Source: libpodofo
Version: 0.9.5-8
Tags: upstream security patch
Severity: important
CVE-2018-5295 from the security-tracker.debian.org:
In PoDoFo 0.9.5, there is an integer overflow in
the PdfXRefStreamParserObject::ParseStream function
(base/PdfXRefStreamParserObject.cpp). Remote attackers
could leverage this vulnerability to cause a denial-of-service
via a crafted pdf file.
I've implemented a patch to fix this vulnerability, it is attached
and tested with the PoC from the report (RedHat Bugzilla #1531897)
and GCC 7 UBSan (-fsanitize=undefined in CXXFLAGS set via .sbuildrc).
The builds were done with sbuild in an up-to-date Debian sid chroot.
I've done the tests in a sandbox, where without the patch,
signed integer overflow was detected, with it, nothing from UBSan.
Otherwise, the same (expected, correct for the PoC) exception message
with detailed info and "call stack" (via PdfError method) was output
by podofoimgextract.
This bug is probably also present in version 0.9.4-6 in stretch, but I
haven't tested that, I don't use stretch (yet).
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
Best regards, Matthias Brinke
Description: Fix CVE-2018-5295
Author: Matthias Brinke <[email protected]>
Last-Updated: 2018-01-30
---
--- libpodofo-0.9.5.orig/src/base/PdfXRefStreamParserObject.cpp
+++ libpodofo-0.9.5/src/base/PdfXRefStreamParserObject.cpp
@@ -38,7 +38,9 @@
#include "PdfStream.h"
#include "PdfVariant.h"
-#include <stdio.h>
+// #include <stdio.h>
+
+#include <limits>
namespace PoDoFo {
@@ -122,12 +124,25 @@ void PdfXRefStreamParserObject::ParseStr
{
char* pBuffer;
pdf_long lBufferLen;
- const size_t entryLen = static_cast<size_t>(nW[0] + nW[1] + nW[2]);
- if( nW[0] + nW[1] + nW[2] < 0 )
+ for(pdf_int64 nLengthSum = 0, i = 0; i < W_ARRAY_SIZE; i++ )
{
- PODOFO_RAISE_ERROR_INFO( ePdfError_NoXRef, "Invalid entry length in XRef stream" );
+ if ( nW[i] < 0 )
+ {
+ PODOFO_RAISE_ERROR_INFO( ePdfError_NoXRef,
+ "Negative field length in XRef stream" );
+ }
+ if ( std::numeric_limits<pdf_int64>::max() - nLengthSum < nW[i] )
+ {
+ PODOFO_RAISE_ERROR_INFO( ePdfError_NoXRef,
+ "Invalid entry length in XRef stream" );
+ }
+ else
+ {
+ nLengthSum += nW[i];
+ }
}
+ const size_t entryLen = static_cast<size_t>(nW[0] + nW[1] + nW[2]);
this->GetStream()->GetFilteredCopy( &pBuffer, &lBufferLen );