Hi, I tried to fuzz the program podofopdfinfo and got the following ASan report. I also attach the PoC file. I analyzed the crash report first and found that there seems to be a bug in OutputInfoDict() in pdfinfo.cpp. The coding style is weird. In the called function GetStringUtf8->InitUtf8 the buffer is allocated based on lBufferLen, but in GetStringUtf8->InitUtf8->ConvertUTF16toUTF8 it tries to make sure the buffer is 0-terminated via buffer[lBufferLen]; it is obviously an off-by-one overflow. And back in GetStringUtf8->InitUtf8 it will first free the buffer and then return the buffer pointer to the output. It is obviously a use-after-free. So, I don't know if it is a "write" vulnerability to code like that or a "real" bug? As I am researching vulnerabilities, I would appreciate your reply.
Thank you.
Xiangkun Jia

**********************************************************************************
$ ./run_fuzz/target/podofopdfinfo/podofopdfinfo ./run_fuzz/output/crashes/id\:000000\,sig\:06\,src\:000000\,op\:arith8\,pos\:5364\,val\:-33
Document Info
-------------
File: ./run_fuzz/output/crashes/id:000000,sig:06,src:000000,op:arith8,pos:5364,val:-33
PDF Version: 1.5
Page Count: 2
Page Size: 612 x 792 pts
Fast Web View Enabled: No
Tagged: No
Encrypted: No
Printing Allowed: Yes
Modification Allowed: Yes
Copy&Paste Allowed: Yes
Add/Modify Annotations Allowed: Yes
Fill&Sign Allowed: Yes
Accessibility Allowed: Yes
Document Assembly Allowed: Yes
High Quality Print Allowed: Yes

Classic Metadata
----------------
=================================================================
==30227==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf440719e at pc 0x0820f5d0 bp 0xffffc848 sp 0xffffc83c
WRITE of size 1 at 0xf440719e thread T0
    #0 0x820f5cf in PoDoFo::PdfString::ConvertUTF16toUTF8(unsigned short const*, int, unsigned char*, int, PoDoFo::EPdfStringConversion) /home/ajia/git/podofo-0.9.6/src/base/PdfString.cpp:836:30
    #1 0x820e2f6 in PoDoFo::PdfString::InitUtf8() /home/ajia/git/podofo-0.9.6/src/base/PdfString.cpp:626:26
    #2 0x81ab44b in PoDoFo::PdfString::GetStringUtf8[abi:cxx11]() const /home/ajia/git/podofo-0.9.6/src/doc/../base/PdfString.h:501:39
    #3 0x81ab44b in PdfInfo::OutputInfoDict(std::ostream&) /home/ajia/git/podofo-0.9.6/tools/podofopdfinfo/pdfinfo.cpp:62
    #4 0x81b8b20 in main /home/ajia/git/podofo-0.9.6/tools/podofopdfinfo/podofopdfinfo.cpp:125:14
    #5 0xf7812636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
    #6 0x80a099d in _start (/home/xxj56/git/experiment/podofo/run_fuzz/target/podofopdfinfo/podofopdfinfo+0x80a099d)

0xf440719e is located 0 bytes to the right of 62-byte region [0xf4407160,0xf440719e)
allocated by thread T0 here:
    #0 0x8167584 in calloc /home/ajia/git/llvm-6.0.0/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:204
    #1 0x842af9e in PoDoFo::podofo_calloc(unsigned int, unsigned int) /home/ajia/git/podofo-0.9.6/src/base/PdfMemoryManagement.cpp:136:9
    #2 0x81ab44b in PoDoFo::PdfString::GetStringUtf8[abi:cxx11]() const /home/ajia/git/podofo-0.9.6/src/doc/../base/PdfString.h:501:39
    #3 0x81ab44b in PdfInfo::OutputInfoDict(std::ostream&) /home/ajia/git/podofo-0.9.6/tools/podofopdfinfo/pdfinfo.cpp:62
    #4 0x81b8b20 in main /home/ajia/git/podofo-0.9.6/tools/podofopdfinfo/podofopdfinfo.cpp:125:14
    #5 0xf7812636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/ajia/git/podofo-0.9.6/src/base/PdfString.cpp:836:30 in PoDoFo::PdfString::ConvertUTF16toUTF8(unsigned short const*, int, unsigned char*, int, PoDoFo::EPdfStringConversion)
==30227==ABORTING
****************************************************************************************
_______________________________________________
Podofo-users mailing list
Podofo-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/podofo-users
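Added example, not PoDoFo's code and not the reporter's: a constructed model of the allocation pattern the report describes, with the buggy terminator write beside the corrected allocation. The names encode_utf8, utf16_to_utf8_buggy and utf16_to_utf8_fixed are assumptions of this example; lBufferLen is used in the report's sense, and the input is assumed to be BMP-only UTF-16.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Constructed model of the allocation pattern in the report, not PoDoFo's
 * code. Input is UTF-16 code units limited to the BMP (no surrogates). */

/* Encode n code units into out, or only measure when out is NULL. The
 * return value is the payload size, the role lBufferLen plays in the report. */
size_t encode_utf8(const uint16_t *u16, size_t n, unsigned char *out)
{
    size_t k = 0;
    for (size_t i = 0; i < n; i++) {
        uint16_t c = u16[i];
        if (c < 0x80) {
            if (out) out[k] = (unsigned char)c;
            k += 1;
        } else if (c < 0x800) {
            if (out) { out[k] = 0xC0 | (c >> 6); out[k + 1] = 0x80 | (c & 0x3F); }
            k += 2;
        } else {
            if (out) { out[k] = 0xE0 | (c >> 12); out[k + 1] = 0x80 | ((c >> 6) & 0x3F);
                       out[k + 2] = 0x80 | (c & 0x3F); }
            k += 3;
        }
    }
    return k;
}

/* Buggy shape from the report: exactly lBufferLen bytes are allocated and the
 * terminator is stored at buf[lBufferLen], one byte past the end. Kept for
 * comparison only; calling it is the 1-byte heap-buffer-overflow ASan shows. */
unsigned char *utf16_to_utf8_buggy(const uint16_t *u16, size_t n)
{
    size_t lBufferLen = encode_utf8(u16, n, NULL);
    unsigned char *buf = calloc(lBufferLen, 1);
    if (!buf) return NULL;
    encode_utf8(u16, n, buf);
    buf[lBufferLen] = '\0';                 /* WRITE of size 1 out of bounds */
    return buf;
}

/* Fixed shape: reserve the terminator byte in the allocation so the NUL lands
 * at index lBufferLen inside lBufferLen + 1 bytes. Caller frees the result. */
unsigned char *utf16_to_utf8_fixed(const uint16_t *u16, size_t n)
{
    size_t lBufferLen = encode_utf8(u16, n, NULL);
    unsigned char *buf = calloc(lBufferLen + 1, 1);
    if (!buf) return NULL;
    buf[encode_utf8(u16, n, buf)] = '\0';   /* index == lBufferLen, in bounds */
    return buf;
}
```

Building with -fsanitize=address and calling utf16_to_utf8_buggy reproduces the "0 bytes to the right of ... region" WRITE of size 1 seen in the report, while utf16_to_utf8_fixed runs clean.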