CVE-2018-6352 - Excessive Iteration in the PdfParser::ReadObjectsInternal
A PDF parsing, modification and creation library.
Brought to you by: domseichter
https://security-tracker.debian.org/tracker/CVE-2018-6352
https://bugzilla.redhat.com/show_bug.cgi?id=1539237
In PoDoFo 0.9.5, there is an excessive iteration in the PdfParser::ReadObjectsInternal function of base/PdfParser.cpp. Remote attackers could leverage this vulnerability to cause a denial of service through a crafted PDF file.
Tickets: #111, #33, #43, #45, #46
Has this been fixed by the fix for CVE-2018-5296 (https://sourceforge.net/p/podofo/tickets/6/)?
This issue happens when the /Size entry in the PDF's trailer dictionary is set to a large value (2,100,000,041 in the PoC), which is read into m_nNumObjects by PdfParser::ReadDocumentStructure.
In 0.9.6 this should trigger an exception when ResizeOffsets( m_nNumObjects ) is called in ReadDocumentStructure, because the maximum number of objects allowed is 8,388,607.
I've done some testing - the original PoC file throws an ePdfError_ValueOutOfRange exception in ResizeOffsets in 0.9.6
A modified version of the PoC file with /Size 8388607 takes around 12 seconds to execute the loop in ReadObjectsInternal. That's consistent with the tens of minutes reported for the PoC, which used /Size 2100000041 (2100000041 / 8388607 * 12 seconds = 50 minutes).
I think this CVE is fixed, but would be good if somebody else could confirm
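As an added defender-side example (not code from the PoDoFo project or from this ticket), the following Python pre-check reads the /Size entry of a PDF's classic trailer dictionary and applies the same 8,388,607 ceiling the discussion above says PoDoFo 0.9.6 enforces in ResizeOffsets, then sanity-checks /Size against the object headers actually present in the file. The regexes, the `slack` tolerance and the constructed sample documents are assumptions for illustration; cross-reference streams and nested dictionaries inside the trailer are not handled.

```python
import re

# Ceiling PoDoFo 0.9.6 enforces when ResizeOffsets(m_nNumObjects) is called
# (the 8,388,607 figure quoted in the ticket discussion).
MAX_OBJECTS = 8_388_607

# Classic "trailer << ... >>" dictionary; the last one in the file wins.
# Assumption: no nested "<< >>" inside the trailer (non-greedy match stops at the first ">>").
TRAILER_RE = re.compile(rb"trailer\s*<<(.*?)>>", re.DOTALL)
SIZE_RE = re.compile(rb"/Size\s+(\d+)")
# "N G obj" headers of indirect objects present in the body.
OBJ_HEADER_RE = re.compile(rb"(\d+)\s+\d+\s+obj\b")


def trailer_size(pdf: bytes):
    """Return the integer /Size of the last trailer dictionary, or None if absent."""
    trailers = TRAILER_RE.findall(pdf)
    if not trailers:
        return None
    m = SIZE_RE.search(trailers[-1])
    return int(m.group(1)) if m else None


def highest_object_number(pdf: bytes) -> int:
    """Highest object number among the 'N G obj' headers in the file (0 if none)."""
    return max((int(m.group(1)) for m in OBJ_HEADER_RE.finditer(pdf)), default=0)


def check_trailer_size(pdf: bytes, max_objects: int = MAX_OBJECTS, slack: int = 1024) -> tuple:
    """Classify the /Size entry as ('reject' | 'suspect' | 'ok', reason).

    - reject: missing, above the hard ceiling, or smaller than highest object number + 1
    - suspect: within the ceiling but far larger than the objects actually present
      (the parser would still iterate over every slot up to /Size)
    """
    size = trailer_size(pdf)
    if size is None:
        return "reject", "no /Size found in a classic trailer dictionary"
    if size > max_objects:
        return "reject", f"/Size {size} exceeds limit {max_objects}"
    expected = highest_object_number(pdf) + 1  # /Size must exceed the highest object number
    if size < expected:
        return "reject", f"/Size {size} is smaller than highest object number + 1 ({expected})"
    if size > expected + slack:
        return "suspect", f"/Size {size} far exceeds the {expected} object slots actually used"
    return "ok", f"/Size {size}"


def make_pdf(n_objects: int, size_entry: int) -> bytes:
    """Constructed, minimal (non-conforming) PDF with n_objects empty objects and a given /Size."""
    body = b"%PDF-1.4\n"
    for i in range(1, n_objects + 1):
        body += b"%d 0 obj\n<< >>\nendobj\n" % i
    body += b"trailer\n<< /Size %d /Root 1 0 R >>\n%%%%EOF\n" % size_entry
    return body


if __name__ == "__main__":
    samples = [
        ("benign (3 objects, /Size 4)", make_pdf(3, 4)),
        ("PoC-style /Size 2100000041", make_pdf(3, 2_100_000_041)),
        ("at the 0.9.6 ceiling, /Size 8388607", make_pdf(3, MAX_OBJECTS)),
    ]
    for label, doc in samples:
        print(f"{label}: {check_trailer_size(doc)}")
```

The "suspect" verdict is the practically useful one: a /Size just under the ceiling still passes ResizeOffsets, yet, as the measurement above shows, it costs the parser roughly 12 seconds of iteration, so an ingestion pipeline may want to reject such files before handing them to the library.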
Yes, to my understanding this was fixed. Hence closing the issue.