Hi,

I’ve been writing unit tests to check the fixes for various parser-related CVEs.

I’m happy to say the fix for CVE-2017-5853 and CVE-2017-6844 prevents overflows on 32-bit (Win32) and LP64 (macOS) architectures for a wide range of values. I’ve not tested LLP64 (Win64), which may behave differently because sizeof(long) != sizeof(size_t).

I did find 2 problems:

1. m_offsets.resize() can throw std::length_error as well as std::bad_alloc. The C++ spec also says implementations are allowed to throw other exceptions in addition to these as long as they’re derived from the base class (std::exception). Currently ReadXRefSubSection throws a std::length_error instead of PdfError for large values of nFirstObject and nNumObjects – this causes an unhandled exception termination unless the caller is catching std::length_error. I think this needs fixed for 0.9.6 - the attached patch fixes that.

2. The PdfError thrown for out-of-range values is ePdfError_ValueOutOfRange for some values and ePdfError_InvalidXRef for other values (and the specific values change depending on whether the code is compiled for 32-bit or 64-bit). I don’t think this is serious enough to fix for 0.9.6 – but the fix would be making all the errors in ReadXRefSubSection all throw ePdfError_InvalidXRef or all throw ePdfError_InvalidXRef.

I can also submit the parser unit tests now, but I was planning to wait until the 0.9.6 release was complete.

Cheers
Mark

--
Mark Rogers - mark.rog...@powermapper.com
PowerMapper Software Ltd - www.powermapper.com
Registered in Scotland No 362274
Quartermile 2 Edinburgh EH3 9GL
patch-length-error.diff
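The failure mode in point 1 of the message above, as an added example that is not part of the original post or the attached patch: an unguarded std::vector::resize() lets std::length_error escape to the caller, while a guarded version reports every failure as the parser's own error type. ParseError, XRefEntry, grow_unguarded, grow_guarded and probe are hypothetical names used for illustration, not PoDoFo's code.

```cpp
#include <cstddef>
#include <cstdio>
#include <exception>
#include <limits>
#include <new>
#include <stdexcept>
#include <string>
#include <vector>

// Hypothetical stand-in for the parser's error type; not PoDoFo's PdfError.
struct ParseError : std::runtime_error {
    using std::runtime_error::runtime_error;
};
struct XRefEntry { unsigned long long offset; unsigned generation; };
// Constructed value: larger than vector<XRefEntry>::max_size() on 32- and 64-bit.
const std::size_t kHuge = std::numeric_limits<std::size_t>::max() / 2;

// Unguarded: whatever resize() throws reaches the caller unchanged.
void grow_unguarded(std::vector<XRefEntry>& offsets, std::size_t first, std::size_t count) {
    offsets.resize(first + count);
}

// Guarded: wrap-around and every resize() failure surface as ParseError.
void grow_guarded(std::vector<XRefEntry>& offsets, std::size_t first, std::size_t count) {
    if (count > std::numeric_limits<std::size_t>::max() - first)
        throw ParseError("xref subsection: first + count wraps around");
    try {
        offsets.resize(first + count);
    } catch (const std::exception& e) {  // length_error, bad_alloc or anything derived
        throw ParseError(std::string("xref subsection: resize failed: ") + e.what());
    }
}

enum class Thrown { Nothing, ParseErr, LengthErr, BadAlloc, Other };

// Run one of the functions above and report which exception type escaped.
template <typename Fn>
Thrown probe(Fn grow, std::size_t first, std::size_t count) {
    std::vector<XRefEntry> offsets;
    try { grow(offsets, first, count); }
    catch (const ParseError&)        { return Thrown::ParseErr; }
    catch (const std::length_error&) { return Thrown::LengthErr; }
    catch (const std::bad_alloc&)    { return Thrown::BadAlloc; }
    catch (...)                      { return Thrown::Other; }
    return Thrown::Nothing;
}

int main() {
    std::printf("unguarded=%d guarded=%d\n", static_cast<int>(probe(grow_unguarded, 0, kHuge)),
                static_cast<int>(probe(grow_guarded, 0, kHuge)));
}
```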