Description of problem:
In podofo 0.9.6 (the latest version), there exists a bug in the function PoDoFo::PdfParser::ReadObjects(), which can cause the program to be aborted. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted PDF file.

Here is the backtrace:
#0 0x00007ffff57d0428 in __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:54
#1 0x00007ffff57d202a in __GI_abort () at abort.c:89
#2 0x00007ffff61124fd in __gnu_cxx::__verbose_terminate_handler () at ../../../../gcc-5.3.0/libstdc++-v3/libsupc++/vterminate.cc:95
#3 0x00007ffff6110566 in __cxxabiv1::__terminate (handler=<optimized out>) at ../../../../gcc-5.3.0/libstdc++-v3/libsupc++/eh_terminate.cc:47
#4 0x00007ffff61105b1 in std::terminate () at ../../../../gcc-5.3.0/libstdc++-v3/libsupc++/eh_terminate.cc:57
#5 0x00007ffff61107c8 in __cxxabiv1::__cxa_throw (obj=obj@entry=0x85e700, tinfo=0x7ffff63f0ac0 <typeinfo for std::length_error>, dest=0x7ffff6125240 <std::length_error::~length_error()>) at ../../../../gcc-5.3.0/libstdc++-v3/libsupc++/eh_throw.cc:87
#6 0x00007ffff6137e8f in std::__throw_length_error ( __s=0x5c7ac2 "vector::reserve") at ../../../../../gcc-5.3.0/libstdc++-v3/src/c++11/functexcept.cc:86
#7 0x000000000055cc44 in std::vector<PoDoFo::PdfObject*, std::allocator<PoDoFo::PdfObject*> >::reserve(unsigned long) ()
#8 0x000000000055bfdc in PoDoFo::PdfVecObjects::Reserve(unsigned long) ()
#9 0x00000000005546b5 in PoDoFo::PdfParser::ReadObjects() ()
#10 0x0000000000553a02 in PoDoFo::PdfParser::ParseFile(PoDoFo::PdfRefCountedInputDevice const&, bool) ()
#11 0x0000000000553329 in PoDoFo::PdfParser::ParseFile(char const*, bool) ()
#12 0x000000000050e297 in PoDoFo::PdfMemDocument::Load(char const*, bool) ()
#13 0x000000000050e0d4 in PoDoFo::PdfMemDocument::PdfMemDocument(char const*, bool) ()
#14 0x00000000004afec7 in PdfInfo::PdfInfo(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) ()
#15 0x00000000004b4625 in main ()
#16 0x00007ffff57bb830 in __libc_start_main (main=0x4b4460 <main>, argc=0x2, argv=0x7fffffffde18, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffde08) at ../csu/libc-start.c:291
#17 0x00000000004afd99 in _start ()

Version-Release number of selected component (if applicable):
podofo 0.9.6

How reproducible:
Use podofopdfinfo to read crafted PDF files.

Steps to Reproduce:
1. podofopdfinfo poc
2.
3.

Actual results:

Expected results:

Additional info:
Can you please report this upstream at https://sourceforge.net/p/podofo/tickets/ (Btw epel7 does not have 0.9.6, so you probably mean F29 or rawhide)
Created attachment 1477856: the poc file
(In reply to Sandro Mani from comment #1)
> Can you please report this upstream at
> https://sourceforge.net/p/podofo/tickets/
>
> (Btw epel7 does not have 0.9.6, so you probably mean F29 or rawhide)

OK, this is the first time I have used Bugzilla. The 0.9.6 is the version of podofo :)
Ok, but please take it upstream.
(In reply to Sandro Mani from comment #4)
> Ok, but please take it upstream.

OK
Note that in PdfVecObjects::Reserve(size_t size), the size is 0xfffffffffffffffa, which causes the program to be aborted.
Here is the backtrace (with -g -O0) :)
#0 0x00007ffff4f68428 in __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:54
#1 0x00007ffff4f6a02a in __GI_abort () at abort.c:89
#2 0x00007ffff58aa4fd in __gnu_cxx::__verbose_terminate_handler () at ../../../../gcc-5.3.0/libstdc++-v3/libsupc++/vterminate.cc:95
#3 0x00007ffff58a8566 in __cxxabiv1::__terminate (handler=<optimized out>) at ../../../../gcc-5.3.0/libstdc++-v3/libsupc++/eh_terminate.cc:47
#4 0x00007ffff58a85b1 in std::terminate () at ../../../../gcc-5.3.0/libstdc++-v3/libsupc++/eh_terminate.cc:57
#5 0x00007ffff58a87c8 in __cxxabiv1::__cxa_throw (obj=0x60d00000cff0, tinfo=0x7ffff5b88ac0 <typeinfo for std::length_error>, dest=0x7ffff58bd240 <std::length_error::~length_error()>) at ../../../../gcc-5.3.0/libstdc++-v3/libsupc++/eh_throw.cc:87
#6 0x00007ffff58cfe8f in std::__throw_length_error ( __s=0x671660 "vector::reserve") at ../../../../../gcc-5.3.0/libstdc++-v3/src/c++11/functexcept.cc:86
#7 0x00000000005b6388 in std::vector<PoDoFo::PdfObject*, std::allocator<PoDoFo::PdfObject*> >::reserve (this=0x61400000fee0, __n=0xfffffffffffffffa) at /usr/include/c++/5/bits/vector.tcc:69
#8 0x00000000005b5ed9 in PoDoFo::PdfVecObjects::Reserve (this=0x61400000fec0, size=0xfffffffffffffffa) at /home/mikowoo/podofo-0.9.6/src/base/PdfVecObjects.h:499
#9 0x00000000005b16dd in PoDoFo::PdfParser::ReadObjects (this=0x61700000fc80) at /home/mikowoo/podofo-0.9.6/src/base/PdfParser.cpp:1029
#10 0x00000000005ab5e7 in PoDoFo::PdfParser::ParseFile (this=0x61700000fc80, rDevice=..., bLoadOnDemand=0x1) at /home/mikowoo/podofo-0.9.6/src/base/PdfParser.cpp:260
#11 0x00000000005ab1c5 in PoDoFo::PdfParser::ParseFile (this=0x61700000fc80, pszFilename=0x60700000dfb0 "/home/mikowoo/id:000000,sig:06,src:000012+000154,op:splice,rep:16", bLoadOnDemand=0x1) at /home/mikowoo/podofo-0.9.6/src/base/PdfParser.cpp:206
#12 0x000000000054a752 in PoDoFo::PdfMemDocument::Load (this=0x61400000fe40, pszFilename=0x60700000dfb0 "/home/mikowoo/id:000000,sig:06,src:000012+000154,op:splice,rep:16", bForUpdate=0x0) at /home/mikowoo/podofo-0.9.6/src/doc/PdfMemDocument.cpp:256
#13 0x00000000005495ec in PoDoFo::PdfMemDocument::PdfMemDocument ( this=0x61400000fe40, pszFilename=0x60700000dfb0 "/home/mikowoo/id:000000,sig:06,src:000012+000154,op:splice,rep:16", bForUpdate=0x0) at /home/mikowoo/podofo-0.9.6/src/doc/PdfMemDocument.cpp:102
#14 0x00000000004c1672 in PdfInfo::PdfInfo (this=0x7fffffffdc10, inPathname=...) at /home/mikowoo/podofo-0.9.6/tools/podofopdfinfo/pdfinfo.cpp:25
#15 0x00000000004c84db in main (argc=0x2, argv=0x7fffffffde08) at /home/mikowoo/podofo-0.9.6/tools/podofopdfinfo/podofopdfinfo.cpp:110
#16 0x00007ffff4f53830 in __libc_start_main (main=0x4c821b <main(int, char**)>, argc=0x2, argv=0x7fffffffde08, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffddf8) at ../csu/libc-start.c:291
#17 0x00000000004c1539 in _start ()
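An added illustration of the failure mode in the backtrace above (example code written here, not PoDoFo's own; `ObjVec`, `try_unchecked_reserve` and `try_checked_reserve` are hypothetical names): std::vector::reserve throws std::length_error for any count above max_size(), and if nothing catches it the process ends in std::terminate and abort. The second function shows how a parser can validate a file-supplied object count before reserving; it assumes each indirect object occupies at least 8 bytes of input.

```cpp
#include <cstddef>
#include <stdexcept>
#include <vector>

// Hypothetical stand-in for the parsed-object container (PoDoFo's real
// class is PdfVecObjects; this is not its code).
struct Obj {};
using ObjVec = std::vector<Obj*>;

// Reproduces the reported failure mode: a file-supplied object count is
// passed straight to std::vector::reserve. Returns true when the reserve
// succeeds, false when std::length_error is thrown. In the report the
// exception was never caught, so std::terminate() -> abort() ran instead.
bool try_unchecked_reserve(std::size_t count) {
    ObjVec objects;
    try {
        objects.reserve(count);   // throws for count > objects.max_size()
        return true;
    } catch (const std::length_error&) {
        return false;
    }
}

// Hardened variant: validate the count before it reaches reserve so a
// hostile object count is rejected as a parse error instead of taking
// the process down. Assumption: each indirect object needs at least
// kMinObjBytes of input (e.g. "1 0 obj"), so the file size bounds how
// many objects can possibly exist.
bool try_checked_reserve(std::size_t count, std::size_t file_size) {
    constexpr std::size_t kMinObjBytes = 8;
    ObjVec objects;
    if (count > objects.max_size()) return false;       // would throw
    if (count > file_size / kMinObjBytes) return false; // implausible
    objects.reserve(count);                             // now safe
    return objects.capacity() >= count;
}

int main() {
    // The value seen in frame #8 of the backtrace (size=0xfffffffffffffffa).
    const std::size_t hostile = static_cast<std::size_t>(0xfffffffffffffffaULL);
    return (!try_unchecked_reserve(hostile) &&
            !try_checked_reserve(hostile, 4096) &&
            try_checked_reserve(16, 4096)) ? 0 : 1;
}
```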
Feel free to leave the downstream bug open and post a link to the upstream bug, so that I can follow what happens upstream. Thanks.
(In reply to Sandro Mani from comment #8)
> Feel free to leave the downstream bug open and post a link to the upstream
> bug, so that I can follow what happens upstream. Thanks.

OK, here it is :P https://sourceforge.net/p/podofo/tickets/27/
EPEL 7 entered end-of-life (EOL) status on 2024-06-30.

EPEL 7 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug.