Re: [Podofo-users] Integer Overflow in PdfXRefStreamParserObject::ParseStream

2018-02-25 Thread Mattia Rizzolo
On Sun, Feb 18, 2018 at 01:09:31PM +0100, zyx wrote:
> Right. Since the bug tracker is opened, I guess the best would be to
> use the bug tracker for new issues and for those CVE-s without patches,
> thus they won't get lost.

I've done so.
I opened a bug report for all CVEs that TTBOMK are still not fixed in
trunk.
See https://sourceforge.net/p/podofo/tickets/

-- 
regards,
Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540  .''`.
more about me:  https://mapreri.org : :'  :
Launchpad user: https://launchpad.net/~mapreri  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-


--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Podofo-users mailing list
Podofo-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/podofo-users


Re: [Podofo-users] Integer Overflow in PdfXRefStreamParserObject::ParseStream

2018-02-19 Thread zyx
On Sun, 2018-02-04 at 20:48 +0100, Mattia Rizzolo wrote:
> The patch is attached (it's against released 0.9.5).

Hi,
thanks for forwarding the patch for CVE-2018-5295. I committed it as
revision 1889:
https://sourceforge.net/p/podofo/code/1889

> 
> (PS: should we start moving these kind of things to the bug tracker,
> or perhaps only start with new ones, etc?)

Right. Since the bug tracker is opened, I guess the best would be to
use the bug tracker for new issues and for those CVEs without patches,
thus they won't get lost. To be honest, I'm not aware of any pending
patches on the list (this was the last one on my list, the one for
visibility, which requires review and eventual confirmation from
others, I do not count), but it's likely I overlooked something.

Thanks and bye,
zyx



Re: [Podofo-users] Integer Overflow in PdfXRefStreamParserObject::ParseStream

2018-02-04 Thread Mattia Rizzolo
On Sun, Jan 28, 2018 at 12:52:55AM +0100, Matthew Brincke wrote:
> > > src/src/base/PdfXRefStreamParserObject.cpp:125:64: runtime error:
> > > signed integer overflow: 3 + 9223372036854775807 cannot be
> > > represented in type 'long int [3]'
> 
> It looks like still CVE-worthy (specifically, CVE-2018-5295) to me in
> svn r1875 as signed integer overflow is undefined behaviour (AFAIK
> also for 64-bit integer types). This happens for e.g. nW[0] + nW[1] >
> std::numeric_limits::max() - nW[2] assuming all nW[] > 0
> (first in line 125).

So I've received another patch for this in Debian,
https://bugs.debian.org/889511, from Matthias Brinke:
> I've implemented a patch to fix this vulnerability, it is attached
> and tested with the PoC from the report (RedHat Bugzilla #1531897)
> and GCC 7 UBSan (-fsanitize=undefined in CXXFLAGS set via .sbuildrc).
> The builds were done with sbuild in an up-to-date Debian sid chroot.
> I've done the tests in a sandbox, where without the patch,
> signed integer overflow was detected, with it, nothing from UBSan.
> Otherwise, the same (expected, correct for the PoC) exception message
> with detailed info and "call stack" (via PdfError method) was output
> by podofoimgextract.


The patch is attached (it's against released 0.9.5).


(PS: should we start moving these kind of things to the bug tracker, or
perhaps only start with new ones, etc?)

-- 
regards,
Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540  .''`.
more about me:  https://mapreri.org : :'  :
Launchpad user: https://launchpad.net/~mapreri  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-
Description: Fix CVE-2018-5295
Author: Matthias Brinke 
Last-Updated: 2018-01-30
---
--- libpodofo-0.9.5.orig/src/base/PdfXRefStreamParserObject.cpp
+++ libpodofo-0.9.5/src/base/PdfXRefStreamParserObject.cpp
@@ -38,7 +38,9 @@
 #include "PdfStream.h"
 #include "PdfVariant.h"
 
-#include 
+// #include 
+
+#include 
 
 namespace PoDoFo {
 
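Review bot: the replaced include is kept as a commented-out line (`+// #include`) instead of being deleted; drop it so the file does not carry a dead directive. Also, both the removed and the added `#include` lines arrive here with an empty header name, so this copy does not show which header the patch adds; please confirm it is the one that declares `std::numeric_limits`, which the next hunk relies on.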
@@ -122,12 +124,25 @@ void PdfXRefStreamParserObject::ParseStr
 {
 char*pBuffer;
 pdf_long lBufferLen;
-const size_t entryLen  = static_cast(nW[0] + nW[1] + nW[2]);
 
-if( nW[0] + nW[1] + nW[2] < 0 )
+for(pdf_int64 nLengthSum = 0, i = 0; i < W_ARRAY_SIZE; i++ )
 {
-PODOFO_RAISE_ERROR_INFO( ePdfError_NoXRef, "Invalid entry length in XRef stream" );
+if ( nW[i] < 0 )
+{
+PODOFO_RAISE_ERROR_INFO( ePdfError_NoXRef,
+"Negative field length in XRef stream" );
+}
+if ( std::numeric_limits::max() - nLengthSum < nW[i] )
+{
+PODOFO_RAISE_ERROR_INFO( ePdfError_NoXRef,
+"Invalid entry length in XRef stream" );
+}
+else
+{
+nLengthSum += nW[i];
+}
 }
+const size_t entryLen  = static_cast(nW[0] + nW[1] + nW[2]);
 
 this->GetStream()->GetFilteredCopy( ,  );
 
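Review bot: `nLengthSum` is declared in the for-init, so it goes out of scope with the loop and the new `entryLen` line re-adds `nW[0] + nW[1] + nW[2]`; that sum is now proven not to overflow, but declaring `nLengthSum` before the loop and casting it directly keeps the checked value and the used value identical and avoids the recomputation. The `else` around `nLengthSum += nW[i];` is redundant, since the preceding branch raises. One caveat for 32-bit builds: the cast of the sum to `size_t` can still truncate a value that fits in `pdf_int64` but not in `size_t`, so consider bounding the sum against `std::numeric_limits<size_t>::max()` as well before the cast.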




Re: [Podofo-users] Integer Overflow in PdfXRefStreamParserObject::ParseStream

2018-01-27 Thread Matthew Brincke
Hello zyx, hello all,

> zyx  has written on 14 January 2018 at 11:55:
> 
> 
> On Sat, 2018-01-06 at 09:25 -0500, Probe Fuzzer wrote:
> > we found that on the latest version of PoDoFo (RELEASE_0.9.5_rc1),
> 
>   Hi,
> what is the RELEASE_0.9.5_rc1, please? The "rc1" suffix suggests it's a
> "release candidate", while the release itself had been made like a year
> ago, thus it seems you use some pre-release code. Nonetheless, as
that's a tag in the PoDoFo svn repository at sf.net, but the currently
latest is RELEASE_0.9.5, of course (made ca. 4 days less than a year ago).
> 
> > src/src/base/PdfXRefStreamParserObject.cpp:125:64: runtime error:
> > signed integer overflow: 3 + 9223372036854775807 cannot be
> > represented in type 'long int [3]'
> 
> It looks like it had been fixed more than 6 months ago in the
> development version at revision 1851:
> https://sourceforge.net/p/podofo/code/1851
> as part of the fix for CVE-2017-8787.
>

It looks like still CVE-worthy (specifically, CVE-2018-5295) to me in
svn r1875 as signed integer overflow is undefined behaviour (AFAIK
also for 64-bit integer types). This happens for e.g. nW[0] + nW[1] >
std::numeric_limits::max() - nW[2] assuming all nW[] > 0
(first in line 125).
 
>   Thanks and bye,
>   zyx
> 

Best regards, mabri
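Stepping outside the thread, here is an added C++ example (not PoDoFo's code, not from any poster) of the overflow-safe summation of the three /W widths that the message above and the CVE-2018-5295 patch discuss; `pdf_int64` and `W_ARRAY_SIZE` are local stand-ins for the PoDoFo names, and the widths in `main` are the values from the report's sanitizer message.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <limits>
#include <string>

typedef int64_t pdf_int64;          // stands in for PoDoFo's pdf_int64 (assumption)
static const int W_ARRAY_SIZE = 3;  // /W carries three field widths

// The original check, `if (nW[0] + nW[1] + nW[2] < 0)`, adds first and tests
// afterwards; the addition itself is the undefined behaviour, so a compiler
// may assume it cannot wrap and drop the test entirely.
// Hardened form: reject negative widths and test each addition against the
// remaining headroom before performing it. Returns true and sets entryLen on
// success; on failure err carries the message the patch raises.
bool xrefEntryLength(const pdf_int64 nW[W_ARRAY_SIZE], size_t &entryLen, std::string &err)
{
    pdf_int64 sum = 0;
    for (int i = 0; i < W_ARRAY_SIZE; i++) {
        if (nW[i] < 0) {
            err = "Negative field length in XRef stream";
            return false;
        }
        // sum >= 0 and nW[i] >= 0 here, so this subtraction cannot wrap.
        if (std::numeric_limits<pdf_int64>::max() - sum < nW[i]) {
            err = "Invalid entry length in XRef stream";
            return false;
        }
        sum += nW[i];
    }
    // Extra guard: the value is cast to size_t, which is narrower than
    // pdf_int64 on 32-bit targets.
    if (static_cast<uint64_t>(sum) > std::numeric_limits<size_t>::max()) {
        err = "Entry length does not fit in size_t";
        return false;
    }
    entryLen = static_cast<size_t>(sum);
    return true;
}

int main()
{
    // Widths from the sanitizer message in the report: 3 + 9223372036854775807.
    const pdf_int64 poc[W_ARRAY_SIZE] = {3, 9223372036854775807LL, 0};
    size_t len = 0;
    std::string err;
    if (!xrefEntryLength(poc, len, err))
        std::printf("rejected: %s\n", err.c_str());
    return 0;
}
```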



[Podofo-users] Integer Overflow in PdfXRefStreamParserObject::ParseStream

2018-01-06 Thread Probe Fuzzer
Hello,
we found that on the latest version of PoDoFo (RELEASE_0.9.5_rc1), there is an
integer overflow in the PdfXRefStreamParserObject::ParseStream function
(src/base/PdfXRefStreamParserObject.cpp), which can cause denial of service
via a crafted pdf file.

src/src/base/PdfXRefStreamParserObject.cpp:125:64: runtime error: signed
integer overflow: 3 + 9223372036854775807 cannot be represented in type
'long int [3]'

To reproduce the issue, compile PoDoFo with UBSAN "-fsanitize=undefined",
then execute: podofoimgextract $POC OUTPUT_DIR

The POC file can be downloaded from:
https://github.com/ProbeFuzzer/poc/blob/master/podofo/podofo_0-9-5-rc1_podofoimgextract_integer-overflow_PdfXRefStreamParserObject-ParseStream.pdf


Thanks,

ProbeFuzzer