {
           ...
            else if( (*it).IsReference() ) 
            {
                PdfObject* pChild = GetRoot()->GetOwner()->GetObject( (*it).GetReference() );
                if (!pChild) 
                {
                    PdfError::LogMessage( eLogSeverity_Critical, "Requesting page index %i. Child not found: %s\n", 
                                          nPageNum, (*it).GetReference().ToString().c_str()); 
                    return NULL;
                }

                if( this->IsTypePages(pChild) ) 
                {
                    int childCount = GetChildCount( pChild );
                    if( childCount < nPageNum + 1 ) // Pages are 0 based, but count is not
                    {
                        // skip this page node
                        // and go to the next one
                        nPageNum -= childCount;
                    }
                    else
                    {
                        rLstParents.push_back( pParent );
                        return this->GetPageNode( nPageNum, pChild, rLstParents );  //?????????????????????????????????
                    }
                }
                else if( this->IsTypePage(pChild) ) 
                {
                    if( 0 == nPageNum )
                    {
                        rLstParents.push_back( pParent );
                        return pChild;
                    } 

                    // Skip a normal page
                    if(nPageNum > 0 )
                        nPageNum--;
                }
		else
		{
                    const PdfReference & rLogRef = pChild->Reference();
                    pdf_objnum nLogObjNum = rLogRef.ObjectNumber();
                    pdf_gennum nLogGenNum = rLogRef.GenerationNumber();
		    PdfError::LogMessage( eLogSeverity_Critical,
                                          "Requesting page index %i. "
                        "Invalid datatype referenced in kids array: %s\n"
                        "Reference to invalid object: %i %i R\n", nPageNum,
                        pChild->GetDataTypeString(), nLogObjNum, nLogGenNum);
                }
            }
            else
            {
                PdfError::LogMessage( eLogSeverity_Critical, "Requesting page index %i. Invalid datatype in kids array: %s\n", 
                                      nPageNum, (*it).GetDataTypeString()); 
                return NULL;
            }
            
            ++it;
        }
    }

    return NULL;
}


How reproducible:

use podofomerge to read the attached poc file.

Steps to Reproduce:
1. podofomerge crash.pdf crash.pdf out.pdf

Comment 1 Troy Dawson 2024-07-09 02:20:50 UTC

EPEL 7 entered end-of-life (EOL) status on 2024-06-30.\n\nEPEL 7 is no longer maintained, which means that it\nwill not receive any further security or bug fix updates.\n As a result we are closing this bug.

Note You need to log in before you can comment on or make changes to this bug.