Hi

This code from PdfString::Write has a buffer overflow: it only checks that 
m_buffer.GetSize() > 0, then sets nInputBufferLen = GetSize() - 2, which is passed to 
new[nInputBufferLen] and to memcpy without ever confirming that GetSize() is at least 2.

if( pEncrypt && m_buffer.GetSize() && IsValid() )
{
pdf_long nInputBufferLen = m_buffer.GetSize() - 2; // Cut off the trailing pair 
of zeros
pdf_long nUnicodeMarkerOffet = sizeof( PdfString::s_pszUnicodeMarker );
if( m_bUnicode )
 nInputBufferLen += nUnicodeMarkerOffet;

 char * pInputBuffer = new char[nInputBufferLen];

 if( m_bUnicode )
{
 memcpy(pInputBuffer, PdfString::s_pszUnicodeMarker, nUnicodeMarkerOffet);
  memcpy(&pInputBuffer[nUnicodeMarkerOffet], m_buffer.GetBuffer(), 
nInputBufferLen - nUnicodeMarkerOffet);
}
else
 memcpy(pInputBuffer, m_buffer.GetBuffer(), nInputBufferLen);


}

If buffer.GetSize() == 1 and m_bUnicode is false then
  nInputBufferLen = -1;
   // allocating an array with a negative size is undefined behaviour (or throws bad_alloc / bad_array_new_length on newer compilers); if it does not throw, the -1 length converts to a huge size_t and memcpy runs far past the end of both buffers
  char* pInputBuffer = new char[-1];
   memcpy( pInputBuffer, m_buffer.GetBuffer(), -1 );

If buffer.GetSize() == 1 and m_bUnicode is true then
  nInputBufferLen = 1;
  char* pInputBuffer = new char[1];
   // the 2 byte unicode marker is copied into a 1 byte buffer, and the following memcpy is then asked for nInputBufferLen - 2 = -1 bytes
  memcpy( pInputBuffer, m_buffer.GetBuffer(), 2 );

If buffer.GetSize() == 2 and m_bUnicode is false then
  nInputBufferLen = 0;
  char* pInputBuffer = new char[0];
   // new char[0] is legal but yields a zero-length buffer whose pointer must never be dereferenced; any later use of pInputBuffer as data is undefined behaviour 
https://stackoverflow.com/a/1087066
  memcpy( pInputBuffer, m_buffer.GetBuffer(), 0 );

If buffer.GetSize() == 2 and m_bUnicode is true then
  nInputBufferLen = 2;
  char* pInputBuffer = new char[2];
   memcpy( pInputBuffer, m_buffer.GetBuffer(), 2 );
   // the destination &pInputBuffer[2] is one past the end of the 2 byte buffer, and the C standard still requires 
memcpy's pointer arguments to be valid even when the length is zero
   // https://stackoverflow.com/a/3751937
   memcpy(&pInputBuffer[2], m_buffer.GetBuffer(), 2 - 2);

Best Regards
Mark

--
Mark Rogers - mark.rog...@powermapper.com<mailto:mark.rog...@powermapper.com>
PowerMapper Software Ltd - www.powermapper.com
Registered in Scotland No 362274 Quartermile 2 Edinburgh EH3 9GL
