There exists heap-buffer-overflow at podofo-0.10.0/src/podofo/main/PdfXRefStreamParserObject.cpp:180:75 in readXRefStreamEntry #69

Closed
DaisyPo opened this issue Apr 18, 2023 · 0 comments
Labels
bug Something isn't working

Comments


DaisyPo commented Apr 18, 2023

There exists heap-buffer-overflow at podofo-0.10.0/src/podofo/main/PdfXRefStreamParserObject.cpp:180:75 in readXRefStreamEntry

Environment

OS: Ubuntu 20.04.1
Release: podofo 0.10.0
Program: podofopdfinfo
To reproduce the problem, we need to build podofo with asan:
cmake -DCMAKE_CXX_COMPILER=clang++ -DCMAKE_C_COMPILER=clang -DCMAKE_C_FLAGS="-O0 -fsanitize=address -g3" -DCMAKE_CXX_FLAGS="-O0 -fsanitize=address -g3"

Command Input

./podofopdfinfo poc-file
poc-file.zip
poc-file is attached.

ASAN info

=================================================================
==4183448==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6070000000d1 at pc 0x7fa657687bfc bp 0x7ffc5513f550 sp 0x7ffc5513f548
READ of size 1 at 0x6070000000d1 thread T0
    #0 0x7fa657687bfb in PoDoFo::PdfXRefStreamParserObject::readXRefStreamEntry(PoDoFo::PdfXRefEntry&, char*, long const*) /root/target/latest/20230418/podofo-0.10.0/src/podofo/main/PdfXRefStreamParserObject.cpp:180:75
    #1 0x7fa657687485 in PoDoFo::PdfXRefStreamParserObject::parseStream(long const*, std::vector<long, std::allocator<long> > const&) /root/target/latest/20230418/podofo-0.10.0/src/podofo/main/PdfXRefStreamParserObject.cpp:130:17
    #2 0x7fa657685b59 in PoDoFo::PdfXRefStreamParserObject::ReadXRefTable() /root/target/latest/20230418/podofo-0.10.0/src/podofo/main/PdfXRefStreamParserObject.cpp:86:5
    #3 0x7fa6575b20b3 in PoDoFo::PdfParser::ReadXRefStreamContents(PoDoFo::InputStreamDevice&, unsigned long, bool) /root/target/latest/20230418/podofo-0.10.0/src/podofo/main/PdfParser.cpp:571:21
    #4 0x7fa6575ae4fc in PoDoFo::PdfParser::ReadXRefContents(PoDoFo::InputStreamDevice&, unsigned long, bool) /root/target/latest/20230418/podofo-0.10.0/src/podofo/main/PdfParser.cpp:368:13
    #5 0x7fa6575a9bfe in PoDoFo::PdfParser::ReadDocumentStructure(PoDoFo::InputStreamDevice&) /root/target/latest/20230418/podofo-0.10.0/src/podofo/main/PdfParser.cpp:139:9
    #6 0x7fa6575a89cf in PoDoFo::PdfParser::Parse(PoDoFo::InputStreamDevice&, bool) /root/target/latest/20230418/podofo-0.10.0/src/podofo/main/PdfParser.cpp:82:9
    #7 0x7fa657447b44 in PoDoFo::PdfMemDocument::loadFromDevice(std::shared_ptr<PoDoFo::InputStreamDevice> const&, std::basic_string_view<char, std::char_traits<char> > const&) /root/target/latest/20230418/podofo-0.10.0/src/podofo/main/PdfMemDocument.cpp:148:12
    #8 0x7fa657449486 in PoDoFo::PdfMemDocument::LoadFromDevice(std::shared_ptr<PoDoFo::InputStreamDevice> const&, std::basic_string_view<char, std::char_traits<char> > const&) /root/target/latest/20230418/podofo-0.10.0/src/podofo/main/PdfMemDocument.cpp:137:5
    #9 0x7fa6574490ac in PoDoFo::PdfMemDocument::Load(std::basic_string_view<char, std::char_traits<char> > const&, std::basic_string_view<char, std::char_traits<char> > const&) /root/target/latest/20230418/podofo-0.10.0/src/podofo/main/PdfMemDocument.cpp:119:5
    #10 0x513ac7 in PdfInfoHelper::PdfInfoHelper(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /root/target/latest/20230418/podofo-0.10.0/tools/podofopdfinfo/pdfinfo.cpp:16:12
    #11 0x512368 in main /root/target/latest/20230418/podofo-0.10.0/tools/podofopdfinfo/podofopdfinfo.cpp:94:23
    #12 0x7fa656196082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
    #13 0x46711d in _start (/root/target/latest/20230418/podofo-0.10.0/target/podofopdfinfo+0x46711d)

0x6070000000d1 is located 0 bytes to the right of 65-byte region [0x607000000090,0x6070000000d1)
allocated by thread T0 here:
    #0 0x50efed in operator new(unsigned long) /root/llvm-project-llvmorg-10.0.1/compiler-rt/lib/asan/asan_new_delete.cpp:99:3
    #1 0x7fa65664635d in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_mutate(unsigned long, unsigned long, char const*, unsigned long) (/lib/x86_64-linux-gnu/libstdc++.so.6+0x14335d)

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/target/latest/20230418/podofo-0.10.0/src/podofo/main/PdfXRefStreamParserObject.cpp:180:75 in PoDoFo::PdfXRefStreamParserObject::readXRefStreamEntry(PoDoFo::PdfXRefEntry&, char*, long const*)
Shadow bytes around the buggy address:
  0x0c0e7fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c0e7fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c0e7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c0e7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c0e7fff8000: fa fa fa fa fd fd fd fd fd fd fd fd fd fa fa fa
=>0x0c0e7fff8010: fa fa 00 00 00 00 00 00 00 00[01]fa fa fa fa fa
  0x0c0e7fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==4183448==ABORTING
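The trace above shows a one-byte read exactly at the end of a 65-byte heap buffer while decoding cross-reference stream entries. The following is an added example, not PoDoFo's code and not the fix in 535a786: a standalone decoder for PDF cross-reference stream entries (ISO 32000-1 §7.5.8, fields sized by the /W array, entry count taken from the /Index counts) that validates the dictionary's claimed entry count against the actual length of the decoded stream data before touching any byte. The struct and function names, and the 65-byte sample stream with a stray trailing byte, are constructed for illustration and are not taken from the project.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// One decoded cross-reference stream entry (illustrative type, not PoDoFo's PdfXRefEntry).
struct XRefEntry {
    uint64_t type;    // field 1: 0 = free, 1 = uncompressed object, 2 = in object stream
    uint64_t field2;  // byte offset (type 1) or object stream number (type 2)
    uint64_t field3;  // generation number (type 1) or index within object stream (type 2)
};

// Big-endian unsigned integer of `width` bytes at p; the caller guarantees bounds.
static uint64_t readBigEndian(const unsigned char* p, size_t width) {
    uint64_t v = 0;
    for (size_t i = 0; i < width; ++i)
        v = (v << 8) | p[i];
    return v;
}

// Decode `expectedCount` entries (the sum of the /Index counts claimed by the
// stream dictionary) from the decoded stream bytes using the /W widths.
// Returns false, without reading past `data`, whenever the dictionary claims
// more entries than the stream actually holds or the widths are unusable.
bool decodeXRefStream(const std::vector<unsigned char>& data,
                      const std::vector<size_t>& w,
                      size_t expectedCount,
                      std::vector<XRefEntry>& out) {
    if (w.size() != 3)
        return false;
    for (size_t width : w)
        if (width > 8)           // a field wider than 8 bytes cannot fit a uint64_t
            return false;
    const size_t entrySize = w[0] + w[1] + w[2];
    if (entrySize == 0)
        return false;
    // Single up-front check: the claimed count must fit in the data we have.
    // Dividing instead of multiplying avoids overflow in the size arithmetic.
    if (expectedCount > data.size() / entrySize)
        return false;

    out.clear();
    out.reserve(expectedCount);
    const unsigned char* p = data.data();
    for (size_t i = 0; i < expectedCount; ++i) {
        XRefEntry e;
        // A zero-width first field means "type 1" by default (ISO 32000-1 Table 17).
        e.type = w[0] ? readBigEndian(p, w[0]) : 1;
        p += w[0];
        e.field2 = readBigEndian(p, w[1]);
        p += w[1];
        e.field3 = readBigEndian(p, w[2]);
        p += w[2];
        out.push_back(e);
    }
    return true;
}

// Constructed sample: 16 complete 4-byte entries (/W [1 2 1]) plus one stray
// trailing byte, 65 bytes in total. A dictionary claiming 17 entries would make
// an unchecked decoder read one byte past the end, which is the shape of the
// ASan report above (this sample is illustrative, not the attached poc-file).
std::vector<unsigned char> sampleStream() {
    std::vector<unsigned char> d;
    for (int i = 0; i < 16; ++i) {
        d.push_back(1);                                    // type 1
        d.push_back(0);
        d.push_back(static_cast<unsigned char>(16 * i));   // offset 16*i
        d.push_back(0);                                    // generation 0
    }
    d.push_back(1);                                        // incomplete 17th entry
    return d;
}

int main() {
    std::vector<XRefEntry> entries;
    bool ok16 = decodeXRefStream(sampleStream(), {1, 2, 1}, 16, entries);
    bool ok17 = decodeXRefStream(sampleStream(), {1, 2, 1}, 17, entries);
    std::printf("16 entries: %s, 17 entries: %s\n",
                ok16 ? "decoded" : "rejected", ok17 ? "decoded" : "rejected");
    return 0;
}
```

The defensive point is that the entry count and the field widths both come from attacker-controlled dictionary values, while the only trustworthy bound is the size of the decoded stream buffer; comparing the two once before the loop is cheaper and easier to audit than a per-byte check inside the field reader.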
@DaisyPo DaisyPo changed the title There exists heap-buffer-overflow at podofo-0.10.0/src/podofo/main/PdfXRefStreamParserObject.cpp:180:75 There exists heap-buffer-overflow at podofo-0.10.0/src/podofo/main/PdfXRefStreamParserObject.cpp:180:75 in readXRefStreamEntry Apr 18, 2023
@ceztko ceztko closed this as completed in 535a786 Apr 21, 2023
@ceztko ceztko added the bug Something isn't working label Apr 25, 2023