
#111 Segmentation Fault in "GetDataType()->DelayedLoad()" caused by `PdfFontFactory::CreateFont(FT_LibraryRec_**, PoDoFo::PdfObject*)`

Milestone: SVN TRUNK
Status: accepted
Updated: 2021-03-10
Created: 2020-12-08
Creator: chengbin
Private: No

version: 0.9.6. svn tree: r2016
How to reproduce: ./podofotxtextract poc

Backtrace:

```
 0x4be964 <PoDoFo::PdfVariant::DelayedLoad()+0> test   BYTE PTR [rax+0x13], 0x1

[#0] 0x4be964 → PoDoFo::PdfVariant::DelayedLoad() const()
[#1] 0x4bea09 → PoDoFo::PdfVariant::GetDataType() const()
[#2] 0x4c5c15 → PoDoFo::PdfVariant::IsDictionary() const()
[#3] 0x4cfead → PoDoFo::PdfObject::GetIndirectKey(PoDoFo::PdfName const&) const()
[#4] 0x501413 → PoDoFo::PdfFontFactory::CreateFont(FT_LibraryRec_**, PoDoFo::PdfObject*)()
[#5] 0x4faa50 → PoDoFo::PdfFontCache::GetFont(PoDoFo::PdfObject*)()
[#6] 0x5146a1 → PoDoFo::PdfMemDocument::GetFont(PoDoFo::PdfObject*)()
[#7] 0x4bd97c → TextExtractor::ExtractText(PoDoFo::PdfMemDocument*, PoDoFo::PdfPage*)()
[#8] 0x4bd3a5 → TextExtractor::Init(char const*)()
[#9] 0x4c07b7 → main()
```

The source code is (src/podofo/base/PdfVariant.h, line numbers as referenced by the ASAN report):

``` c++
555      // Whoops! Delayed loading triggered during delayed loading. Someone probably
556      // used a public method that calls DelayedLoad() from a delayed load.
557      if (m_bDelayedLoadInProgress)
558          PODOFO_RAISE_ERROR_INFO( ePdfError_InternalLogic, "Recursive DelayedLoad() detected" );
559  #endif
560      if( !m_bDelayedLoadDone)
561      {
562  #if defined(PODOFO_EXTRA_CHECKS)
563          m_bDelayedLoadInProgress = true;
564  #endif
565          const_cast<PdfVariant*>(this)->DelayedLoadImpl();
```

The log of ASAN is:

```
=================================================================
==27174==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000013 (pc 0x000000583908 bp 0x000000000002 sp 0x7ffcb5abb510 T0)
==27174==The signal is caused by a READ memory access.
==27174==Hint: address points to the zero page.
    #0 0x583908 in PoDoFo::PdfVariant::DelayedLoad() const /home/binpang/fuzzing_pdf/podofo_r2016/podofo-code/podofo/trunk/src/podofo/base/PdfVariant.h:560:10
    #1 0x583908 in PoDoFo::PdfVariant::GetDataType() const /home/binpang/fuzzing_pdf/podofo_r2016/podofo-code/podofo/trunk/src/podofo/base/PdfVariant.h:591:5
    #2 0x583908 in PoDoFo::PdfVariant::IsDictionary() const /home/binpang/fuzzing_pdf/podofo_r2016/podofo-code/podofo/trunk/src/podofo/base/PdfVariant.h:197:47
    #3 0x583908 in PoDoFo::PdfObject::GetIndirectKey(PoDoFo::PdfName const&) const /home/binpang/fuzzing_pdf/podofo_r2016/podofo-code/podofo/trunk/src/podofo/base/PdfObject.cpp:264:17
    #4 0x62b653 in PoDoFo::PdfFontFactory::CreateFont(FT_LibraryRec_**, PoDoFo::PdfObject*) /home/binpang/fuzzing_pdf/podofo_r2016/podofo-code/podofo/trunk/src/podofo/doc/PdfFontFactory.cpp:234:44
    #5 0x619726 in PoDoFo::PdfFontCache::GetFont(PoDoFo::PdfObject*) /home/binpang/fuzzing_pdf/podofo_r2016/podofo-code/podofo/trunk/src/podofo/doc/PdfFontCache.cpp:362:22
    #6 0x54df4e in TextExtractor::ExtractText(PoDoFo::PdfMemDocument*, PoDoFo::PdfPage*) /home/binpang/fuzzing_pdf/podofo_r2016/podofo-code/podofo/trunk/tools/podofotxtextract/TextExtractor.cpp:124:43
    #7 0x54c350 in TextExtractor::Init(char const*) /home/binpang/fuzzing_pdf/podofo_r2016/podofo-code/podofo/trunk/tools/podofotxtextract/TextExtractor.cpp:50:15
    #8 0x555ca4 in main /home/binpang/fuzzing_pdf/podofo_r2016/podofo-code/podofo/trunk/tools/podofotxtextract/podofotxtextract.cpp:52:17
    #9 0x7fdbd48b7b96 in __libc_start_main /build/glibc-2ORdQG/glibc-2.27/csu/../csu/libc-start.c:310
    #10 0x4712f9 in _start (/home/binpang/fuzzing_pdf/podofo_r2016/podofo-code/podofo/trunk/build_asan/tools/podofotxtextract/podofotxtextract+0x4712f9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/binpang/fuzzing_pdf/podofo_r2016/podofo-code/podofo/trunk/src/podofo/base/PdfVariant.h:560:10 in PoDoFo::PdfVariant::DelayedLoad() const
==27174==ABORTING
```

Attachments (1): poc


Discussion

  • Matthew Brincke - 2021-02-04
    • labels: Segmentation Fault, Bug --> crash, security
    • summary: Segmentation Fault in DelayedLoad --> Segmentation Fault in DelayedLoad caused by PdfFontFactory::CreateFont(FT_LibraryRec_**, PoDoFo::PdfObject*)
  • Matthew Brincke - 2021-02-04
    • summary: Segmentation Fault in DelayedLoad caused by PdfFontFactory::CreateFont(FT_LibraryRec_**, PoDoFo::PdfObject*) --> Segmentation Fault in GetDataType()->DelayedLoad() caused by PdfFontFactory::CreateFont(FT_LibraryRec_**, PoDoFo::PdfObject*)
  • Matthew Brincke - 2021-02-07
    • labels: crash, security --> crash, security, nullptr-deref
    • summary: Segmentation Fault in GetDataType()->DelayedLoad() caused by PdfFontFactory::CreateFont(FT_LibraryRec_**, PoDoFo::PdfObject*) --> Segmentation Fault in "GetDataType()->DelayedLoad()" caused by PdfFontFactory::CreateFont(FT_LibraryRec_**, PoDoFo::PdfObject*)
    • status: open --> accepted
    • assigned_to: Matthew Brincke
  • Matthew Brincke - 2021-02-07

    According to my analysis (I haven't reproduced yet), the SEGV is caused by a null pointer dereference in src/podofo/doc/PdfFontFactory.cpp:234 which can happen because of a missing check of the PdfObject* variable pFontObject against nullptr, or to stay (source-)compatible with pre-C++11 environments, against NULL.

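The failure mode analysed above, as an added, reduced model that is not PoDoFo's code: `FontObjectLike`, `PdfErrorLike`, `LookupFont` and the two `CreateFont*` functions are hypothetical stand-ins for PdfObject/PdfVariant, PdfError and the font lookup, and the object table is constructed sample data. It shows why a null `pFontObject` ends in a read near address zero inside DelayedLoad(), and the nullptr check that turns the crash into a PdfError-style exception about the missing object.

```cpp
#include <map>
#include <stdexcept>
#include <string>
// Stand-in for PoDoFo::PdfError (hypothetical name, added model only).
struct PdfErrorLike : std::runtime_error { using std::runtime_error::runtime_error; };

// Stand-in for PdfObject: as in the real PdfVariant, every accessor first
// calls DelayedLoad(), which tests a flag member of *this.
struct FontObjectLike {
    bool delayedLoadDone = false;
    void DelayedLoad() { if (!delayedLoadDone) delayedLoadDone = true; }
    bool IsDictionary() { DelayedLoad(); return true; }
};

// Constructed object table; a missing entry yields a null pointer, which is
// what the PoC document produces for the font lookup.
using ObjectTable = std::map<std::string, FontObjectLike*>;

FontObjectLike* LookupFont(const ObjectTable& tbl, const std::string& name) {
    return tbl.count(name) ? tbl.at(name) : nullptr;
}

// Before: no check. With nullptr the flag read inside DelayedLoad() becomes a
// read at a small address (ASAN reported 0x13 for the real class layout).
bool CreateFontUnchecked(FontObjectLike* pFontObject) {
    return pFontObject->IsDictionary();   // undefined behaviour when null
}

// After: the nullptr check proposed in the discussion, raising a PdfError-style
// exception about the missing object instead of crashing.
bool CreateFontChecked(FontObjectLike* pFontObject) {
    if (pFontObject == nullptr)
        throw PdfErrorLike("CreateFont: referenced font object is missing");
    return pFontObject->IsDictionary();
}

// True when the checked path rejects a missing font object.
bool MissingFontIsRejected() {
    ObjectTable tbl;   // constructed: no "F1" entry at all
    try { CreateFontChecked(LookupFont(tbl, "F1")); }
    catch (const PdfErrorLike&) { return true; }
    return false;
}

// True when a present font object still goes through the normal path.
bool PresentFontIsAccepted() {
    FontObjectLike font;
    ObjectTable tbl{{"F1", &font}};
    return CreateFontChecked(LookupFont(tbl, "F1")) && font.delayedLoadDone;
}
```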
  • Matthew Brincke - 2021-02-16

    My patch for this issue is attached. Because I tested it only cursorily yet (only according to the reproduction recipe, the issue reproduced without the patch, and I did get the to-be-expected PdfError exception message about a missing object, meaning one in the PoC PDF document, with it applied), please don't commit it already. As my testing opportunities are limited (I don't use Windows, for one) please do help test it (and report back to coordinate, in case I can do that test too, to avoid duplicate work).

    Last edit: Matthew Brincke 2021-02-16
  • Matthew Brincke - 2021-02-28
    • labels: crash, security, nullptr-deref --> crash, security, nullptr-deref, Patch
  • Matthew Brincke - 2021-02-28
    • labels: crash, security, nullptr-deref, Patch --> crash, security, nullptr-deref, Patch, reprod-blocking
    • summary: Segmentation Fault in "GetDataType()->DelayedLoad()" caused by PdfFontFactory::CreateFont(FT_LibraryRec_**, PoDoFo::PdfObject*) --> Segmentation Fault in "GetDataType()->DelayedLoad()" caused by `PdfFontFactory::CreateFont(FT_LibraryRec_**, PoDoFo::PdfObject*)`
    • Description has changed:

    Diff:

    --- old
    +++ new
    @@ -18,7 +18,7 @@
     ```
    
     The source code is:
    -```
    +``` c++
       555      // Whoops! Delayed loading triggered during delayed loading. Someone probably
         556      // used a public method that calls DelayedLoad() from a delayed load.
         557      if (m_bDelayedLoadInProgress)
    @@ -33,7 +33,7 @@
     ```
    
     The log of ASAN is:
    -```
    +``` c++
     =================================================================
     ==27174==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000013 (pc 0x000000583908 bp 0x000000000002 sp 0x7ffcb5abb510 T0)
     ==27174==The signal is caused by a READ memory access.
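Review bot: in this second hunk the fence for the AddressSanitizer output is tagged `c++` (`+``` c++`), but the fenced content is sanitizer log text, not C++ source, so the tag only causes misleading syntax highlighting of lines such as `==27174==ERROR: AddressSanitizer: SEGV ...`; a plain ``` fence (as before the change) or a `text` tag would be the accurate choice. The `c++` tag is appropriate in the first hunk, where the fenced lines really are PdfVariant.h source.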
  • Matthew Brincke - 2021-02-28

    This blocks reproduction of issue #119 so I'm tagging it accordingly (also some formatting changes, I hope the "Related:" entries are gone then).

  • Matthew Brincke - 2021-03-10
    • labels: crash, security, nullptr-deref, Patch, reprod-blocking --> crash, security, nullptr-deref, Patch
  • Matthew Brincke - 2021-03-10

    Reproduction of issue #119 doesn't seem to be blocked by this issue (I've tested with my patch for it, in GCC 8.3 static build with Address Sanitizer), but by the unsuitability of the supposed PoC given there. Please answer/discuss there, I'm removing the tag "reprod-blocking" here therefore.