Bug: Buffer Overflow into Out-of-Bounds Write #8
Comments
Thanks a ton for this! I'll work on a patch.
I've fixed the issue with the overflow; however, we are dropping some type names (e.g., less descriptive, and returning "Unknown" more frequently than I expect). This doesn't concern me too much, as I don't really know if reporting type names is all that valuable to users. The fix is currently in its own branch: https://github.com/enferex/pdfresurrect/tree/carter-fix Edit: I plan on merging this into master once I get a better understanding of why we are losing more type names.
I've fixed the type name information, now we should maintain consistency with reporting names as we were in v.19, but with the added sanity check now.
This issue appears to have been assigned CVE-2020-9549.
Yep, thanks for following up with that. Master has the latest fixes.
Description
In v0.12 and newer, the function `get_type()` in `pdf.c` has the following logic:
pdfresurrect/pdf.c, lines 1299 to 1304 in e4de322
If `buf` does not contain one of the expected terminating characters (whitespace, `/`, `>`), `c` can point to an address outside `buf`, causing a `\x00` byte to be written out-of-bounds.
Example
Instead of creating a PoC, I found a benign PDF that happens to trigger this bug: http://ftpcontent.worldnow.com/wbbh/documents/Remoteattacksurfaces.pdf (sha256: 371d87d27666d1f97678cbf4eec03704f4c1e85029009ee2439690303f7dde28)
The problem occurs while parsing the following data:
Due to the reuse of `buf` between invocations of the function, `buf` will eventually contain:
This benign example causes a read to segfault, but a more carefully crafted input could cause an out-of-bounds write.
Valgrind
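The unbounded terminator scan the report describes, modelled as an added C example beside a bounded version that refuses to write when no terminator lies inside `buf`. This is a hypothetical reconstruction, not pdfresurrect's own code: `BUF_SZ`, the arena and every function name are assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Added illustration, not pdfresurrect's code: a minimal model of the
 * terminator scan the report describes. BUF_SZ, the arena and the
 * helper names are hypothetical. */
#define BUF_SZ 16
static char g_arena[32];   /* constructed: BUF_SZ "buf" + neighbouring bytes */

static int is_term(char ch)
{
    return isspace((unsigned char)ch) || ch == '/' || ch == '>';
}

/* Vulnerable shape: unbounded scan, so a buf with no terminator lets c
 * walk past the end and the '\0' store lands out of bounds. Returns the
 * offset written; anything >= BUF_SZ is an out-of-bounds write. */
ptrdiff_t unsafe_terminate(char *buf)
{
    char *c = buf;
    while (!is_term(*c))
        c++;
    *c = '\0';
    return c - buf;
}

/* Hardened shape: the scan is bounded; with no terminator inside buf the
 * caller gets -1 and nothing is written (report "Unknown" instead). */
ptrdiff_t safe_terminate(char *buf, size_t buf_sz)
{
    char *c = buf, *end = buf + buf_sz;
    while (c < end && !is_term(*c))
        c++;
    if (c == end)
        return -1;
    *c = '\0';
    return c - buf;
}

/* Scenario: buf holds 16 non-terminator bytes (as stale data from buf
 * reuse can leave it); the first terminator sits in the neighbour at 20. */
static void fill_arena(void) { memset(g_arena, 'A', sizeof g_arena); g_arena[20] = ' '; }
ptrdiff_t demo_unsafe(void) { fill_arena(); return unsafe_terminate(g_arena); }       /* 20 */
ptrdiff_t demo_safe(void)   { fill_arena(); return safe_terminate(g_arena, BUF_SZ); } /* -1 */
int neighbour_clobbered(void) { return g_arena[20] == '\0'; }
ptrdiff_t demo_ok(void) { char buf[BUF_SZ] = "Page/Foo"; return safe_terminate(buf, BUF_SZ); } /* 4 */
```

`demo_unsafe()` shows the NUL landing 4 bytes past the 16-byte `buf`; the bounded scan reports failure instead, which is the "sanity check" the maintainer's fix adds.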