Bug 1595689 - one invalid memory read bug in PdfVariant::DelayedLoad() in PdfVariant.h
Summary: one invalid memory read bug in PdfVariant::DelayedLoad() in PdfVariant.h
Keywords:
Status: NEW
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: podofo
Version: epel7
Hardware: Unspecified
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Dan Horák
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-06-27 11:27 UTC by rookie
Modified: 2018-06-27 11:28 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug


Attachments
poc file to reproduce the bug (1.54 KB, application/pdf)
2018-06-27 11:27 UTC, rookie

Description rookie 2018-06-27 11:27:22 UTC
Created attachment 1455023
poc file to reproduce the bug

Description of problem:

There exists one invalid memory read bug in PdfVariant::DelayedLoad() in PdfVariant.h in PoDoFo 0.9.6-rc1 (the latest stable version). Remote attackers could leverage this vulnerability to cause a denial of service via a crafted PDF file.

==36573==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000013 (pc 0x0000004cae98 bp 0x7ffcb36e0250 sp 0x7ffcb36e0240 T0)
    #0 0x4cae97 in PoDoFo::PdfVariant::DelayedLoad() const /home/s2e/1/podofo-0.9.6-rc1/podofo/base/../../src/base/PdfVariant.h:545
    #1 0x4d68bb in PoDoFo::PdfVariant::GetString() const /home/s2e/1/podofo-0.9.6-rc1/podofo/base/../../src/base/PdfVariant.h:732
    #2 0x58f15c in PoDoFo::PdfEncrypt::CreatePdfEncrypt(PoDoFo::PdfObject const*) /home/s2e/1/podofo-0.9.6-rc1/src/base/PdfEncrypt.cpp:569
    #3 0x5b3ad0 in PoDoFo::PdfParser::ReadObjects() /home/s2e/1/podofo-0.9.6-rc1/src/base/PdfParser.cpp:1019
    #4 0x5ad52a in PoDoFo::PdfParser::ParseFile(PoDoFo::PdfRefCountedInputDevice const&, bool) /home/s2e/1/podofo-0.9.6-rc1/src/base/PdfParser.cpp:220
    #5 0x5ad108 in PoDoFo::PdfParser::ParseFile(char const*, bool) /home/s2e/1/podofo-0.9.6-rc1/src/base/PdfParser.cpp:166
    #6 0x55791b in PoDoFo::PdfMemDocument::Load(char const*, bool) /home/s2e/1/podofo-0.9.6-rc1/src/doc/PdfMemDocument.cpp:256
    #7 0x5567b5 in PoDoFo::PdfMemDocument::PdfMemDocument(char const*, bool) /home/s2e/1/podofo-0.9.6-rc1/src/doc/PdfMemDocument.cpp:102
    #8 0x4c6afa in ColorChanger::start() /home/s2e/1/podofo-0.9.6-rc1/tools/podofocolor/colorchanger.cpp:110
    #9 0x4c5a85 in main /home/s2e/1/podofo-0.9.6-rc1/tools/podofocolor/podofocolor.cpp:116
    #10 0x7fe896ff282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #11 0x4c5508 in _start (/home/s2e/1/podofo-0.9.6-rc1/build/tools/podofocolor/podofocolor+0x4c5508)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/s2e/1/podofo-0.9.6-rc1/podofo/base/../../src/base/PdfVariant.h:545 PoDoFo::PdfVariant::DelayedLoad() const
==36573==ABORTING

Version-Release number of selected component (if applicable):

PoDoFo 0.9.6-rc1 (also including PoDoFo 0.9.5)

How reproducible:

Use podofocolor to read crafted PDF files.

Steps to Reproduce:
1. podofocolor dummy $pocfile foo

Actual results:


Expected results:


Additional info:

