1595689 – one invalid memory read bug in PdfVariant::DelayedLoad() in PdfVariant.h

Bug 1595689 - one invalid memory read bug in PdfVariant::DelayedLoad() in PdfVariant.h

Summary: one invalid memory read bug in PdfVariant::DelayedLoad() in PdfVariant.h

Keywords:
Status:	CLOSED EOL
Alias:	None
Product:	Fedora EPEL
Classification:	Fedora
Component:	podofo
Sub Component:
Version:	epel7
Hardware:	Unspecified
OS:	Linux
Priority:	unspecified
Severity:	medium
Target Milestone:	---
Assignee:	Dan Horák
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2018-06-27 11:27 UTC by rookie
Modified:	2024-07-09 02:27 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2024-07-09 02:27:28 UTC
Type:	Bug
Embargoed:

Attachments	(Terms of Use)
poc file to reproduce the bug (1.54 KB, application/pdf) 2018-06-27 11:27 UTC, rookie	no flags	Details
View All

Description rookie 2018-06-27 11:27:22 UTC

Created attachment 1455023 [details]
poc file to reproduce the bug

Description of problem:

There exists one invalid memory read bug in PdfVariant::DelayedLoad() in PdfVariant.h. in PoDoFo 0.9.6-rc1(the latest stable version). Remote attackers could leverage the this vulnerability to cause a denial-of-service via a crafted pdf file.

==36573==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000013 (pc 0x0000004cae98 bp 0x7ffcb36e0250 sp 0x7ffcb36e0240 T0)
    #0 0x4cae97 in PoDoFo::PdfVariant::DelayedLoad() const /home/s2e/1/podofo-0.9.6-rc1/podofo/base/../../src/base/PdfVariant.h:545
    #1 0x4d68bb in PoDoFo::PdfVariant::GetString() const /home/s2e/1/podofo-0.9.6-rc1/podofo/base/../../src/base/PdfVariant.h:732
    #2 0x58f15c in PoDoFo::PdfEncrypt::CreatePdfEncrypt(PoDoFo::PdfObject const*) /home/s2e/1/podofo-0.9.6-rc1/src/base/PdfEncrypt.cpp:569
    #3 0x5b3ad0 in PoDoFo::PdfParser::ReadObjects() /home/s2e/1/podofo-0.9.6-rc1/src/base/PdfParser.cpp:1019
    #4 0x5ad52a in PoDoFo::PdfParser::ParseFile(PoDoFo::PdfRefCountedInputDevice const&, bool) /home/s2e/1/podofo-0.9.6-rc1/src/base/PdfParser.cpp:220
    #5 0x5ad108 in PoDoFo::PdfParser::ParseFile(char const*, bool) /home/s2e/1/podofo-0.9.6-rc1/src/base/PdfParser.cpp:166
    #6 0x55791b in PoDoFo::PdfMemDocument::Load(char const*, bool) /home/s2e/1/podofo-0.9.6-rc1/src/doc/PdfMemDocument.cpp:256
    #7 0x5567b5 in PoDoFo::PdfMemDocument::PdfMemDocument(char const*, bool) /home/s2e/1/podofo-0.9.6-rc1/src/doc/PdfMemDocument.cpp:102
    #8 0x4c6afa in ColorChanger::start() /home/s2e/1/podofo-0.9.6-rc1/tools/podofocolor/colorchanger.cpp:110
    #9 0x4c5a85 in main /home/s2e/1/podofo-0.9.6-rc1/tools/podofocolor/podofocolor.cpp:116
    #10 0x7fe896ff282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #11 0x4c5508 in _start (/home/s2e/1/podofo-0.9.6-rc1/build/tools/podofocolor/podofocolor+0x4c5508)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/s2e/1/podofo-0.9.6-rc1/podofo/base/../../src/base/PdfVariant.h:545 PoDoFo::PdfVariant::DelayedLoad() const
==36573==ABORTING

Version-Release number of selected component (if applicable):

PoDoFo 0.9.6-rc1(also including PoDoFo 0.9.5)

How reproducible:

use podofocolor to read crafted pdf files.

Steps to Reproduce:
1.podofocolor dummy $pocfile foo
2.
3.

Actual results:


Expected results:


Additional info:

Comment 1 Troy Dawson 2024-07-09 02:27:28 UTC

EPEL 7 entered end-of-life (EOL) status on 2024-06-30.\n\nEPEL 7 is no longer maintained, which means that it\nwill not receive any further security or bug fix updates.\n As a result we are closing this bug.

Note You need to log in before you can comment on or make changes to this bug.