Description:
podofo is a C++ library to work with the PDF file format.
A fuzz on it discovered a heap overflow. The upstream project does not allow me to open a new ticket. So, I'm unable to communicate with them.
This will probably be forwarded to the -users mailing list.
The complete ASan output:
# podofopdfinfo $FILE
==13498==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62100001dd00 at pc 0x7fdb98e8ab81 bp 0x7ffcef268950 sp 0x7ffcef268948
WRITE of size 1 at 0x62100001dd00 thread T0
    #0 0x7fdb98e8ab80 in PoDoFo::PdfTokenizer::GetNextToken(char const*&, PoDoFo::EPdfTokenType*) /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/src/base/PdfTokenizer.cpp:319:35
    #1 0x7fdb98e8bb56 in PoDoFo::PdfTokenizer::GetNextNumber() /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/src/base/PdfTokenizer.cpp:356:27
    #2 0x7fdb98e57903 in PoDoFo::PdfParserObject::ReadObjectNumber() /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/src/base/PdfParserObject.cpp:105:30
    #3 0x7fdb98e58d00 in PoDoFo::PdfParserObject::ParseFile(PoDoFo::PdfEncrypt*, bool) /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/src/base/PdfParserObject.cpp:134:9
    #4 0x7fdb98e38c91 in PoDoFo::PdfParser::ReadTrailer() /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/src/base/PdfParser.cpp:603:56
    #5 0x7fdb98e33127 in PoDoFo::PdfParser::ReadDocumentStructure() /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/src/base/PdfParser.cpp:283:9
    #6 0x7fdb98e30e0f in PoDoFo::PdfParser::ParseFile(PoDoFo::PdfRefCountedInputDevice const&, bool) /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/src/base/PdfParser.cpp:220:9
    #7 0x7fdb98e2f1d4 in PoDoFo::PdfParser::ParseFile(char const*, bool) /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/src/base/PdfParser.cpp:164:11
    #8 0x7fdb9908c3f3 in PoDoFo::PdfMemDocument::Load(char const*) /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/src/doc/PdfMemDocument.cpp:186:16
    #9 0x50e8cb in count_pages(char const*, bool const&) /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/tools/podofocountpages/countpages.cpp:45:14
    #10 0x50ecd6 in main /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/tools/podofocountpages/countpages.cpp:86:24
    #11 0x7fdb97a6861f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #12 0x41b5a8 in _start (/usr/bin/podofocountpages+0x41b5a8)

0x62100001dd00 is located 0 bytes to the right of 4096-byte region [0x62100001cd00,0x62100001dd00)
allocated by thread T0 here:
    #0 0x4d4565 in calloc /tmp/portage/sys-devel/llvm-3.9.0-r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:72
    #1 0x7fdb98e17989 in PoDoFo::podofo_calloc(unsigned long, unsigned long) /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/src/base/PdfMemoryManagement.cpp:139:9
    #2 0x7fdb98e621f8 in PoDoFo::PdfRefCountedBuffer::ReallyResize(unsigned long) /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/src/base/PdfRefCountedBuffer.cpp:166:59
    #3 0x7fdb98e86044 in PoDoFo::PdfRefCountedBuffer::Resize(unsigned long) /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/src/base/PdfRefCountedBuffer.h:307:9
    #4 0x7fdb98e86044 in PoDoFo::PdfRefCountedBuffer::PdfRefCountedBuffer(unsigned long) /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/src/base/PdfRefCountedBuffer.h:227
    #5 0x7fdb98e86044 in PoDoFo::PdfTokenizer::PdfTokenizer() /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/src/base/PdfTokenizer.cpp:186
    #6 0x7fdb98e2debe in PoDoFo::PdfParser::PdfParser(PoDoFo::PdfVecObjects*) /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/src/base/PdfParser.cpp:76:7
    #7 0x7fdb9908c3a5 in PoDoFo::PdfMemDocument::Load(char const*) /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/src/doc/PdfMemDocument.cpp:185:21
    #8 0x50e8cb in count_pages(char const*, bool const&) /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/tools/podofocountpages/countpages.cpp:45:14
    #9 0x50ecd6 in main /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/tools/podofocountpages/countpages.cpp:86:24
    #10 0x7fdb97a6861f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/src/base/PdfTokenizer.cpp:319:35 in PoDoFo::PdfTokenizer::GetNextToken(char const*&, PoDoFo::EPdfTokenType*)
Shadow bytes around the buggy address:
  0x0c427fffbb50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fffbb60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fffbb70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fffbb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fffbb90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c427fffbba0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffbbb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffbbc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffbbd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffbbe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffbbf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==13498==ABORTING
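An added illustration, not part of the original post and not PoDoFo's code: a constructed C++ model of the tokenizer pattern the trace describes (a fixed 4096-byte heap token buffer filled by a copy loop), written with the bounds check that turns the one-byte overrun into a rejected token. The names kTokenBufferSize, nextToken, tokenize and tokenRejected are hypothetical.

```cpp
#include <cctype>
#include <cstddef>
#include <memory>
#include <stdexcept>
#include <string>
#include <vector>
// Constructed model of the pattern the trace above reports (hypothetical
// names; not PoDoFo's code). The tokenizer copies the current token into a
// fixed 4096-byte heap buffer. If the copy loop stops only at a delimiter
// and never compares its index with the buffer size, a 4096-character token
// stores one byte at offset 4096: a 1-byte WRITE "0 bytes to the right of"
// a 4096-byte region, as reported. Here the bound is checked before every store.
constexpr std::size_t kTokenBufferSize = 4096;
static bool isDelimiter(char c) {  // PDF delimiters; each is a token by itself
    return c == '(' || c == ')' || c == '<' || c == '>' || c == '[' ||
           c == ']' || c == '{' || c == '}' || c == '/' || c == '%';
}
static bool isSpace(char c) { return std::isspace(static_cast<unsigned char>(c)) != 0; }

// Returns the next token at pos and advances pos past it; "" at end of
// input. buffer has kTokenBufferSize bytes; throws rather than overrun it.
std::string nextToken(const char*& pos, char* buffer) {
    while (isSpace(*pos)) ++pos;
    if (*pos == '\0') return "";
    if (isDelimiter(*pos)) return std::string(1, *pos++);
    std::size_t counter = 0;
    while (*pos != '\0' && !isSpace(*pos) && !isDelimiter(*pos)) {
        // The check the unchecked pattern lacks: keep one byte for the
        // terminating NUL and refuse any token that does not fit.
        if (counter >= kTokenBufferSize - 1)
            throw std::length_error("token exceeds tokenizer buffer");
        buffer[counter++] = *pos++;
    }
    buffer[counter] = '\0';
    return std::string(buffer, counter);
}

// Splits a whole input into tokens using one heap buffer, as a parser would.
std::vector<std::string> tokenize(const char* input) {
    std::unique_ptr<char[]> buffer(new char[kTokenBufferSize]);
    std::vector<std::string> out;
    for (std::string tok = nextToken(input, buffer.get()); !tok.empty();
         tok = nextToken(input, buffer.get()))
        out.push_back(tok);
    return out;
}

// True when the hardened tokenizer rejects the token rather than storing it.
bool tokenRejected(const std::string& token) {
    try { tokenize(token.c_str()); } catch (const std::length_error&) { return true; }
    return false;
}
```

A token of 4095 characters still fits (4095 bytes plus the NUL), while a 4096-character digit run, the shape that would have produced the reported write at offset 4096, is refused before any store.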
Affected version:
0.9.4
Fixed version:
N/A
Commit fix:
N/A
Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.
CVE:
CVE-2017-5886
Reproducer:
https://github.com/asarubbo/poc/blob/master/00146-podofo-heapoverflow-PdfTokenizer
Timeline:
2017-02-02: bug discovered
2017-02-03: blog post about the issue
2017-02-05: CVE assigned
Note:
This bug was found with American Fuzzy Lop.
Permalink:
https://blogs.gentoo.org/ago/2017/02/03/podofo-heap-based-buffer-overflow-in-podofopdftokenizergetnexttoken-pdftokenizer-cpp