Bug 1620065 - podofo 0.9.6 error handle pdf in PoDoFo::PdfVecObjects::Reserve()
Summary: podofo 0.9.6 error handle pdf in PoDoFo::PdfVecObjects::Reserve()
Keywords:
Status: CLOSED EOL
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: podofo
Version: epel7
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Dan Horák
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-08-22 11:24 UTC by Krace
Modified: 2024-07-09 02:32 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2024-07-09 02:32:43 UTC
Type: Bug
Embargoed:


Attachments
the poc file (8.06 KB, application/pdf)
2018-08-22 11:46 UTC, Krace

Description Krace 2018-08-22 11:24:47 UTC
Description of problem:
In podofo 0.9.6 (the latest version), there exists a bug in the function PoDoFo::PdfParser::ReadObjects(), which can cause the program to be aborted.
Remote attackers could leverage this vulnerability to cause a denial-of-service via a crafted pdf file.

Here is the backtrace:
#0  0x00007ffff57d0428 in __GI_raise (sig=sig@entry=0x6)
    at ../sysdeps/unix/sysv/linux/raise.c:54
#1  0x00007ffff57d202a in __GI_abort () at abort.c:89
#2  0x00007ffff61124fd in __gnu_cxx::__verbose_terminate_handler ()
    at ../../../../gcc-5.3.0/libstdc++-v3/libsupc++/vterminate.cc:95
#3  0x00007ffff6110566 in __cxxabiv1::__terminate (handler=<optimized out>)
    at ../../../../gcc-5.3.0/libstdc++-v3/libsupc++/eh_terminate.cc:47
#4  0x00007ffff61105b1 in std::terminate ()
    at ../../../../gcc-5.3.0/libstdc++-v3/libsupc++/eh_terminate.cc:57
#5  0x00007ffff61107c8 in __cxxabiv1::__cxa_throw (obj=obj@entry=0x85e700,
    tinfo=0x7ffff63f0ac0 <typeinfo for std::length_error>,
    dest=0x7ffff6125240 <std::length_error::~length_error()>)
    at ../../../../gcc-5.3.0/libstdc++-v3/libsupc++/eh_throw.cc:87
#6  0x00007ffff6137e8f in std::__throw_length_error (
    __s=0x5c7ac2 "vector::reserve")
    at ../../../../../gcc-5.3.0/libstdc++-v3/src/c++11/functexcept.cc:86
#7  0x000000000055cc44 in std::vector<PoDoFo::PdfObject*, std::allocator<PoDoFo::PdfObject*> >::reserve(unsigned long) ()
#8  0x000000000055bfdc in PoDoFo::PdfVecObjects::Reserve(unsigned long) ()
#9  0x00000000005546b5 in PoDoFo::PdfParser::ReadObjects() ()
#10 0x0000000000553a02 in PoDoFo::PdfParser::ParseFile(PoDoFo::PdfRefCountedInputDevice const&, bool) ()
#11 0x0000000000553329 in PoDoFo::PdfParser::ParseFile(char const*, bool) ()
#12 0x000000000050e297 in PoDoFo::PdfMemDocument::Load(char const*, bool) ()
#13 0x000000000050e0d4 in PoDoFo::PdfMemDocument::PdfMemDocument(char const*, bool) ()
#14 0x00000000004afec7 in PdfInfo::PdfInfo(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) ()
#15 0x00000000004b4625 in main ()
#16 0x00007ffff57bb830 in __libc_start_main (main=0x4b4460 <main>, argc=0x2,
    argv=0x7fffffffde18, init=<optimized out>, fini=<optimized out>,
    rtld_fini=<optimized out>, stack_end=0x7fffffffde08)
    at ../csu/libc-start.c:291
#17 0x00000000004afd99 in _start ()


Version-Release number of selected component (if applicable):
podofo 0.9.6

How reproducible:
Use podofopdfinfo to read crafted PDF files.

Steps to Reproduce:
1. podofopdfinfo poc

Actual results:


Expected results:


Additional info:

Comment 1 Sandro Mani 2018-08-22 11:27:44 UTC
Can you please report this upstream at https://sourceforge.net/p/podofo/tickets/

(Btw epel7 does not have 0.9.6, so you probably mean F29 or rawhide)

Comment 2 Krace 2018-08-22 11:46:19 UTC
Created attachment 1477856 [details]
the poc file

Comment 3 Krace 2018-08-22 11:49:06 UTC
(In reply to Sandro Mani from comment #1)
> Can you please report this upstream at
> https://sourceforge.net/p/podofo/tickets/
> 
> (Btw epel7 does not have 0.9.6, so you probably mean F29 or rawhide)

OK, this is the first time I have used Bugzilla. 0.9.6 is the version of podofo :)

Comment 4 Sandro Mani 2018-08-22 12:13:19 UTC
Ok, but please take it upstream.

Comment 5 Krace 2018-08-23 01:33:22 UTC
(In reply to Sandro Mani from comment #4)
> Ok, but please take it upstream.

OK

Comment 6 Krace 2018-08-23 03:33:36 UTC
Note that in PdfVecObjects::Reserve(size_t size), the size is 0xfffffffffffffffa, which causes the program to be aborted.

Comment 7 Krace 2018-08-23 03:40:20 UTC
Here is the backtrace (with -g -O0) :)

#0  0x00007ffff4f68428 in __GI_raise (sig=sig@entry=0x6)
    at ../sysdeps/unix/sysv/linux/raise.c:54
#1  0x00007ffff4f6a02a in __GI_abort () at abort.c:89
#2  0x00007ffff58aa4fd in __gnu_cxx::__verbose_terminate_handler ()
    at ../../../../gcc-5.3.0/libstdc++-v3/libsupc++/vterminate.cc:95
#3  0x00007ffff58a8566 in __cxxabiv1::__terminate (handler=<optimized out>)
    at ../../../../gcc-5.3.0/libstdc++-v3/libsupc++/eh_terminate.cc:47
#4  0x00007ffff58a85b1 in std::terminate ()
    at ../../../../gcc-5.3.0/libstdc++-v3/libsupc++/eh_terminate.cc:57
#5  0x00007ffff58a87c8 in __cxxabiv1::__cxa_throw (obj=0x60d00000cff0,
    tinfo=0x7ffff5b88ac0 <typeinfo for std::length_error>,
    dest=0x7ffff58bd240 <std::length_error::~length_error()>)
    at ../../../../gcc-5.3.0/libstdc++-v3/libsupc++/eh_throw.cc:87
#6  0x00007ffff58cfe8f in std::__throw_length_error (
    __s=0x671660 "vector::reserve")
    at ../../../../../gcc-5.3.0/libstdc++-v3/src/c++11/functexcept.cc:86
#7  0x00000000005b6388 in std::vector<PoDoFo::PdfObject*, std::allocator<PoDoFo::PdfObject*> >::reserve (this=0x61400000fee0, __n=0xfffffffffffffffa)
    at /usr/include/c++/5/bits/vector.tcc:69
#8  0x00000000005b5ed9 in PoDoFo::PdfVecObjects::Reserve (this=0x61400000fec0,
    size=0xfffffffffffffffa)
    at /home/mikowoo/podofo-0.9.6/src/base/PdfVecObjects.h:499
#9  0x00000000005b16dd in PoDoFo::PdfParser::ReadObjects (this=0x61700000fc80)
    at /home/mikowoo/podofo-0.9.6/src/base/PdfParser.cpp:1029
#10 0x00000000005ab5e7 in PoDoFo::PdfParser::ParseFile (this=0x61700000fc80,
    rDevice=..., bLoadOnDemand=0x1)
    at /home/mikowoo/podofo-0.9.6/src/base/PdfParser.cpp:260
#11 0x00000000005ab1c5 in PoDoFo::PdfParser::ParseFile (this=0x61700000fc80,
    pszFilename=0x60700000dfb0 "/home/mikowoo/id:000000,sig:06,src:000012+000154,op:splice,rep:16", bLoadOnDemand=0x1)
    at /home/mikowoo/podofo-0.9.6/src/base/PdfParser.cpp:206
#12 0x000000000054a752 in PoDoFo::PdfMemDocument::Load (this=0x61400000fe40,
    pszFilename=0x60700000dfb0 "/home/mikowoo/id:000000,sig:06,src:000012+000154,op:splice,rep:16", bForUpdate=0x0)
    at /home/mikowoo/podofo-0.9.6/src/doc/PdfMemDocument.cpp:256
#13 0x00000000005495ec in PoDoFo::PdfMemDocument::PdfMemDocument (
    this=0x61400000fe40,
    pszFilename=0x60700000dfb0 "/home/mikowoo/id:000000,sig:06,src:000012+000154,op:splice,rep:16", bForUpdate=0x0)
    at /home/mikowoo/podofo-0.9.6/src/doc/PdfMemDocument.cpp:102
#14 0x00000000004c1672 in PdfInfo::PdfInfo (this=0x7fffffffdc10, inPathname=...)
    at /home/mikowoo/podofo-0.9.6/tools/podofopdfinfo/pdfinfo.cpp:25
#15 0x00000000004c84db in main (argc=0x2, argv=0x7fffffffde08)
    at /home/mikowoo/podofo-0.9.6/tools/podofopdfinfo/podofopdfinfo.cpp:110
#16 0x00007ffff4f53830 in __libc_start_main (main=0x4c821b <main(int, char**)>,
    argc=0x2, argv=0x7fffffffde08, init=<optimized out>, fini=<optimized out>,
    rtld_fini=<optimized out>, stack_end=0x7fffffffddf8)
    at ../csu/libc-start.c:291
#17 0x00000000004c1539 in _start ()
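Added example (not code from the report or from PoDoFo) showing the mechanism behind comments 6 and 7 next to one defensive check: std::vector::reserve() rejects a count above max_size() with std::length_error, and because nothing in podofopdfinfo catches it, std::terminate() aborts the process. The stub object type, the bounded wrapper and its cap are assumptions, not PoDoFo's fix.

```cpp
#include <cstddef>
#include <stdexcept>
#include <vector>

// Stand-in for PoDoFo::PdfObject (constructed for this example; not PoDoFo code).
struct PdfObjectStub {};
using ObjectVector = std::vector<PdfObjectStub*>;

// The count seen in the backtrace: __n=0xfffffffffffffffa, i.e. SIZE_MAX - 5 on
// a 64-bit build. Written as an expression so it also compiles on 32-bit targets.
constexpr std::size_t kCraftedCount = static_cast<std::size_t>(0) - 6;

// What the report hits: std::vector::reserve(n) throws std::length_error whenever
// n > max_size(). With no handler on the call path, std::terminate() aborts.
// Returns true if the exception was thrown.
bool uncheckedReserveThrows(std::size_t n) {
    ObjectVector objects;
    try {
        objects.reserve(n);
    } catch (const std::length_error&) {
        return true;
    }
    return false;
}

// Hardened variant (assumed policy): the object count is derived from the file
// being parsed, so treat it as untrusted. Refuse counts above max_size() and
// above a sane cap, and signal failure instead of letting an exception escape.
constexpr std::size_t kMaxObjectsFromFile = 1u << 24;  // assumed cap: 16M objects

bool boundedReserve(ObjectVector& objects, std::size_t requested) {
    if (requested > kMaxObjectsFromFile || requested > objects.max_size())
        return false;  // caller reports a malformed file instead of aborting
    objects.reserve(requested);
    return true;
}

// Convenience wrapper so the hardened path can be checked on a fresh vector.
bool boundedReserveAccepts(std::size_t requested) {
    ObjectVector objects;
    return boundedReserve(objects, requested);
}

int main() {
    // Stand-alone demonstration with the count from the report.
    return (uncheckedReserveThrows(kCraftedCount) &&
            !boundedReserveAccepts(kCraftedCount) &&
            boundedReserveAccepts(1024)) ? 0 : 1;
}
```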

Comment 8 Sandro Mani 2018-08-24 22:27:59 UTC
Feel free to leave the downstream bug open and post a link to the upstream bug, so that I can follow what happens upstream. Thanks.

Comment 9 Krace 2018-08-25 02:28:49 UTC
(In reply to Sandro Mani from comment #8)
> Feel free to leave the downstream bug open and post a link to the upstream
> bug, so that I can follow what happens upstream. Thanks.

OK, here it is :P
https://sourceforge.net/p/podofo/tickets/27/

Comment 10 Troy Dawson 2024-07-09 02:32:43 UTC
EPEL 7 entered end-of-life (EOL) status on 2024-06-30.

EPEL 7 is no longer maintained, which means that it
will not receive any further security or bug fix updates.
As a result we are closing this bug.