[podofo-0.9.7] Stack overflow in PdfEncrypt.cpp
A PDF parsing, modification and creation library.
Brought to you by: domseichter
In command line:
podofopdfinfo bug4
In gdb:
We see the stack is overwritten, so the stack overflow is exploitable.
There are two points with a stack overflow:
void
PdfEncryptMD5Base::ComputeOwnerKey(unsigned char userPad[32], unsigned char ownerPad[32],
                                   int keyLength, int revision, bool authenticate,
                                   unsigned char ownerKey[32])
{
    unsigned char mkey[MD5_DIGEST_LENGTH];   // 0x10 bytes
    unsigned char digest[MD5_DIGEST_LENGTH]; // 0x10 bytes
    .....
    for (int j = 0; j < keyLength ; ++j)     // keyLength = 0x20, taken from the file, not clamped here
    {
        // for keyLength > 0x10, digest[j] is read and mkey[j] is written past the end of both buffers
        if (authenticate)
            mkey[j] = static_cast<unsigned char>(static_cast<unsigned int>(digest[j] ^ (19-i)));
        else
            mkey[j] = static_cast<unsigned char>(static_cast<unsigned int>(digest[j] ^ i));
    }
    .....
}
mkey and digest are only 0x10 bytes in size; however, keyLength may be 0x20, which raises a stack overflow.
The same thing occurs in PdfEncryptMD5Base::ComputeEncryptionKey:866:
status = MD5_Update(&ctx, n, m_keyLength);
This is CVE-2021-30472.
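Both locations share one root cause: a keyLength taken from the document is used as a bound for 16-byte MD5 buffers. The example below is added here and is not PoDoFo's code; it shows the two checks a fix needs, a validator for the encryption dictionary's /Length (the PDF specification allows 40..128 bits in multiples of 8 for the MD5/RC4 revisions, so at most 16 bytes) and a bounds check in front of the XOR loop quoted above. The function names xor_key_step_checked and md5_key_length_bytes and the sample digest are constructed for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MD5_DIGEST_LENGTH 16

/* Hardened form of the XOR loop from the report (illustrative, not PoDoFo's
 * code): mkey and digest are both MD5_DIGEST_LENGTH bytes, so a keyLength
 * larger than that is rejected before the loop instead of being used as its
 * bound. Returns 0 on success, -1 when keyLength is out of range; in the
 * error case mkey is left untouched. */
int xor_key_step_checked(const unsigned char digest[MD5_DIGEST_LENGTH],
                         unsigned char mkey[MD5_DIGEST_LENGTH],
                         int keyLength, int i, bool authenticate)
{
    if (keyLength < 0 || (size_t)keyLength > MD5_DIGEST_LENGTH)
        return -1;                       /* would read/write past the buffers */
    for (int j = 0; j < keyLength; ++j) {
        unsigned char pad = authenticate ? (unsigned char)(19 - i) : (unsigned char)i;
        mkey[j] = (unsigned char)(digest[j] ^ pad);
    }
    return 0;
}

/* Validate the /Length entry of an encryption dictionary for the MD5/RC4
 * based security handler revisions: ISO 32000-1 restricts it to 40..128 bits
 * in multiples of 8. Returns the key length in bytes (5..16), or -1 if the
 * value cannot be used with 16-byte MD5 buffers (e.g. 0x20 bytes = 256 bits). */
int md5_key_length_bytes(int length_bits)
{
    if (length_bits < 40 || length_bits > 128 || (length_bits % 8) != 0)
        return -1;
    return length_bits / 8;
}

int main(void)
{
    /* Constructed sample digest; real code would take it from MD5_Final. */
    unsigned char digest[MD5_DIGEST_LENGTH] = {
        0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
        0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff };
    unsigned char mkey[MD5_DIGEST_LENGTH];
    memset(mkey, 0, sizeof mkey);

    printf("/Length 256 -> %d (rejected)\n", md5_key_length_bytes(256));
    printf("/Length 128 -> %d bytes\n", md5_key_length_bytes(128));
    printf("keyLength 0x20 -> %d (rejected)\n",
           xor_key_step_checked(digest, mkey, 0x20, 0, true));
    printf("keyLength 0x10 -> %d, mkey[0] = 0x%02x\n",
           xor_key_step_checked(digest, mkey, 0x10, 0, true), mkey[0]);
    return 0;
}
```

Applying md5_key_length_bytes when the encryption dictionary is parsed stops the oversized keyLength at the source, so both ComputeOwnerKey and the MD5_Update call in ComputeEncryptionKey only ever see a value that fits their buffers; the check inside xor_key_step_checked is defence in depth for callers that bypass the parser.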