Description:
podofo is a C++ library to work with the PDF file format.
A fuzz on it discovered a heap overflow. The upstream project does not allow me to open a new ticket, so I will just forward this to the -users mailing list.
The complete ASan output:
# podofocolor dummy $FILE foo
==5749==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62500000a0f8 at pc 0x000000529e84 bp 0x7ffee90e1ad0 sp 0x7ffee90e1ac8
READ of size 1 at 0x62500000a0f8 thread T0
    #0 0x529e83 in PoDoFo::PdfVariant::DelayedLoad() const /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/podofo/base/../../src/base/PdfVariant.h:545:10
    #1 0x529e83 in PoDoFo::PdfVariant::GetReal() const /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/podofo/base/../../src/base/PdfVariant.h:675
    #2 0x52887e in ColorChanger::GetColorFromStack(int, std::vector<PoDoFo::PdfVariant, std::allocator >&) /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/tools/podofocolor/colorchanger.cpp:423:33
    #3 0x525d4b in ColorChanger::ProcessColor(ColorChanger::EKeywordType, int, std::vector<PoDoFo::PdfVariant, std::allocator >&, GraphicsStack&) /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/tools/podofocolor/colorchanger.cpp:449:28
    #4 0x521b3c in ColorChanger::ReplaceColorsInPage(PoDoFo::PdfCanvas*) /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/tools/podofocolor/colorchanger.cpp:214:31
    #5 0x51ed8e in ColorChanger::start() /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/tools/podofocolor/colorchanger.cpp:120:15
    #6 0x51c06d in main /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/tools/podofocolor/podofocolor.cpp:116:12
    #7 0x7f6c2623561f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #8 0x428718 in _start (/usr/bin/podofocolor+0x428718)

0x62500000a0f8 is located 8 bytes to the left of 8192-byte region [0x62500000a100,0x62500000c100)
allocated by thread T0 here:
    #0 0x518700 in operator new(unsigned long) /tmp/portage/sys-devel/llvm-3.9.0-r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/asan_new_delete.cc:78
    #1 0x52aa18 in __gnu_cxx::new_allocator::allocate(unsigned long, void const*) /usr/lib/gcc/x86_64-pc-linux-gnu/4.9.3/include/g++-v4/ext/new_allocator.h:104:27
    #2 0x52aa18 in __gnu_cxx::__alloc_traits<std::allocator >::allocate(std::allocator&, unsigned long) /usr/lib/gcc/x86_64-pc-linux-gnu/4.9.3/include/g++-v4/ext/alloc_traits.h:182
    #3 0x52aa18 in std::_Vector_base<PoDoFo::PdfVariant, std::allocator >::_M_allocate(unsigned long) /usr/lib/gcc/x86_64-pc-linux-gnu/4.9.3/include/g++-v4/bits/stl_vector.h:170
    #4 0x52aa18 in std::vector<PoDoFo::PdfVariant, std::allocator >::_M_insert_aux(__gnu_cxx::__normal_iterator<PoDoFo::PdfVariant*, std::vector<PoDoFo::PdfVariant, std::allocator > >, PoDoFo::PdfVariant const&) /usr/lib/gcc/x86_64-pc-linux-gnu/4.9.3/include/g++-v4/bits/vector.tcc:353
    #5 0x521bdd in std::vector<PoDoFo::PdfVariant, std::allocator >::push_back(PoDoFo::PdfVariant const&) /usr/lib/gcc/x86_64-pc-linux-gnu/4.9.3/include/g++-v4/bits/stl_vector.h:925:4
    #6 0x521bdd in ColorChanger::ReplaceColorsInPage(PoDoFo::PdfCanvas*) /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/tools/podofocolor/colorchanger.cpp:170
    #7 0x51ed8e in ColorChanger::start() /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/tools/podofocolor/colorchanger.cpp:120:15
    #8 0x51c06d in main /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/tools/podofocolor/podofocolor.cpp:116:12
    #9 0x7f6c2623561f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/podofo/base/../../src/base/PdfVariant.h:545:10 in PoDoFo::PdfVariant::DelayedLoad() const
Shadow bytes around the buggy address:
  0x0c4a7fff93c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff93d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff93e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff93f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff9400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c4a7fff9410: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
  0x0c4a7fff9420: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff9430: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff9440: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff9450: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff9460: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==5749==ABORTING
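The report above shows a 1-byte read 8 bytes to the left of the buffer that std::vector<PdfVariant>::push_back allocated, reached from GetColorFromStack through GetReal() and the flag check in DelayedLoad(). The example below is an added illustration, not PoDoFo's code: it assumes a consumer that indexes the operand vector at size() - nArgs, and contrasts that with an arity check that rejects a content stream whose operand stack is too short. The Operand, Color and GetColor* names are assumptions.

```cpp
#include <cstddef>
#include <stdexcept>
#include <vector>

// Stand-in for a PdfVariant operand: a flag is consulted before the value,
// mirroring the 1-byte read in DelayedLoad() that the report shows.
struct Operand {
    bool loaded = true;
    double value = 0.0;
    double GetReal() const {
        if (!loaded) throw std::logic_error("operand not loaded");
        return value;
    }
};

struct Color { double c[4] = {0, 0, 0, 0}; int n = 0; };

// Unchecked pattern (assumed): when args holds fewer than nArgs operands,
// nPos goes negative and the read lands before the vector's buffer, i.e. in
// ASan's heap left redzone. Do not call with args.size() < nArgs.
Color GetColorUnchecked(int nArgs, const std::vector<Operand>& args) {
    Color color;
    int nPos = static_cast<int>(args.size()) - nArgs;
    for (int i = 0; i < nArgs; ++i)
        color.c[i] = args[nPos + i].GetReal();   // out-of-bounds when nPos < 0
    color.n = nArgs;
    return color;
}

// Hardened form: a colour operator whose arity the operand stack cannot
// satisfy is reported to the caller instead of being read out of bounds.
bool GetColorChecked(int nArgs, const std::vector<Operand>& args, Color& out) {
    if (nArgs < 1 || nArgs > 4 || args.size() < static_cast<std::size_t>(nArgs))
        return false;   // malformed content stream: caller skips the operator
    std::size_t nPos = args.size() - static_cast<std::size_t>(nArgs);
    for (int i = 0; i < nArgs; ++i)
        out.c[i] = args[nPos + static_cast<std::size_t>(i)].GetReal();
    out.n = nArgs;
    return true;
}
```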
Affected version:
0.9.4
Fixed version:
N/A
Commit fix:
N/A
Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.
CVE:
CVE-2017-6843
Reproducer:
https://github.com/asarubbo/poc/blob/master/00170-podofo-heapoverflow-PoDoFo-PdfTokenizer-GetNextToken
Timeline:
2017-02-13: bug discovered
2017-03-02: bug reported to upstream
2017-03-02: blog post about the issue
2017-03-12: CVE assigned
Note:
This bug was found with American Fuzzy Lop.
Permalink:
podofo: heap-based buffer overflow in PoDoFo::PdfVariant::DelayedLoad (PdfVariant.h)