[r1997] podofotxtextract heap buffer overflow
A PDF parsing, modification and creation library.
Hi,
I found a crashing input due to a heap buffer overflow bug on the commit r1997.
PoC: https://github.com/strongcourage/PoCs/blob/master/podofo_r1997/PoC_hbo_PdfFontMetricsObject
Command: podofotxtextract $PoC
Valgrind says:
==28347== Invalid read of size 1
==28347== at 0x57D987: DelayedLoad (PdfVariant.h:555)
==28347== by 0x57D987: GetDataType (PdfVariant.h:585)
==28347== by 0x57D987: IsReference (PdfVariant.h:209)
==28347== by 0x57D987: PoDoFo::PdfFontMetricsObject::PdfFontMetricsObject(PoDoFo::PdfObject*, PoDoFo::PdfObject*, PoDoFo::PdfEncoding const*) (PdfFontMetricsObject.cpp:119)
==28347== by 0x564B30: PoDoFo::PdfFontFactory::CreateFont(FT_LibraryRec_**, PoDoFo::PdfObject*) (PdfFontFactory.cpp:241)
==28347== by 0x557B44: PoDoFo::PdfFontCache::GetFont(PoDoFo::PdfObject*) (PdfFontCache.cpp:362)
==28347== by 0x445D10: TextExtractor::ExtractText(PoDoFo::PdfMemDocument*, PoDoFo::PdfPage*) (TextExtractor.cpp:124)
==28347== by 0x44A9AB: TextExtractor::Init(char const*) (TextExtractor.cpp:50)
==28347== by 0x43C837: main (podofotxtextract.cpp:52)
==28347== Address 0x74f2d2b is 19 bytes after a block of size 280 alloc'd
==28347== at 0x4C2E0EF: operator new(unsigned long) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==28347== by 0x4520DF: allocate (new_allocator.h:104)
==28347== by 0x4520DF: allocate (alloc_traits.h:182)
==28347== by 0x4520DF: _M_allocate (stl_vector.h:170)
==28347== by 0x4520DF: _M_create_storage (stl_vector.h:185)
==28347== by 0x4520DF: _Vector_base (stl_vector.h:136)
==28347== by 0x4520DF: vector (stl_vector.h:320)
==28347== by 0x4520DF: PoDoFo::PdfArray::PdfArray(PoDoFo::PdfArray const&) (PdfArray.cpp:59)
==28347== by 0x57D68C: PoDoFo::PdfFontMetricsObject::PdfFontMetricsObject(PoDoFo::PdfObject*, PoDoFo::PdfObject*, PoDoFo::PdfEncoding const*) (PdfFontMetricsObject.cpp:113)
==28347== by 0x564B30: PoDoFo::PdfFontFactory::CreateFont(FT_LibraryRec_**, PoDoFo::PdfObject*) (PdfFontFactory.cpp:241)
==28347== by 0x557B44: PoDoFo::PdfFontCache::GetFont(PoDoFo::PdfObject*) (PdfFontCache.cpp:362)
==28347== by 0x445D10: TextExtractor::ExtractText(PoDoFo::PdfMemDocument*, PoDoFo::PdfPage*) (TextExtractor.cpp:124)
==28347== by 0x44A9AB: TextExtractor::Init(char const*) (TextExtractor.cpp:50)
==28347== by 0x43C837: main (podofotxtextract.cpp:52)
Thanks,
Manh Dung
I've found a fix to this, I hope (only cursorily tested yet, because it is not to be committed before the special revision svn r2000 has been made, I'll test it later in more build environments). It should fix also a possible null-pointer dereference and another (possible, with another PoC I don't yet have) array out-of-bounds access (both in the same loop, therefore I've put them in this, too). The patch is attached.
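As an added illustration of the two defects described in that comment (an index past the end of the copied array, and a dereference of an element that did not resolve), here is a vulnerable width-array loop beside a hardened one. This is not PoDoFo's code and not the attached patch; FontDict, MockObject, WidthsChecked and the sample builders are hypothetical stand-ins, and the assumption that the loop walks a /Widths-style array driven by /FirstChar and /LastChar is mine, not something the report states.

```cpp
#include <algorithm>
#include <cstddef>
#include <optional>
#include <vector>

// Hypothetical stand-ins for a parsed PDF object and a font dictionary.
// They are NOT PoDoFo types; they only model the shape of the data.
struct MockObject { double number; };

struct FontDict {
    int firstChar;                          // /FirstChar as read from the file
    int lastChar;                           // /LastChar as read from the file
    std::vector<const MockObject*> widths;  // /Widths; nullptr = reference that did not resolve
};

// Vulnerable pattern (never called here): the declared /FirstChar../LastChar
// range drives the index into /Widths with no comparison against the array's
// real length, and each element is dereferenced with no null check.
[[maybe_unused]] static std::vector<double> WidthsUnchecked(const FontDict& f) {
    std::vector<double> out;
    for (int code = f.firstChar; code <= f.lastChar; ++code)
        out.push_back(f.widths[code - f.firstChar]->number);  // OOB read, null deref
    return out;
}

// Hardened pattern: a malformed range is rejected, the loop bound is clamped
// to the array's real size, and an unresolved element falls back to a
// default width instead of being dereferenced.
static std::optional<std::vector<double>> WidthsChecked(const FontDict& f, double fallback) {
    if (f.firstChar < 0 || f.lastChar < f.firstChar) return std::nullopt;
    const std::size_t declared = static_cast<std::size_t>(f.lastChar - f.firstChar) + 1;
    const std::size_t present = std::min(declared, f.widths.size());
    std::vector<double> out(declared, fallback);
    for (std::size_t i = 0; i < present; ++i)
        if (f.widths[i] != nullptr) out[i] = f.widths[i]->number;
    return out;
}

// Constructed sample in the spirit of the report: the range declares five
// codes, the array holds only three entries, and one entry is unresolved.
static FontDict MalformedSample() {
    static const MockObject a{600.0}, b{700.0};
    return FontDict{32, 36, {&a, nullptr, &b}};
}

// Constructed sample with /LastChar < /FirstChar.
static FontDict ReversedRangeSample() { return FontDict{40, 32, {}}; }

// Widths the hardened loop yields for the malformed sample (empty if rejected).
static std::vector<double> SampleWidths() {
    return WidthsChecked(MalformedSample(), 500.0).value_or(std::vector<double>{});
}
```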
Hi Matthew,
I am wondering whether some of the bugs I found (e.g., #56, #57, #58 ...), some of which you have fixed, could be CVEs?
There were quite a lot of CVEs of PoDoFo:
https://www.cvedetails.com/vulnerability-list/vendor_id-16143/product_id-36077/Podofo-Project-Podofo.html
Thanks,
Manh Dung
On Tue 15 Oct. 2019 at 23:08, Matthew Brincke mabri@users.sourceforge.net has written:
Last edit: Matthew Brincke 2021-02-20
As the patch posted for this has only been cursorily tested by me, and also for another reason (the special revision 2000 hasn't been made yet), please don't commit this! Therefore only changing to "accepted", not "pending".
For Address Sanitizer output about this issue and newer discussion by me, please see also issue #112, which I just closed as a duplicate of this one.