
stack out of bounds read in function iterate_rc4 #147

Closed
@hannob

Description


The attached file will cause an out of bounds read in qpdf, detectable with address sanitizer.
qpdf-stack-oob-iterate_rc4.zip

==16591==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffee632f740 at pc 0x00000075ee62 bp 0x7ffee632f390 sp 0x7ffee632f388
READ of size 1 at 0x7ffee632f740 thread T0
    #0 0x75ee61 in iterate_rc4(unsigned char*, int, unsigned char*, int, int, bool) /f/qpdf/qpdf/libqpdf/QPDF_encryption.cc:211:15
    #1 0x731971 in check_owner_password_V4(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, QPDF::EncryptionData const&) /f/qpdf/qpdf/libqpdf/QPDF_encryption.cc:594:5
    #2 0x731971 in check_owner_password(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, QPDF::EncryptionData const&) /f/qpdf/qpdf/libqpdf/QPDF_encryption.cc:628
    #3 0x731971 in QPDF::initializeEncryption() /f/qpdf/qpdf/libqpdf/QPDF_encryption.cc:1014
    #4 0x568e6c in QPDF::parse(char const*) /f/qpdf/qpdf/libqpdf/QPDF.cc:343:5
    #5 0x565e1a in QPDF::processFile(char const*, char const*) /f/qpdf/qpdf/libqpdf/QPDF.cc:141:5
    #6 0x51853d in main /f/qpdf/qpdf/qpdf/qpdf.cc:2300:17
    #7 0x7f95a13f14f0 in __libc_start_main (/lib64/libc.so.6+0x204f0)
    #8 0x41d459 in _start (/f/qpdf/qpdf/qpdf/build/qpdf+0x41d459)

Address 0x7ffee632f740 is located in stack of thread T0 at offset 320 in frame
    #0 0x7273cf in QPDF::initializeEncryption() /f/qpdf/qpdf/libqpdf/QPDF_encryption.cc:785

  This frame has 146 object(s):
    [32, 40) '__dnew.i.i.i.i3390'
    [64, 72) '__dnew.i.i.i.i3372'
    [96, 97) 'disregard.i.i'
    [112, 120) '__dnew.i.i.i.i3318'
    [144, 176) 'u_value.i.i'
    [208, 240) 'u_value.i.i.i.i'
    [272, 280) '__dnew.i.i.i.i.i.i'
    [304, 320) 'key.i.i' <== Memory access at offset 320 overflows this variable
    [336, 368) 'O_data.i.i'
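The report shows a 1-byte read exactly at the end of the 16-byte `key.i.i` buffer inside `iterate_rc4`, reached from the owner-password check. The following is an added example, not qpdf's code: a bounds-checked form of the PDF owner-password key-iteration step (XOR every key byte with the pass counter, then RC4) that rejects a key length larger than its buffer. That the overrun comes from an unchecked key length is an assumption drawn from the trace, and all names and sample values here are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define KEY_BUF_LEN 16  /* size of 'key.i.i' in the ASan frame listing */
/* Minimal RC4 (KSA + PRGA), encrypting/decrypting data in place. */
static void rc4(const uint8_t *key, size_t key_len, uint8_t *data, size_t data_len)
{
    uint8_t s[256], t;
    for (size_t i = 0; i < 256; i++) s[i] = (uint8_t)i;
    for (size_t i = 0, j = 0; i < 256; i++) {
        j = (j + s[i] + key[i % key_len]) & 0xff;
        t = s[i]; s[i] = s[j]; s[j] = t;
    }
    for (size_t k = 0, i = 0, j = 0; k < data_len; k++) {
        i = (i + 1) & 0xff;
        j = (j + s[i]) & 0xff;
        t = s[i]; s[i] = s[j]; s[j] = t;
        data[k] ^= s[(s[i] + s[j]) & 0xff];
    }
}
/* Iterated RC4 as PDF owner-password checking uses it: on pass i every key
 * byte is XORed with i (iterations-1-i when reversing) before the RC4 pass.
 * Returns 0 on success, -1 if key_len would read past the 16-byte buffer.
 * Assumed signature modelled on the one in the trace; not qpdf's code. */
int iterate_rc4_checked(uint8_t *data, size_t data_len, const uint8_t *okey,
                        size_t key_len, int iterations, int reverse)
{
    uint8_t key[KEY_BUF_LEN];
    if (key_len == 0 || key_len > sizeof key)
        return -1;  /* the bound whose absence the read at offset 320 shows */
    for (int i = 0; i < iterations; i++) {
        int xor_value = reverse ? iterations - 1 - i : i;
        for (size_t j = 0; j < key_len; j++)
            key[j] = okey[j] ^ (uint8_t)xor_value;
        rc4(key, key_len, data, data_len);
    }
    memset(key, 0, sizeof key);  /* do not leave derived key bytes on the stack */
    return 0;
}
/* Constructed sample: 20 forward passes then 20 reverse passes must give the
 * plaintext back. Returns 1 on round trip, 0 on mismatch, -1 if rejected. */
int roundtrip_demo(size_t key_len)
{
    const uint8_t okey[KEY_BUF_LEN] = {1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16};
    uint8_t data[] = "constructed owner-password sample";
    uint8_t copy[sizeof data];
    memcpy(copy, data, sizeof data);
    if (iterate_rc4_checked(copy, sizeof copy, okey, key_len, 20, 0) != 0) return -1;
    if (iterate_rc4_checked(copy, sizeof copy, okey, key_len, 20, 1) != 0) return -1;
    return memcmp(copy, data, sizeof data) == 0;
}
```

Built with `-fsanitize=address`, the unchecked variant of this loop reports the same stack-buffer-overflow class as the trace above; the length check makes an oversized key an error instead of an out-of-bounds read.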
