A vulnerability in PDFgen (CVE-2018-11363)

There is a vulnerability in PDFgen (git repository: https://github.com/AndreRenaud/PDFGen, commit 206ef1b on Apr 4, 2018).

git log

commit 206ef1b560efed48aabcb9374ea0e6e832b59f7e
Author: Andre Renaud <arenaud@designa-electronics.com>
Date:   Wed Apr 4 08:59:06 2018 +1200

I set up a driver to fuzz the PDFgen library, and a crash was triggered due to a heap-buffer-overflow. The driver is:

#include "pdfgen.h"
#include <stdio.h>

/* Fuzzing harness: argv[1] is the path of the JPEG file under test. */
int main(int argc, char *argv[])
{
    if (argc != 2) {
        return 0;
    }
    // printf("%s\n",argv[1]);
    struct pdf_info info = {.creator = "1",
                            .producer = "2",
                            .title = "3",
                            .author = "4",
                            .subject = "5",
                            .date = "6"};
    struct pdf_doc *pdf = pdf_create(PDF_A4_WIDTH, PDF_A4_HEIGHT, &info);
    pdf_append_page(pdf);
    /* Embed the (attacker-controlled) JPEG file; this is where jpeg_size() is reached. */
    pdf_add_jpeg(pdf, NULL, 100, 500, 50, 150, argv[1]);
    pdf_save(pdf, "fuzz.pdf");
    pdf_destroy(pdf);
    return 0;
}

And compile it as follows (Makefile):

CC=afl-clang-fast
CFLAGS=-g -Wall -pipe --std=c1x -O3 -pedantic -Wsuggest-attribute=const -Wsuggest-attribute=format -Wclobbered -Wempty-body -Wignored-qualifiers -Wmissing-field-initializers -Wold-style-declaration -Wmissing-parameter-type -Woverride-init -Wtype-limits -Wuninitialized -Wunused-but-set-parameter -fprofile-arcs -ftest-coverage -fsanitize=leak,address
LFLAGS=-fprofile-arcs -ftest-coverage -fsanitize=leak,address


default: testpdf

testpdf: testpdf.o pdfgen.o
    $(CC) -o testpdf pdfgen.o testpdf.o $(LFLAGS)
%.o: %.c Makefile
    $(CC) -c -o $@ $< $(CFLAGS)

When the test case (see: https://github.com/ChijinZ/security_advisories/blob/master/PDFgen-206ef1b/crash.jpg) was given as input (command: ./testpdf testfile), a crash was triggered.

It seems that the code reads memory past the end of the `data` array at pdfgen.c:2015, inside jpeg_size():

if (i + 3 < data_size && data[i] == 0xFF && data[i+1] == 0xD8 &&
            data[i+2] == 0xFF && data[i+3] == 0xE0)

AddressSanitizer provided information as below:

==5926==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000000b6 at pc 0x000000528b63 bp 0x7ffeb9450530 sp 0x7ffeb9450528
READ of size 1 at 0x6020000000b6 thread T0
    #0 0x528b62 in jpeg_size path/to/PDFGen/pdfgen.c:2015:12
    #1 0x528b62 in pdf_add_raw_jpeg path/to/PDFGen/pdfgen.c:2079
    #2 0x528b62 in pdf_add_jpeg path/to/PDFGen/pdfgen.c:2208
    #3 0x52b59c in main path/to/PDFGen/testpdf.c:17:5
    #4 0x7f568074f82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #5 0x41a418 in _start (path/to/PDFGen/testpdf+0x41a418)
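The root cause class here is a JPEG header parser that indexes into the file buffer without checking every offset against the buffer length, so a truncated or malformed JPEG (such as the crash.jpg test case) makes jpeg_size() read past the end of the heap allocation. The following is an added example, not PDFGen's own jpeg_size() nor the project's fix: a hypothetical bounds-checked parser (`jpeg_size_checked`) that walks the marker segments until it finds a SOF0/SOF2 frame header and refuses any input where a read would fall outside `data_size`. It generalizes slightly beyond the snippet above, which only recognizes a JFIF APP0 segment directly after SOI, by accepting any sequence of length-prefixed segments. The JPEG header bytes are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical bounds-checked JPEG dimension parser (not PDFGen's code).
 * Every index is compared against data_size before the byte is read, so a
 * truncated or malformed file returns -1 instead of reading out of bounds.
 * Returns 0 and fills *width/*height on success, -1 otherwise. */
static int jpeg_size_checked(const unsigned char *data, size_t data_size,
                             int *width, int *height)
{
    size_t i;

    if (!data || !width || !height)
        return -1;
    /* SOI marker: FF D8 */
    if (data_size < 2 || data[0] != 0xFF || data[1] != 0xD8)
        return -1;
    i = 2;
    /* Each segment is FF <marker> <len_hi> <len_lo> ...; the 16-bit length
     * counts itself but not the two marker bytes. The loop condition
     * guarantees data[i..i+3] are readable. */
    while (i + 4 <= data_size) {
        unsigned char marker;
        uint16_t seg_len;

        if (data[i] != 0xFF)
            return -1;
        marker = data[i + 1];
        if (marker == 0xFF) {       /* fill byte, skip it */
            i++;
            continue;
        }
        seg_len = (uint16_t)((data[i + 2] << 8) | data[i + 3]);
        if (seg_len < 2)            /* length must at least cover itself */
            return -1;
        if (marker == 0xC0 || marker == 0xC2) {   /* SOF0 baseline / SOF2 progressive */
            /* payload: precision(1) height(2) width(2) ncomp(1) -> bytes i+4..i+8 */
            if (seg_len < 8 || i + 9 > data_size)
                return -1;
            *height = (data[i + 5] << 8) | data[i + 6];
            *width  = (data[i + 7] << 8) | data[i + 8];
            return 0;
        }
        if (marker == 0xDA || marker == 0xD9)     /* SOS or EOI before any SOF */
            return -1;
        /* Advance to the next segment; i + 2 <= data_size holds here, so no underflow. */
        if (seg_len > data_size - (i + 2))
            return -1;
        i += 2 + seg_len;
    }
    return -1;  /* ran out of data without finding a frame header */
}

/* Convenience wrappers so results can be checked as plain return values. */
static int checked_width(const unsigned char *data, size_t n)
{
    int w, h;
    return jpeg_size_checked(data, n, &w, &h) == 0 ? w : -1;
}

static int checked_height(const unsigned char *data, size_t n)
{
    int w, h;
    return jpeg_size_checked(data, n, &w, &h) == 0 ? h : -1;
}

/* Constructed 33-byte JPEG header: SOI, a 16-byte JFIF APP0 segment, then an
 * SOF0 segment declaring a 48x32 image with one component. */
static const unsigned char kSampleJpegHeader[] = {
    0xFF, 0xD8,                                     /* SOI */
    0xFF, 0xE0, 0x00, 0x10, 'J', 'F', 'I', 'F', 0x00,
    0x01, 0x01, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, /* APP0, len 16 */
    0xFF, 0xC0, 0x00, 0x0B, 0x08, 0x00, 0x20, 0x00, 0x30,
    0x01, 0x01, 0x11, 0x00                          /* SOF0: h=32, w=48 */
};

int main(void)
{
    size_t full = sizeof(kSampleJpegHeader);
    printf("full header: %dx%d\n", checked_width(kSampleJpegHeader, full),
           checked_height(kSampleJpegHeader, full));
    /* Truncate inside the SOF0 height field: the checked parser returns -1
     * instead of reading bytes that are not there. */
    printf("truncated (26 bytes): width=%d\n", checked_width(kSampleJpegHeader, 26));
    printf("truncated (22 bytes): width=%d\n", checked_width(kSampleJpegHeader, 22));
    return 0;
}
```

The design point is that each read is guarded by a check on the exact index it uses (`i + 4 <= data_size` for the marker and length, `i + 9 > data_size` for the SOF payload) rather than a single check at the top of the function; the `seg_len > data_size - (i + 2)` test also stops an attacker-chosen segment length from pushing `i` past the buffer.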