Hi Matthew, I am wondering whether some of the bugs found by me (e.g., #56, #57, #58 ...), some of which you have fixed, could be CVEs? There have been quite a lot of CVEs for PoDoFo: https://www.cvedetails.com/vulnerability-list/vendor_id-16143/product_id-36077/Podofo-Project-Podofo.html Thanks, Manh Dung Le

On Tue 15 Oct 2019 at 23:08, Matthew Brincke mabri@users.sourceforge.net wrote:
> status: open --> accepted
> assigned_to: Matthew Brincke
> Comment: As the patch posted for this has only been cursorily tested...
[r1997] podofotxtextract SEGV on unknown address
[r1997] podofotxtextract heap buffer overflow
Thanks Matthew. For which bugs should I create new issues? Or for both of them?
[r1997] One more crashing input in PdfFontFactory::CreateFont (line 229) for testing your patch. PoC: https://github.com/strongcourage/PoCs/blob/master/podofo_r1997/PoC_segv_GetIndirectKey
ASAN says:
==7371==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000013 (pc 0x0000004bc1ac sp 0x7ffe3847a8c0 bp 0x7ffe3847a8d0 T0)
#0 0x4bc1ab in PoDoFo::PdfVariant::DelayedLoad() const /home/dungnguyen/gueb-testing/podofo-code/podofo/trunk/src/podofo/base/PdfVariant.h:555
#1 0x4bc26d in PoDoFo::PdfVariant::GetDataType()...
As you suggested, I provide a new crashing input caused by a heap buffer overflow bug on commit r1997. Note that the stack trace contains the function PoDoFo::PdfFontFactory::CreateFont (line 241). Therefore, when you finish your fix, you could also test podofotxtextract with this crashing input. PoC: https://github.com/strongcourage/PoCs/blob/master/podofo_r1997/PoC_hbo_PdfFontMetricsObject
Command: podofotxtextract $PoC
Valgrind says:
==28347== Invalid read of size 1
==28347== at 0x57D987: DelayedLoad...
Thanks Matthew. It works.
[r1996] crash on podofotxtextract