On Sun, Jan 28, 2018 at 12:52:55AM +0100, Matthew Brincke wrote:
> > > src/src/base/PdfXRefStreamParserObject.cpp:125:64: runtime error:
> > > signed integer overflow: 3 + 9223372036854775807 cannot be
> > > represented in type 'long int [3]'
> 
> It still looks CVE-worthy (specifically, CVE-2018-5295) to me in
> svn r1875 as signed integer overflow is undefined behaviour (AFAIK
> also for 64-bit integer types). This happens for e.g. nW[0] + nW[1] >
> std::numeric_limits<pdf_int64>::max() - nW[2] assuming all nW[] > 0
> (first in line 125).

So I've received another patch for this in Debian,
https://bugs.debian.org/889511, from Matthias Brinke:
> I've implemented a patch to fix this vulnerability, it is attached
> and tested with the PoC from the report (RedHat Bugzilla #1531897)
> and GCC 7 UBSan (-fsanitize=undefined in CXXFLAGS set via .sbuildrc).
> The builds were done with sbuild in an up-to-date Debian sid chroot.
> I've done the tests in a sandbox, where, without the patch,
> signed integer overflow was detected; with it, nothing from UBSan.
> Otherwise, the same (expected, correct for the PoC) exception message
> with detailed info and "call stack" (via PdfError method) was output
> by podofoimgextract.


The patch is attached (it's against released 0.9.5).


(PS: should we start moving these kinds of things to the bug tracker, or
perhaps only start with new ones, etc?)

-- 
regards,
                        Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540      .''`.
more about me:  https://mapreri.org                             : :'  :
Launchpad user: https://launchpad.net/~mapreri                  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-
Description: Fix CVE-2018-5295
Author: Matthias Brinke <podofo-sec-cont...@mailbox.org>
Last-Updated: 2018-01-30
---
--- libpodofo-0.9.5.orig/src/base/PdfXRefStreamParserObject.cpp
+++ libpodofo-0.9.5/src/base/PdfXRefStreamParserObject.cpp
@@ -38,7 +38,9 @@
 #include "PdfStream.h"
 #include "PdfVariant.h"
 
-#include <stdio.h>
+// #include <stdio.h>
+
+#include <limits>
 
 namespace PoDoFo {
 
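Review bot: commenting out `#include <stdio.h>` instead of deleting it leaves a dead line in the include list; if the header is unused in this file, remove the line, and if anything in the file still depends on it (not visible in this hunk), keep it as it was, since touching it is unrelated to the CVE fix either way. Adding `#include <limits>` for the `std::numeric_limits` use in the next hunk is correct.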
@@ -122,12 +124,25 @@ void PdfXRefStreamParserObject::ParseStr
 {
     char*        pBuffer;
     pdf_long     lBufferLen;
-    const size_t entryLen  = static_cast<size_t>(nW[0] + nW[1] + nW[2]);
 
-    if( nW[0] + nW[1] + nW[2] < 0 )
+    for(pdf_int64 nLengthSum = 0, i = 0; i < W_ARRAY_SIZE; i++ )
     {
-        PODOFO_RAISE_ERROR_INFO( ePdfError_NoXRef, "Invalid entry length in XRef stream" );
+        if ( nW[i] < 0 )
+        {
+            PODOFO_RAISE_ERROR_INFO( ePdfError_NoXRef,
+                                    "Negative field length in XRef stream" );
+        }
+        if ( std::numeric_limits<pdf_int64>::max() - nLengthSum < nW[i] )
+        {
+            PODOFO_RAISE_ERROR_INFO( ePdfError_NoXRef,
+                                    "Invalid entry length in XRef stream" );
+        }
+        else
+        {
+            nLengthSum += nW[i];
+        }
     }
+    const size_t entryLen  = static_cast<size_t>(nW[0] + nW[1] + nW[2]);
 
     this->GetStream()->GetFilteredCopy( &pBuffer, &lBufferLen );
 
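Review bot: the new `entryLen` line recomputes `nW[0] + nW[1] + nW[2]` instead of reusing the sum the loop has just validated; declare `nLengthSum` before the `for` so it stays in scope and write `const size_t entryLen = static_cast<size_t>(nLengthSum);`, which also ties the result to `W_ARRAY_SIZE` rather than to a hard-coded three fields. The `else` around `nLengthSum += nW[i]` is redundant because `PODOFO_RAISE_ERROR_INFO` throws and does not return. The overflow test itself is correct, since `max() - nLengthSum < nW[i]` is evaluated before the addition and both operands are known non-negative at that point; note, however, that the cast to `size_t` can still truncate a valid `pdf_int64` sum on 32-bit builds, so an upper bound on the entry length (or a check against `lBufferLen` once the filtered buffer is fetched) would be worth adding.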

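As an added example (not part of the attached patch or of PoDoFo itself), the width validation the thread discusses as a stand-alone C++ function, exercised with the widths from the quoted UBSan report; the `xrefEntryLength`/`xrefWidthsRejected` names and the `XRefWidths` type are constructed here, and the final size_t fit check goes beyond the patch.

```cpp
#include <array>
#include <cstdint>
#include <limits>
#include <stdexcept>

// The three /W field widths of a PDF cross-reference stream, as read from
// the stream dictionary (constructed type for this example).
using XRefWidths = std::array<std::int64_t, 3>;

// Returns nW[0] + nW[1] + nW[2] as the entry length, or throws when a field
// is negative, the sum would overflow int64, or the sum does not fit size_t.
// Each overflow test runs before the addition, so the sum never leaves the
// representable range; adding first and testing the result afterwards is
// undefined behaviour on signed overflow, which is what UBSan flagged.
std::size_t xrefEntryLength(const XRefWidths& nW)
{
    std::int64_t sum = 0;
    for (std::int64_t w : nW) {
        if (w < 0)
            throw std::invalid_argument("Negative field length in XRef stream");
        if (std::numeric_limits<std::int64_t>::max() - sum < w)
            throw std::invalid_argument("Invalid entry length in XRef stream");
        sum += w;
    }
    // Beyond the patch: on a 32-bit build size_t is narrower than int64, so a
    // non-overflowing sum could still be truncated by the cast below.
    if (static_cast<std::uint64_t>(sum) > std::numeric_limits<std::size_t>::max())
        throw std::invalid_argument("Entry length too large for this platform");
    return static_cast<std::size_t>(sum);
}

// True when the widths are rejected, false when they yield a usable length.
bool xrefWidthsRejected(const XRefWidths& nW)
{
    try {
        xrefEntryLength(nW);
        return false;
    } catch (const std::invalid_argument&) {
        return true;
    }
}
```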