podofo 0.9.6 NULL pointer dereference caused in...
There is a null pointer dereference vulnerability in PoDoFo::PdfVariant::DelayedLoad in PdfVariant.h caused by ImageExtractor.cpp:124.
gdb output
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x5555557ae000 --> 0x555555781c78 --> 0x555555633594 (<PoDoFo::PdfDictionary::~PdfDictionary()>: push rbp)
RCX: 0x0
RDX: 0x5555557ae018 --> 0x0
RSI: 0x7fffffffd9d0 --> 0x5555557ae000 --> 0x555555781c78 --> 0x555555633594 (<PoDoFo::PdfDictionary::~PdfDictionary()>: push rbp)
RDI: 0x0
RBP: 0x7fffffffd9a0 --> 0x7fffffffd9e0 --> 0x7fffffffdac0 --> 0x7fffffffdce0 --> 0x7fffffffdf50 --> 0x55555570a640 (<__libc_csu_init>: push r15)
RSP: 0x7fffffffd990 --> 0x7fffffffd9d0 --> 0x5555557ae000 --> 0x555555781c78 --> 0x555555633594 (<PoDoFo::PdfDictionary::~PdfDictionary()>: push rbp)
RIP: 0x5555556323ee (<PoDoFo::PdfVariant::DelayedLoad() const+16>: movzx eax,BYTE PTR [rax+0x13])
R8 : 0x0
R9 : 0x7fffffffda90 --> 0x746867696548 ('Height')
R10: 0x555555711562 --> 0x365000000000000a ('\n')
R11: 0x246
R12: 0x555555630ec0 (<_start>: xor ebp,ebp)
R13: 0x7fffffffe030 --> 0x3
R14: 0x0
R15: 0x0
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x5555556323e2 <PoDoFo::PdfVariant::DelayedLoad() const+4>: sub rsp,0x10
0x5555556323e6 <PoDoFo::PdfVariant::DelayedLoad() const+8>: mov QWORD PTR [rbp-0x8],rdi
0x5555556323ea <PoDoFo::PdfVariant::DelayedLoad() const+12>: mov rax,QWORD PTR [rbp-0x8]
=> 0x5555556323ee <PoDoFo::PdfVariant::DelayedLoad() const+16>: movzx eax,BYTE PTR [rax+0x13]
0x5555556323f2 <PoDoFo::PdfVariant::DelayedLoad() const+20>: xor eax,0x1
0x5555556323f5 <PoDoFo::PdfVariant::DelayedLoad() const+23>: test al,al
0x5555556323f7 <PoDoFo::PdfVariant::DelayedLoad() const+25>: je 0x555555632418 <PoDoFo::PdfVariant::DelayedLoad() const+58>
0x5555556323f9 <PoDoFo::PdfVariant::DelayedLoad() const+27>: mov rax,QWORD PTR [rbp-0x8]
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffd990 --> 0x7fffffffd9d0 --> 0x5555557ae000 --> 0x555555781c78 --> 0x555555633594 (<PoDoFo::PdfDictionary::~PdfDictionary()>: push rbp)
0008| 0x7fffffffd998 --> 0x0
0016| 0x7fffffffd9a0 --> 0x7fffffffd9e0 --> 0x7fffffffdac0 --> 0x7fffffffdce0 --> 0x7fffffffdf50 --> 0x55555570a640 (<__libc_csu_init>: push r15)
0024| 0x7fffffffd9a8 --> 0x55555563246c (<PoDoFo::PdfVariant::GetNumber() const+42>: mov rax,QWORD PTR [rbp-0x28])
0032| 0x7fffffffd9b0 --> 0x7fffffffda70 --> 0x555555783340 --> 0x55555564034a (<PoDoFo::PdfName::~PdfName()>: push rbp)
0040| 0x7fffffffd9b8 --> 0x0
0048| 0x7fffffffd9c0 --> 0x555555711594 --> 0x5700746867696548 ('Height')
0056| 0x7fffffffd9c8 --> 0x22cb786a44b6d00
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00005555556323ee in PoDoFo::PdfVariant::DelayedLoad (this=0x0) at /home/tim/podofo-0.9.6/src/base/PdfVariant.h:553
553 if( !m_bDelayedLoadDone)
gdb-peda$ bt
#0 0x00005555556323ee in PoDoFo::PdfVariant::DelayedLoad (this=0x0) at /home/tim/podofo-0.9.6/src/base/PdfVariant.h:553
#1 0x000055555563246c in PoDoFo::PdfVariant::GetNumber (this=0x0) at /home/tim/podofo-0.9.6/src/base/PdfVariant.h:645
#2 0x000055555563179e in ImageExtractor::ExtractImage (this=0x7fffffffdd20, pObject=0x5555557b15a0, bJpeg=0x0) at /home/tim/podofo-0.9.6/tools/podofoimgextract/ImageExtractor.cpp:124
#3 0x000055555563146c in ImageExtractor::Init (this=0x7fffffffdd20, pszInput=0x7fffffffe3bc "crashes/123-compressed_1507.pdf-signalb-0x96", pszOutput=0x7fffffffe3e9 "out", pnNum=0x7fffffffdd04)
at /home/tim/podofo-0.9.6/tools/podofoimgextract/ImageExtractor.cpp:81
#4 0x0000555555632b56 in main (argc=0x3, argv=0x7fffffffe038) at /home/tim/podofo-0.9.6/tools/podofoimgextract/podofoimgextract.cpp:54
#5 0x00007ffff755db6b in __libc_start_main (main=0x555555632ab5 <main(int, char**)>, argc=0x3, argv=0x7fffffffe038, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe028) at ../csu/libc-start.c:308
#6 0x0000555555630eea in _start ()
gdb-peda$ p m_bDelayedLoadDone
Cannot access memory at address 0x13
gdb-peda$ p &m_bDelayedLoadDone
$1 = (bool *) 0x13
gdb-peda$
run ./podofoimgextract $poc out
Possible patch
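The backtrace shows GetNumber() entered with this=0x0, i.e. a dictionary lookup returned NULL and the caller at ImageExtractor.cpp:124 dereferenced it. The following is an added example, a small constructed model rather than PoDoFo's own code or the attached patch; it assumes that line 124 reads the image's /Height entry (the 'Height' string in R9 suggests so) and shows the unchecked access beside a hardened version that rejects the object with an error instead of crashing, the same outcome the maintainer describes for r2035.

```cpp
#include <cstdint>
#include <map>
#include <stdexcept>
#include <string>

// Constructed stand-in for a lazily loaded PDF object; not PoDoFo's PdfVariant.
struct Variant {
    int64_t number;
    bool delayedLoadDone;
    Variant() : number(0), delayedLoadDone(false) {}
    explicit Variant(int64_t n) : number(n), delayedLoadDone(false) {}
    // Reads a member through `this`: with this == nullptr it faults, as at PdfVariant.h:553.
    void DelayedLoad() {
        if (!delayedLoadDone) delayedLoadDone = true;  // the real class parses the object here
    }
    int64_t GetNumber() { DelayedLoad(); return number; }
};

// Lookup returns nullptr for an absent key, which is what reached GetNumber() in the trace.
struct Dictionary {
    std::map<std::string, Variant> keys;
    Variant* GetKey(const std::string& name) {
        auto it = keys.find(name);
        return it == keys.end() ? nullptr : &it->second;
    }
};

// Unchecked pattern: a PDF whose image dictionary lacks /Height makes this call
// GetNumber() on nullptr, so DelayedLoad() dereferences this == 0 (undefined behaviour).
int64_t HeightUnchecked(Dictionary& dict) {
    return dict.GetKey("Height")->GetNumber();
}

// Hardened pattern: a missing key becomes a reportable error instead of a crash.
int64_t HeightChecked(Dictionary& dict) {
    Variant* h = dict.GetKey("Height");
    if (h == nullptr) throw std::runtime_error("image XObject has no /Height entry");
    return h->GetNumber();
}

// Builds a constructed image dictionary with /Width only and checks that the
// hardened accessor rejects it; returns true when it did.
bool MissingHeightIsRejected() {
    Dictionary d;
    d.keys["Width"] = Variant(640);
    try { HeightChecked(d); } catch (const std::runtime_error&) { return true; }
    return false;
}
```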
Thanks for the patch. It has become obsolete in the meantime; the current r2035 doesn't dereference the NULL pointer, it ends with an error: