Hi

I’ve been trying to write unit tests for CVE-2017-5855 and CVE-2017-6844, and 
now think both are false positives due to a bug in Address Sanitizer triggered 
by large values passed to std::vector::resize().

The issues were both found with American Fuzzy Lop (AFL) and Address Sanitizer 
(ASAN). AFL sets the ASAN environment variable allocator_may_return_null=1: 
https://github.com/mirrorer/afl/blob/master/docs/env_variables.txt#L248

When allocator_may_return_null=1 is set, the C++ new operator and 
std::allocator return NULL when they cannot allocate memory, and do not throw 
std::bad_alloc as the C++ specification requires. This breaks the Standard C++ 
Library and is logged as a bug in ASAN:
https://github.com/google/sanitizers/issues/748
https://github.com/google/sanitizers/issues/295
https://github.com/google/sanitizers/issues/295#issuecomment-234273218 (comment 
by a libstdc++ library developer describes the behaviour seen in the CVEs)

CVE-2017-6844
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6844
https://blogs.gentoo.org/ago/2017/03/02/podofo-global-buffer-overflow-in-podofopdfparserreadxrefsubsection-pdfparser-cpp/
The stack trace shows the problem occurring in a call to 
std::vector::resize(count).

CVE-2017-5855
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5855
https://blogs.gentoo.org/ago/2017/02/01/podofo-null-pointer-dereference-in-podofopdfparserreadxrefsubsection-pdfparser-cpp/
The stack trace shows the problem occurring in a call to 
std::vector::resize(count).

Without ASAN enabled, std::vector::resize with a large count will throw a 
std::bad_alloc and be caught by the catch( std::exception ) statement in 
ReadXRefSubsection.

Does this analysis make sense?

Best Regards
Mark

--
Mark Rogers - mark.rog...@powermapper.com
PowerMapper Software Ltd - www.powermapper.com
Registered in Scotland No 362274 Quartermile 2 Edinburgh EH3 9GL
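The behaviour the mail relies on, as an added example that is not PoDoFo's code and not part of the original message: an attacker-controlled count is passed to std::vector::resize() inside a try block whose handler catches std::exception, and the example reports which exception actually fired. The XRefEntry struct is a constructed stand-in for a cross-reference table entry, and max_entries in count_is_plausible is a hypothetical bound, not a PoDoFo parameter. Two points the example makes visible: a count larger than max_size() throws std::length_error (thrown before any allocation is attempted) rather than std::bad_alloc, but both derive from std::exception so a catch( std::exception ) clause covers either; and a count that is below max_size() but still absurd does not throw at all, it just allocates, so a parser also needs a plausibility bound derived from the input before calling resize().

```cpp
#include <cstddef>
#include <cstdint>
#include <exception>
#include <iostream>
#include <new>
#include <stdexcept>
#include <vector>

// Constructed stand-in for a cross-reference table entry. It is not
// PoDoFo's own type; it only gives the vector a realistic payload size.
struct XRefEntry {
    std::uint64_t offset = 0;
    std::uint16_t generation = 0;
    char type = 'f';
};

// How a resize() driven by an untrusted count ended.
enum class Outcome { Ok, LengthError, BadAlloc, OtherException };

// Mirrors the pattern described in the mail: resize() inside a try block
// whose handler catches std::exception. The specific handlers are listed
// first only so the caller can see which exception actually fired; a
// single catch (const std::exception&) would catch all of them.
Outcome try_resize(std::size_t count) {
    std::vector<XRefEntry> entries;
    try {
        entries.resize(count);
        return Outcome::Ok;
    } catch (const std::length_error&) {
        // count > max_size(): rejected before any allocation is attempted
        return Outcome::LengthError;
    } catch (const std::bad_alloc&) {
        // count <= max_size(), but operator new could not satisfy it
        return Outcome::BadAlloc;
    } catch (const std::exception&) {
        return Outcome::OtherException;
    }
}

// Largest count resize() will even try to allocate for this element type.
std::size_t largest_count() {
    return std::vector<XRefEntry>().max_size();
}

// A count that throws nothing can still be far too large to be sane: it is
// accepted and simply allocates gigabytes. A bound derived from the input
// (e.g. remaining bytes divided by the entry width) is the check a parser
// needs in addition to the try/catch. max_entries is a hypothetical
// parameter standing in for whatever limit the caller can justify.
bool count_is_plausible(std::size_t count, std::size_t max_entries) {
    return count <= max_entries;
}

const char* outcome_name(Outcome o) {
    switch (o) {
        case Outcome::Ok:             return "ok";
        case Outcome::LengthError:    return "std::length_error";
        case Outcome::BadAlloc:       return "std::bad_alloc";
        case Outcome::OtherException: return "other std::exception";
    }
    return "unknown";
}

int main() {
    // Constructed counts: a sane one, the largest the vector accepts
    // without a length check failing, and one past that limit.
    const std::size_t counts[] = {16, largest_count(), SIZE_MAX};
    for (std::size_t c : counts) {
        std::cout << "resize(" << c << ") -> " << outcome_name(try_resize(c))
                  << ", plausible under a 1024-entry bound: "
                  << (count_is_plausible(c, 1024) ? "yes" : "no") << '\n';
    }
    return 0;
}
```

Built without sanitizers, the max_size() case reaches operator new, which cannot satisfy a request of roughly the whole address space and throws std::bad_alloc; with ASAN's default allocator_may_return_null=0 the same allocation aborts inside the allocator instead, and with allocator_may_return_null=1 the request returns a null pointer that the library code then dereferences, which is the failure mode the mail attributes to the two reports.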

_______________________________________________
Podofo-users mailing list
Podofo-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/podofo-users