Bug 1595693 - one stack-based buffer overflow in PdfEncryptMD5Base::ComputeEncryptionKey() in PdfEncrypt.cpp
Summary: one stack-based buffer overflow in PdfEncryptMD5Base::ComputeEncryptionKey() ...
Keywords:
Status: NEW
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: podofo
Version: epel7
Hardware: Unspecified
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Dan Horák
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-06-27 11:35 UTC by rookie
Modified: 2018-06-27 11:38 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)
poc file to reproduce the crash (20.11 KB, application/pdf)
2018-06-27 11:35 UTC, rookie
no flags Details

Description rookie 2018-06-27 11:35:20 UTC
Created attachment 1455024 [details]
poc file to reproduce the crash

Description of problem:

There exists one stack-based buffer overflow in PdfEncryptMD5Base::ComputeEncryptionKey() in PdfEncrypt.cpp in PoDoFo 0.9.6-rc1(the latest stable version). Remote attackers could leverage the two vulnerabilities to cause a denial-of-service or potentially remote code execution via a crafted pdf file.

Version-Release number of selected component (if applicable):

PoDoFo 0.9.6-rc1(also including PoDoFo 0.9.5)

How reproducible:

use podofocolor to read crafted pdf files.

Steps to Reproduce:
1.podofocolor dummy $pocfile foo
2.
3.

Actual results:


Expected results:


Additional info:

Comment 1 rookie 2018-06-27 11:38:52 UTC
==40052==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff874eab00 at pc 0x7fc298864935 bp 0x7fff874ea950 sp 0x7fff874ea0f8
READ of size 116 at 0x7fff874eab00 thread T0
    #0 0x7fc298864934 in __asan_memcpy (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8c934)
    #1 0x591af9 in PoDoFo::PdfEncryptMD5Base::ComputeEncryptionKey(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, unsigned char*, unsigned char*, int, int, int, unsigned char*, bool) /home/s2e/1/podofo-0.9.6-rc1/src/base/PdfEncrypt.cpp:867
    #2 0x595250 in PoDoFo::PdfEncryptRC4::Authenticate(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, PoDoFo::PdfString const&) /home/s2e/1/podofo-0.9.6-rc1/src/base/PdfEncrypt.cpp:1115
    #3 0x5b3d37 in PoDoFo::PdfParser::ReadObjects() /home/s2e/1/podofo-0.9.6-rc1/src/base/PdfParser.cpp:1044
    #4 0x5ad52a in PoDoFo::PdfParser::ParseFile(PoDoFo::PdfRefCountedInputDevice const&, bool) /home/s2e/1/podofo-0.9.6-rc1/src/base/PdfParser.cpp:220
    #5 0x5ad108 in PoDoFo::PdfParser::ParseFile(char const*, bool) /home/s2e/1/podofo-0.9.6-rc1/src/base/PdfParser.cpp:166
    #6 0x55791b in PoDoFo::PdfMemDocument::Load(char const*, bool) /home/s2e/1/podofo-0.9.6-rc1/src/doc/PdfMemDocument.cpp:256
    #7 0x5567b5 in PoDoFo::PdfMemDocument::PdfMemDocument(char const*, bool) /home/s2e/1/podofo-0.9.6-rc1/src/doc/PdfMemDocument.cpp:102
    #8 0x4c6afa in ColorChanger::start() /home/s2e/1/podofo-0.9.6-rc1/tools/podofocolor/colorchanger.cpp:110
    #9 0x4c5a85 in main /home/s2e/1/podofo-0.9.6-rc1/tools/podofocolor/podofocolor.cpp:116
    #10 0x7fc296e2582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #11 0x4c5508 in _start (/home/s2e/1/podofo-0.9.6-rc1/build/tools/podofocolor/podofocolor+0x4c5508)


Note You need to log in before you can comment on or make changes to this bug.