
Heap-buffer-overflow in podofo 0.10.0 (main/PdfEncrypt.cpp in PoDoFo::PdfEncryptAESV3::PdfEncryptAESV3) #71

@longuu9

Description

We found multiple heap-buffer-overflows in podofo 0.10.0 (main/PdfEncrypt.cpp in PoDoFo::PdfEncryptAESV3::PdfEncryptAESV3).

Command Input

podofoencrypt -rc4v2 -u 1232321 -o 24 poc_file /dev/null

All poc_files are attached.

Sanitizer Dump

==3904316==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000e0b at pc 0x0000004ab577 bp 0x7ffe4a6cc310 sp 0x7ffe4a6cbad8
READ of size 32 at 0x603000000e0b thread T0
    #0 0x4ab576 in __asan_memcpy /root/test/fuzzing_python/llvm-project-llvmorg-12.0.0/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3
    #1 0x5bcdd7 in PoDoFo::PdfEncryptAESV3::PdfEncryptAESV3(PoDoFo::PdfString, PoDoFo::PdfString, PoDoFo::PdfString, PoDoFo::PdfString, PoDoFo::PdfPermissions, PoDoFo::PdfString, PoDoFo::PdfAESV3Revision) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfEncrypt.cpp:1908:5
    #2 0x5a39a5 in PoDoFo::PdfEncrypt::CreateFromObject(PoDoFo::PdfObject const&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfEncrypt.cpp:586:47
    #3 0x6f2e88 in PoDoFo::PdfParser::ReadObjects(PoDoFo::InputStreamDevice&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfParser.cpp:631:29
    #4 0x6f09f3 in PoDoFo::PdfParser::Parse(PoDoFo::InputStreamDevice&, bool) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfParser.cpp:83:9
    #5 0x67071e in PoDoFo::PdfMemDocument::loadFromDevice(std::shared_ptr<PoDoFo::InputStreamDevice> const&, std::basic_string_view<char, std::char_traits<char> > const&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfMemDocument.cpp:148:12
    #6 0x671fcd in PoDoFo::PdfMemDocument::LoadFromDevice(std::shared_ptr<PoDoFo::InputStreamDevice> const&, std::basic_string_view<char, std::char_traits<char> > const&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfMemDocument.cpp:137:5
    #7 0x671bdb in PoDoFo::PdfMemDocument::Load(std::basic_string_view<char, std::char_traits<char> > const&, std::basic_string_view<char, std::char_traits<char> > const&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfMemDocument.cpp:119:5
    #8 0x4dfd57 in encrypt(std::basic_string_view<char, std::char_traits<char> > const&, std::basic_string_view<char, std::char_traits<char> > const&, std::basic_string_view<char, std::char_traits<char> > const&, std::basic_string_view<char, std::char_traits<char> > const&, PoDoFo::PdfEncryptAlgorithm, PoDoFo::PdfPermissions) /root/target/Invariants/podofo-0.10.0/tools/podofoencrypt/podofoencrypt.cpp:19:9
    #9 0x4e1112 in main /root/target/Invariants/podofo-0.10.0/tools/podofoencrypt/podofoencrypt.cpp:200:9
    #10 0x7fc7de7ed082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #11 0x430f6d in _start (/root/target/Invariants/podofo-0.10.0/build_clang/target/podofoencrypt+0x430f6d)

0x603000000e0b is located 0 bytes to the right of 27-byte region [0x603000000df0,0x603000000e0b)
allocated by thread T0 here:
    #0 0x4dd2dd in operator new(unsigned long) /root/test/fuzzing_python/llvm-project-llvmorg-12.0.0/compiler-rt/lib/asan/asan_new_delete.cpp:99:3
    #1 0x7fc7dec9d87f in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::reserve(unsigned long) (/lib/x86_64-linux-gnu/libstdc++.so.6+0x14387f)
    #2 0x7d5c2a in PoDoFo::StandardStreamDevice::readChar(char&) /root/target/Invariants/podofo-0.10.0/src/podofo/auxiliary/StreamDevice.cpp:290:12

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/test/fuzzing_python/llvm-project-llvmorg-12.0.0/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3 in __asan_memcpy
==3904316==ABORTING

Environment

  • OS: Ubuntu 20.04.1
  • clang: 12.0.0
  • podofo: 0.10.0

We built podofo with AddressSanitizer (ASAN).

cmake -DCMAKE_CXX_COMPILER=clang++ -DCMAKE_C_COMPILER=clang -DCMAKE_C_FLAGS="-O0 -fsanitize=address" -DCMAKE_CXX_FLAGS="-O0 -fsanitize=address"

poc_files.zip
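The trace shows a 32-byte memcpy reading from a 27-byte std::string that PdfEncrypt::CreateFromObject handed to the PdfEncryptAESV3 constructor, i.e. a fixed-width copy out of an /Encrypt dictionary string whose length was never checked. The following is an added illustration of that pattern and of the length check that prevents it; it is constructed for this page and is not PoDoFo's code. The entry widths (48 for /U and /O, 32 for /UE and /OE, 16 for /Perms) are taken from the PDF 2.0 AESV3 definition, not from this issue, and the mapping of the 32-byte read to /UE is an assumption.

```cpp
#include <array>
#include <cstddef>
#include <cstring>
#include <string>

// Constructed example, not PoDoFo's code. Widths the AESV3 (/V 5) entries of a
// PDF /Encrypt dictionary are defined to have (assumption: PDF 2.0 values).
constexpr size_t kUOLength    = 48;  // /U and /O
constexpr size_t kUEOELength  = 32;  // /UE and /OE
constexpr size_t kPermsLength = 16;  // /Perms

// Raw strings as read from the dictionary; the parser does not enforce lengths.
struct Aesv3Strings {
    std::string u, o, ue, oe, perms;
};

// Vulnerable pattern: copy the spec width regardless of the actual source size.
// A 27-byte string here gives exactly the report above: READ of size 32 ending
// 0 bytes to the right of a 27-byte heap region.
void copyUnchecked(std::array<unsigned char, kUEOELength>& dst, const std::string& ue) {
    std::memcpy(dst.data(), ue.data(), kUEOELength);  // over-reads short input
}

// Hardened: validate every entry width before any fixed-size copy happens.
// Returns the name of the first entry with the wrong length, "" if all fit.
std::string firstBadEntry(const Aesv3Strings& s) {
    struct Check { const char* name; size_t actual; size_t expected; };
    const Check checks[] = {
        {"U",     s.u.size(),     kUOLength},
        {"O",     s.o.size(),     kUOLength},
        {"UE",    s.ue.size(),    kUEOELength},
        {"OE",    s.oe.size(),    kUEOELength},
        {"Perms", s.perms.size(), kPermsLength},
    };
    for (const Check& c : checks)
        if (c.actual != c.expected) return c.name;
    return "";
}

// Copies /UE only after the whole dictionary has passed validation; a caller
// would turn a false return into a parse error instead of constructing the object.
bool copyChecked(std::array<unsigned char, kUEOELength>& dst, const Aesv3Strings& s) {
    if (!firstBadEntry(s).empty()) return false;
    std::memcpy(dst.data(), s.ue.data(), kUEOELength);
    return true;
}
```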

Labels: bug (Something isn't working), patch welcome (A patch for this issue is welcome)