Description of problem:
In podofo 0.9.6 (the latest version), there exists a bug in the method PoDoFo::PdfParser::ReadObjects(), which can cause the program to be aborted.
Remote attackers could leverage this vulnerability to cause a denial of service via a crafted PDF file.
Here is the backtrace:
#0 0x00007ffff57d0428 in __GI_raise (sig=sig@entry=0x6)
at ../sysdeps/unix/sysv/linux/raise.c:54
#1 0x00007ffff57d202a in __GI_abort () at abort.c:89
#2 0x00007ffff61124fd in __gnu_cxx::__verbose_terminate_handler ()
at ../../../../gcc-5.3.0/libstdc++-v3/libsupc++/vterminate.cc:95
#3 0x00007ffff6110566 in __cxxabiv1::__terminate (handler=<optimized out>)
at ../../../../gcc-5.3.0/libstdc++-v3/libsupc++/eh_terminate.cc:47
#4 0x00007ffff61105b1 in std::terminate ()
at ../../../../gcc-5.3.0/libstdc++-v3/libsupc++/eh_terminate.cc:57
#5 0x00007ffff61107c8 in __cxxabiv1::__cxa_throw (obj=obj@entry=0x85e700,
tinfo=0x7ffff63f0ac0 <typeinfo for std::length_error>,
dest=0x7ffff6125240 <std::length_error::~length_error()>)
at ../../../../gcc-5.3.0/libstdc++-v3/libsupc++/eh_throw.cc:87
#6 0x00007ffff6137e8f in std::__throw_length_error (
__s=0x5c7ac2 "vector::reserve")
at ../../../../../gcc-5.3.0/libstdc++-v3/src/c++11/functexcept.cc:86
#7 0x000000000055cc44 in std::vector<PoDoFo::PdfObject*, std::allocator<PoDoFo::PdfObject*> >::reserve(unsigned long) ()
#8 0x000000000055bfdc in PoDoFo::PdfVecObjects::Reserve(unsigned long) ()
#9 0x00000000005546b5 in PoDoFo::PdfParser::ReadObjects() ()
#10 0x0000000000553a02 in PoDoFo::PdfParser::ParseFile(PoDoFo::PdfRefCountedInputDevice const&, bool) ()
#11 0x0000000000553329 in PoDoFo::PdfParser::ParseFile(char const*, bool) ()
#12 0x000000000050e297 in PoDoFo::PdfMemDocument::Load(char const*, bool) ()
#13 0x000000000050e0d4 in PoDoFo::PdfMemDocument::PdfMemDocument(char const*, bool) ()
#14 0x00000000004afec7 in PdfInfo::PdfInfo(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) ()
#15 0x00000000004b4625 in main ()
#16 0x00007ffff57bb830 in __libc_start_main (main=0x4b4460 <main>, argc=0x2,
argv=0x7fffffffde18, init=<optimized out>, fini=<optimized out>,
rtld_fini=<optimized out>, stack_end=0x7fffffffde08)
at ../csu/libc-start.c:291
#17 0x00000000004afd99 in _start ()
Version-Release number of selected component (if applicable):
podofo 0.9.6
How reproducible:
Use podofopdfinfo to read crafted PDF files.
Steps to Reproduce:
1. podofopdfinfo podofo0.9.6-poc
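The backtrace above shows the failure mechanism: an object count taken from the untrusted file reaches std::vector::reserve() unchecked, libstdc++ throws std::length_error("vector::reserve") for a count above max_size(), and because nothing catches it std::terminate() aborts the process. The following is an added example written for this page, not PoDoFo's own code: it reproduces the unchecked pattern beside a bounded variant. The Object type, the ReserveUnchecked/ReserveChecked functions, the kMaxObjects limit and the use of the trailer's /Size entry as the source of the count are all assumptions made for illustration.

```cpp
// Added example (not PoDoFo code): an untrusted object count passed to
// vector::reserve() unchecked versus the same count bounded first.
#include <cstddef>
#include <iostream>
#include <limits>
#include <new>
#include <stdexcept>
#include <string>
#include <vector>

struct Object {};  // stand-in for PoDoFo::PdfObject (hypothetical)

// Unchecked pattern matching the backtrace: a count parsed from the file
// goes straight to reserve(). A count above vector::max_size() makes the
// standard library throw std::length_error; uncaught, that is a crash.
static void ReserveUnchecked(std::vector<Object*>& objs, std::size_t count) {
    objs.reserve(count);
}

// Hardened variant: reject counts above a policy limit or above what the
// container can hold, and report the condition instead of throwing.
// kMaxObjects is an assumed limit for this example, not a PoDoFo constant.
constexpr std::size_t kMaxObjects = 8 * 1024 * 1024;

enum class ReserveResult { Ok, TooLarge };

static ReserveResult ReserveChecked(std::vector<Object*>& objs, std::size_t count) {
    if (count > kMaxObjects || count > objs.max_size()) {
        return ReserveResult::TooLarge;
    }
    objs.reserve(count);
    return ReserveResult::Ok;
}

// Simulates the parser step: the /Size value read from a (constructed,
// crafted) trailer is handed to the unchecked reserve. The exception is
// caught here only so its message can be returned; in the real crash it
// propagated out of the parser and terminated the program.
std::string ParseWithUncheckedReserve(std::size_t sizeFromTrailer) {
    std::vector<Object*> objs;
    try {
        ReserveUnchecked(objs, sizeFromTrailer);
        return "ok";
    } catch (const std::length_error& e) {
        return std::string("length_error: ") + e.what();
    } catch (const std::bad_alloc&) {
        // A count below max_size() but beyond available memory ends here;
        // that is still a denial of service.
        return "bad_alloc";
    }
}

// Same parse step with the bounded reserve: no exception escapes.
ReserveResult ParseWithCheckedReserve(std::size_t sizeFromTrailer) {
    std::vector<Object*> objs;
    return ReserveChecked(objs, sizeFromTrailer);
}

// Constructed crafted /Size: the largest size_t, which exceeds
// vector<Object*>::max_size() on any platform.
constexpr std::size_t kCraftedSize = std::numeric_limits<std::size_t>::max();

int main() {
    std::cout << "unchecked, crafted size: "
              << ParseWithUncheckedReserve(kCraftedSize) << "\n";
    std::cout << "unchecked, sane size:    "
              << ParseWithUncheckedReserve(16) << "\n";
    std::cout << "checked, crafted size:   "
              << (ParseWithCheckedReserve(kCraftedSize) == ReserveResult::TooLarge
                      ? "rejected" : "accepted") << "\n";
    std::cout << "checked, sane size:      "
              << (ParseWithCheckedReserve(16) == ReserveResult::Ok
                      ? "accepted" : "rejected") << "\n";
    return 0;
}
```

The point of the bound is not the exact limit but that a file-supplied count never decides the allocation size on its own; a parser that reads a trailer should treat /Size as a hint to validate against the data it actually finds, and surface a parse error rather than let a standard-library exception terminate the process.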
This seems to be a duplicate of issue #4 just with the backtrace (and PoC) missing there, so this should be closed (ideally after copying the backtrace and PoC). I haven't copied it because I can't verify right now.
I couldn't reproduce this with the current library code, as PdfMemDocument::InitFromParser( PdfParser* ) throws with error code ePdfError_NoObject because it can't find the Catalog ("Root") object. Therefore I set this to pending herewith (I can't prove it's gone, otherwise I'd close). @krace do you think you could check again with the current trunk and confirm?
In the meantime, this was given CVE-2018-15889 ...
Krace, any comments on the questions? Otherwise this would likely be a duplicate of CVE-2018-5783, which is issue #4 and fixed with https://sourceforge.net/p/podofo/code/1949 .
I'm sorry to reply so late. I downloaded podofo from SourceForge, but unfortunately the code was not patched in PdfVecObjects::Reserve( size_t size ), so it's a duplicate of CVE-2018-5783...
How did you download podofo (the PoDoFo project doesn't fix released packages)? With an svn client (if yes, which revision did you download? For HEAD, please tell when) or a web browser (from the "Files" or the "Code" section? If "Code", which revision, please?) I need this info to know if something could still need to be changed.
I have emailed CVE to cancel CVE-2018-15889, sorry again.
CVE-2018-15889 has been rejected by MITRE.
I'm closing this, due to the above comments about the duplicate and because when I tested it with r2008, it did not crash, as expected.