Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Heap-use-after-free in podofo 0.10.0(main/PdfEncrypt.h:352:47 in PoDoFo::PdfEncrypt::IsMetadataEncrypted()) #70

Open
longuu9 opened this issue Apr 25, 2023 · 1 comment
Labels
bug Something isn't working patch welcome A patch for this issue is welcome

Comments

@longuu9
Copy link

longuu9 commented Apr 25, 2023

We found a heap-use-after-free in podofo 0.10.0(main/PdfEncrypt.h:352:47 in PoDoFo::PdfEncrypt::IsMetadataEncrypted()).

Command Input

podofoencrypt -rc4v2 -u 1232321 -o 24 poc_file /dev/null

poc_file are attached.

Sanitizer Dump

==3903368==ERROR: AddressSanitizer: heap-use-after-free on address 0x613000000300 at pc 0x00000071995b bp 0x7ffffefd2300 sp 0x7ffffefd22f8
READ of size 1 at 0x613000000300 thread T0
    #0 0x71995a in PoDoFo::PdfEncrypt::IsMetadataEncrypted() const /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfEncrypt.h:352:47
    #1 0x717ec2 in PoDoFo::PdfParserObject::parseStream() /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfParserObject.cpp:219:45
    #2 0x716a06 in PoDoFo::PdfParserObject::DelayedLoadStreamImpl() /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfParserObject.cpp:90:13
    #3 0x69c223 in PoDoFo::PdfObject::delayedLoadStream() const /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfObject.cpp:359:35
    #4 0x699211 in PoDoFo::PdfObject::DelayedLoadStream() const /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfObject.cpp:351:5
    #5 0x69a130 in PoDoFo::PdfObject::Write(PoDoFo::OutputStream&, PoDoFo::PdfWriteFlags, PoDoFo::PdfEncrypt const*, PoDoFo::charbuff_t<void>&) const /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfObject.cpp:212:5
    #6 0x756b85 in PoDoFo::PdfWriter::WritePdfObjects(PoDoFo::OutputStreamDevice&, PoDoFo::PdfIndirectObjectList const&, PoDoFo::PdfXRef&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfWriter.cpp:175:18
    #7 0x753a27 in PoDoFo::PdfWriter::Write(PoDoFo::OutputStreamDevice&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfWriter.cpp:97:9
    #8 0x67467b in PoDoFo::PdfMemDocument::Save(PoDoFo::OutputStreamDevice&, PoDoFo::PdfSaveOptions) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfMemDocument.cpp:249:16
    #9 0x67426f in PoDoFo::PdfMemDocument::Save(std::basic_string_view<char, std::char_traits<char> > const&, PoDoFo::PdfSaveOptions) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfMemDocument.cpp:233:11
    #10 0x4dfe62 in encrypt(std::basic_string_view<char, std::char_traits<char> > const&, std::basic_string_view<char, std::char_traits<char> > const&, std::basic_string_view<char, std::char_traits<char> > const&, std::basic_string_view<char, std::char_traits<char> > const&, PoDoFo::PdfEncryptAlgorithm, PoDoFo::PdfPermissions) /root/target/Invariants/podofo-0.10.0/tools/podofoencrypt/podofoencrypt.cpp:49:9
    #11 0x4e1112 in main /root/target/Invariants/podofo-0.10.0/tools/podofoencrypt/podofoencrypt.cpp:200:9
    #12 0x7f70c1549082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #13 0x430f6d in _start (/root/target/Invariants/podofo-0.10.0/build_clang/target/podofoencrypt+0x430f6d)

0x613000000300 is located 256 bytes inside of 352-byte region [0x613000000200,0x613000000360)
freed by thread T0 here:
    #0 0x4ddb3d in operator delete(void*) /root/test/fuzzing_python/llvm-project-llvmorg-12.0.0/compiler-rt/lib/asan/asan_new_delete.cpp:160:3
    #1 0x5c0821 in PoDoFo::PdfEncryptAESV3::~PdfEncryptAESV3() /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfEncrypt.h:623:7
    #2 0x4e1cd6 in std::default_delete<PoDoFo::PdfEncrypt>::operator()(PoDoFo::PdfEncrypt*) const /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:81:2
    #3 0x6778a7 in std::unique_ptr<PoDoFo::PdfEncrypt, std::default_delete<PoDoFo::PdfEncrypt> >::reset(PoDoFo::PdfEncrypt*) /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:402:4
    #4 0x6768ec in std::unique_ptr<PoDoFo::PdfEncrypt, std::default_delete<PoDoFo::PdfEncrypt> >::operator=(std::unique_ptr<PoDoFo::PdfEncrypt, std::default_delete<PoDoFo::PdfEncrypt> >&&) /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:307:2
    #5 0x675e46 in PoDoFo::PdfMemDocument::SetEncrypted(std::basic_string_view<char, std::char_traits<char> > const&, std::basic_string_view<char, std::char_traits<char> > const&, PoDoFo::PdfPermissions, PoDoFo::PdfEncryptAlgorithm, PoDoFo::PdfKeyLength) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfMemDocument.cpp:321:15
    #6 0x4dfe4b in encrypt(std::basic_string_view<char, std::char_traits<char> > const&, std::basic_string_view<char, std::char_traits<char> > const&, std::basic_string_view<char, std::char_traits<char> > const&, std::basic_string_view<char, std::char_traits<char> > const&, PoDoFo::PdfEncryptAlgorithm, PoDoFo::PdfPermissions) /root/target/Invariants/podofo-0.10.0/tools/podofoencrypt/podofoencrypt.cpp:48:9
    #7 0x4e1112 in main /root/target/Invariants/podofo-0.10.0/tools/podofoencrypt/podofoencrypt.cpp:200:9
    #8 0x7f70c1549082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16

previously allocated by thread T0 here:
    #0 0x4dd2dd in operator new(unsigned long) /root/test/fuzzing_python/llvm-project-llvmorg-12.0.0/compiler-rt/lib/asan/asan_new_delete.cpp:99:3
    #1 0x5a387f in PoDoFo::PdfEncrypt::CreateFromObject(PoDoFo::PdfObject const&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfEncrypt.cpp:586:43
    #2 0x6f2e88 in PoDoFo::PdfParser::ReadObjects(PoDoFo::InputStreamDevice&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfParser.cpp:631:29
    #3 0x6f09f3 in PoDoFo::PdfParser::Parse(PoDoFo::InputStreamDevice&, bool) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfParser.cpp:83:9
    #4 0x67071e in PoDoFo::PdfMemDocument::loadFromDevice(std::shared_ptr<PoDoFo::InputStreamDevice> const&, std::basic_string_view<char, std::char_traits<char> > const&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfMemDocument.cpp:148:12
    #5 0x671fcd in PoDoFo::PdfMemDocument::LoadFromDevice(std::shared_ptr<PoDoFo::InputStreamDevice> const&, std::basic_string_view<char, std::char_traits<char> > const&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfMemDocument.cpp:137:5
    #6 0x671bdb in PoDoFo::PdfMemDocument::Load(std::basic_string_view<char, std::char_traits<char> > const&, std::basic_string_view<char, std::char_traits<char> > const&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfMemDocument.cpp:119:5
    #7 0x4dfd57 in encrypt(std::basic_string_view<char, std::char_traits<char> > const&, std::basic_string_view<char, std::char_traits<char> > const&, std::basic_string_view<char, std::char_traits<char> > const&, std::basic_string_view<char, std::char_traits<char> > const&, PoDoFo::PdfEncryptAlgorithm, PoDoFo::PdfPermissions) /root/target/Invariants/podofo-0.10.0/tools/podofoencrypt/podofoencrypt.cpp:19:9
    #8 0x4e1112 in main /root/target/Invariants/podofo-0.10.0/tools/podofoencrypt/podofoencrypt.cpp:200:9
    #9 0x7f70c1549082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-use-after-free /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfEncrypt.h:352:47 in PoDoFo::PdfEncrypt::IsMetadataEncrypted() const
Shadow bytes around the buggy address:
  0x0c267fff8010: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c267fff8020: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c267fff8030: fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff8040: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c267fff8050: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c267fff8060:[fd]fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c267fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==3903368==ABORTING

Environment

  • OS: Ubuntu 20.04.1
  • clang:12.0.0
  • podofo:0.10.0

we built podofo with AddressSanitizer (ASAN) .

cmake -DCMAKE_CXX_COMPILER=clang++ -DCMAKE_C_COMPILER=clang -DCMAKE_C_FLAGS="-O0 -fsanitize=address" -DCMAKE_CXX_FLAGS="-O0 -fsanitize=address"

poc_file.zip

@ceztko
Copy link
Contributor

ceztko commented Apr 25, 2023

Than you for supplying fuzzing tests. Unfortunately I currently don't have much time to look at all of these, so the fix for encryption tests are delayed until I have more time to dig into them. Since there's no warranty, you're also welcome to supply your own patches.

@ceztko ceztko added bug Something isn't working patch welcome A patch for this issue is welcome labels Apr 25, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working patch welcome A patch for this issue is welcome
Projects
None yet
Development

No branches or pull requests

2 participants