Hello Mark, hello all,
> On 15 April 2018 at 18:32 Mark Rogers <mark.rog...@powermapper.com> wrote:
>
> Hi
>
> I’ve been trying to write unit tests for CVE-2017-5855 and CVE-2017-6844, and
> now think both are false positives due to a bug in Address Sanitizer triggered
> by large values passed to std::vector::resize()
>
> CVE-2017-6844
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6844
> https://blogs.gentoo.org/ago/2017/03/02/podofo-global-buffer-overflow-in-podofopdfparserreadxrefsubsection-pdfparser-cpp/
>
> the stack trace shows the problem occurring in a call to
> std::vector::resize(count)
>
> CVE-2017-5855
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5855
> https://blogs.gentoo.org/ago/2017/02/01/podofo-null-pointer-dereference-in-podofopdfparserreadxrefsubsection-pdfparser-cpp/
>
> the stack trace shows the problem occurring in a call to
> std::vector::resize(count)
>
> Without ASAN enabled std::vector::resize with a large count will throw a
> std::bad_alloc and be caught by the catch( std::exception ) statement in
> ReadXRefSubsection

that try/catch was introduced in svn r1843:
https://sourceforge.net/p/podofo/code/1843
so CVE-2017-5855 is unlikely to be entirely a false positive (although it could
be a DoS "only", a crash by std::bad_alloc not being caught), and AFAICS
CVE-2017-6844 is no false positive either because adding two numbers whose sum
is too large for their type can (NB: this is UB, Undefined Behaviour) make the
result much smaller (when MSB carry is ignored), and the guard against this was
introduced in svn r1840:
https://sourceforge.net/p/podofo/code/1840

These commits were performed much later than the CVEs were assigned.

> Does this analysis make sense?

Summing up: No, at least your conclusion that the named CVEs are false positives
is wrong AFAICS.

> Best Regards
>
> Mark

Best regards, mabri
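As an added illustration (not PoDoFo's code and not from either mail), the two guards the reply points at, modelled with hypothetical helpers: an overflow check before the addition that feeds resize() (the r1840 guard), and a catch around resize() itself (the r1843 try/catch), with a well-defined computation of what the wrapped sum would have looked like.

```cpp
#include <cstdint>
#include <limits>
#include <stdexcept>
#include <vector>

// Hypothetical helpers, constructed for this example (not PoDoFo's code):
// they model the two guards the reply points at, the overflow check before
// the addition (r1840) and the try/catch around resize() (r1843).
enum class XrefStatus { Ok, NegativeInput, SumOverflow, AllocFailed };

// True if a + b would exceed INT64_MAX; requires b >= 0. Checked before
// adding, so the signed overflow (undefined behaviour) never happens.
bool addWouldOverflow(std::int64_t a, std::int64_t b) {
    return a > std::numeric_limits<std::int64_t>::max() - b;
}

// What the unguarded addition yields once the carry out of the MSB is
// dropped. Computed in unsigned arithmetic, which wraps by definition, so
// this stays well-defined while showing the "much smaller" result.
std::int64_t wrappedSum(std::int64_t a, std::int64_t b) {
    return static_cast<std::int64_t>(
        static_cast<std::uint64_t>(a) + static_cast<std::uint64_t>(b));
}

// Reader for one xref subsection (first object number + entry count):
// validates the inputs before they reach resize(), and still catches the
// exception resize() throws for a count that is merely too big to allocate.
XrefStatus readSubsection(std::vector<std::int64_t>& entries,
                          std::int64_t first, std::int64_t count) {
    if (first < 0 || count < 0) return XrefStatus::NegativeInput;
    if (addWouldOverflow(first, count)) return XrefStatus::SumOverflow;
    try {
        entries.resize(static_cast<std::size_t>(first + count));
    } catch (const std::exception&) {
        // std::bad_alloc and std::length_error both derive from std::exception;
        // without this catch the throw would terminate the process (a DoS).
        return XrefStatus::AllocFailed;
    }
    return XrefStatus::Ok;
}
```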
