
#59 [r1996] SEGV of podofotxtextract in Type0 font handling (by PoDoFo::PdfFontFactory::CreateFont)

SVN TRUNK
pending
None
2019-07-23
2019-07-09
No

Hi,
Our fuzzer found a crash in podofotxtextract (the latest commit on trunk, r1996, version 0.9.6) due to an invalid read of size 1 in the function PoDoFo::PdfFontFactory::CreateFont.
PoC: https://github.com/strongcourage/PoCs/blob/master/podofo_r1996/PoC_segv_PoDoFo::PdfVariant::DelayedLoad
Command: podofotxtextract $PoC
ASAN says:

==14022==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000013 (pc 0x0000004bc1ac sp 0x7ffca35cc920 bp 0x7ffca35cc930 T0)
    #0 0x4bc1ab in PoDoFo::PdfVariant::DelayedLoad() const /home/dungnguyen/gueb-testing/podofo-code/podofo/trunk/src/podofo/base/PdfVariant.h:555
    #1 0x4bc623 in PoDoFo::PdfVariant::GetArray() /home/dungnguyen/gueb-testing/podofo-code/podofo/trunk/src/podofo/base/PdfVariant.h:822
    #2 0x51e48e in PoDoFo::PdfFontFactory::CreateFont(FT_LibraryRec_**, PoDoFo::PdfObject*) /home/dungnguyen/gueb-testing/podofo-code/podofo/trunk/src/podofo/doc/PdfFontFactory.cpp:218
    #3 0x5152b7 in PoDoFo::PdfFontCache::GetFont(PoDoFo::PdfObject*) /home/dungnguyen/gueb-testing/podofo-code/podofo/trunk/src/podofo/doc/PdfFontCache.cpp:362
    #4 0x53be5c in PoDoFo::PdfMemDocument::GetFont(PoDoFo::PdfObject*) /home/dungnguyen/gueb-testing/podofo-code/podofo/trunk/src/podofo/doc/PdfMemDocument.cpp:703
    #5 0x4ba64a in TextExtractor::ExtractText(PoDoFo::PdfMemDocument*, PoDoFo::PdfPage*) /home/dungnguyen/gueb-testing/podofo-code/podofo/trunk/tools/podofotxtextract/TextExtractor.cpp:124
    #6 0x4b9fe7 in TextExtractor::Init(char const*) /home/dungnguyen/gueb-testing/podofo-code/podofo/trunk/tools/podofotxtextract/TextExtractor.cpp:50
    #7 0x4c00b9 in main /home/dungnguyen/gueb-testing/podofo-code/podofo/trunk/tools/podofotxtextract/podofotxtextract.cpp:52
    #8 0x7f8d9f7d282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #9 0x4b9ce8 in _start (/home/dungnguyen/PoCs/podofo_r1996/podofotxtextract-asan+0x4b9ce8)

Valgrind says:

==14548== Invalid read of size 1
==14548==    at 0x564763: DelayedLoad (PdfVariant.h:555)
==14548==    by 0x564763: GetArray (PdfVariant.h:822)
==14548==    by 0x564763: PoDoFo::PdfFontFactory::CreateFont(FT_LibraryRec_**, PoDoFo::PdfObject*) (PdfFontFactory.cpp:218)
==14548==    by 0x557B44: PoDoFo::PdfFontCache::GetFont(PoDoFo::PdfObject*) (PdfFontCache.cpp:362)
==14548==    by 0x445D10: TextExtractor::ExtractText(PoDoFo::PdfMemDocument*, PoDoFo::PdfPage*) (TextExtractor.cpp:124)
==14548==    by 0x44AB33: TextExtractor::Init(char const*) (TextExtractor.cpp:50)
==14548==    by 0x43C837: main (podofotxtextract.cpp:52)
==14548==  Address 0x13 is not stack'd, malloc'd or (recently) free'd

Thanks,
Manh Dung

Related

Commit: [r1996]

Discussion

  • Matthew Brincke

    Matthew Brincke - 2019-07-10
    • summary: [r1996] crash on podofotxtextract --> [r1996] SEGV of podofotxtextract in Type0 font handling (by PoDoFo::PdfFontFactory::CreateFont)
    • status: open --> accepted
    • assigned_to: Matthew Brincke
     

    Related

    Commit: [r1996]

  • Matthew Brincke

    Matthew Brincke - 2019-07-10

    I'll fix this also ASAP (hopefully today), I think this is a different logical change from the fix for issue #57.

     
    • Matthew Brincke

      Matthew Brincke - 2019-07-10

      Please refrain from creating issues for crashes with PdfFontFactory in the backtrace for now, especially for PdfFontFactory.cpp (svn r1997) lines 195 and 229, which I already know about (from reading the source code). I haven't committed fixes for them with the fix for this issue, because IMHO those are different logical changes, and I'd like to do one commit for each of them.

       
  • Matthew Brincke

    Matthew Brincke - 2019-07-10
    • status: accepted --> pending
     
  • Matthew Brincke

    Matthew Brincke - 2019-07-10

    I've committed my fix now into svn r1997, setting this to "pending" to say I'm done with my testing & committing, but for it to be "fixed" I'd like others to also test, especially on platforms they happen to use, but I don't (e.g. Windows).

     
  • Manh-Dung NGUYEN

    Thanks Matthew. It works.

     
  • Manh-Dung NGUYEN

    As you suggested, I provide a new crashing input due to a heap buffer overflow bug on the commit r1997. Note that the stacktrace contains the function PoDoFo::PdfFontFactory::CreateFont (line 241). Therefore, when you finish your fix, you could also test podofotxtextract with this crashing input.

    PoC: https://github.com/strongcourage/PoCs/blob/master/podofo_r1997/PoC_hbo_PdfFontMetricsObject
    Command: podofotxtextract $PoC

    Valgrind says:

    ==28347== Invalid read of size 1
    ==28347==    at 0x57D987: DelayedLoad (PdfVariant.h:555)
    ==28347==    by 0x57D987: GetDataType (PdfVariant.h:585)
    ==28347==    by 0x57D987: IsReference (PdfVariant.h:209)
    ==28347==    by 0x57D987: PoDoFo::PdfFontMetricsObject::PdfFontMetricsObject(PoDoFo::PdfObject*, PoDoFo::PdfObject*, PoDoFo::PdfEncoding const*) (PdfFontMetricsObject.cpp:119)
    ==28347==    by 0x564B30: PoDoFo::PdfFontFactory::CreateFont(FT_LibraryRec_**, PoDoFo::PdfObject*) (PdfFontFactory.cpp:241)
    ==28347==    by 0x557B44: PoDoFo::PdfFontCache::GetFont(PoDoFo::PdfObject*) (PdfFontCache.cpp:362)
    ==28347==    by 0x445D10: TextExtractor::ExtractText(PoDoFo::PdfMemDocument*, PoDoFo::PdfPage*) (TextExtractor.cpp:124)
    ==28347==    by 0x44A9AB: TextExtractor::Init(char const*) (TextExtractor.cpp:50)
    ==28347==    by 0x43C837: main (podofotxtextract.cpp:52)
    ==28347==  Address 0x74f2d2b is 19 bytes after a block of size 280 alloc'd
    ==28347==    at 0x4C2E0EF: operator new(unsigned long) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
    ==28347==    by 0x4520DF: allocate (new_allocator.h:104)
    ==28347==    by 0x4520DF: allocate (alloc_traits.h:182)
    ==28347==    by 0x4520DF: _M_allocate (stl_vector.h:170)
    ==28347==    by 0x4520DF: _M_create_storage (stl_vector.h:185)
    ==28347==    by 0x4520DF: _Vector_base (stl_vector.h:136)
    ==28347==    by 0x4520DF: vector (stl_vector.h:320)
    ==28347==    by 0x4520DF: PoDoFo::PdfArray::PdfArray(PoDoFo::PdfArray const&) (PdfArray.cpp:59)
    ==28347==    by 0x57D68C: PoDoFo::PdfFontMetricsObject::PdfFontMetricsObject(PoDoFo::PdfObject*, PoDoFo::PdfObject*, PoDoFo::PdfEncoding const*) (PdfFontMetricsObject.cpp:113)
    ==28347==    by 0x564B30: PoDoFo::PdfFontFactory::CreateFont(FT_LibraryRec_**, PoDoFo::PdfObject*) (PdfFontFactory.cpp:241)
    ==28347==    by 0x557B44: PoDoFo::PdfFontCache::GetFont(PoDoFo::PdfObject*) (PdfFontCache.cpp:362)
    ==28347==    by 0x445D10: TextExtractor::ExtractText(PoDoFo::PdfMemDocument*, PoDoFo::PdfPage*) (TextExtractor.cpp:124)
    ==28347==    by 0x44A9AB: TextExtractor::Init(char const*) (TextExtractor.cpp:50)
    ==28347==    by 0x43C837: main (podofotxtextract.cpp:52)
    

    Thanks,
    Manh Dung

     
  • Manh-Dung NGUYEN

    [r1997] One more crashing input in PdfFontFactory::CreateFont (line 229) for testing your patch.

    PoC: https://github.com/strongcourage/PoCs/blob/master/podofo_r1997/PoC_segv_GetIndirectKey

    ASAN says:

    ==7371==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000013 (pc 0x0000004bc1ac sp 0x7ffe3847a8c0 bp 0x7ffe3847a8d0 T0)
        #0 0x4bc1ab in PoDoFo::PdfVariant::DelayedLoad() const /home/dungnguyen/gueb-testing/podofo-code/podofo/trunk/src/podofo/base/PdfVariant.h:555
        #1 0x4bc26d in PoDoFo::PdfVariant::GetDataType() const /home/dungnguyen/gueb-testing/podofo-code/podofo/trunk/src/podofo/base/PdfVariant.h:585
        #2 0x4c62d7 in PoDoFo::PdfVariant::IsDictionary() const /home/dungnguyen/gueb-testing/podofo-code/podofo/trunk/src/podofo/base/PdfVariant.h:197
        #3 0x4d3639 in PoDoFo::PdfObject::GetIndirectKey(PoDoFo::PdfName const&) const /home/dungnguyen/gueb-testing/podofo-code/podofo/trunk/src/podofo/base/PdfObject.cpp:226
        #4 0x51e5b3 in PoDoFo::PdfFontFactory::CreateFont(FT_LibraryRec_**, PoDoFo::PdfObject*) /home/dungnguyen/gueb-testing/podofo-code/podofo/trunk/src/podofo/doc/PdfFontFactory.cpp:229
        #5 0x5152b7 in PoDoFo::PdfFontCache::GetFont(PoDoFo::PdfObject*) /home/dungnguyen/gueb-testing/podofo-code/podofo/trunk/src/podofo/doc/PdfFontCache.cpp:362
        #6 0x53beda in PoDoFo::PdfMemDocument::GetFont(PoDoFo::PdfObject*) /home/dungnguyen/gueb-testing/podofo-code/podofo/trunk/src/podofo/doc/PdfMemDocument.cpp:703
        #7 0x4ba64a in TextExtractor::ExtractText(PoDoFo::PdfMemDocument*, PoDoFo::PdfPage*) /home/dungnguyen/gueb-testing/podofo-code/podofo/trunk/tools/podofotxtextract/TextExtractor.cpp:124
        #8 0x4b9fe7 in TextExtractor::Init(char const*) /home/dungnguyen/gueb-testing/podofo-code/podofo/trunk/tools/podofotxtextract/TextExtractor.cpp:50
        #9 0x4c00b9 in main /home/dungnguyen/gueb-testing/podofo-code/podofo/trunk/tools/podofotxtextract/podofotxtextract.cpp:52
        #10 0x7fc3ec73582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
        #11 0x4b9ce8 in _start (/home/dungnguyen/PoCs/podofo_r1997/podofotxtextract-asan+0x4b9ce8)
    
     

    Related

    Commit: [r1997]

    • Matthew Brincke

      Matthew Brincke - 2019-07-22

      Thank you for your PoC and backtrace, and also for those in your earlier post to this issue; they're valuable for reproducing the bugs, which I'd like to fix after issue #60 (which was reported on the mailing list over 3 years ago and isn't really fixed yet AFAIK). However, they're really distinct bugs, so they should go into new issues again now (can you move them, or should I?).

       
  • Manh-Dung NGUYEN

    Thanks Matthew. Which bugs should I create new issues for? Or both of them?

     
    • Matthew Brincke

      Matthew Brincke - 2019-07-23

      For both of them, please.

       
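As an added example that is not part of this ticket or of PoDoFo itself, the Python script below parses the two report formats quoted in this thread (the AddressSanitizer SEGV from the first report and the Valgrind memcheck blocks from the first and the later post) into one summary. It classifies the fault from the address alone (an address as small as 0x13 is a NULL object pointer plus the offset of the member being read, which is why Valgrind says it is "not stack'd, malloc'd or (recently) free'd"; "19 bytes after a block of size 280" is a heap over-read) and derives a de-duplication signature from the first frame in a .cpp file rather than from the inlined PdfVariant.h accessors, so the ASAN and Valgrind views of the r1996 crash collapse into a single work item. The sample reports are this page's own with the reporter's build paths shortened to /src/podofo; the "blame the first implementation-file frame" rule and the 0x1000 zero-page threshold are heuristics of this example, not anything from PoDoFo.

```python
"""Parse AddressSanitizer and Valgrind memcheck reports into a common crash summary."""
import os
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed samples: the reports quoted in this ticket, stacks trimmed and the
# reporter's build paths shortened to /src/podofo for readability.
ASAN_SEGV = """\
==14022==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000013 (pc 0x0000004bc1ac sp 0x7ffca35cc920 bp 0x7ffca35cc930 T0)
    #0 0x4bc1ab in PoDoFo::PdfVariant::DelayedLoad() const /src/podofo/base/PdfVariant.h:555
    #1 0x4bc623 in PoDoFo::PdfVariant::GetArray() /src/podofo/base/PdfVariant.h:822
    #2 0x51e48e in PoDoFo::PdfFontFactory::CreateFont(FT_LibraryRec_**, PoDoFo::PdfObject*) /src/podofo/doc/PdfFontFactory.cpp:218
    #3 0x5152b7 in PoDoFo::PdfFontCache::GetFont(PoDoFo::PdfObject*) /src/podofo/doc/PdfFontCache.cpp:362
"""
VALGRIND_SEGV = """\
==14548== Invalid read of size 1
==14548==    at 0x564763: DelayedLoad (PdfVariant.h:555)
==14548==    by 0x564763: GetArray (PdfVariant.h:822)
==14548==    by 0x564763: PoDoFo::PdfFontFactory::CreateFont(FT_LibraryRec_**, PoDoFo::PdfObject*) (PdfFontFactory.cpp:218)
==14548==  Address 0x13 is not stack'd, malloc'd or (recently) free'd
"""
VALGRIND_HEAP = """\
==28347== Invalid read of size 1
==28347==    at 0x57D987: DelayedLoad (PdfVariant.h:555)
==28347==    by 0x57D987: IsReference (PdfVariant.h:209)
==28347==    by 0x57D987: PoDoFo::PdfFontMetricsObject::PdfFontMetricsObject(PoDoFo::PdfObject*, PoDoFo::PdfObject*, PoDoFo::PdfEncoding const*) (PdfFontMetricsObject.cpp:119)
==28347==    by 0x564B30: PoDoFo::PdfFontFactory::CreateFont(FT_LibraryRec_**, PoDoFo::PdfObject*) (PdfFontFactory.cpp:241)
==28347==  Address 0x74f2d2b is 19 bytes after a block of size 280 alloc'd
==28347==    at 0x4C2E0EF: operator new(unsigned long) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==28347==    by 0x4520DF: PoDoFo::PdfArray::PdfArray(PoDoFo::PdfArray const&) (PdfArray.cpp:59)
"""

ZERO_PAGE = 0x1000  # heuristic: a fault below ASAN's "zero page" is NULL plus a member offset

ASAN_HEADER = re.compile(r"AddressSanitizer: (?P<kind>[\w-]+) on (?:unknown )?address 0x(?P<addr>[0-9a-fA-F]+)")
ASAN_ACCESS = re.compile(r"^(?P<access>READ|WRITE) of size (?P<size>\d+)", re.M)
ASAN_FRAME = re.compile(r"^\s*#\d+ 0x[0-9a-fA-F]+ in (?P<func>.+?) (?P<file>\S+?):(?P<line>\d+)[ \t]*$", re.M)
VG_ACCESS = re.compile(r"^==\d+== Invalid (?P<access>read|write) of size (?P<size>\d+)", re.M)
VG_ADDR = re.compile(r"^==\d+==\s+Address 0x(?P<addr>[0-9a-fA-F]+) is (?P<rest>.+)$", re.M)
VG_BLOCK = re.compile(r"(?P<off>\d+) bytes (?P<where>after|before) a block of size \d+")
VG_FRAME = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9a-fA-F]+: (?P<func>.+?) \((?P<file>[^():]+):(?P<line>\d+)\)[ \t]*$", re.M)


@dataclass
class Frame:
    func: str
    file: str
    line: int


@dataclass
class CrashSummary:
    tool: str              # "asan" or "valgrind"
    kind: str              # "null-deref", "heap-overflow" or "wild-access"
    access: str            # "read", "write" or "unknown" (ASAN prints no width for a SEGV)
    size: Optional[int]    # access width in bytes, when the tool reports it
    address: int
    offset: Optional[int]  # member offset (null-deref) or bytes outside the block (heap-overflow)
    frames: List[Frame] = field(default_factory=list)

    def blame_frame(self, impl_suffixes=(".cpp", ".cc", ".c")) -> Frame:
        # Heuristic: inlined accessors in headers (PdfVariant.h) only show where the bad
        # pointer was used; the first frame in an implementation file is where the
        # unchecked value came from, which is where a fix usually belongs.
        return next((fr for fr in self.frames if fr.file.endswith(impl_suffixes)), self.frames[0])

    def signature(self) -> str:
        fr = self.blame_frame()
        return f"{self.kind}:{fr.func.split('(')[0]}@{os.path.basename(fr.file)}:{fr.line}"


def classify(addr: int, tool_kind: str, block_offset: Optional[int]) -> Tuple[str, Optional[int]]:
    """Map the faulting address plus the tool's own label to a coarse bug class."""
    if addr < ZERO_PAGE:
        return "null-deref", addr  # e.g. 0x13: NULL object, member at offset 19 was read
    if tool_kind == "heap-buffer-overflow" or block_offset is not None:
        return "heap-overflow", block_offset
    return "wild-access", None


def _frames(pattern, text: str, start: int = 0, end: Optional[int] = None) -> List[Frame]:
    end = len(text) if end is None else end
    return [Frame(m["func"], m["file"], int(m["line"])) for m in pattern.finditer(text, start, end)]


def parse_asan(text: str) -> CrashSummary:
    head = ASAN_HEADER.search(text)
    if not head:
        raise ValueError("not an AddressSanitizer report")
    acc = ASAN_ACCESS.search(text)  # absent for a plain SEGV, present for heap-buffer-overflow
    addr = int(head["addr"], 16)
    kind, offset = classify(addr, head["kind"], None)
    return CrashSummary("asan", kind, acc["access"].lower() if acc else "unknown",
                        int(acc["size"]) if acc else None, addr, offset, _frames(ASAN_FRAME, text))


def parse_valgrind(text: str) -> CrashSummary:
    acc = VG_ACCESS.search(text)
    addr_line = VG_ADDR.search(text, acc.end()) if acc else None
    if not acc or not addr_line:
        raise ValueError("not a memcheck invalid-access report")
    blk = VG_BLOCK.search(addr_line["rest"])
    addr = int(addr_line["addr"], 16)
    kind, offset = classify(addr, "", int(blk["off"]) if blk else None)
    # Only the frames between the access line and the Address line form the access stack;
    # the frames after it describe where the block was allocated or freed.
    return CrashSummary("valgrind", kind, acc["access"], int(acc["size"]), addr, offset,
                        _frames(VG_FRAME, text, acc.end(), addr_line.start()))


def parse_report(text: str) -> CrashSummary:
    return parse_asan(text) if "AddressSanitizer" in text else parse_valgrind(text)


def unique_crashes(reports: List[str]) -> dict:
    """Bucket reports by signature so the same bug seen by two tools is one work item."""
    buckets = {}
    for r in map(parse_report, reports):
        buckets.setdefault(r.signature(), r)
    return buckets


if __name__ == "__main__":
    for sig, r in unique_crashes([ASAN_SEGV, VALGRIND_SEGV, VALGRIND_HEAP]).items():
        print(f"{sig}  ({r.tool}: {r.access} of size {r.size} at {r.address:#x}, offset {r.offset})")
```

Run as-is it prints two buckets: the r1996 null dereference blamed on PdfFontFactory.cpp:218 (seen by both tools) and the later heap over-read blamed on PdfFontMetricsObject.cpp:119. The implementation-file rule is only a starting point for triage; the developer's comments above show the real fix locations were decided by reading the source, not by the top frame.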