heap-buffer-overflow in QPDF::processXRefStream found by ASAN
#701
Comments
8.4.2 is very old. Does this happen with 10.6.3 or, better yet, with the tip of main?

I cannot reproduce the issue with the latest qpdf main branch, nor with 10.6.3 or 10.3.2 (qpdf versions in stable Fedoras). My compilation/testing steps:

Versions 10.6.3 and 10.3.2:

Current main branch:

Output for the current main:

Thank you all for the investigation and analysis. Feel free to close the issue if you think the vulnerability has been fixed.

Thanks, all, for helping out. I'll go ahead and close.
Hi, I have found a heap-buffer-overflow in QPDF 8.4.2 using ASAN, which has not been reported yet. But after d71f05c, the heap-buffer-overflow seems to disappear. I don't know exactly how the commit mitigates the problem, since it was intended to fix sign and conversion warnings.

To reproduce, compile QPDF with address sanitizer.

Download the testcase HeapBOF-processXRefStream.zip

`qpdf ./HeapBOF-processXRefStream` - Then after some warnings, ASAN should complain about a heap-buffer-overflow.

I find https://github.com/qpdf/qpdf/blob/release-qpdf-8.4.2/libqpdf/QPDF.cc#L1111-L1134 responsible for this heap-buffer-overflow.

After reading and debugging this code, I try to explain the reason below.

`data` points to a piece of previously allocated buf with a size of 38, which equals `actual_size`. `expected_size = entry_size * num_entries = 5 * 7 = 35`, and `expected_size < actual_size` only produces a warning and will not throw an exception. In each iteration of the first loop, `entry += entry_size`, then `p = entry`. The second loop iterates `j` in range(0, 3), and the innermost loop then advances `p` by `W[j]`; the final read exceeds the size of 38, triggering the heap-buffer-overflow.
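The thread does not establish why the reads in 8.4.2 ran beyond the 38-byte buffer, but the defensive property a parser wants is independent of that: decoding of a cross-reference stream should be driven by the buffer's real length, not by an `expected_size` derived from untrusted `/W` and `/Size` values. The example below is added here and is not qpdf's code; `XrefEntry`, `ParseResult`, `ByteCursor`, `parseXrefStream`, `makeSampleData` and `rejects` are names chosen for this illustration, and the sample bytes are constructed to mirror the report's numbers (`/W [1 2 2]`, so `entry_size` 5, 7 entries, 38 bytes of data). The entry layout follows the PDF cross-reference stream format; a too-short buffer is treated as fatal, a too-long one is tolerated with a flag, and every byte read goes through a bounds-checked cursor so no combination of widths and counts can overrun.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <vector>

// One decoded cross-reference stream entry (PDF 1.7, 7.5.8.3): type, field 2, field 3.
struct XrefEntry {
    uint64_t type;
    uint64_t field2;
    uint64_t field3;
};

struct ParseResult {
    std::vector<XrefEntry> entries;
    bool size_mismatch;  // expected_size != actual_size: reported, not fatal, as in the issue
};

// Bounds-checked cursor: every read is validated against the buffer's real length, so a
// wrong expected_size or a malformed /W array can never move a read past the end.
class ByteCursor {
public:
    explicit ByteCursor(const std::vector<unsigned char>& buf) : buf_(buf), pos_(0) {}

    // Read `width` bytes as a big-endian unsigned integer; throws instead of overrunning.
    uint64_t readBigEndian(std::size_t width) {
        if (width > buf_.size() - pos_) {
            throw std::runtime_error("xref stream: field extends past end of stream data");
        }
        uint64_t value = 0;
        for (std::size_t k = 0; k < width; ++k) {
            value = (value << 8) | buf_[pos_++];
        }
        return value;
    }

private:
    const std::vector<unsigned char>& buf_;
    std::size_t pos_;
};

// Validate /W, derive entry_size, compare it with the actual buffer length, then decode.
// Throws on any inconsistency that would otherwise require reading beyond `data`.
ParseResult parseXrefStream(const std::vector<unsigned char>& data,
                            const std::array<long, 3>& W, long num_entries) {
    std::size_t entry_size = 0;
    for (long w : W) {
        // Widths are byte counts: negative is malformed, and more than 8 cannot fit a 64-bit field.
        if (w < 0 || w > 8) throw std::runtime_error("xref stream: invalid /W width");
        entry_size += static_cast<std::size_t>(w);
    }
    if (num_entries < 0 || entry_size == 0) throw std::runtime_error("xref stream: invalid /W or /Size");

    const std::size_t actual_size = data.size();
    const std::size_t n = static_cast<std::size_t>(num_entries);
    // Division form avoids overflow in entry_size * n; too little data is fatal, not a warning.
    if (n > actual_size / entry_size) throw std::runtime_error("xref stream: entries exceed stream data");
    const std::size_t expected_size = entry_size * n;

    ParseResult result{{}, expected_size != actual_size};
    ByteCursor cursor(data);
    for (std::size_t i = 0; i < n; ++i) {
        XrefEntry e{};
        // Per the spec, a zero-width first field means every entry has type 1.
        e.type   = W[0] ? cursor.readBigEndian(static_cast<std::size_t>(W[0])) : 1;
        e.field2 = cursor.readBigEndian(static_cast<std::size_t>(W[1]));
        e.field3 = cursor.readBigEndian(static_cast<std::size_t>(W[2]));
        result.entries.push_back(e);
    }
    return result;
}

// Constructed sample mirroring the numbers in the report: /W [1 2 2] gives entry_size 5,
// 7 entries give expected_size 35, and the buffer carries 3 extra trailing bytes (38 total).
std::vector<unsigned char> makeSampleData() {
    std::vector<unsigned char> data;
    for (int i = 0; i < 7; ++i) {
        data.push_back(1);                                                       // type 1: in-use object
        data.push_back(0); data.push_back(static_cast<unsigned char>(100 + i)); // field 2: offset
        data.push_back(0); data.push_back(static_cast<unsigned char>(i));       // field 3: generation
    }
    data.insert(data.end(), {0xAA, 0xBB, 0xCC});  // trailing junk, ignored but flagged
    return data;
}

// Returns true if the parser rejected the input instead of reading past the buffer.
bool rejects(const std::array<long, 3>& W, long num_entries) {
    try {
        parseXrefStream(makeSampleData(), W, num_entries);
        return false;
    } catch (const std::runtime_error&) {
        return true;
    }
}
```

With the sample data, `parseXrefStream` decodes 7 entries and reports `size_mismatch` because 35 != 38, which is the warn-only situation the report describes; asking for 8 entries (40 bytes) or passing a negative width is rejected before any read happens, and even if those checks were missing, `ByteCursor` would still refuse the read that crosses the end of the buffer.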