There exists heap-buffer-overflow at podofo-0.10.0/src/podofo/main/PdfXRefStreamParserObject.cpp:180:75 in readXRefStreamEntry
Environment
OS: Ubuntu 20.04.1
Release: podofo 0.10.0
Program: podofopdfinfo
To reproduce the problem, we need to build podofo with asan:
cmake -S . -B build -DCMAKE_CXX_COMPILER=clang++ -DCMAKE_C_COMPILER=clang -DCMAKE_C_FLAGS="-O0 -fsanitize=address -g3" -DCMAKE_CXX_FLAGS="-O0 -fsanitize=address -g3"
cmake --build build
Command Input
./podofopdfinfo poc-file
poc-file is attached (poc-file.zip).
ASAN info
=================================================================
==4183448==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6070000000d1 at pc 0x7fa657687bfc bp 0x7ffc5513f550 sp 0x7ffc5513f548
READ of size 1 at 0x6070000000d1 thread T0
#0 0x7fa657687bfb in PoDoFo::PdfXRefStreamParserObject::readXRefStreamEntry(PoDoFo::PdfXRefEntry&, char*, long const*) /root/target/latest/20230418/podofo-0.10.0/src/podofo/main/PdfXRefStreamParserObject.cpp:180:75
#1 0x7fa657687485 in PoDoFo::PdfXRefStreamParserObject::parseStream(long const*, std::vector<long, std::allocator<long> > const&) /root/target/latest/20230418/podofo-0.10.0/src/podofo/main/PdfXRefStreamParserObject.cpp:130:17
#2 0x7fa657685b59 in PoDoFo::PdfXRefStreamParserObject::ReadXRefTable() /root/target/latest/20230418/podofo-0.10.0/src/podofo/main/PdfXRefStreamParserObject.cpp:86:5
#3 0x7fa6575b20b3 in PoDoFo::PdfParser::ReadXRefStreamContents(PoDoFo::InputStreamDevice&, unsigned long, bool) /root/target/latest/20230418/podofo-0.10.0/src/podofo/main/PdfParser.cpp:571:21
#4 0x7fa6575ae4fc in PoDoFo::PdfParser::ReadXRefContents(PoDoFo::InputStreamDevice&, unsigned long, bool) /root/target/latest/20230418/podofo-0.10.0/src/podofo/main/PdfParser.cpp:368:13
#5 0x7fa6575a9bfe in PoDoFo::PdfParser::ReadDocumentStructure(PoDoFo::InputStreamDevice&) /root/target/latest/20230418/podofo-0.10.0/src/podofo/main/PdfParser.cpp:139:9
#6 0x7fa6575a89cf in PoDoFo::PdfParser::Parse(PoDoFo::InputStreamDevice&, bool) /root/target/latest/20230418/podofo-0.10.0/src/podofo/main/PdfParser.cpp:82:9
#7 0x7fa657447b44 in PoDoFo::PdfMemDocument::loadFromDevice(std::shared_ptr<PoDoFo::InputStreamDevice> const&, std::basic_string_view<char, std::char_traits<char> > const&) /root/target/latest/20230418/podofo-0.10.0/src/podofo/main/PdfMemDocument.cpp:148:12
#8 0x7fa657449486 in PoDoFo::PdfMemDocument::LoadFromDevice(std::shared_ptr<PoDoFo::InputStreamDevice> const&, std::basic_string_view<char, std::char_traits<char> > const&) /root/target/latest/20230418/podofo-0.10.0/src/podofo/main/PdfMemDocument.cpp:137:5
#9 0x7fa6574490ac in PoDoFo::PdfMemDocument::Load(std::basic_string_view<char, std::char_traits<char> > const&, std::basic_string_view<char, std::char_traits<char> > const&) /root/target/latest/20230418/podofo-0.10.0/src/podofo/main/PdfMemDocument.cpp:119:5
#10 0x513ac7 in PdfInfoHelper::PdfInfoHelper(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /root/target/latest/20230418/podofo-0.10.0/tools/podofopdfinfo/pdfinfo.cpp:16:12
#11 0x512368 in main /root/target/latest/20230418/podofo-0.10.0/tools/podofopdfinfo/podofopdfinfo.cpp:94:23
#12 0x7fa656196082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
#13 0x46711d in _start (/root/target/latest/20230418/podofo-0.10.0/target/podofopdfinfo+0x46711d)
0x6070000000d1 is located 0 bytes to the right of 65-byte region [0x607000000090,0x6070000000d1)
allocated by thread T0 here:
#0 0x50efed in operator new(unsigned long) /root/llvm-project-llvmorg-10.0.1/compiler-rt/lib/asan/asan_new_delete.cpp:99:3
#1 0x7fa65664635d in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_mutate(unsigned long, unsigned long, char const*, unsigned long) (/lib/x86_64-linux-gnu/libstdc++.so.6+0x14335d)
SUMMARY: AddressSanitizer: heap-buffer-overflow /root/target/latest/20230418/podofo-0.10.0/src/podofo/main/PdfXRefStreamParserObject.cpp:180:75 in PoDoFo::PdfXRefStreamParserObject::readXRefStreamEntry(PoDoFo::PdfXRefEntry&, char*, long const*)
Shadow bytes around the buggy address:
0x0c0e7fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c0e7fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c0e7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c0e7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c0e7fff8000: fa fa fa fa fd fd fd fd fd fd fd fd fd fa fa fa
=>0x0c0e7fff8010: fa fa 00 00 00 00 00 00 00 00[01]fa fa fa fa fa
0x0c0e7fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0e7fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0e7fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0e7fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0e7fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==4183448==ABORTING
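The report above places the bad read at PdfXRefStreamParserObject.cpp:180 one byte past a 65-byte std::string (the allocation site is _M_mutate), i.e. the entry reader walked off the end of the decoded cross-reference stream. As an added example that is not PoDoFo's code, the following C++ shows the check a cross-reference stream reader needs before it touches the buffer: the /W widths and the /Index subsections promise a number of bytes, and that promise is verified against the bytes actually present. The function names, the struct layout and the sample stream bytes are constructed for this illustration; the field semantics follow ISO 32000-1 section 7.5.8.

```cpp
// Added example, not PoDoFo's code: a bounds-checked reader for PDF
// cross-reference stream entries (ISO 32000-1, section 7.5.8). Function
// names and the sample bytes below are constructed for this illustration.
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <string>
#include <vector>

struct XRefEntry {
    uint64_t objectNumber;  // assigned from the /Index subsections
    uint64_t type;          // field 1: 0 = free, 1 = in use, 2 = in an object stream
    uint64_t field2;        // field 2: byte offset, or number of the object stream
    uint64_t field3;        // field 3: generation, or index inside the object stream
};

struct XRefSubsection { uint64_t first; uint64_t count; };  // one pair from /Index

// Big-endian unsigned integer of `width` bytes; the caller has checked bounds.
static uint64_t readField(const unsigned char* p, size_t width) {
    uint64_t v = 0;
    for (size_t i = 0; i < width; ++i) v = (v << 8) | p[i];
    return v;
}

// `decoded` is the stream data after filters, `w` the /W array, `index` the
// /Index array as (first, count) pairs. Every length the dictionary promises
// is checked against the bytes actually present before any read happens.
std::vector<XRefEntry> parseXRefStream(const std::string& decoded,
                                       const std::vector<size_t>& w,
                                       const std::vector<XRefSubsection>& index) {
    if (w.size() != 3) throw std::invalid_argument("/W must have exactly 3 widths");
    for (size_t width : w)
        if (width > 8) throw std::invalid_argument("/W width larger than 8 bytes");
    const size_t entryLen = w[0] + w[1] + w[2];
    if (entryLen == 0) throw std::invalid_argument("/W describes an empty entry");

    uint64_t promised = 0;  // entries the /Index array claims are present
    for (const XRefSubsection& s : index) {
        if (s.count > UINT64_MAX - promised) throw std::runtime_error("/Index count overflow");
        promised += s.count;
    }
    // The check that stops a heap read past the end of the buffer. A division
    // is used so that promised * entryLen cannot itself overflow.
    if (promised > decoded.size() / entryLen)
        throw std::runtime_error("xref stream is shorter than /Index and /W require");

    std::vector<XRefEntry> out;
    out.reserve(static_cast<size_t>(promised));
    const unsigned char* p = reinterpret_cast<const unsigned char*>(decoded.data());
    for (const XRefSubsection& s : index) {
        for (uint64_t i = 0; i < s.count; ++i) {
            XRefEntry e;
            e.objectNumber = s.first + i;
            e.type   = w[0] ? readField(p, w[0]) : 1;  // a missing type field defaults to 1
            e.field2 = readField(p + w[0], w[1]);
            e.field3 = readField(p + w[0] + w[1], w[2]);
            out.push_back(e);
            p += entryLen;
        }
    }
    return out;
}

// Constructed sample stream for /W [1 2 1] and /Index [0 3]:
//   00 0000 ff  object 0: free, next free object 0, generation 255
//   01 000f 00  object 1: in use at byte offset 15, generation 0
//   02 0002 05  object 2: stored in object stream 2 at index 5
static const unsigned char kSampleBytes[] = {
    0x00, 0x00, 0x00, 0xff,
    0x01, 0x00, 0x0f, 0x00,
    0x02, 0x00, 0x02, 0x05,
};
static const std::vector<size_t> kSampleW = {1, 2, 1};
static const std::vector<XRefSubsection> kSampleIndex = {XRefSubsection{0, 3}};

std::vector<XRefEntry> parseSample() {
    std::string decoded(reinterpret_cast<const char*>(kSampleBytes), sizeof kSampleBytes);
    return parseXRefStream(decoded, kSampleW, kSampleIndex);
}

// The same dictionary over a stream that is one byte short: an unchecked
// reader would read past the allocation here; this one refuses up front.
bool truncatedSampleIsRejected() {
    std::string truncated(reinterpret_cast<const char*>(kSampleBytes), sizeof kSampleBytes - 1);
    try {
        parseXRefStream(truncated, kSampleW, kSampleIndex);
        return false;
    } catch (const std::runtime_error&) {
        return true;
    }
}
```

The design point is that the loop bound comes from the buffer, not from the dictionary: /W, /Index and /Size are all attacker-controlled, so a parser that sizes its reads from them alone will run past a short stream exactly as the ASan report above shows.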
DaisyPo changed the title from "There exists heap-buffer-overflow at podofo-0.10.0/src/podofo/main/PdfXRefStreamParserObject.cpp:180:75" to "There exists heap-buffer-overflow at podofo-0.10.0/src/podofo/main/PdfXRefStreamParserObject.cpp:180:75 in readXRefStreamEntry" on Apr 18, 2023
It's not clear if this issue is present in 0.9.x - the method fixed in 0.10.0 is PdfXRefStreamParserObject::parseStream, but the method code is very different from the code for PdfXRefStreamParserObject::parseStream in 0.9.8 - it looks like the method was refactored in 0.10.0.
I've not been able to get the PoC to trigger an ASAN violation in 0.9.8.