{"id":1549,"date":"2017-03-31T17:17:34","date_gmt":"2017-03-31T15:17:34","guid":{"rendered":"http:\/\/blogs.gentoo.org\/ago\/?p=1549"},"modified":"2017-04-01T16:14:00","modified_gmt":"2017-04-01T14:14:00","slug":"podofo-four-null-pointer-dereference","status":"publish","type":"post","link":"https:\/\/blogs.gentoo.org\/ago\/2017\/03\/31\/podofo-four-null-pointer-dereference\/","title":{"rendered":"podofo: four null pointer dereference"},"content":{"rendered":"

Description<\/strong>:
\npodofo<\/a> is a C++ library to work with the PDF file format.<\/p>\n

A fuzz on it through the podofotxtextract command line tool reavealed some NULL dereferences. This post will be forwarded on the upstream mailing list.<\/p>\n

The complete ASan output:<\/p>\n

# podofotxtextract $FILE\r\n==21905==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f2e6fad8bd8 bp 0x7ffee4f96d10 sp 0x7ffee4f96ca0 T0)\r\n==21905==The signal is caused by a READ memory access.\r\n==21905==Hint: address points to the zero page.\r\n    #0 0x7f2e6fad8bd7 in PoDoFo::PdfPage::GetFromResources(PoDoFo::PdfName const&, PoDoFo::PdfName const&) \/tmp\/portage\/app-text\/podofo-0.9.5\/work\/podofo-0.9.5\/src\/doc\/PdfPage.cpp:614:20\r\n    #1 0x51dda3 in TextExtractor::ExtractText(PoDoFo::PdfMemDocument*, PoDoFo::PdfPage*) \/tmp\/portage\/app-text\/podofo-0.9.5\/work\/podofo-0.9.5\/tools\/podofotxtextract\/TextExtractor.cpp:98:47\r\n    #2 0x51d021 in TextExtractor::Init(char const*) \/tmp\/portage\/app-text\/podofo-0.9.5\/work\/podofo-0.9.5\/tools\/podofotxtextract\/TextExtractor.cpp:48:15\r\n    #3 0x539f6d in main \/tmp\/portage\/app-text\/podofo-0.9.5\/work\/podofo-0.9.5\/tools\/podofotxtextract\/podofotxtextract.cpp:52:17\r\n    #4 0x7f2e6db4e6ff in __libc_start_main \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n    #5 0x420d48 in _start (\/usr\/bin\/podofotxtextract+0x420d48)\r\n\r\nAddressSanitizer can not provide additional info.\r\nSUMMARY: AddressSanitizer: SEGV \/tmp\/portage\/app-text\/podofo-0.9.5\/work\/podofo-0.9.5\/src\/doc\/PdfPage.cpp:614:20 in PoDoFo::PdfPage::GetFromResources(PoDoFo::PdfName const&, PoDoFo::PdfName const&)\r\n<\/font><\/pre>\n
Reproducer:<\/strong>
\nhttps:\/\/github.com\/asarubbo\/poc\/blob\/master\/00250-podofo-nullptr1<\/a>
\nCVE:<\/strong>
\nCVE-2017-7380<\/p>\n
##############################################################<\/p>\n
# podofotxtextract $FILE\r\n==23885==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f44177e97b7 bp 0x7ffe130bed10 sp 0x7ffe130beca0 T0)\r\n==23885==The signal is caused by a READ memory access.\r\n==23885==Hint: address points to the zero page.\r\n    #0 0x7f44177e97b6 in PoDoFo::PdfPage::GetFromResources(PoDoFo::PdfName const&, PoDoFo::PdfName const&) \/tmp\/portage\/app-text\/podofo-0.9.5\/work\/podofo-0.9.5\/src\/doc\/PdfPage.cpp:609:23\r\n    #1 0x51dda3 in TextExtractor::ExtractText(PoDoFo::PdfMemDocument*, PoDoFo::PdfPage*) \/tmp\/portage\/app-text\/podofo-0.9.5\/work\/podofo-0.9.5\/tools\/podofotxtextract\/TextExtractor.cpp:98:47\r\n    #2 0x51d021 in TextExtractor::Init(char const*) \/tmp\/portage\/app-text\/podofo-0.9.5\/work\/podofo-0.9.5\/tools\/podofotxtextract\/TextExtractor.cpp:48:15\r\n    #3 0x539f6d in main \/tmp\/portage\/app-text\/podofo-0.9.5\/work\/podofo-0.9.5\/tools\/podofotxtextract\/podofotxtextract.cpp:52:17\r\n    #4 0x7f441585f6ff in __libc_start_main \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n    #5 0x420d48 in _start (\/usr\/bin\/podofotxtextract+0x420d48)\r\n\r\nAddressSanitizer can not provide additional info.\r\nSUMMARY: AddressSanitizer: SEGV \/tmp\/portage\/app-text\/podofo-0.9.5\/work\/podofo-0.9.5\/src\/doc\/PdfPage.cpp:609:23 in PoDoFo::PdfPage::GetFromResources(PoDoFo::PdfName const&, PoDoFo::PdfName const&)\r\n<\/font><\/pre>\n
Reproducer:<\/strong>
\nhttps:\/\/github.com\/asarubbo\/poc\/blob\/master\/00251-podofo-nullptr2<\/a>
\nCVE:<\/strong>
\nCVE-2017-7381<\/p>\n
##############################################################<\/p>\n
# podofotxtextract $FILE\r\n==20388==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f08c6a3c3de bp 0x7ffd52235bd0 sp 0x7ffd52235b20 T0)\r\n==20388==The signal is caused by a READ memory access.\r\n==20388==Hint: address points to the zero page.\r\n    #0 0x7f08c6a3c3dd in PoDoFo::PdfFontFactory::CreateFont(FT_LibraryRec_**, PoDoFo::PdfObject*) \/tmp\/portage\/app-text\/podofo-0.9.5\/work\/podofo-0.9.5\/src\/doc\/PdfFontFactory.cpp:200:88\r\n    #1 0x7f08c6a1028d in PoDoFo::PdfFontCache::GetFont(PoDoFo::PdfObject*) \/tmp\/portage\/app-text\/podofo-0.9.5\/work\/podofo-0.9.5\/src\/doc\/PdfFontCache.cpp:362:22\r\n    #2 0x51debb in TextExtractor::ExtractText(PoDoFo::PdfMemDocument*, PoDoFo::PdfPage*) \/tmp\/portage\/app-text\/podofo-0.9.5\/work\/podofo-0.9.5\/tools\/podofotxtextract\/TextExtractor.cpp:104:43\r\n    #3 0x51d021 in TextExtractor::Init(char const*) \/tmp\/portage\/app-text\/podofo-0.9.5\/work\/podofo-0.9.5\/tools\/podofotxtextract\/TextExtractor.cpp:48:15\r\n    #4 0x539f6d in main \/tmp\/portage\/app-text\/podofo-0.9.5\/work\/podofo-0.9.5\/tools\/podofotxtextract\/podofotxtextract.cpp:52:17\r\n    #5 0x7f08c4c9a6ff in __libc_start_main \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n    #6 0x420d48 in _start (\/usr\/bin\/podofotxtextract+0x420d48)\r\n\r\nAddressSanitizer can not provide additional info.\r\nSUMMARY: AddressSanitizer: SEGV \/tmp\/portage\/app-text\/podofo-0.9.5\/work\/podofo-0.9.5\/src\/doc\/PdfFontFactory.cpp:200:88 in PoDoFo::PdfFontFactory::CreateFont(FT_LibraryRec_**, PoDoFo::PdfObject*)\r\n<\/font><\/pre>\n
Reproducer:<\/strong>
\nhttps:\/\/github.com\/asarubbo\/poc\/blob\/master\/00251-podofo-nullptr3<\/a>
\nCVE:<\/strong>
\nCVE-2017-7382<\/p>\n
##############################################################<\/p>\n
# podofotxtextract $FILE\r\n==26727==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f4c23dd5e41 bp 0x7ffd6ce24bd0 sp 0x7ffd6ce24b20 T0)\r\n==26727==The signal is caused by a READ memory access.\r\n==26727==Hint: address points to the zero page.\r\n    #0 0x7f4c23dd5e40 in PoDoFo::PdfFontFactory::CreateFont(FT_LibraryRec_**, PoDoFo::PdfObject*) \/tmp\/portage\/app-text\/podofo-0.9.5\/work\/podofo-0.9.5\/src\/doc\/PdfFontFactory.cpp:195:62\r\n    #1 0x7f4c23daa28d in PoDoFo::PdfFontCache::GetFont(PoDoFo::PdfObject*) \/tmp\/portage\/app-text\/podofo-0.9.5\/work\/podofo-0.9.5\/src\/doc\/PdfFontCache.cpp:362:22\r\n    #2 0x51debb in TextExtractor::ExtractText(PoDoFo::PdfMemDocument*, PoDoFo::PdfPage*) \/tmp\/portage\/app-text\/podofo-0.9.5\/work\/podofo-0.9.5\/tools\/podofotxtextract\/TextExtractor.cpp:104:43\r\n    #3 0x51d021 in TextExtractor::Init(char const*) \/tmp\/portage\/app-text\/podofo-0.9.5\/work\/podofo-0.9.5\/tools\/podofotxtextract\/TextExtractor.cpp:48:15\r\n    #4 0x539f6d in main \/tmp\/portage\/app-text\/podofo-0.9.5\/work\/podofo-0.9.5\/tools\/podofotxtextract\/podofotxtextract.cpp:52:17\r\n    #5 0x7f4c220346ff in __libc_start_main \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n    #6 0x420d48 in _start (\/usr\/bin\/podofotxtextract+0x420d48)\r\n\r\nAddressSanitizer can not provide additional info.\r\nSUMMARY: AddressSanitizer: SEGV \/tmp\/portage\/app-text\/podofo-0.9.5\/work\/podofo-0.9.5\/src\/doc\/PdfFontFactory.cpp:195:62 in PoDoFo::PdfFontFactory::CreateFont(FT_LibraryRec_**, PoDoFo::PdfObject*)\r\n<\/font><\/pre>\n
Reproducer:<\/strong>
\nhttps:\/\/github.com\/asarubbo\/poc\/blob\/master\/00252-podofo-nullptr4<\/a>
\nCVE:<\/strong>
\nCVE-2017-7383<\/p>\n
##############################################################<\/p>\n
Affected version:<\/strong>
\n0.9.5<\/p>\n
Fixed version:<\/strong>
\nN\/A<\/p>\n
Commit fix:<\/strong>
\nN\/A<\/p>\n
Credit:<\/strong>
\nThese bugs were discovered by Agostino Sarubbo of Gentoo.<\/p>\n
Timeline:<\/strong>
\n2017-03-31: bug discovered and reported to upstream
\n2017-03-31: blog post about the issue
\n2017-03-31: CVE assigned<\/p>\n
Note:<\/strong>
\nThese bugs were found with American Fuzzy Lop<\/a>.<\/p>\n
Permalink:<\/strong><\/p>\n
podofo: four null pointer dereference<\/a><\/p><\/blockquote>\n