#21 CVE-2018-11256 - NULL pointer dereference in PdfDocument::Append()

SVN TRUNK
closed
nobody
security (37)
2018-08-30
2018-07-09
No

https://security-tracker.debian.org/tracker/CVE-2018-11256
PoC: https://bugzilla.redhat.com/show_bug.cgi?id=1575851

The function PdfDocument::Append() in PdfDocument.cpp:327 in PoDoFo 0.9.5 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted PDF document.

Discussion

  • Matthew Brincke

    Matthew Brincke - 2018-07-15

    In the bug report at Red Hat there is an assembly dump of the concerned method around the crash site, but AFAICS the null-pointer dereference belongs to source code line 328, not 327: in line 328 the variable pPage is used for a method call without a NULL check, its value has been returned from the PdfDocument::GetPage(int) method in line 327 and can be (is, with the PoC) NULL.
    Therefore, my proposed fix is to insert a NULL check between these lines for pPage, with (in the NULL case) a PdfError exception thrown with error code ePdfError_PageNotFound.

     
  • Matthew Brincke

    Matthew Brincke - 2018-08-27

    I'd like to include the page number which wasn't found in the exception information. Should it be 0-based or 1-based?

     
  • Matthew Brincke

    Matthew Brincke - 2018-08-28

    This is fixed now, in svn r1938: https://sourceforge.net/p/podofo/code/1938 (the page number not found is given 0-based to match up with the one in the CRITICAL message before, with an explanation saying the first page is 0).

     
  • Dominik Seichter

    • status: open --> closed
     
  • Dominik Seichter

    Fixed

     
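The fix pattern described in the discussion above (a NULL check on the pointer returned by GetPage() before it is used, throwing a PdfError with code ePdfError_PageNotFound that carries the 0-based page index), shown as an added C++ example. This is not PoDoFo's code and does not reproduce PdfDocument::Append(); the Document, Page and PdfError definitions here are simplified stand-ins, and only the names PdfError and ePdfError_PageNotFound come from the ticket. The unchecked method is kept alongside the checked one to show where the dereference happens when a crafted document makes the lookup return null.

```cpp
// Added example, not PoDoFo source. The stand-in types model the shape
// of the bug: GetPage() returns a null pointer for a page index that does
// not exist, and the original caller used the result without a check.
#include <cstddef>
#include <stdexcept>
#include <string>
#include <utility>
#include <vector>

// Minimal stand-in for a page object (hypothetical).
struct Page {
    std::string text;
};

// Stand-in for the error thrown on the fixed path (hypothetical
// definition; only the PdfError name and the ePdfError_PageNotFound
// code are taken from the ticket).
enum class PdfErrorCode { ePdfError_PageNotFound };

struct PdfError : std::runtime_error {
    PdfErrorCode code;
    int page;  // 0-based index that was not found, as the fix reports it
    PdfError(PdfErrorCode c, int p)
        : std::runtime_error("page not found (0-based index " +
                             std::to_string(p) + "; the first page is 0)"),
          code(c), page(p) {}
};

// Stand-in document: pages held by value; GetPage() returns nullptr for
// an out-of-range index, which is the failure mode the ticket describes.
class Document {
public:
    explicit Document(std::vector<Page> pages) : pages_(std::move(pages)) {}

    int GetPageCount() const { return static_cast<int>(pages_.size()); }

    const Page* GetPage(int i) const {
        if (i < 0 || i >= GetPageCount()) return nullptr;
        return &pages_[i];
    }

    // Vulnerable shape: when the page count taken from the file exceeds
    // the pages actually present, GetPage() returns nullptr and the
    // unchecked use of pPage dereferences it (the crash in the ticket).
    void AppendUnchecked(const Document& other, int claimedPageCount) {
        for (int i = 0; i < claimedPageCount; ++i) {
            const Page* pPage = other.GetPage(i);
            pages_.push_back(*pPage);  // NULL dereference when pPage is null
        }
    }

    // Fixed shape: the NULL check sits between GetPage() and the use,
    // and the exception carries the 0-based index that was not found.
    void AppendChecked(const Document& other, int claimedPageCount) {
        for (int i = 0; i < claimedPageCount; ++i) {
            const Page* pPage = other.GetPage(i);
            if (pPage == nullptr) {
                throw PdfError(PdfErrorCode::ePdfError_PageNotFound, i);
            }
            pages_.push_back(*pPage);
        }
    }

private:
    std::vector<Page> pages_;
};

// Drives the checked path with a constructed source document of
// `realPages` pages and a claimed count that may exceed it. Returns the
// 0-based index that tripped the check, or -1 if every page was found.
int appendReportingMissingPage(int realPages, int claimedPages) {
    std::vector<Page> src;  // constructed sample input
    for (int i = 0; i < realPages; ++i) {
        src.push_back(Page{"page " + std::to_string(i)});
    }
    Document dst({});
    try {
        dst.AppendChecked(Document(src), claimedPages);
        return -1;
    } catch (const PdfError& e) {
        return e.page;  // first missing index, e.g. 2 for a 2-page source
    }
}
```

Calling appendReportingMissingPage(2, 5) returns 2: the first index past the two real pages is what the exception reports, matching the 0-based convention chosen in the fix. The same check placed on the unchecked path turns a crash on a crafted file into a catchable error with a message that names the page.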