pax-utils: dumpelf: out of bounds read in dump_notes (dumpelf.c)

Description:
pax-utils is a set of tools that check files for security relevant properties.

A fuzz on dumpelf exposed an out of bounds read. It was reported to vapier, who fixed the issue immediately.
Unfortunately I can’t get a symbolized ASan stacktrace, so I will show only the useful part of both ASan and gdb.
This is not CVE-worthy because of the “READ of size 1” in a command-line tool. I’m sharing it because some distro/packagers may want to have the patch aboard.

# dumpelf $FILE
unknown-crash on address 0x7fc30f701000 at pc 0x000000520111 bp 0x7ffdc3db8eb0 sp 0x7ffdc3db8ea8
READ of size 1 at 0x7fc30f701000 thread T0

(gdb)
#0  dump_notes (B=B@entry=64, memory=memory@entry=0x7ffff7ff428c, memory_end=0x7ffff7ff42ac, elf=0x60d8e0, elf=0x60d8e0) at dumpelf.c:245
#1  0x0000000000405636 in dump_phdr (elf=elf@entry=0x60d8e0, phdr_void=phdr_void@entry=0x7ffff7ff4158, phdr_cnt=phdr_cnt@entry=5) at dumpelf.c:324
#2  0x0000000000401dd9 in dumpelf (file_cnt=0, filename=) at dumpelf.c:91
#3  parseargs (argv=0x7fffffffe1a8, argc=2) at dumpelf.c:557
#4  main (argc=2, argv=0x7fffffffe1a8) at dumpelf.c:566

Affected version:
1.2.2

Fixed version:
N/A

Commit fix:
https://github.com/gentoo/pax-utils/commit/10a9643d90a1ba6058a66066803fac6cf43f6917

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

Reproducer:
https://github.com/asarubbo/poc/blob/master/00142-pax-utils-dumpelf-oob1

Timeline:
2017-01-30: bug discovered and reported to upstream
2017-02-01: upstream released a patch
2017-02-04: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

Permalink:
https://blogs.gentoo.org/ago/2017/02/04/pax-utils-dumpelf-out-of-bounds-read-in-dump_notes-dumpelf-c


pax-utils: dumpelf: two invalid memory reads in dumpelf.c

Description:
pax-utils is a set of tools that check files for security relevant properties.

A fuzz on scanelf exposed two invalid memory reads. They were reported to vapier, who fixed the issue immediately.
Unfortunately I can’t get a symbolized ASan stacktrace, so I will show only the useful part of both ASan and gdb.

# dumpelf $FILE
  SEGV on unknown address 0x7f8d94dc9e28 (pc 0x00000051efc6 bp 0x7ffe15ddbfa0 sp 0x7ffe15ddbf60 T0)
==31647==The signal is caused by a READ memory access.

(gdb)
#0  0x00000000004067f7 in dump_dyn (dyn_void=dyn_void@entry=0x7ff5f7ff6e28, dyn_cnt=dyn_cnt@entry=0, elf=0x60d8e0, elf=0x60d8e0) at dumpelf.c:486
#1  0x0000000000401e24 in dumpelf (file_cnt=0, filename=) at dumpelf.c:146
#2  parseargs (argv=0x7fffffffe1a8, argc=2) at dumpelf.c:557
#3  main (argc=2, argv=0x7fffffffe1a8) at dumpelf.c:566

Reproducer:
https://github.com/asarubbo/poc/blob/master/00140-pax-utils-dumpelf-invalidread-dump_dyn

# dumpelf $FILE
SEGV on unknown address 0x6360e1292000 (pc 0x00000051fba9 bp 0x7ffeef817f20 sp 0x7ffeef817ec0 T0)
==8213==The signal is caused by a READ memory access.

(gdb)
#0  dump_notes (B=B@entry=64, memory=memory@entry=0x63fff7ff5000, memory_end=0x6414f7ff5000, elf=0x60d8e0, elf=0x60d8e0) at dumpelf.c:228
#1  0x0000000000405636 in dump_phdr (elf=elf@entry=0x60d8e0, phdr_void=phdr_void@entry=0x7ffff7ff50f0, phdr_cnt=phdr_cnt@entry=1) at dumpelf.c:324
#2  0x0000000000401dd9 in dumpelf (file_cnt=0, filename=) at dumpelf.c:91
#3  parseargs (argv=0x7fffffffe1a8, argc=2) at dumpelf.c:557
#4  main (argc=2, argv=0x7fffffffe1a8) at dumpelf.c:566

Reproducer:
https://github.com/asarubbo/poc/blob/master/00141-pax-utils-dumpelf-invalidread-dump_notes
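Both dump_notes crashes come from trusting sizes read out of the file: in the first post a 1-byte read runs past a 32-byte note segment (memory=0x7ffff7ff428c, memory_end=0x7ffff7ff42ac), and in the second memory_end lies far beyond the mapping (memory=0x63fff7ff5000, memory_end=0x6414f7ff5000) because the segment's p_filesz was never compared with the file size before memory_end was formed. The following is an added example in C, not pax-utils' code and not its fix: a PT_NOTE walker that checks the segment against the file size first and then checks each note's header and padded payloads before touching them. struct note_hdr, count_notes, build_sample_notes, put32 and range_in_file are this example's own names; the note layout (three 32-bit fields, name and desc each padded to 4 bytes) is the standard ELF one, and the sample bytes are constructed here rather than taken from a real binary.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Note header as it sits in the file. Elf32_Nhdr and Elf64_Nhdr have the same
   three 32-bit fields, so one struct covers both ELF classes. */
struct note_hdr {
    uint32_t namesz;
    uint32_t descsz;
    uint32_t type;
};

/* Host-order 32-bit store. The constructed sample is written with this and read
   back with memcpy, so the example is endian-neutral. */
void put32(uint8_t *p, uint32_t v)
{
    memcpy(p, &v, sizeof v);
}

/* 1 if [off, off + len) lies inside a file_size-byte mapping. Written as a
   subtraction so that off + len can never wrap around. */
static int range_in_file(uint64_t off, uint64_t len, uint64_t file_size)
{
    return off <= file_size && len <= file_size - off;
}

/* Walk one PT_NOTE segment. Returns the number of well-formed notes, or -1 as
   soon as the segment or any single note reaches past the bytes we really have. */
int count_notes(const uint8_t *file, uint64_t file_size,
                uint64_t p_offset, uint64_t p_filesz)
{
    /* Guard 1: the program header's claim about the segment is checked against
       the file size before memory_end is ever formed. */
    if (!range_in_file(p_offset, p_filesz, file_size))
        return -1;

    const uint8_t *memory = file + p_offset;
    const uint8_t *memory_end = memory + p_filesz;
    int count = 0;

    while (memory < memory_end) {
        uint64_t left = (uint64_t)(memory_end - memory);

        /* Guard 2: a whole header must be present before namesz/descsz are read. */
        if (left < sizeof(struct note_hdr))
            return -1;
        struct note_hdr nh;
        memcpy(&nh, memory, sizeof nh);
        memory += sizeof nh;
        left -= sizeof nh;

        /* Guard 3: name and desc are each padded to 4 bytes and checked one at a
           time in 64-bit arithmetic, so a namesz near UINT32_MAX cannot wrap. */
        uint64_t name_len = ((uint64_t)nh.namesz + 3) & ~(uint64_t)3;
        if (name_len > left)
            return -1;
        memory += name_len;
        left -= name_len;

        uint64_t desc_len = ((uint64_t)nh.descsz + 3) & ~(uint64_t)3;
        if (desc_len > left)
            return -1;
        memory += desc_len;

        count++;
    }
    return count;
}

/* Constructed sample (not from a real binary): a 4-byte "GNU" name with a
   2-byte desc, followed by an empty note. Writes 32 bytes, returns that length. */
size_t build_sample_notes(uint8_t *buf, size_t cap)
{
    if (cap < 32)
        return 0;
    memset(buf, 0, 32);
    put32(buf + 0, 4);             /* namesz: "GNU" plus NUL */
    put32(buf + 4, 2);             /* descsz: 2 bytes, padded to 4 */
    put32(buf + 8, 1);             /* type */
    memcpy(buf + 12, "GNU", 4);    /* name, already 4-byte aligned */
    buf[16] = 0xAA;                /* desc bytes, then 2 bytes of padding */
    buf[17] = 0xBB;
    put32(buf + 20, 0);            /* second note: namesz 0 */
    put32(buf + 24, 0);            /* descsz 0 */
    put32(buf + 28, 2);            /* type */
    return 32;
}
```

Feeding the 32-byte sample with an honest p_filesz yields 2 notes; the same buffer with p_filesz set to UINT64_MAX, with a p_offset past the end, or with one note's descsz rewritten to 0xFFFFFFF0 is rejected before any byte past the mapping is read, which is the behaviour the two crashes above lacked.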

Affected version:
1.2.2

Fixed version:
N/A

Commit fix:
https://github.com/gentoo/pax-utils/commit/18ded0e30ee5a84260cceb80d818b9c21ade4c76

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Timeline:
2017-01-30: bug discovered and reported to upstream
2017-02-01: upstream released a patch
2017-02-04: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

Permalink:
https://blogs.gentoo.org/ago/2017/02/04/pax-utils-dumpelf-two-invalid-memory-read-in-dumpelf-c


pax-utils: dumpelf: multiple divide-by-zero in dumpelf.c

Description:
pax-utils is a set of tools that check files for security relevant properties.

A fuzz on dumpelf shows multiple divide-by-zero errors. They were reported to vapier, who fixed the issues immediately.
Unfortunately I can’t get the ASan stacktrace, so I will show only the useful (not at all) part of the crash.

# dumpelf $FILE
 FPE on unknown address 0x00000051ca65 (pc 0x00000051ca65 bp 0x7ffc31bb6f80 sp 0x7ffc31bb6e40 T0)

Reproducer:
https://github.com/asarubbo/poc/blob/master/00137-pax-utils-dumpelf-fpe1

# dumpelf $FILE
  FPE on unknown address 0x00000051d335 (pc 0x00000051d335 bp 0x7ffc17babf80 sp 0x7ffc17babe40 T0)

Reproducer:
https://github.com/asarubbo/poc/blob/master/00138-pax-utils-dumpelf-fpe2

# dumpelf $FILE
  FPE on unknown address 0x00000051db76 (pc 0x00000051db76 bp 0x7ffdf90fff80 sp 0x7ffdf90ffe40 T0)

Reproducer:
https://github.com/asarubbo/poc/blob/master/00139-pax-utils-dumpelf-fpe3

Affected version:
1.2.2

Fixed version:
N/A

Commit fix:
https://github.com/gentoo/pax-utils/commit/4609f57a690b4a5670baeb93167dab5300d07d4e

Credit:
These bugs were discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Timeline:
2017-01-30: bug discovered and reported to upstream
2017-02-01: upstream released a patch
2017-02-04: blog post about the issue

Note:
These bugs were found with American Fuzzy Lop.

Permalink:
https://blogs.gentoo.org/ago/2017/02/04/pax-utils-dumpelf-multiple-divide-by-zero-in-dumpelf-c


podofo: heap-based buffer overflow in PoDoFo::PdfTokenizer::GetNextToken (PdfTokenizer.cpp)

Description:
podofo is a C++ library to work with the PDF file format.

A fuzz on it discovered a heap overflow. The upstream project does not allow me to open a new ticket, so I’m unable to communicate with them.
This will probably be forwarded to the -users mailing list.

The complete ASan output:

# podofopdfinfo $FILE
==13498==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62100001dd00 at pc 0x7fdb98e8ab81 bp 0x7ffcef268950 sp 0x7ffcef268948
WRITE of size 1 at 0x62100001dd00 thread T0
    #0 0x7fdb98e8ab80 in PoDoFo::PdfTokenizer::GetNextToken(char const*&, PoDoFo::EPdfTokenType*) /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/src/base/PdfTokenizer.cpp:319:35
    #1 0x7fdb98e8bb56 in PoDoFo::PdfTokenizer::GetNextNumber() /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/src/base/PdfTokenizer.cpp:356:27
    #2 0x7fdb98e57903 in PoDoFo::PdfParserObject::ReadObjectNumber() /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/src/base/PdfParserObject.cpp:105:30
    #3 0x7fdb98e58d00 in PoDoFo::PdfParserObject::ParseFile(PoDoFo::PdfEncrypt*, bool) /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/src/base/PdfParserObject.cpp:134:9
    #4 0x7fdb98e38c91 in PoDoFo::PdfParser::ReadTrailer() /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/src/base/PdfParser.cpp:603:56
    #5 0x7fdb98e33127 in PoDoFo::PdfParser::ReadDocumentStructure() /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/src/base/PdfParser.cpp:283:9
    #6 0x7fdb98e30e0f in PoDoFo::PdfParser::ParseFile(PoDoFo::PdfRefCountedInputDevice const&, bool) /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/src/base/PdfParser.cpp:220:9
    #7 0x7fdb98e2f1d4 in PoDoFo::PdfParser::ParseFile(char const*, bool) /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/src/base/PdfParser.cpp:164:11
    #8 0x7fdb9908c3f3 in PoDoFo::PdfMemDocument::Load(char const*) /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/src/doc/PdfMemDocument.cpp:186:16
    #9 0x50e8cb in count_pages(char const*, bool const&) /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/tools/podofocountpages/countpages.cpp:45:14
    #10 0x50ecd6 in main /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/tools/podofocountpages/countpages.cpp:86:24
    #11 0x7fdb97a6861f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #12 0x41b5a8 in _start (/usr/bin/podofocountpages+0x41b5a8)

0x62100001dd00 is located 0 bytes to the right of 4096-byte region [0x62100001cd00,0x62100001dd00)
allocated by thread T0 here:
    #0 0x4d4565 in calloc /tmp/portage/sys-devel/llvm-3.9.0-r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:72
    #1 0x7fdb98e17989 in PoDoFo::podofo_calloc(unsigned long, unsigned long) /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/src/base/PdfMemoryManagement.cpp:139:9
    #2 0x7fdb98e621f8 in PoDoFo::PdfRefCountedBuffer::ReallyResize(unsigned long) /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/src/base/PdfRefCountedBuffer.cpp:166:59
    #3 0x7fdb98e86044 in PoDoFo::PdfRefCountedBuffer::Resize(unsigned long) /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/src/base/PdfRefCountedBuffer.h:307:9
    #4 0x7fdb98e86044 in PoDoFo::PdfRefCountedBuffer::PdfRefCountedBuffer(unsigned long) /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/src/base/PdfRefCountedBuffer.h:227
    #5 0x7fdb98e86044 in PoDoFo::PdfTokenizer::PdfTokenizer() /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/src/base/PdfTokenizer.cpp:186
    #6 0x7fdb98e2debe in PoDoFo::PdfParser::PdfParser(PoDoFo::PdfVecObjects*) /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/src/base/PdfParser.cpp:76:7
    #7 0x7fdb9908c3a5 in PoDoFo::PdfMemDocument::Load(char const*) /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/src/doc/PdfMemDocument.cpp:185:21
    #8 0x50e8cb in count_pages(char const*, bool const&) /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/tools/podofocountpages/countpages.cpp:45:14
    #9 0x50ecd6 in main /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/tools/podofocountpages/countpages.cpp:86:24
    #10 0x7fdb97a6861f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/src/base/PdfTokenizer.cpp:319:35 in PoDoFo::PdfTokenizer::GetNextToken(char const*&, PoDoFo::EPdfTokenType*)
Shadow bytes around the buggy address:
  0x0c427fffbb50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fffbb60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fffbb70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fffbb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fffbb90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c427fffbba0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffbbb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffbbc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffbbd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffbbe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffbbf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==13498==ABORTING
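The report above is a 1-byte WRITE landing 0 bytes to the right of a 4096-byte region that was allocated in the PdfTokenizer constructor, i.e. a token being copied into a fixed-size buffer until a delimiter is seen, with nothing stopping the copy when the token is longer than the buffer. As an added example (written in C, not PoDoFo's C++ code, and not a patch for it), here is the hardened form of that loop next to the unbounded pattern it replaces; read_token, read_token_unbounded and TOKEN_BUF_SIZE are this example's own names, and 4096 is taken from the region size in the report.

```c
#include <stddef.h>
#include <string.h>
#include <ctype.h>

/* Same capacity as the region in the ASan report. */
#define TOKEN_BUF_SIZE 4096

/* The unbounded pattern, kept only for contrast and never called here: it
   stops at whitespace or end of input, so a token longer than the buffer
   writes straight past it, which is exactly the 1-byte WRITE ASan caught. */
size_t read_token_unbounded(const char *in, size_t inlen, char *out)
{
    size_t i = 0, n = 0;
    while (i < inlen && isspace((unsigned char)in[i]))
        i++;
    while (i < inlen && !isspace((unsigned char)in[i]))
        out[n++] = in[i++];        /* no comparison against the buffer size */
    out[n] = '\0';
    return n;
}

/* Hardened form: copy one whitespace-delimited token from in[0..inlen) into
   out, which holds outsz bytes. Returns the token length, or -1 when the token
   plus its terminating NUL would not fit. The check runs before each store,
   so the buffer is never written past its end. */
long read_token(const char *in, size_t inlen, char *out, size_t outsz)
{
    size_t i = 0, n = 0;

    if (outsz == 0)
        return -1;                 /* nowhere even for the NUL */
    while (i < inlen && isspace((unsigned char)in[i]))
        i++;                       /* skip leading whitespace */
    while (i < inlen && !isspace((unsigned char)in[i])) {
        if (n + 1 >= outsz)        /* keep one byte for the NUL */
            return -1;             /* token too long: refuse, do not truncate silently */
        out[n++] = in[i++];
    }
    out[n] = '\0';
    return (long)n;
}
```

Returning an error rather than silently truncating matters for a parser: a truncated token can still be a valid-looking keyword or number, so the caller would continue on data that no longer matches the file, whereas a hard failure stops the parse at the first malformed input.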

Affected version:
0.9.4

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-5886

Reproducer:
https://github.com/asarubbo/poc/blob/master/00146-podofo-heapoverflow-PdfTokenizer

Timeline:
2017-02-02: bug discovered
2017-02-03: blog post about the issue
2017-02-05: CVE assigned

Note:
This bug was found with American Fuzzy Lop.

Permalink:
https://blogs.gentoo.org/ago/2017/02/03/podofo-heap-based-buffer-overflow-in-podofopdftokenizergetnexttoken-pdftokenizer-cpp


podofo: infinite loop in PoDoFo::PdfPage::GetInheritedKeyFromObject (PdfPage.cpp)

Description:
podofo is a C++ library to work with the PDF file format.

A fuzz on it discovered an infinite loop. The upstream project does not allow me to open a new ticket, so I’m unable to communicate with them.

The complete ASan output:

# podofopdfinfo $FILE
==8407==ERROR: AddressSanitizer: stack-overflow on address 0x7ffcff058fe0 (pc 0x000000425a5f bp 0x6400000003f0 sp 0x7ffcff058fe0 T0)
    #0 0x425a5e in GenericScopedLock /tmp/portage/sys-devel/llvm-3.9.0-r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_mutex.h:179
    #1 0x425a5e in __sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback>::PopulateFreeList(__sanitizer::AllocatorStats*, __sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback> >*, unsigned long, __sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback>::RegionInfo*) /tmp/portage/sys-devel/llvm-3.9.0-r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_allocator.h:540
    #2 0x426297 in __sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback>::AllocateBatch(__sanitizer::AllocatorStats*, __sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback> >*, unsigned long) /tmp/portage/sys-devel/llvm-3.9.0-r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_allocator.h:359
    #3 0x4262f6 in __sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback> >::Refill(__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback>*, unsigned long) /tmp/portage/sys-devel/llvm-3.9.0-r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_allocator.h:1003
    #4 0x4298ed in __sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback> >::Allocate(__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback>*, unsigned long) /tmp/portage/sys-devel/llvm-3.9.0-r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_allocator.h:952
    #5 0x4298ed in __sanitizer::CombinedAllocator<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback>, __sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback> >, __sanitizer::LargeMmapAllocator >::Allocate(__sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback> >*, unsigned long, unsigned long, bool, bool) /tmp/portage/sys-devel/llvm-3.9.0-r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_allocator.h:1324
    #6 0x4298ed in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) /tmp/portage/sys-devel/llvm-3.9.0-r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/asan_allocator.cc:368
    #7 0x50e8b8 in operator new(unsigned long) /tmp/portage/sys-devel/llvm-3.9.0-r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/asan_new_delete.cc:78
    #8 0x7f2e77512621 in PoDoFo::PdfVariant::PdfVariant(PoDoFo::PdfDictionary const&) /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/src/base/PdfVariant.cpp:151:20
    #9 0x7f2e77495f6d in PoDoFo::PdfObject::PdfObject(PoDoFo::PdfReference const&, char const*) /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/src/base/PdfObject.cpp:62:7
    #10 0x7f2e7751dcf8 in PoDoFo::PdfVecObjects::GetObject(PoDoFo::PdfReference const&) const /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/src/base/PdfVecObjects.cpp:151:15
    #11 0x7f2e7749afe1 in PoDoFo::PdfObject::GetIndirectKey(PoDoFo::PdfName const&) const /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/src/base/PdfObject.cpp:237:30
    #12 0x7f2e77741533 in PoDoFo::PdfPage::GetInheritedKeyFromObject(char const*, PoDoFo::PdfObject const*) const /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/src/doc/PdfPage.cpp:230:26
    #13 0x7f2e777415a4 in PoDoFo::PdfPage::GetInheritedKeyFromObject(char const*, PoDoFo::PdfObject const*) const /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/src/doc/PdfPage.cpp:232:20
    [.....]
    #254 0x7f2e777415a4 in PoDoFo::PdfPage::GetInheritedKeyFromObject(char const*, PoDoFo::PdfObject const*) const /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/src/doc/PdfPage.cpp:232:20

SUMMARY: AddressSanitizer: stack-overflow /tmp/portage/sys-devel/llvm-3.9.0-r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_mutex.h:179 in GenericScopedLock
==8407==ABORTING
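The trace above is unbounded recursion: GetInheritedKeyFromObject (PdfPage.cpp:232) keeps calling itself out to frame #254 and beyond while resolving an inheritable page attribute through /Parent links, so a page tree whose /Parent chain loops back on itself only stops when the stack is exhausted (the title calls it an infinite loop; ASan reports it as stack-overflow). The following is an added example, not PoDoFo's code: an iterative lookup over a constructed toy page_node chain that reports a /Parent cycle instead of following it, using a tortoise-hare check plus a depth ceiling. struct page_node, get_inherited_key, enum lookup_status and MAX_PARENT_DEPTH are this example's own names.

```c
#include <stddef.h>
#include <string.h>

/* Toy page-tree node, constructed for this example (not PoDoFo's PdfObject):
   one inheritable key/value pair and the /Parent link. */
struct page_node {
    const char *key;            /* e.g. "MediaBox"; NULL if the node carries none */
    const char *value;
    struct page_node *parent;   /* NULL at the root of the page tree */
};

enum lookup_status { LOOKUP_FOUND = 0, LOOKUP_MISSING = 1, LOOKUP_CYCLE = 2 };

/* Hard ceiling on how many /Parent links we will follow; real page trees are a
   handful of levels deep, so anything approaching this is corrupt or hostile. */
#define MAX_PARENT_DEPTH 64

/* Resolve an inheritable key by walking /Parent links iteratively.
   On LOOKUP_FOUND *out is the value. A /Parent loop is reported as
   LOOKUP_CYCLE by the tortoise-hare check; the depth limit bounds the walk
   independently, so the function terminates on any input. */
int get_inherited_key(const struct page_node *node, const char *key,
                      const char **out)
{
    const struct page_node *cur = node;    /* hare: one step per iteration */
    const struct page_node *slow = node;   /* tortoise: one step every two */
    int steps = 0;

    *out = NULL;
    while (cur != NULL) {
        if (cur->key != NULL && strcmp(cur->key, key) == 0) {
            *out = cur->value;
            return LOOKUP_FOUND;           /* nearest definition wins, as in PDF */
        }
        cur = cur->parent;
        if (++steps > MAX_PARENT_DEPTH)
            return LOOKUP_CYCLE;
        if ((steps & 1) == 0) {
            slow = slow->parent;           /* slow trails cur, so it is never NULL here */
            if (slow != NULL && slow == cur)
                return LOOKUP_CYCLE;       /* the hare lapped the tortoise: a loop */
        }
    }
    return LOOKUP_MISSING;                 /* reached the root without the key */
}
```

The recursive form in the trace has the same lookup semantics; what the iterative version adds is that every call returns in at most MAX_PARENT_DEPTH steps and a two-node or self-referencing /Parent loop is classified as corrupt input rather than walked.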

Affected version:
0.9.4

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-5852

Reproducer:
https://github.com/asarubbo/poc/blob/master/00145-podofo-infiniteloop-PdfPage

Timeline:
2017-01-05: bug discovered
2017-02-01: blog post about the issue
2017-02-02: CVE assigned

Note:
This bug was found with American Fuzzy Lop.

Permalink:
https://blogs.gentoo.org/ago/2017/02/01/podofo-infinite-loop-in-podofopdfpagegetinheritedkeyfromobject-pdfpage-cpp


podofo: signed integer overflow in PdfParser.cpp

Description:
podofo is a C++ library to work with the PDF file format.

A fuzz on it with UBSan discovered a signed integer overflow. The upstream project does not allow me to open a new ticket, so I’m unable to communicate with them.

The complete UBSan output:

# podofopdfinfo $FILE
/tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/src/base/PdfParser.cpp:757:23: runtime error: signed integer overflow: 9223372036854775807 + 9 cannot be represented in type 'long'

Affected version:
0.9.4

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-5853

Reproducer:
https://github.com/asarubbo/poc/blob/master/00144-podofo-signintoverflow-PdfParser

Timeline:
2017-01-05: bug discovered
2017-02-01: blog post about the issue
2017-02-02: CVE assigned

Note:
This bug was found with American Fuzzy Lop.

Permalink:
https://blogs.gentoo.org/ago/2017/02/01/podofo-signed-integer-overflow-in-pdfparser-cpp


podofo: NULL pointer dereference in PdfOutputStream.cpp

Description:
podofo is a C++ library to work with the PDF file format.

A fuzz on it with UBSan discovered a NULL pointer access. The upstream project does not allow me to open a new ticket, so I’m unable to communicate with them.

The complete UBSan output:

# podofopdfinfo $FILE
/tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/src/base/PdfOutputStream.cpp:116:33: runtime error: null pointer passed as argument 2, which is declared to never be null

Affected version:
0.9.4

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-5854

Reproducer:
https://github.com/asarubbo/poc/blob/master/00143-podofo-nullptr-PdfOutputStream

Timeline:
2017-01-05: bug discovered
2017-02-01: blog post about the issue
2017-02-02: CVE assigned

Note:
This bug was found with American Fuzzy Lop.

Permalink:
https://blogs.gentoo.org/ago/2017/02/01/podofo-null-pointer-dereference-in-pdfoutputstream-cpp


podofo: NULL pointer dereference in PoDoFo::PdfParser::ReadXRefSubsection (PdfParser.cpp)

Description:
podofo is a C++ library to work with the PDF file format.

A fuzz on it discovered a NULL pointer access. The upstream project does not allow me to open a new ticket, so I’m unable to communicate with them.

The complete ASan output:

# podofopdfinfo $FILE
==9418==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000000d8 (pc 0x7f496cb0ab76 bp 0x7ffff028f9d0 sp 0x7ffff028f148 T0)
==9418==The signal is caused by a WRITE memory access.
==9418==Hint: address points to the zero page.
    #0 0x7f496cb0ab75  /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/string/../sysdeps/x86_64/multiarch/memcpy-ssse3-back.S:1989
    #1 0x4c063e in __asan_memcpy /tmp/portage/sys-devel/llvm-3.9.0-r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:413
    #2 0x7f496dde143c in void std::_Construct(PoDoFo::PdfParser::TXRefEntry*, PoDoFo::PdfParser::TXRefEntry const&) /usr/lib/gcc/x86_64-pc-linux-gnu/4.9.3/include/g++-v4/bits/stl_construct.h:83:38
    #3 0x7f496dde143c in void std::__uninitialized_fill_n::__uninit_fill_n(PoDoFo::PdfParser::TXRefEntry*, unsigned long, PoDoFo::PdfParser::TXRefEntry const&) /usr/lib/gcc/x86_64-pc-linux-gnu/4.9.3/include/g++-v4/bits/stl_uninitialized.h:202
    #4 0x7f496dde143c in void std::uninitialized_fill_n(PoDoFo::PdfParser::TXRefEntry*, unsigned long, PoDoFo::PdfParser::TXRefEntry const&) /usr/lib/gcc/x86_64-pc-linux-gnu/4.9.3/include/g++-v4/bits/stl_uninitialized.h:244
    #5 0x7f496dde143c in void std::__uninitialized_fill_n_a(PoDoFo::PdfParser::TXRefEntry*, unsigned long, PoDoFo::PdfParser::TXRefEntry const&, std::allocator&) /usr/lib/gcc/x86_64-pc-linux-gnu/4.9.3/include/g++-v4/bits/stl_uninitialized.h:355
    #6 0x7f496dde143c in std::vector<PoDoFo::PdfParser::TXRefEntry, std::allocator >::_M_fill_insert(__gnu_cxx::__normal_iterator<PoDoFo::PdfParser::TXRefEntry*, std::vector<PoDoFo::PdfParser::TXRefEntry, std::allocator > >, unsigned long, PoDoFo::PdfParser::TXRefEntry const&) /usr/lib/gcc/x86_64-pc-linux-gnu/4.9.3/include/g++-v4/bits/vector.tcc:496
    #7 0x7f496ddd4a67 in std::vector<PoDoFo::PdfParser::TXRefEntry, std::allocator >::insert(__gnu_cxx::__normal_iterator<PoDoFo::PdfParser::TXRefEntry*, std::vector<PoDoFo::PdfParser::TXRefEntry, std::allocator > >, unsigned long, PoDoFo::PdfParser::TXRefEntry const&) /usr/lib/gcc/x86_64-pc-linux-gnu/4.9.3/include/g++-v4/bits/stl_vector.h:1073:9
    #8 0x7f496ddd4a67 in std::vector<PoDoFo::PdfParser::TXRefEntry, std::allocator >::resize(unsigned long, PoDoFo::PdfParser::TXRefEntry) /usr/lib/gcc/x86_64-pc-linux-gnu/4.9.3/include/g++-v4/bits/stl_vector.h:716
    #9 0x7f496ddd4a67 in PoDoFo::PdfParser::ReadXRefSubsection(long&, long&) /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/src/base/PdfParser.cpp:772
    #10 0x7f496ddc60bd in PoDoFo::PdfParser::ReadXRefContents(long, bool) /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/src/base/PdfParser.cpp:725:17
    #11 0x7f496ddbfaae in PoDoFo::PdfParser::ReadDocumentStructure() /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/src/base/PdfParser.cpp:337:9
    #12 0x7f496ddbce1f in PoDoFo::PdfParser::ParseFile(PoDoFo::PdfRefCountedInputDevice const&, bool) /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/src/base/PdfParser.cpp:220:9
    #13 0x7f496ddbb1e4 in PoDoFo::PdfParser::ParseFile(char const*, bool) /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/src/base/PdfParser.cpp:164:11
    #14 0x7f496e018393 in PoDoFo::PdfMemDocument::Load(char const*) /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/src/doc/PdfMemDocument.cpp:186:16
    #15 0x7f496e018062 in PoDoFo::PdfMemDocument::PdfMemDocument(char const*) /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/src/doc/PdfMemDocument.cpp:88:11
    #16 0x511b44 in PdfInfo::PdfInfo(std::string const&) /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/tools/podofopdfinfo/pdfinfo.cpp:25:16
    #17 0x521ac8 in main /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/tools/podofopdfinfo/podofopdfinfo.cpp:110:15
    #18 0x7f496c9f461f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #19 0x41e8f8 in _start (/usr/bin/podofopdfinfo+0x41e8f8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/string/../sysdeps/x86_64/multiarch/memcpy-ssse3-back.S:1989
==9418==ABORTING
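The UBSan line in the signed-integer-overflow post (9223372036854775807 + 9 in type 'long' at PdfParser.cpp:757) and the SEGV above, where ReadXRefSubsection(long&, long&) calls vector::resize and the fill ends in a write to the zero page, are two ends of the same problem: the two integers of an xref subsection header ("first count") are used to size a table before they have been validated. As an added example (not PoDoFo's parser, and not a patch for it), here is a header check in C with three layers: strtol range checking, a wrap-free test on first + count, and a caller-supplied ceiling on how many entries the table may grow to. validate_xref_subsection, parse_nonneg_long and enum xref_status are this example's own names; max_objects is whatever policy the caller chooses (for a classic xref table every entry is 20 bytes on disk, so file size divided by 20 is one defensible bound for that case). The test strings are constructed, including the LONG_MAX + 9 pair taken from the UBSan message.

```c
#include <errno.h>
#include <limits.h>
#include <stdlib.h>

enum xref_status {
    XREF_OK = 0,
    XREF_BAD_SYNTAX,   /* no digits where a number was expected */
    XREF_RANGE,        /* negative, or strtol reported ERANGE */
    XREF_OVERFLOW,     /* first + count would not fit in a long */
    XREF_TOO_LARGE     /* table would exceed the caller's ceiling */
};

/* Parse one non-negative decimal into *out. strtol sets ERANGE when the digits
   exceed LONG_MAX, which is the earliest point a hostile value can be caught. */
static int parse_nonneg_long(const char *s, char **end, long *out)
{
    errno = 0;
    long v = strtol(s, end, 10);
    if (*end == s)
        return XREF_BAD_SYNTAX;
    if (errno == ERANGE || v < 0)
        return XREF_RANGE;
    *out = v;
    return XREF_OK;
}

/* Validate an xref subsection header of the form "first count" before any
   table is sized from it. On XREF_OK, *first_out and *count_out are set. */
int validate_xref_subsection(const char *header, long max_objects,
                             long *first_out, long *count_out)
{
    char *p;
    long first, count;
    int st;

    st = parse_nonneg_long(header, &p, &first);
    if (st != XREF_OK)
        return st;
    st = parse_nonneg_long(p, &p, &count);
    if (st != XREF_OK)
        return st;

    /* Wrap-free form of "first + count > LONG_MAX": both are non-negative, so
       LONG_MAX - first cannot itself overflow. This is the sum UBSan flagged. */
    if (count > LONG_MAX - first)
        return XREF_OVERFLOW;

    /* The highest object number the subsection will touch must stay under the
       caller's ceiling; this is what keeps a resize from running away. */
    if (first + count > max_objects)
        return XREF_TOO_LARGE;

    *first_out = first;
    *count_out = count;
    return XREF_OK;
}
```

Note the order: the overflow check must run before the ceiling check, because first + count is only a defined expression once it is known not to overflow, and a value that strtol already clamped at LONG_MAX would otherwise reach the addition exactly as in the UBSan report.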

Affected version:
0.9.4

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-5855

Reproducer:
https://github.com/asarubbo/poc/blob/master/00134-podofo-nullptr-pdfparser-cpp

Timeline:
2017-01-05: bug discovered
2017-02-01: blog post about the issue
2017-02-02: CVE assigned

Note:
This bug was found with American Fuzzy Lop.

Permalink:
https://blogs.gentoo.org/ago/2017/02/01/podofo-null-pointer-dereference-in-podofopdfparserreadxrefsubsection-pdfparser-cpp


podofo: NULL pointer dereference in PdfInfo::GuessFormat (pdfinfo.cpp)

Description:
podofo is a C++ library to work with the PDF file format.

A fuzz on it discovered a NULL pointer access. The upstream project does not allow me to open a new ticket, so I’m unable to communicate with them.

The complete ASan output:

# podofopdfinfo $FILE
==24654==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000005149a7 bp 0x7ffe59e91e70 sp 0x7ffe59e91d80 T0)
==24654==The signal is caused by a READ memory access.
==24654==Hint: address points to the zero page.
    #0 0x5149a6 in PdfInfo::GuessFormat() /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/tools/podofopdfinfo/pdfinfo.cpp:210:19
    #1 0x512351 in PdfInfo::OutputDocumentInfo(std::ostream&) /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/tools/podofopdfinfo/pdfinfo.cpp:40:35
    #2 0x522132 in main /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/tools/podofopdfinfo/podofopdfinfo.cpp:117:18
    #3 0x7fcaaf4b861f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #4 0x41e8f8 in _start (/usr/bin/podofopdfinfo+0x41e8f8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/tools/podofopdfinfo/pdfinfo.cpp:210:19 in PdfInfo::GuessFormat()
==24654==ABORTING

Affected version:
0.9.4

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Reproducer:
https://github.com/asarubbo/poc/blob/master/00133-podofo-nullptr-pdfinfo-cpp

Timeline:
2017-01-05: bug discovered
2017-02-01: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

Permalink:
https://blogs.gentoo.org/ago/2017/02/01/podofo-null-pointer-dereference-in-pdfinfoguessformat-pdfinfo-cpp


pax-utils: scanelf: out of bounds read in scanelf_file_get_symtabs (scanelf.c)

Description:
pax-utils is a set of tools that check files for security relevant properties.

A fuzz on scanelf exposed an out-of-bounds read. It was reported to vapier, who fixed the issue immediately.
Unfortunately I can’t get a symbolized ASan stacktrace, so I will show only the useful part of both ASan and gdb.

# scanelf -s '*' -axetrnibSDIYZB $FILE
==32758==ERROR: AddressSanitizer: unknown-crash on address 0x7f8f9fa252dc at pc 0x00000053c6a0 bp 0x7ffe93a19910 sp 0x7ffe93a19908
READ of size 4 at 0x7f8f9fa252dc thread T0
   #0 0x53c69f  (/usr/bin/scanelf+0x53c69f)
   #1 0x51d649  (/usr/bin/scanelf+0x51d649)
   #2 0x51b97e  (/usr/bin/scanelf+0x51b97e)
   #3 0x51ad43  (/usr/bin/scanelf+0x51ad43)
   #4 0x51922e  (/usr/bin/scanelf+0x51922e)
   #5 0x7f8f9e7fd61f  (/lib64/libc.so.6+0x2061f)
   #6 0x41a008  (/usr/bin/scanelf+0x41a008)

(gdb) bt
#8  0x000000000053c6a0 in scanelf_file_get_symtabs (elf=, sym=0x7fffffffcc00, str=0x7fffffffcc20) at scanelf.c:357
#9  0x000000000051d64a in scanelf_file_sym (elf=0x60700000de60, found_sym=) at scanelf.c:1327
#10 scanelf_elfobj (elf=) at scanelf.c:1547
#11 0x000000000051b97f in scanelf_elf (filename=0x7fffffffe50e "1.crashes", fd=, len=) at scanelf.c:1612
#12 scanelf_fileat (dir_fd=, filename=, st_cache=) at scanelf.c:1679
#13 0x000000000051ad44 in scanelf_dirat (dir_fd=, path=) at scanelf.c:1713
#14 0x000000000051922f in scanelf_dir (path=) at scanelf.c:1763
#15 parseargs (argc=5, argv=0x7fffffffe258) at scanelf.c:2273
#16 main (argc=5, argv=) at scanelf.c:2361

Affected version:
1.2

Fixed version:
1.2.1

Commit fix:
https://github.com/gentoo/pax-utils/commit/95e5489534ac9e9324c5096286899b688e19ae00

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Reproducer:
https://github.com/asarubbo/poc/blob/master/00131-pax-utils-scanelf-oobread-scanelf_file_get_symtabs

Timeline:
2017-01-23: bug discovered and reported to upstream
2017-01-24: upstream released a patch and 1.2.1
2017-02-01: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.
I’d suggest going to 1.2.2 because of functionality bug(s) in 1.2.1.

Permalink:
https://blogs.gentoo.org/ago/2017/02/01/pax-utils-scanelf-out-of-bounds-read-in-scanelf_file_get_symtabs-scanelf-c
