Null pointer dereference vulnerability in ...
A PDF parsing, modification and creation library.
Brought to you by: domseichter
What is the vulnerability?
A NULL pointer dereference vulnerability is discovered in function PoDoFo::Impose::PdfTranslator::setSource() located in file pdftranslator.cpp.
Version - 0.9.6 trunk r1966
Tested environment - 64-bit ubuntu 16.04 LTS & 64-bit Windows 10.
Command - podofoimpose $POC output native
**Vulnerable code** -

```cpp
if ( pcount > 0 )
{
    PoDoFo::PdfRect rect ( sourceDoc->GetPage ( 0 )->GetMediaBox() );
    sourceWidth = rect.GetWidth() - rect.GetLeft();
    sourceHeight = rect.GetHeight() - rect.GetBottom() ;
}
```
**Debug: In Ubuntu** -
GDB -
151 PoDoFo::PdfRect rect ( sourceDoc->GetPage ( 0 )->GetMediaBox() );
152 // keep in mind it’s just a hint since PDF can have different page sizes in a same doc
153 sourceWidth = rect.GetWidth() - rect.GetLeft();
154 sourceHeight = rect.GetHeight() - rect.GetBottom() ;
155 }
156 }
[#0] Id 1, Name: "podofoimpose", stopped, reason: SIGSEGV
[#0] 0x811c4e6 → PoDoFo::Impose::PdfTranslator::setSource(this=0x82a9f00, source="/home/loginsoft/ACE/sources/pruthvi/id_000000_00")
[#1] 0x811aebe → main(argc=0x4, argv=0xbffff3b4)
gef➤ bt
#0 0x0811c4e6 in PoDoFo::Impose::PdfTranslator::setSource (this=0x82a9f00, source="POC") at /podofo-code-r1966-podofo-trunk/tools/podofoimpose/pdftranslator.cpp:151
#1 0x0811aebe in main (argc=0x4, argv=0xbffff3b4) at /podofo-code-r1966-podofo-trunk/tools/podofoimpose/podofoimpose.cpp:107
gef➤ p/d pcount
$1 = 11
gef➤ p sourceDoc->GetPage ( 0 )
CRITICAL: Requesting page index 0. Invalid datatype referenced in kids array: Dictionary
Reference to invalid object: 1 0 R
$5 = (PoDoFo::PdfPage *) 0x0
gef➤ p GetPage( nIndex )
CRITICAL: Requesting page index 0. Invalid datatype referenced in kids array: Dictionary
Reference to invalid object: 1 0 R
$2 = (PoDoFo::PdfPage *) 0x0
gef➤ i r
eax 0x0 0x0
ecx 0x0 0x0
edx 0x0 0x0
ebx 0x82aa100 0x82aa100
esp 0xbffff130 0xbffff130
ebp 0xbffff2c8 0xbffff2c8
esi 0x82aa0a8 0x82aa0a8
edi 0xb78a4000 0xb78a4000
eip 0x811c4e6 0x811c4e6 <PoDoFo::Impose::PdfTranslator::setSource(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&)+1314>
eflags 0x210286 [ PF SF IF RF ID ]
cs 0x73 0x73
ss 0x7b 0x7b
ds 0x7b 0x7b
es 0x7b 0x7b
fs 0x0 0x0
gs 0x33 0x33
**Debug: In Windows** -
STACK_TEXT:
podofoimpose!PoDoFo::Impose::PdfTranslator::setSource+0x57e
00cffad0 010e58ce 00000004 001e2c78 001e1738 podofoimpose!main+0x161
00cffae4 010e5767 90d90588 00f3b398 00f3b398 podofoimpose!invoke_main+0x1e
00cffb40 010e55fd 00cffb50 010e5948 00cffb64 podofoimpose!__scrt_common_main_seh+0x157
00cffb48 010e5948 00cffb64 74c38484 00af3000 podofoimpose!__scrt_common_main+0xd
00cffb50 74c38484 00af3000 74c38460 9e791c38 podofoimpose!mainCRTStartup+0x8
00cffb64 77bd41c8 00af3000 d24f9363 00000000 KERNEL32!BaseThreadInitThunk+0x24
00cffbac 77bd4198 ffffffff 77bef326 00000000 ntdll!__RtlUserThreadStart+0x2f
00cffbbc 00000000 00f3b398 00af3000 00000000 ntdll!_RtlUserThreadStart+0x1b
FAILURE_BUCKET_ID: NULL_POINTER_READ_c0000005_podofoimpose.exe!PoDoFo::Impose::PdfTranslator::setSource
BUCKET_ID: APPLICATION_FAULT_NULL_POINTER_READ_INVALID_POINTER_READ_podofoimpose!PoDoFo::Impose::PdfTranslator::setSource+57e
ExceptionCode: c0000005 (Access violation)
FAULTING_SOURCE_FILE: e:\podofo-code-r1966-podofo-trunk\tools\podofoimpose\pdftranslator.cpp
FAILURE_FUNCTION_NAME: PoDoFo::Impose::PdfTranslator::setSource
Registers:
eax=00000000 ebx=00af3000 ecx=90d909fc edx=00cff82c esi=00cff770 edi=00cff76c
eip=00f5645e esp=00cff76c ebp=00cffa6c iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
We also tested it against the latest trunk r1970 and are able to reproduce. Also, for cross-reference, this is known elsewhere as CVE-2019-9199:
https://security-tracker.debian.org/tracker/CVE-2019-9199
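The pattern behind the crash, as an added example that is not PoDoFo's code and not the r1971 fix: a stand-alone C++ model in which `GetPage(0)` returns NULL for a page whose /Kids entry could not be resolved (the report's "Invalid datatype referenced in kids array: Dictionary"), with the unchecked dereference from the report beside a variant that checks the pointer and throws. `Document`, `Page`, `Rect`, `Dims`, `setSourceVulnerable`, `setSourceHardened`, `rejectsMalformed`, `makeGoodDoc` and `makeBrokenDoc` are stand-ins invented for this example, and the page count of 11 in the broken document mirrors the `p/d pcount` output above.

```cpp
// Added example (not PoDoFo's code): minimal stand-ins for PdfRect/PdfPage/
// PdfMemDocument so the crash pattern in setSource() can be compiled and
// exercised without the library.
#include <cstdio>
#include <stdexcept>
#include <vector>

struct Rect {
    double left, bottom, width, height;
    double GetLeft() const { return left; }
    double GetBottom() const { return bottom; }
    double GetWidth() const { return width; }
    double GetHeight() const { return height; }
};

struct Page {
    Rect mediaBox;
    Rect GetMediaBox() const { return mediaBox; }
};

// Stand-in for a parsed document. A page whose /Kids entry failed to resolve
// is stored as nullptr, mirroring PoDoFo's GetPage() returning a NULL
// PdfPage* while the page count still reports the claimed number of pages.
struct Document {
    std::vector<Page*> pages;
    int GetPageCount() const { return static_cast<int>(pages.size()); }
    Page* GetPage(int i) const {
        if (i < 0 || i >= GetPageCount()) return nullptr;
        return pages[i];
    }
};

struct Dims { double width; double height; };

// Vulnerable pattern from the report: pcount > 0 is treated as a guarantee
// that GetPage(0) is non-NULL, so a malformed page tree dereferences NULL.
Dims setSourceVulnerable(const Document& doc) {
    Dims d{0, 0};
    int pcount = doc.GetPageCount();
    if (pcount > 0) {
        Rect rect(doc.GetPage(0)->GetMediaBox());   // faults when GetPage(0) == NULL
        d.width  = rect.GetWidth()  - rect.GetLeft();
        d.height = rect.GetHeight() - rect.GetBottom();
    }
    return d;
}

// Hardened variant (one possible fix, not the project's): check the pointer
// first and fail with an exception the tool can report instead of a SIGSEGV.
Dims setSourceHardened(const Document& doc) {
    Dims d{0, 0};
    int pcount = doc.GetPageCount();
    if (pcount > 0) {
        const Page* first = doc.GetPage(0);
        if (first == nullptr) {
            throw std::runtime_error("setSource: page 0 could not be loaded (malformed page tree)");
        }
        Rect rect(first->GetMediaBox());
        d.width  = rect.GetWidth()  - rect.GetLeft();
        d.height = rect.GetHeight() - rect.GetBottom();
    }
    return d;
}

// True when the hardened version rejects the document, false when it accepts it.
bool rejectsMalformed(const Document& doc) {
    try { setSourceHardened(doc); return false; }
    catch (const std::runtime_error&) { return true; }
}

// Constructed inputs: a well-formed one-page document, and a "document" that
// claims 11 pages (as in the report's `p/d pcount`) none of which resolves.
Document makeGoodDoc(Page& p) { Document d; d.pages.push_back(&p); return d; }
Document makeBrokenDoc() { Document d; d.pages.assign(11, nullptr); return d; }

int main() {
    Page letter{Rect{0, 0, 612, 792}};
    Document good = makeGoodDoc(letter);
    Dims d = setSourceHardened(good);
    std::printf("good doc: %gx%g\n", d.width, d.height);
    std::printf("broken doc rejected: %s\n", rejectsMalformed(makeBrokenDoc()) ? "yes" : "no");
    return 0;
}
```

`pcount > 0` only says the page tree claims pages; whether index 0 can actually be resolved is a separate question, so the check belongs at the call site (or the page lookup should throw rather than hand back NULL), and a fuzzer-found file like the one in this report is exactly the input that separates the two.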
I had tested my fix in svn r1971 [1] with g++ 4.8, clang++ 3.8 (both in C++11 mode) and (on a newer system) g++ 7.3 and clang++ 7.0 before committing, but I don't have a Windows system with C++ development tools, so I couldn't test there. Please do that for me: I'd like to close this issue in less than a week.
[1] https://sourceforge.net/p/podofo/code/1971/
Pending verification testing on Windows, which I can't do (see my last post).
Tested on Windows, looks fixed.
Thanks for testing on Windows, Ace Team. If someone else is interested in testing, please be aware that I'd like to close this issue before Saturday (UTC). However, if you find some failure with it afterwards, please feel free to reopen if you can (with justification).
Closing as per announcement (the reason why I hadn't already closed this yesterday is that, where I was, the site styles/scripts didn't load, so I couldn't edit the issue). I think there should have been enough time to test.