On Sun, Jan 28, 2018 at 12:52:55AM +0100, Matthew Brincke wrote:
> > > src/src/base/PdfXRefStreamParserObject.cpp:125:64: runtime error:
> > > signed integer overflow: 3 + 9223372036854775807 cannot be
> > > represented in type 'long int [3]'
>
> It looks like still CVE-worthy (specifically, CVE-2018-5295) to me in
> svn r1875 as signed integer overflow is undefined behaviour (AFAIK
> also for 64-bit integer types). This happens for e.g. nW[0] + nW[1] >
> std::numeric_limits<pdf_int64>::max() - nW[2] assuming all nW[] > 0
> (first in line 125).
So I've received another patch for this in Debian, https://bugs.debian.org/889511, from Matthias Brinke:

> I've implemented a patch to fix this vulnerability, it is attached
> and tested with the PoC from the report (RedHat Bugzilla #1531897)
> and GCC 7 UBSan (-fsanitize=undefined in CXXFLAGS set via .sbuildrc).
> The builds were done with sbuild in an up-to-date Debian sid chroot.
> I've done the tests in a sandbox, where without the patch,
> signed integer overflow was detected, with it, nothing from UBSan.
> Otherwise, the same (expected, correct for the PoC) exception message
> with detailed info and "call stack" (via PdfError method) was output
> by podofoimgextract.

The patch is attached (it's against released 0.9.5).

(PS: should we start moving these kinds of things to the bug tracker, or perhaps only start with new ones, etc?)

-- 
regards,
                        Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540      .''`.
more about me:  https://mapreri.org                             : :'  :
Launchpad user: https://launchpad.net/~mapreri                  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-
Description: Fix CVE-2018-5295 Author: Matthias Brinke <podofo-sec-cont...@mailbox.org> Last-Updated: 2018-01-30 --- --- libpodofo-0.9.5.orig/src/base/PdfXRefStreamParserObject.cpp +++ libpodofo-0.9.5/src/base/PdfXRefStreamParserObject.cpp @@ -38,7 +38,9 @@ #include "PdfStream.h" #include "PdfVariant.h" -#include <stdio.h> +// #include <stdio.h> + +#include <limits> namespace PoDoFo { @@ -122,12 +124,25 @@ void PdfXRefStreamParserObject::ParseStr { char* pBuffer; pdf_long lBufferLen; - const size_t entryLen = static_cast<size_t>(nW[0] + nW[1] + nW[2]); - if( nW[0] + nW[1] + nW[2] < 0 ) + for(pdf_int64 nLengthSum = 0, i = 0; i < W_ARRAY_SIZE; i++ ) { - PODOFO_RAISE_ERROR_INFO( ePdfError_NoXRef, "Invalid entry length in XRef stream" ); + if ( nW[i] < 0 ) + { + PODOFO_RAISE_ERROR_INFO( ePdfError_NoXRef, + "Negative field length in XRef stream" ); + } + if ( std::numeric_limits<pdf_int64>::max() - nLengthSum < nW[i] ) + { + PODOFO_RAISE_ERROR_INFO( ePdfError_NoXRef, + "Invalid entry length in XRef stream" ); + } + else + { + nLengthSum += nW[i]; + } } + const size_t entryLen = static_cast<size_t>(nW[0] + nW[1] + nW[2]); this->GetStream()->GetFilteredCopy( &pBuffer, &lBufferLen );
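Review bot: in the include hunk, turning `#include <stdio.h>` into `// #include <stdio.h>` leaves a dead line in the header block. If nothing in this file needs stdio any more, delete the line outright; if anything still does (the rest of the patch does not touch any call sites), keep the include. Adding `<limits>` for `std::numeric_limits` is the right dependency for the new check.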
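Review bot: in the ParseStream hunk, `nLengthSum` is declared in the for-init and is out of scope once the loop ends, which is why the last added line recomputes `static_cast<size_t>(nW[0] + nW[1] + nW[2])` from the raw widths instead of using the total the loop just validated. Declare `nLengthSum` before the loop and use it, e.g. `const size_t entryLen = static_cast<size_t>(nLengthSum);`, so the checked value and the used value cannot diverge. Smaller points: the `else` around `nLengthSum += nW[i];` is redundant because PODOFO_RAISE_ERROR_INFO throws; declaring `i` as `pdf_int64` in the same for-init will draw a signed/unsigned comparison warning against W_ARRAY_SIZE if that constant is unsigned; and an all-zero /W array still passes both checks with an entry length of 0, so unless a later check already rejects that, add one here, since a zero entry length makes the stream body undecodable.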
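As an added example that is not part of this thread and not PoDoFo's own code: a self-contained C++ rendering of the overflow-safe /W width summation discussed above, followed by a decoder that uses the checked entry length to split a cross-reference stream body into entries. The names SafeEntryLen, DecodeXRefStream, XRefEntry and the pdf_int64/W_ARRAY_SIZE stand-ins are assumptions made for the example, not PoDoFo identifiers, and the sample stream bytes are constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <limits>
#include <stdexcept>
#include <vector>

// Stand-ins for PoDoFo's pdf_int64 and W_ARRAY_SIZE (assumed names, not
// taken from the project).
typedef int64_t pdf_int64;
static const size_t W_ARRAY_SIZE = 3;

// One decoded cross-reference stream entry (PDF 1.5+ /Type /XRef streams).
struct XRefEntry {
    uint64_t type;    // field 1: 0 = free, 1 = uncompressed, 2 = in object stream
    uint64_t field2;  // byte offset (type 1) or object-stream number (type 2)
    uint64_t field3;  // generation (type 1) or index inside the object stream (type 2)
};

// Sum the /W field widths without ever evaluating an overflowing signed
// expression: each width is checked before it is added, and the running
// total outlives the loop so the checked value is the one that gets used.
size_t SafeEntryLen(const pdf_int64 nW[W_ARRAY_SIZE]) {
    pdf_int64 nLengthSum = 0;
    for (size_t i = 0; i < W_ARRAY_SIZE; ++i) {
        if (nW[i] < 0)
            throw std::runtime_error("Negative field length in XRef stream");
        // a + b overflows iff b > INT64_MAX - a; this test itself cannot overflow.
        if (std::numeric_limits<pdf_int64>::max() - nLengthSum < nW[i])
            throw std::runtime_error("Invalid entry length in XRef stream");
        nLengthSum += nW[i];
    }
    if (nLengthSum == 0)
        throw std::runtime_error("Zero entry length in XRef stream");
    // Guard the int64 -> size_t cast on targets where size_t is narrower.
    if (static_cast<uint64_t>(nLengthSum) > std::numeric_limits<size_t>::max())
        throw std::runtime_error("Entry length does not fit in size_t");
    return static_cast<size_t>(nLengthSum);
}

// Convenience wrappers so the checks can be exercised with plain values.
size_t SafeEntryLenOf(pdf_int64 w0, pdf_int64 w1, pdf_int64 w2) {
    const pdf_int64 nW[W_ARRAY_SIZE] = {w0, w1, w2};
    return SafeEntryLen(nW);
}
bool EntryLenRejected(pdf_int64 w0, pdf_int64 w1, pdf_int64 w2) {
    try { SafeEntryLenOf(w0, w1, w2); return false; }
    catch (const std::runtime_error&) { return true; }
}

// Read a big-endian unsigned field of `width` bytes (width <= 8).
static uint64_t ReadField(const unsigned char* p, size_t width) {
    uint64_t v = 0;
    for (size_t i = 0; i < width; ++i) v = (v << 8) | p[i];
    return v;
}

// Split a decoded xref stream body into entries. The buffer is only touched
// after the entry length has been validated and shown to divide the body.
std::vector<XRefEntry> DecodeXRefStream(const pdf_int64 nW[W_ARRAY_SIZE],
                                        const unsigned char* buf, size_t len) {
    const size_t entryLen = SafeEntryLen(nW);
    for (size_t i = 0; i < W_ARRAY_SIZE; ++i)
        if (nW[i] > 8)  // wider fields cannot be held in a uint64_t
            throw std::runtime_error("XRef field wider than 8 bytes");
    if (len % entryLen != 0)
        throw std::runtime_error("XRef stream length is not a multiple of the entry length");

    std::vector<XRefEntry> out;
    for (size_t off = 0; off < len; off += entryLen) {
        const unsigned char* p = buf + off;
        XRefEntry e;
        // A zero-width first field means "type 1" for every entry (PDF 32000-1, 7.5.8.3).
        e.type   = nW[0] ? ReadField(p, static_cast<size_t>(nW[0])) : 1;
        e.field2 = ReadField(p + nW[0], static_cast<size_t>(nW[1]));
        e.field3 = ReadField(p + nW[0] + nW[1], static_cast<size_t>(nW[2]));
        out.push_back(e);
    }
    return out;
}

// Constructed sample: /W [1 2 1], two entries (an in-use object at offset 10,
// then an object stored as index 2 of object stream 3).
static const pdf_int64 kSampleW[W_ARRAY_SIZE] = {1, 2, 1};
static const unsigned char kSampleBody[] = {
    0x01, 0x00, 0x0A, 0x00,
    0x02, 0x00, 0x03, 0x02,
};

std::vector<XRefEntry> DecodeSample() {
    return DecodeXRefStream(kSampleW, kSampleBody, sizeof kSampleBody);
}

// A body cut short by one byte must be refused before any entry is read.
bool TruncatedSampleRejected() {
    try { DecodeXRefStream(kSampleW, kSampleBody, sizeof kSampleBody - 1); return false; }
    catch (const std::runtime_error&) { return true; }
}

int main() {
    std::vector<XRefEntry> es = DecodeSample();
    for (size_t i = 0; i < es.size(); ++i)
        std::printf("entry %zu: type=%llu f2=%llu f3=%llu\n", i,
                    (unsigned long long)es[i].type, (unsigned long long)es[i].field2,
                    (unsigned long long)es[i].field3);
    // The widths from the UBSan report in this thread are rejected rather than wrapped.
    std::printf("W=[3 INT64_MAX 0] rejected: %s\n",
                EntryLenRejected(3, std::numeric_limits<pdf_int64>::max(), 0) ? "yes" : "no");
    return 0;
}
```

The order of the checks is the point: the negativity test runs before the width is used in any arithmetic, the overflow test is phrased as a subtraction from the type's maximum so it can never overflow itself, and the decoder only reads the buffer once the entry length is known to be non-zero and to divide the body length exactly.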
_______________________________________________
Podofo-users mailing list
Podofo-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/podofo-users